1、配置說明
iptables [-t table] -A/I INPUT/OUTPUT -p tcp -s 192.168.19.0/24 --dport 22 -j DROP/ACCEPT/REJECT　（目標名稱區分大小寫,必須全大寫）
table有以下三種方式。
nat:PREROUTING和POSTROUTING兩個規則鏈,主要做源地址和目的地址轉換工作。
filter:默認表,針對INPUT、FORWARD和OUTPUT三個規則鏈。
-A : 在尾部增加一條記錄
-I : 在頭部增加一條記錄
iptables -F 清除所有規則
iptables -t nat -F 只清除nat表所有規則
2、開放允許的端口訪問
# Step 2: admit tcp/22 (SSH) from the management network only. -I places the
# rule at the head of INPUT so it is evaluated before anything already present;
# it must exist before the default policy is switched to DROP in step 3, or the
# SSH session used to type these commands is cut off.
iptables -I INPUT -p tcp -s 192.168.187.0/24 --dport 22 -j ACCEPT
3、關閉其他端口訪問
# Step 3: default policies -- anything not matched by an explicit rule is dropped.
# Ordering matters when this is typed interactively over SSH: the step-2 allow
# rule must already be in place, and `iptables -P OUTPUT DROP` below drops the
# session's own replies until the OUTPUT ACCEPT rule of step 5 is added. Run
# step 5 first, or apply the whole set from one non-interactive script/console.
# NOTE(review): with the rules in these notes there is no connection-tracking
# rule (e.g. `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` on INPUT),
# so reply packets of connections the host itself opens (DNS, package updates)
# hit INPUT DROP: the host is reachable on 22 but cannot complete outbound
# connections. Add such a rule if outbound traffic is expected to work.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
4、允許本地迴環地址訪問(即本地對本地訪問)
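# Step 4: accept all loopback traffic, matched by interface rather than by
# address. The address form `-s 127.0.0.1 -d 127.0.0.1` misses loopback traffic
# that uses other 127.0.0.0/8 addresses or the host's own interface addresses
# (a service connecting to itself via its eth0 IP is still delivered on lo),
# and the INPUT DROP policy of step 3 would silently discard it.
iptables -A INPUT -i lo -j ACCEPT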
5、允許所有本機向外訪問
# Step 5: re-open all outbound traffic. Appended to OUTPUT with no match
# criteria, this accepts every outgoing packet, so the OUTPUT DROP policy from
# step 3 only takes effect again if this rule is flushed (e.g. `iptables -F`).
iptables -A OUTPUT -j ACCEPT
6、保存配置
# Step 6: persist the running rule set so it survives a reboot or service
# restart (the `service` interface used before the CentOS 7+ / firewalld setup
# described further down). The saved rules are the file edited in step 7.
service iptables save
7、修改配置文件
# Step 7: edit the persisted rules directly. The second line below is not a
# shell command but an excerpt of the file in iptables-save format: it is the
# step-2 rule as written by `service iptables save` (`-m tcp` is added by the
# save tool and is equivalent to the original). Presumably this file is what
# the iptables service loads at start -- confirm for the target release.
vim /etc/sysconfig/iptables
-A INPUT -s 192.168.187.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
CentOS 7.0版本以上配置:
# firewalld inspection commands (CentOS 7+). Lines beginning with
# `[root@localhost ~]#` are a terminal transcript; the prompt is not part of the
# command.
systemctl status firewalld #show the state of the firewalld service.
[root@localhost ~]# firewall-cmd --list-all
#show the firewall rules (only the policy in /etc/firewalld/zones/public.xml is listed)
[root@localhost ~]# firewall-cmd --list-all-zones
#show the firewall rules (all policies under /etc/firewalld/zones/ are listed)
[root@localhost ~]# firewall-cmd --reload
#reload the configuration files. This re-reads the permanent (on-disk) configuration;
#runtime-only changes made without --permanent are discarded.
firewalld 切換至iptables方法:
# Switch from firewalld back to the classic iptables service.
# NOTE(review): firewalld removes its rules when it stops, so between the stop
# below and `systemctl start iptables` the host is unfiltered. Make sure the
# rule files the iptables/ip6tables services load already hold the intended
# rules before running this, and run it from the console or from a session the
# new rules permit. Disabling firewalld is required so that two managers do not
# both program the tables at boot. `systemctl start iptables` presumably needs
# the iptables service unit installed -- confirm on the target host.
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl enable iptables
systemctl start ip6tables #also start/enable this if IPv6 is in use.
systemctl enable ip6tables
配置文件範本:
<?xml version="1.0" encoding="utf-8"?>
<!-- firewalld zone template (public zone). Port 22 is not opened zone-wide:
     the ssh service entry below is commented out, so SSH is reachable only
     from the sources named in the rich rules, each of which pairs exactly one
     source address/network with one tcp port and accepts it. -->
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<!-- Disabling the ssh service does not block port 22 outright; it only removes
     the zone-wide allow, leaving the source-restricted rich rules below. -->
<!-- service name="ssh"/ --> #把所有的22端口都禁止掉了。
<!-- The only service opened to every source in this zone. -->
<service name="dhcpv6-client"/>
<!-- tcp/22 allow list: one rich rule per management host or network. -->
<rule family="ipv4">
<source address="192.168.127.19"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.10.32"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.10.33"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.100.100.0/24"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<!-- tcp/10050 from a single host -- presumably a monitoring agent port;
     confirm that the source is the intended monitoring server. -->
<rule family="ipv4">
<source address="192.168.122.18"/>
<port protocol="tcp" port="10050"/>
<accept/>
</rule>
<!-- The following tcp/22 sources are public (non-RFC1918) addresses; each
     should be a known, fixed management egress address. -->
<rule family="ipv4">
<source address="101.71.246.196"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="115.236.173.94"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="211.140.31.50"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="218.108.21.122"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="60.192.70.89"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.150.155"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
<!-- NOTE(review): 192.168.150.11/24 and 192.168.150.12/24 denote the same
     network, 192.168.150.0/24 (host bits are not significant in a prefix), so
     the next two rules are duplicates and open tcp/80 to the entire /24. If
     single hosts were intended, write them as /32 like the 10.100.61.45/32
     rule further down. -->
<rule family="ipv4">
<source address="192.168.150.11/24"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="192.168.150.12/24"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.100.61.45/32"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
<!-- Same network as the tcp/22 rule above; it is granted tcp/80 as well. -->
<rule family="ipv4">
<source address="10.100.100.0/24"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
</zone>