vim /etc/sysconfig/iptables-config
添加:
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp" 为了加载 FTP 的连接跟踪/NAT 辅助模块：有了它们，有状态规则才能把 FTP 另开的数据连接识别为 RELATED，否则主动/被动模式的数据连接会被后面的规则丢弃。注意：较新的内核中这两个模块已改名为 nf_conntrack_ftp 和 nf_nat_ftp，先用 modinfo 确认本机的模块名。
用 iptables -A 加的规则只存在于内核内存中，重启后会失效，所以要把规则写成脚本并设置开机执行:
1脚本内容:
vim /etc/sysconfig/iptables.sh
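#!/bin/bash
# Firewall rules for a single-homed host: accept ftp/ssh/http, conntrack
# replies and rate-limited ping on INPUT, drop everything else.
#
# Runs as root (from rc.local). Re-running is safe: the filter table is
# flushed first so rules are not duplicated on every boot, and the DROP
# policy is applied only after the accept rules exist, so a failure
# mid-script leaves the host open rather than locked out.
set -euo pipefail

# This host's address and its subnet broadcast; override via env if needed.
HOST_IP="${HOST_IP:-192.168.1.202}"
BCAST_IP="${BCAST_IP:-192.168.1.255}"
# TCP services accepted from anywhere: ftp (21), ssh (22), http (80).
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-21,22,80}"

# Start from a clean slate: open policies, then flush rules and user chains.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# Loopback has to be allowed explicitly once INPUT defaults to DROP.
iptables -A INPUT -i lo -j ACCEPT

# Drop scan / malformed packets. (The original appended the first rule to a
# 'clean_in' chain that was never created; -A on a missing chain fails.)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -d "$BCAST_IP" -p icmp -j DROP
iptables -A INPUT -d 255.255.255.255 -p icmp -j DROP
iptables -A INPUT -d "$HOST_IP" -m state --state INVALID -j DROP

# Allowed services, plus replies/related traffic tracked by conntrack.
iptables -A INPUT -d "$HOST_IP" -p tcp -m multiport --dports "$ALLOW_TCP_PORTS" -m state --state NEW -j ACCEPT
iptables -A INPUT -d "$HOST_IP" -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d "$HOST_IP" -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -d "$HOST_IP" -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 5 -m state --state NEW,ESTABLISHED -j ACCEPT

# RELATED is needed here for the FTP data connection opened by the ftp
# conntrack helper. OUTPUT policy stays ACCEPT, so this rule only matters
# if OUTPUT is later switched to DROP.
iptables -A OUTPUT -s "$HOST_IP" -m state --state RELATED,ESTABLISHED -j ACCEPT

# Default-deny inbound. Without this the ACCEPT rules above restrict nothing.
iptables -P INPUT DROP

# Keep a snapshot of the live ruleset for inspection, and leave the
# service's own rules file empty so that `service iptables restart`
# (the scheduled fallback used while testing) reverts to an open ruleset.
iptables-save > /etc/sysconfig/iptables-v1
: > /etc/sysconfig/iptables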
2 给其执行权限（脚本只由 root 执行，不必让其他用户读取，700 即可）:
chmod 700 /etc/sysconfig/iptables.sh
3 测试前先用计划任务加一道保险，规则写错时不会把自己锁在外面:
yum -y install at
service atd restart
echo "service iptables restart" | at now + 10 minutes
/etc/sysconfig/iptables.sh
说明：必须先预约恢复任务、再运行脚本；顺序反了，脚本一旦断掉 ssh 就没有机会再预约。原来的写法 `脚本 && at ...` 只在脚本成功后才预约，并且 at 交互方式下还要再另起一行输入命令，这里改为通过管道一次写入。脚本里会把 /etc/sysconfig/iptables 清空，所以 10 分钟后的 service iptables restart 会清掉所有规则、恢复可访问。确认新规则下 ssh 仍能登录后，用 atq 查到任务编号，再用 atrm 取消它。
4 测试好脚本后放到 /etc/rc.d/rc.local 里每次开机执行（CentOS 7 及以后 rc.local 默认没有执行权限，需先 chmod +x /etc/rc.d/rc.local，否则开机不会运行）
vim /etc/rc.d/rc.local
添加
/etc/sysconfig/iptables.sh
5重启
----------------------------------------------------------------------