1.允许ssh通过
[root@server ~]# iptables -t filter -A INPUT -s 10.106.42.169 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@server ~]#
[root@server ~]# iptables -t filter -A OUTPUT -d 10.106.42.169 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
--把三条链的默认策略改为 DROP，避免反弹木马（要在上面的 ssh 放行规则添加之后再执行，否则当前远程会话会被断开）
[root@server ~]# iptables -P INPUT DROP
[root@server ~]# iptables -P OUTPUT DROP
[root@server ~]# iptables -P FORWARD DROP
2.允许127.0.0.1与用户进程通信
[root@server ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
[root@server ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
[root@server ~]# iptables -t filter -A OUTPUT -o lo -j ACCEPT
--不放行 lo 回环接口时，apache 和用户的其他进程会启动不了，所以需要把回环接口打开
[root@server ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.061 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.035/0.048/0.061/0.013 ms
[root@server ~]#
3.允许ping通过
网络层协议
Icmp、Arp、rp、 ip
Icmp没有端口号
Ping 请求的是8、 回应是 0
-p icmp --icmp-type [!] typename
echo-reply / 0
echo-request /8
[root@server ~]# iptables -t filter -A INPUT -s 10.106.42.175 -p icmp --icmp-type echo-request -j ACCEPT
[root@server ~]# iptables -t filter -A OUTPUT -d 10.106.42.175 -p icmp --icmp-type echo-reply -j ACCEPT
4.保存iptables规则:
[root@server ~]# service iptables
Usage: /etc/init.d/iptables{start|stop|restart|condrestart|status|panic|save}
[root@server ~]# service iptables save
5.# modprobe ip_nat_ftp --ftp防火墙控制需要加载的模块
#lsmod --查看加载的模块
#vim /etc/modprobe.conf
--把加载的模块写入文件实现永久加载