Lab environment:
Two Linux hosts, server4 and server5, and one Windows XP host. The firewall policy is built on server5; the other two hosts act as clients for testing.
server4:192.168.1.14
server5:192.168.1.15
windows:192.168.1.156
Configuration on server5:
First delete any existing user-defined chains, reset the default policy on every built-in chain, and flush all rules:
[root@server5 ~]# iptables -F;iptables -X
[root@server5 ~]# for chain in INPUT FORWARD OUTPUT;do iptables -P $chain ACCEPT;done;
[root@server5 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
1. Block all incoming connections from the neighbouring host (server4):
[root@server5 ~]# iptables -A INPUT -s 192.168.1.14 -m state --state NEW -j DROP
Test from server4 over ssh:
[root@server4 ~]# ssh server5
ssh: connect to host server5 port 22: Connection timed out
So server4 can no longer connect to server5.
2. Rate-limit incoming ICMP echo-request packets from the neighbouring host (server5):
[root@server5 ~]# iptables -A INPUT -s 192.168.1.156 -p icmp --icmp-type echo-request -m limit --limit 6/minute --limit-burst 3 -j ACCEPT
[root@server5 ~]# iptables -A INPUT -s 192.168.1.156 -p icmp --icmp-type echo-request -j DROP
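The reset step and rules 1 and 2 above, collected into one script as an added example (this is not the original post's code). The addresses are the ones given in the post; the variable names IPTABLES, SERVER4 and WINHOST and the RUN_IPTABLES_DEMO switch are assumptions of this example. Two ordering details matter: policies are set to ACCEPT before the flush, so an administrator on ssh is not cut off if a chain previously had policy DROP, and the limited ACCEPT for echo-requests is appended before the unconditional DROP, because the first matching rule in a chain wins.

```shell
#!/bin/sh
# Added example: reproduce the server5 ruleset from the post as a script.
# IPTABLES, SERVER4 and WINHOST are assumed names; addresses come from the post.
IPTABLES="${IPTABLES:-iptables}"
SERVER4="${SERVER4:-192.168.1.14}"
WINHOST="${WINHOST:-192.168.1.156}"

# Reset the filter table. Policies go to ACCEPT *before* flushing so that a
# chain with policy DROP cannot lock out the ssh session doing the reset.
# Note: -F and -X without -t only touch the filter table; nat and mangle
# keep whatever they contain.
reset_filter() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT || return 1
    done
    "$IPTABLES" -F && "$IPTABLES" -X
}

# Rule 1: drop NEW connections from server4. Only the first packet of a flow
# is NEW, so connections that server5 itself opened towards server4 continue
# to work (their reply packets are ESTABLISHED).
block_new_from_server4() {
    "$IPTABLES" -A INPUT -s "$SERVER4" -m state --state NEW -j DROP
}

# Rule 2: allow a burst of 3 echo-requests from the Windows host, then one
# every 10 seconds (6/minute); everything beyond that is dropped. The ACCEPT
# must be appended first, otherwise the DROP would match every request.
limit_ping_from_windows() {
    "$IPTABLES" -A INPUT -s "$WINHOST" -p icmp --icmp-type echo-request \
        -m limit --limit 6/minute --limit-burst 3 -j ACCEPT &&
    "$IPTABLES" -A INPUT -s "$WINHOST" -p icmp --icmp-type echo-request -j DROP
}

apply_all() {
    reset_filter && block_new_from_server4 && limit_ping_from_windows
}

# Run as root on server5 with RUN_IPTABLES_DEMO=1; otherwise the functions are
# only defined, so the file can be sourced and exercised with a stub iptables.
if [ "${RUN_IPTABLES_DEMO:-0}" = 1 ]; then
    apply_all && "$IPTABLES" -S INPUT
fi
```

To verify the order without touching a live firewall, define a shell function named `iptables` that records its arguments to a file and then call `apply_all`; the recorded lines should show the three `-P` commands, then `-F` and `-X`, then the three `-A INPUT` rules with the limited ACCEPT immediately before the DROP.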
Ping test from Windows:
C:\Documents and Settings\jacky.lee>ping server5
Pinging server5.rhel5.com [192.168.1.15] with 32 bytes of data:
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Request timed out.
Ping statistics for 192.168.1.15:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
See: three pings got through and the fourth was dropped.
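Why exactly the fourth request is lost follows from how the `limit` match works: it is a token bucket that starts full with `--limit-burst` tokens and refills at the `--limit` rate (6/minute is one token every 10 seconds); a packet matches only if a token is available. The model below is an added example, not code from the post, and it approximates the kernel's bookkeeping by counting credits in sixtieths of a token so that per-minute rates stay integer. The function names `simulate_limit` and `count_accepted` are this example's own.

```shell
#!/bin/sh
# Added example: a token-bucket model of the iptables "limit" match, used to
# predict which echo-requests `-m limit --limit 6/minute --limit-burst 3`
# lets through. Credits are in 1/60 token; one token = 60 credits.

# simulate_limit RATE_PER_MINUTE BURST T1 T2 ...  (Tn = arrival time, seconds)
# Prints "t=<Tn> ACCEPT" or "t=<Tn> DROP" per packet, in arrival order.
simulate_limit() {
    rate=$1; burst=$2; shift 2
    cap=$((burst * 60))   # bucket capacity in credits
    credit=$cap           # a freshly loaded rule starts with a full bucket
    last=0
    for t in "$@"; do
        # refill for the time elapsed since the previous packet, capped at burst
        credit=$((credit + (t - last) * rate))
        [ "$credit" -gt "$cap" ] && credit=$cap
        last=$t
        if [ "$credit" -ge 60 ]; then
            credit=$((credit - 60))   # spend one token: the ACCEPT rule matches
            echo "t=$t ACCEPT"
        else
            echo "t=$t DROP"          # no token: falls through to the DROP rule
        fi
    done
}

# Number of packets the ACCEPT rule would match for the given arrival times.
count_accepted() {
    simulate_limit "$@" | grep -c ACCEPT
}

# Windows ping: four requests one second apart -> the fourth finds the bucket
# at 18 credits (0.3 token) and is dropped.
simulate_limit 6 3 0 1 2 3
# A request 10 seconds after the burst finds a refilled token again.
simulate_limit 6 3 0 1 2 3 13
```

Running it shows `ACCEPT ACCEPT ACCEPT DROP` for the Windows ping, and a continuous one-per-second stream settles to one accepted request every 10 seconds once the burst is spent, which is the behaviour the rule is meant to enforce.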
Test from server5:
[root@server5 ~]# ping xzxj
PING xzxj (192.168.1.156) 56(84) bytes of data.
.........
It just stays like this; server5 cannot ping the Windows host!
If the parts marked in red are unclear, please refer to my other document on iptables: