# iptables -F
# iptables -X
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # the server is not allowed to initiate new connections
# iptables -A INPUT -p tcp -m multiport --sport 22,80 -m state --state NEW -j ACCEPT   # allow connections to and listening on ports 22 and 80
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT   # allow the ssh service
# iptables -P INPUT DROP   # deny by default
# iptables -P FORWARD DROP   # deny by default
# iptables -P OUTPUT DROP   # deny by default
# iptables -A INPUT -p udp --sport 53 -j ACCEPT   # allow dns
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT   # allow dns
# iptables -A INPUT -p icmp -j ACCEPT   # enable the icmp protocol
# iptables -A OUTPUT -p icmp -j ACCEPT   # enable the icmp protocol
# service iptables save   # save the configuration
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
For an ordinary simple web server this is basically sufficient. Of course the ssh port will certainly be changed, and the commands above should be adjusted accordingly. If you want to stop other people from pinging the server, the following settings are recommended:
Takes effect temporarily: echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Takes effect permanently:
# echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
# sysctl -p
# Generated by iptables-save v1.4.7 on Mon Mar 21 18:13:01 2016
*filter
:INPUT DROP [3:134]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --sports 22,80 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
# Completed on Mon Mar 21 18:13:01 2016
You can copy the iptables configuration above directly into /etc/sysconfig/iptables with vim and then restart iptables.
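Below is an added example, not the original post's commands, that generates the same kind of iptables-restore file as the saved /etc/sysconfig/iptables shown above, so the ruleset can be reviewed as text before it is loaded. It differs from the post's rules in two places: the NEW-state rule matches the destination ports with --dports (the saved file above matches --sports, i.e. the client's source port, which an incoming connection to port 22 or 80 would not normally have), and OUTPUT gets its own RELATED,ESTABLISHED rule, because with a DROP policy on OUTPUT and only "--sport 22" allowed there, the web server's own replies from port 80 would be dropped. The function names gen_rules and check_rules and the two port parameters are assumptions of this example; the ssh port is a parameter because the post says it will be changed.

```shell
#!/bin/sh
# Added example, not code from the original post. gen_rules writes an
# iptables-restore file for a small web server with default-DROP policies
# to stdout. Assumed interface: gen_rules SSH_PORT HTTP_PORT (defaults 22, 80).

gen_rules() {
    ssh_port="${1:-22}"
    http_port="${2:-80}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic (local resolvers, health checks and the like)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets of connections that were already accepted, in both directions;
# without the OUTPUT rule the web server's own replies would be dropped
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new inbound connections only to the listening ports: match the destination port
-A INPUT -p tcp -m multiport --dports ${ssh_port},${http_port} -m state --state NEW -j ACCEPT
# DNS queries the server sends out; the answers come back as ESTABLISHED
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# ICMP in both directions (echo replies can still be switched off with icmp_echo_ignore_all)
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# check_rules reads a ruleset on stdin and returns 0 only if it has the
# properties this setup relies on: a DROP policy on all three chains, a
# NEW-state rule that matches destination ports (no --sport/--sports match),
# a RELATED,ESTABLISHED rule in OUTPUT, and a terminating COMMIT.
check_rules() {
    rules="$(cat)"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:${chain} DROP" || return 1
    done
    if printf '%s\n' "$rules" | grep -q -e '--sport'; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -e '--dports [0-9,]* -m state --state NEW -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -e '^-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    return 0
}

# Usage (as root, with the ssh port you actually use):
#   gen_rules 22 80 | check_rules && gen_rules 22 80 > /etc/sysconfig/iptables
#   service iptables restart
```

iptables-restore ignores the lines beginning with "#", so the comments can stay in the file. Running check_rules over the generated text before loading it is a cheap way to catch the --sport/--dport mix-up and a missing OUTPUT state rule, both of which would otherwise only show up as a server that stops answering once the DROP policies are in place.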
Time: 2024-09-30 22:16:53