  • vim /etc/sysconfig/iptables

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    # Built-in chain policies are ACCEPT; the explicit REJECT rules at the end of
    # INPUT and FORWARD are what actually close those chains.
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # INPUT is evaluated top to bottom; the first matching rule decides.
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # All ICMP types are accepted (not just echo-request).
    -A INPUT -p icmp -j ACCEPT
    # Loopback is matched by interface, which is preferable to matching on a
    # 127.0.0.1 source address.
    -A INPUT -i lo -j ACCEPT
    # SSH (22) is the only service reachable from outside in the stock file.
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    # Catch-all: anything not matched above is rejected. Any new ACCEPT rule
    # must be placed ABOVE this line or it is never reached.
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    以上是防火墙配置文件 /etc/sysconfig/iptables 的初始内容。

    下面是需要增加的规则（必须插入到 `-A INPUT -j REJECT` 这一行之前，否则永远不会被匹配到）:

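    # Rules to add. Insert them ABOVE the catch-all
    # "-A INPUT -j REJECT --reject-with icmp-host-prohibited" line: INPUT is
    # evaluated top to bottom and the first match wins, so anything appended
    # after the REJECT is never reached.
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

    # NOTE(review): this accepts MySQL (3306) from ANY source, which makes the
    # source-restricted rule below redundant. If only the replica host should
    # reach the database, leave this line out and keep the next one.
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

    # 115.28.46.84 is the replica (slave) database host.
    # "//" is not a comment marker in this file format; only "#" is. A trailing
    # "//..." on a rule line makes iptables-restore fail on that line.
    -A INPUT -s 115.28.46.84/32 -p tcp -m tcp --dport 3306 -j ACCEPT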

    实际配置示例:

    [danny@ay-sc-hz-02 ~]$ sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue Sep 30 14:47:08 2014
    *filter
    # Default policy for INPUT is DROP; in practice the explicit REJECT near the
    # end of the chain matches first, so the policy only covers what falls past it.
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [44:6143]
    # User-defined chain; its only rule is DROP (see bottom).
    :BLACKLIST - [0:0]
    # Service ports restricted to a single source host (MySQL, SMTP).
    -A INPUT -s 115.28.46.84/32 -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 112.124.7.82/32 -p tcp -m tcp --dport 25 -j ACCEPT
    # Web ports open to any source for new connections.
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ICMP echo-request only (type 8), not all ICMP as in the stock file.
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -s 121.199.2.108/32 -p tcp -m tcp --dport 25 -j ACCEPT
    # Host-level allow list: no -p/--dport, so every protocol and port is
    # accepted from these sources. There is no port-22 ACCEPT rule, so SSH is
    # reachable only from these hosts.
    -A INPUT -s 54.204.167.252/32 -j ACCEPT
    -A INPUT -s 54.226.209.220/32 -j ACCEPT
    -A INPUT -s 180.166.51.234/32 -j ACCEPT
    -A INPUT -s 174.129.49.94/32 -j ACCEPT
    -A INPUT -s 75.101.181.183/32 -j ACCEPT
    # Loopback is matched by source address here rather than by "-i lo";
    # an interface match is the more robust form.
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    -A INPUT -s 10.160.2.32/32 -j ACCEPT
    # Catch-all: everything not matched above is rejected here.
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # NOTE(review): unreachable. It sits after the unconditional REJECT, so no
    # packet ever reaches it and the BLACKLIST chain is never entered.
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    # Redundant with the OUTPUT ACCEPT policy, but harmless.
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Tue Sep 30 14:47:08 2014

    [danny@ay-db-qd-01 log]$ sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.3.5 on Mon Aug 25 17:48:21 2014
    *filter
    # Default policy DROP; the explicit REJECT below still matches first for
    # anything that reaches it.
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [184452044:15279824631]
    :BLACKLIST - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ICMP echo-request only.
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # No per-port rules at all on this (database) host: access is granted
    # purely by source address, all protocols and ports. A bare address
    # (no "/32") in this older iptables-save output is a single host.
    -A INPUT -s 54.204.167.252 -j ACCEPT
    -A INPUT -s 54.226.209.220 -j ACCEPT
    -A INPUT -s 180.166.51.234 -j ACCEPT
    -A INPUT -s 174.129.49.94 -j ACCEPT
    -A INPUT -s 75.101.181.183 -j ACCEPT
    # Loopback matched by source address rather than "-i lo".
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -s 10.144.38.91 -j ACCEPT
    # Catch-all reject; everything below it in INPUT is dead.
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # NOTE(review): unreachable (placed after the unconditional REJECT), so the
    # BLACKLIST chain is never entered.
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    # Redundant with the OUTPUT ACCEPT policy.
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Mon Aug 25 17:48:21 2014

    [danny@ay-wifi-hz-01 ~]$ sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.3.5 on Wed Aug 6 14:55:42 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [91064865:14245935000]
    :BLACKLIST - [0:0]
    # Per-source DROPs come first so they take precedence over the wildcard
    # 80/443 ACCEPTs further down (first match wins).
    -A INPUT -s 112.5.193.46 -j DROP
    -A INPUT -s 112.5.193.47 -j DROP
    -A INPUT -s 115.168.77.68 -j DROP
    -A INPUT -s 115.238.225.110 -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Web ports open to any source; no "--state NEW" match on this host.
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # ICMP echo-request only.
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # Host-level allow list: all protocols and ports from these sources; this
    # is also the only way to reach SSH (22) on this host.
    -A INPUT -s 23.22.208.66 -j ACCEPT
    -A INPUT -s 54.226.209.220 -j ACCEPT
    -A INPUT -s 180.166.51.234 -j ACCEPT
    -A INPUT -s 174.129.49.94 -j ACCEPT
    -A INPUT -s 75.101.181.183 -j ACCEPT
    # Loopback matched by source address rather than "-i lo".
    -A INPUT -s 127.0.0.1 -j ACCEPT
    -A INPUT -s 10.122.68.87 -j ACCEPT
    # Catch-all reject.
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # NOTE(review): unreachable (after the unconditional REJECT); the BLACKLIST
    # chain is never entered.
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    # Redundant with the OUTPUT ACCEPT policy.
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Wed Aug 6 14:55:42 2014

    [root@ay-xf-hz-01 ~]# sudo cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Sep 24 17:11:18 2014
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [86:9522]
    :BLACKLIST - [0:0]
    # The only service port open to any source on this host.
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 8089 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ICMP echo-request only.
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # Host-level allow list: all protocols and ports from these sources; SSH
    # (22) is reachable only from them.
    -A INPUT -s 180.166.51.234/32 -j ACCEPT
    -A INPUT -s 174.129.49.94/32 -j ACCEPT
    -A INPUT -s 75.101.181.183/32 -j ACCEPT
    # Loopback matched by source address rather than "-i lo".
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    # Catch-all reject.
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # NOTE(review): unreachable (after the unconditional REJECT); the BLACKLIST
    # chain is never entered.
    -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
    # Redundant with the OUTPUT ACCEPT policy.
    -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A BLACKLIST -j DROP
    COMMIT
    # Completed on Wed Sep 24 17:11:18 2014

  • 原文地址:https://www.cnblogs.com/chromebook/p/4006685.html