  • Iptables-主机防火墙设置

       基于Iptables构建主机防火墙

       Iptables优点: 数据包过滤机制,它会对数据包包头数据进行分析。

    1.1.1 加载相关模块到内核

    [root@centos7 ~]# lsmod | egrep "nat|filter"
    iptable_filter         12810  0 
    ip_tables              27126  1 iptable_filter
    [root@centos7 ~]# modprobe ip_tables
    [root@centos7 ~]# modprobe iptable_filter
    [root@centos7 ~]# modprobe iptable_nat
    [root@centos7 ~]# modprobe ip_conntrack
    [root@centos7 ~]# modprobe ip_conntrack_ftp
    [root@centos7 ~]# modprobe ip_nat_ftp
    [root@centos7 ~]# modprobe ipt_state
    [root@centos7 ~]# lsmod | egrep "nat|filter"
    nf_nat_ftp             12770  0 
    nf_conntrack_ftp       18638  1 nf_nat_ftp
    iptable_nat            12875  0 
    nf_nat_ipv4            14115  1 iptable_nat
    nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
    nf_conntrack          133053  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
    iptable_filter         12810  0 
    ip_tables              27126  2 iptable_filter,iptable_nat
    libcrc32c              12644  3 xfs,nf_nat,nf_conntrack

    1.1.2 清空防火墙规则

    [root@centos7 ~]# iptables -F 
    [root@centos7 ~]# iptables -X 
    [root@centos7 ~]# iptables -Z

    1.1.3 允许ssh端口通信,本机lo通信

    [root@centos7 ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    [root@centos7 ~]# iptables -t filter -A INPUT -p tcp -s 192.168.10.1/24 -j ACCEPT 
    [root@centos7 ~]# iptables -nL
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination    
    
    [root@centos7 ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
    [root@centos7 ~]# iptables -t filter -A OUTPUT -o lo -j ACCEPT
    [root@centos7 ~]# iptables -nL
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0   

    1.1.4 修改默认策略(前面已先放行22端口和lo,因此将INPUT改为DROP后当前的远程会话不会被阻断)

    [root@centos7 ~]# iptables -P INPUT DROP
    [root@centos7 ~]# iptables -P FORWARD DROP
    [root@centos7 ~]# iptables -nL
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 

    1.1.5 配置允许网络地址段,如办公网络,对外开放端口80/443等

    [root@centos7 ~]# iptables -t filter -A INPUT -s 124.56.56.77/24 -p all -j ACCEPT
    [root@centos7 ~]# iptables -nL
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     all  --  124.56.56.0/24       0.0.0.0/0           
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0  
    #设置对外提供服务开放端口
    [root@centos7 ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    [root@centos7 ~]# iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    [root@centos7 ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    [root@centos7 ~]# iptables -t filter -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

    1.1.6 允许关联数据包通过

    #允许已建立及关联的数据包通过,例如:FTP的数据连接
    [root@centos7 ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    [root@centos7 ~]# iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    1.1.7 保存规则

    service iptables save

    1.1.8 检查保存的防火墙规则

    [root@centos7 ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.21 on Sat Sep  1 14:07:33 2018
    *nat
    :PREROUTING ACCEPT [16080:2838916]
    :INPUT ACCEPT [13058:2471258]
    :OUTPUT ACCEPT [45190:2717272]
    :POSTROUTING ACCEPT [45190:2717272]
    COMMIT
    # Completed on Sat Sep  1 14:07:33 2018
    # Generated by iptables-save v1.4.21 on Sat Sep  1 14:07:33 2018
    *filter
    :INPUT DROP [736:92755]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [3:228]
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 192.168.10.0/24 -p tcp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 124.56.56.0/24 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Sat Sep  1 14:07:33 2018