We run a lot of Ubuntu 12.04 and cannot afford a hardware firewall, so we use iptables for simple policy control.
Ubuntu 12.04 ships with the ufw firewall front end; managing services and ports with it is easy, but it is still far from the power of iptables,
so uninstall it:
apt-get remove ufw -y
The iptables setup on this Ubuntu version is quite different from RedHat.
1. RedHat method
On RedHat you only need to write the rules to /etc/sysconfig/iptables,
then:
/etc/init.d/iptables reload
iptables -nL
2. Ubuntu method
Ubuntu, surprisingly, does not work this way:
on Ubuntu iptables is not a service.
Running iptables-save
gave an error saying /etc/network/iptables had not been created.
iptables-restore < /etc/network/iptables # load the rules from the file
iptables-save > /etc/network/iptables # save the current rules to the file (a bare iptables-save only prints them to stdout)
iptables -nL # list the rules
Nothing reloads that file at boot by itself; the iptables-restore line has to run at startup (for example from a networking pre-up hook), otherwise the rules are gone after a reboot.
3. Example rules file
# Generated by iptables-save v1.4.21 on Tue May 17 03:39:50 2016
*nat
:PREROUTING ACCEPT [36:5869]
:INPUT ACCEPT [36:5869]
:OUTPUT ACCEPT [15:939]
:POSTROUTING ACCEPT [15:939]
COMMIT
# Completed on Tue May 17 03:39:50 2016
# Generated by iptables-save v1.4.21 on Tue May 17 03:39:50 2016
*mangle
:PREROUTING ACCEPT [1085:768611]
:INPUT ACCEPT [1085:768611]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [720:76434]
:POSTROUTING ACCEPT [720:76434]
COMMIT
# Completed on Tue May 17 03:39:50 2016
# Generated by iptables-save v1.4.21 on Tue May 17 03:39:50 2016
*filter
:INPUT ACCEPT [836:749295]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [720:76434]
# git
-A INPUT -s 192.168.3.13/32 -p tcp -m tcp --dport 29418 -j ACCEPT
-A INPUT -s 192.168.3.12/32 -p tcp -m tcp --dport 29418 -j ACCEPT
-A INPUT -s 192.168.3.11/32 -p tcp -m tcp --dport 29418 -j ACCEPT
-A INPUT -s 192.168.3.10/32 -p tcp -m tcp --dport 29418 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 29418 -j DROP
# xrdp
-A INPUT -s 192.168.3.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
# ssh
-A INPUT -s 192.168.3.13/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.3.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.3.11/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
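The file above relies on rule order: iptables walks a chain top to bottom and stops at the first match, so each per-host ACCEPT must sit before the blanket DROP for that port. The following is an added example, not part of the original post, that lints an iptables-save dump for exactly that pattern; the function name lint_rules and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables-save dump for the
# per-port allowlist pattern used above. iptables matches top to bottom and stops at
# the first hit, so an ACCEPT that follows a blanket DROP for the same port is dead,
# and a blanket DROP with no earlier ACCEPT closes the port to everyone.

lint_rules() {   # usage: lint_rules /path/to/iptables-save-dump ; returns 1 on findings
  awk '
    /^-A INPUT / && /--dport/ {
      port = ""; target = ""; src = "any"
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
        if ($i == "-s")      src = $(i + 1)
      }
      if (target == "ACCEPT") {
        if (port in dropped) {
          printf "SHADOWED line %d: ACCEPT from %s on port %s is after a blanket DROP\n", NR, src, port
          bad = 1
        } else {
          accepted[port] = 1
        }
      } else if (target == "DROP" && src == "any") {
        if (!(port in accepted)) {
          printf "CLOSED line %d: port %s dropped with no allowlisted source before it\n", NR, port
          bad = 1
        }
        dropped[port] = 1
      }
    }
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}

# Constructed sample: the ssh block from the post plus a misordered pair for port 3389.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.3.13/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
-A INPUT -s 192.168.3.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
EOF
lint_rules "$sample" || echo "ruleset needs reordering"
rm -f "$sample"
```

Run it against /etc/network/iptables before iptables-restore; a clean file produces no output and exit status 0.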