1. Creating the iptables rules from the command line for the first time

iptables -F    # flush all rules
iptables -X    # delete user-defined chains
iptables -Z    # zero the packet and byte counters
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # allow access to port 22 (SSH)
iptables -A INPUT -i lo -j ACCEPT    # trust the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP    # set the default policy of the INPUT chain to DROP
iptables -P OUTPUT ACCEPT    # set the default policy of the OUTPUT chain to ACCEPT
iptables -P FORWARD DROP    # set the default policy of the FORWARD chain to DROP
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT    # allow ping (ICMP echo request)
#### Allow trusted networks
iptables -A INPUT -s 192.168.1.100,192.168.2.0/24,192.168.3.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 5900:5910 -j ACCEPT    # note: no -s, so this VNC range is reachable from any source
#### Open ports for public services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80,8080,443 -j ACCEPT
#### Allow related and established packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

2. Show the rules currently loaded in the kernel

iptables-save

3. Show the rules in the default iptables configuration file

cat /etc/sysconfig/iptables

4. Save the iptables configuration

iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables save

5. Re-apply the iptables configuration file

/etc/init.d/iptables reload
iptables-restore /etc/sysconfig/iptables

6. Start and stop the firewall

/etc/init.d/iptables start
/etc/init.d/iptables stop

7. Show the detailed rule configuration

[root@centos6 sysconfig]# iptables -nvL --line
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
3      247 20668 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4      411 49930 ACCEPT     all  --  *      *       10.8.26.0/24         0.0.0.0/0
5        0     0 ACCEPT     all  --  *      *       10.8.201.0/24        0.0.0.0/0
6        0     0 ACCEPT     all  --  *      *       10.9.1.1             0.0.0.0/0
7        0     0 ACCEPT     tcp  --  *      *       10.8.26.0/24         0.0.0.0/0            multiport dports 6888,11034
8        0     0 ACCEPT     tcp  --  *      *       10.8.201.0/24        0.0.0.0/0            multiport dports 6888,11034
9        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:5910
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 8080,443
12       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2      172 17712 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

8. Example of a basic configuration file

[root@centos6 sysconfig]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Jan 19 03:14:49 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
####Trust loopback interface and Ping
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
####Trust Network
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.8.26.0/24 -j ACCEPT
-A INPUT -s 10.8.201.0/24 -j ACCEPT
-A INPUT -s 10.9.1.1/32 -j ACCEPT
-A INPUT -s 10.8.26.0/24,10.8.201.0/24 -p tcp -m multiport --dport 6888,11034 -j ACCEPT
####Open Port
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,443 -j ACCEPT
####Relate Packets
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Jan 19 03:14:49 2018
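Steps 1 and 8 build the ruleset one `iptables -A` at a time and then save the result. As an added example (not the post's own commands), the script below generates the same kind of ruleset directly in iptables-restore format from a few parameters, so the whole filter table is loaded in one step; the SSH port, trusted sources and public ports are assumed, space-separated arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a filter table in
# iptables-restore format mirroring the post's layout; iptables-restore
# replaces the table atomically, so a bad line never leaves the host
# half-configured. Arguments (assumed): SSH_PORT "TRUSTED_SOURCES" "PUBLIC_TCP_PORTS"
gen_rules() {
    ssh_port=$1
    trusted=$2
    public=$3
    echo '*filter'
    # Default policies as in the post: drop inbound and forwarded, allow outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and reply traffic first: most packets match here, so the
    # rest of the chain is rarely evaluated.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Echo request only; the replies are already covered by ESTABLISHED.
    echo '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    # Management access is the one rule that must never be missing.
    echo "-A INPUT -p tcp -m tcp --dport $ssh_port -j ACCEPT"
    # One rule per trusted source (a comma list in -s expands the same way).
    for src in $trusted; do
        echo "-A INPUT -s $src -j ACCEPT"
    done
    # Public services as a single multiport rule, if any were given.
    if [ -n "$public" ]; then
        ports=$(echo "$public" | tr ' ' ',')
        echo "-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT"
    fi
    echo 'COMMIT'
}

# Number of -A rules the generated file would load.
count_rules() {
    gen_rules "$@" | grep -c '^-A'
}

# Load the generated ruleset and persist it, as steps 4 and 5 of the post do.
apply_rules() {
    gen_rules "$@" > /tmp/iptables.new &&
    iptables-restore < /tmp/iptables.new &&
    iptables-save > /etc/sysconfig/iptables
}
```

Run `gen_rules 22 "192.168.1.100 192.168.2.0/24" "80 443 8080"` to inspect the output before calling `apply_rules` with the same arguments as root.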