  • iptables

    # Install the userspace tool; the filtering rules themselves live in the kernel.
    yum install iptables

    # Show every chain of the filter table without resolving addresses or ports to names.
    iptables --list --numeric

    # Allow new outbound HTTP connections to a single host. --append adds the rule
    # at the end of OUTPUT, so an earlier DROP in that chain would still win.
    iptables --append OUTPUT --match state --state NEW --protocol tcp \
      --destination 182.92.228.160 --dport 80 --jump ACCEPT

    # Number the INPUT rules, then delete one by position. Positions are renumbered
    # after every deletion, so re-list before deleting a second rule.
    iptables --list INPUT --line-numbers
    iptables --delete INPUT 3

     1 /sbin/iptables -P INPUT ACCEPT
     2 /sbin/iptables -F
     3 /sbin/iptables -X
     4 /sbin/iptables -Z
     5 
     6 /sbin/iptables -A INPUT -i lo -j ACCEPT 
     7 /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
     8 /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
     9 /sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    10 /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    11 /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    12 /sbin/iptables -P INPUT DROP
    13  service iptables save

    Linux系统脚本

      1 #!/bin/bash
      2 #########################################
      3 #Function:    linux drop port
      4 #Usage:       bash linux_drop_port.sh
      5 #Author:      Customer Service Department
      6 #Company:     Alibaba Cloud Computing
      7 #Version:     2.0
      8 #########################################
      9 
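    check_os_release()
    {
      # Print a short distribution token (redhat5, centos6, ubuntu1204, ...)
      # that the firewall step of this script dispatches on.
      #
      # A distribution is recognised only when its pattern appears both in
      # /etc/issue and in a distribution-specific release file; the version is
      # then read from the /etc/issue match. The first distribution that
      # matches wins; later ones are not tried.
      # Outputs:
      #   - the token on stdout when distribution and version are recognised
      #   - an empty line when the distribution matches but the version does not
      #   - nothing at all when no distribution matches
      # Returns: 0 in every case.
      # /etc/issue is a free-form login banner that administrators commonly
      # edit, so the result is a hint about the platform, not an authoritative
      # identity. The original implementation wrapped this in a `while true`
      # loop that always ran once and wrote its temporaries to global
      # variables; both are gone here.
      local issue
      local confirm

      # Red Hat Enterprise Linux 5 / 6
      issue=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
      confirm=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
      if [ -n "$issue" ] && [ -n "$confirm" ]; then
        case "$issue" in
          *"release 5"*) echo redhat5 ;;
          *"release 6"*) echo redhat6 ;;
          *) echo "" ;;
        esac
        return 0
      fi

      # Aliyun Linux 5 / 6
      issue=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
      confirm=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
      if [ -n "$issue" ] && [ -n "$confirm" ]; then
        case "$issue" in
          *"release 5"*) echo aliyun5 ;;
          *"release 6"*) echo aliyun6 ;;
          *) echo "" ;;
        esac
        return 0
      fi

      # CentOS 5 / 6. The glob also covers redhat-release; note that CentOS 7
      # and later print "CentOS Linux release" and therefore never match here.
      issue=$(grep "CentOS release" /etc/issue 2>/dev/null)
      confirm=$(grep "CentOS release" /etc/*release 2>/dev/null)
      if [ -n "$issue" ] && [ -n "$confirm" ]; then
        case "$issue" in
          *"release 5"*) echo centos5 ;;
          *"release 6"*) echo centos6 ;;
          *) echo "" ;;
        esac
        return 0
      fi

      # Ubuntu 10.x, 12.04, 12.10
      issue=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
      confirm=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
      if [ -n "$issue" ] && [ -n "$confirm" ]; then
        case "$issue" in
          *"Ubuntu 10"*) echo ubuntu10 ;;
          *"Ubuntu 12.04"*) echo ubuntu1204 ;;
          *"Ubuntu 12.10"*) echo ubuntu1210 ;;
          *) echo "" ;;
        esac
        return 0
      fi

      # Debian 6
      issue=$(grep -i "debian" /etc/issue 2>/dev/null)
      confirm=$(grep -i "debian" /proc/version 2>/dev/null)
      if [ -n "$issue" ] && [ -n "$confirm" ]; then
        case "$issue" in
          *"Linux 6"*) echo debian6 ;;
          *) echo "" ;;
        esac
        return 0
      fi

      # openSUSE 13.1
      issue=$(grep "openSUSE" /etc/issue 2>/dev/null)
      confirm=$(grep "openSUSE" /etc/*release 2>/dev/null)
      if [ -n "$issue" ] && [ -n "$confirm" ]; then
        case "$issue" in
          *"13.1"*) echo opensuse131 ;;
          *) echo "" ;;
        esac
        return 0
      fi

      # No known distribution: print nothing.
      return 0
    }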
    121 
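    exit_script()
    {
      # Report a failed installation step in red on stderr, drop the lock file
      # and terminate with status 1.
      # Arguments: $1 - name of the component whose installation failed
      # Globals:   LOCKfile (read) - lock file created at start-up
      # The published listing had lost the escape character of its colour codes
      # (a bare "33[" was printed literally); \033 restores them. printf is used
      # instead of echo -e so $1 is never interpreted as escape sequences.
      # Not referenced by the visible script body.
      printf '\033[1;40;31mInstall %s error,will exit.\n\033[0m\n' "$1" >&2
      rm -f -- "$LOCKfile"
      exit 1
    }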
    128 
    config_iptables()
    {
      # Outbound lockdown for iptables-based systems. Each rule is inserted at
      # the top of OUTPUT so it takes precedence over whatever is already there:
      # rules 1 and 2 drop TCP to two groups of service ports, rule 3 drops all
      # outbound UDP (which includes DNS and NTP). The rules exist only in the
      # running kernel and are gone after a reboot unless saved separately.
      iptables --insert OUTPUT 1 --protocol tcp --match multiport \
        --dport 21,22,23,25,53,80,135,139,443,445 --jump DROP
      iptables --insert OUTPUT 2 --protocol tcp --match multiport \
        --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 --jump DROP
      iptables --insert OUTPUT 3 --protocol udp --jump DROP
      # Show the resulting chains with counters, without name resolution.
      iptables --list --verbose --numeric
    }
    136 
    ubuntu_config_ufw()
    {
      # ufw counterpart of config_iptables: deny outbound TCP to the same two
      # port groups, deny all outbound UDP, then print the resulting policy.
      local tcp_ports
      for tcp_ports in \
          21,22,23,25,53,80,135,139,443,445 \
          1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
      do
        ufw deny out proto tcp to any port "$tcp_ports"
      done
      # Also blocks DNS and NTP, so name resolution from this host stops
      # working until the rule is removed.
      ufw deny out proto udp to any
      ufw status
    }
    144 
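    ####################Start###################
    # One instance at a time: a lock file in /tmp marks a running copy.
    LOCKfile=/tmp/.$(basename -- "$0")
    # /tmp is writable by every local user, so the lock is created atomically
    # with O_EXCL semantics (noclobber) instead of test-then-touch: that closes
    # the check/create race and refuses to write through a symlink planted at
    # the lock path. A lock left behind by a killed run still blocks later
    # runs, as before; remove it by hand after confirming no copy is running.
    # Colour codes use \033 - the published listing had lost the escape
    # character and printed a bare "33[" - and printf replaces echo -e.
    if ! ( set -o noclobber; : > "$LOCKfile" ) 2>/dev/null; then
      printf '\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m\n'
      exit
    fi
    printf '\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m\n'
    # From here on the lock is ours: release it on every exit path (normal end,
    # error exit, termination signal). The trap is armed only after creation
    # so a copy that lost the race never deletes the running copy's lock.
    trap 'rm -f -- "$LOCKfile"' EXIT

    #check user
    # Everything below calls iptables or ufw, which require root.
    if [ "$(id -u)" -ne 0 ]; then
      printf '\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m\n' >&2
      exit 1
    fi

    printf '\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m\n'
    os_release=$(check_os_release)
    if [ -z "$os_release" ]; then
      # Unrecognised distribution: nothing is changed. The exit status stays 0
      # as in the original so automation wrapped around this script is unaffected.
      printf '\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m\n' >&2
      exit 0
    fi
    printf '\033[40;32mThis OS is %s.\n\033[40;37m\n' "$os_release"

    printf '\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m\n'
    case "$os_release" in
      redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
        service iptables start
        config_iptables
        ;;
      debian6|opensuse131)
        config_iptables
        ;;
      ubuntu10|ubuntu1204|ubuntu1210)
        # "ufw enable" asks for confirmation; answer on stdin so the script
        # never blocks waiting for a terminal.
        printf 'y\n' | ufw enable
        ubuntu_config_ufw
        ;;
      *)
        # check_os_release only emits the tokens listed above; anything else
        # means the detector and this dispatch table have drifted apart.
        printf '\033[1;40;31mUnsupported OS token: %s\n\033[0m\n' "$os_release" >&2
        exit 1
        ;;
    esac

    # The EXIT trap removes the lock file.
    printf '\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m\n'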
    [root@iZ942bg57piZ storage]#  netstat -tunl
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 0.0.0.0:48                  0.0.0.0:*                   LISTEN
    udp        0      0 120.24.152.12:123           0.0.0.0:*
    udp        0      0 10.45.177.31:123            0.0.0.0:*
    udp        0      0 127.0.0.1:123               0.0.0.0:*
    udp        0      0 0.0.0.0:123                 0.0.0.0:*
    [root@iZ942bg57piZ storage]#
    [root@iZ942bg57piZ storage]# netstat  -tunp
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0     64 120.24.152.12:48            183.128.163.147:13553       ESTABLISHED 1317/sshd
    tcp        0      0 120.24.152.12:48            183.128.163.147:13770       ESTABLISHED 1453/sshd
  • 原文地址:https://www.cnblogs.com/dazhaxie/p/4874744.html