9. CentOS project instance: firewall port configuration

1. Firewall Configuration

1.1. zzsrv1


First, analyze the role of zzsrv1: it is the primary DNS server, the web server, the DHCP server and the time (NTP) server.

We decided not to restrict outbound traffic and to filter inbound traffic only, similar to the Windows XP firewall.


View the current configuration:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



Write the following configuration into a script file and execute it:

# vi /root/myfw.sh

#!/bin/sh
# Clear all: open the policies first so that flushing cannot lock us out, then flush the rules
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

# Accept packets belonging to connections this host already has (added first, before the DROP policy applies)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the SSH port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow external hosts to access the web service on the server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow external access to the DNS service on the server
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

# Allow external access to the NTP service on the server
iptables -A INPUT -p udp --dport 123 -j ACCEPT

# Allow external access to the FTP service on the server (active and passive)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# DHCP server
iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Default policies: drop any inbound or forwarded packet that no rule above accepted
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP



# chmod +x /root/myfw.sh
# /root/myfw.sh
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Scan the TCP ports from a client:

C:\> nmap -sS -T5 192.168.188.11

Starting Nmap 6.46 ( http://nmap.org ) at China Standard Time
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.00069s latency).
Not shown: 996 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
MAC Address: 00:0C:29:A4:2E:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds

Scan the UDP ports:

C:\> nmap -sU -T5 192.168.188.11

Starting Nmap 6.46 ( http://nmap.org ) at China Standard Time
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.0010s latency).
Not shown: 998 open|filtered ports
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
MAC Address: 00:0C:29:A4:2E:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds
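The two scans above verify the ruleset by eye. The following POSIX shell script is an added example (not part of the original post) that automates the cross-check: it parses `iptables -S INPUT` output and nmap port lines, both embedded here as constructed samples mirroring the article's ruleset and scan results, and reports ports open in the scan that no rule admits, and rules whose ports the scan did not find open.

```shell
# Added example, not from the original post: cross-check the ports a ruleset admits
# against what nmap found open, using constructed samples of both outputs.
# Constructed `iptables -S INPUT` output that mirrors the article's ruleset.
RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT'
# Constructed nmap port lines, the article's TCP and UDP scan results combined.
SCAN='21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
53/udp open domain
123/udp open ntp'

# Ports a rule opens to NEW connections, printed as port/proto. A rule that only
# matches ESTABLISHED traffic (the port-20 rule) opens nothing and is skipped;
# port ranges such as 67:68 are expanded.
allowed_ports() {
  printf '%s\n' "$RULES" | awk '
    /-j ACCEPT/ && /--dport/ && (!/--state/ || /NEW/) {
      for (i = 1; i <= NF; i++) { if ($i == "-p") pr = $(i+1); if ($i == "--dport") dp = $(i+1) }
      n = split(dp, r, ":"); hi = (n > 1) ? r[2] : r[1]
      for (p = r[1]; p <= hi; p++) print p "/" pr
    }'
}
# Ports nmap reported as plainly "open" (open|filtered is not counted) in the scan text $1.
open_ports() { printf '%s\n' "$1" | awk '$2 == "open" { print $1 }'; }
# Lines of list $1 that do not occur in list $2.
missing_from() {
  printf '%s\n' "$1" | while read -r p; do
    [ -z "$p" ] && continue
    printf '%s\n' "$2" | grep -qxF "$p" || echo "$p"
  done
}
# Open in the scan but admitted by no rule: a listener the policy did not anticipate.
unexpected_open() { missing_from "$(open_ports "$1")" "$(allowed_ports)"; }
# Admitted by a rule but not seen open: service down, or a UDP port that did not answer.
allowed_not_open() { missing_from "$(allowed_ports)" "$(open_ports "$1")"; }

echo "open but admitted by no rule:"; unexpected_open "$SCAN"
echo "admitted but not seen open:";   allowed_not_open "$SCAN"
```

On the real host, replace the two constructed strings with `$(iptables -S INPUT)` and the port lines of the saved nmap reports; the DHCP ports 67 and 68 appear in the second list only because UDP scans cannot see them as open.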



Tip: during the experiment, you can run the following commands to clear all the rules and start again from scratch.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F




RHEL 7 (CentOS 7) uses the new firewalld service instead of iptables, so the rules above are not loaded again at boot on their own. In this experiment the problem is solved by running the script at startup:

# vi /etc/rc.local

Add the following line at the end:

/root/myfw.sh

On CentOS 7, /etc/rc.local is a symlink to /etc/rc.d/rc.local, which must be made executable (chmod +x /etc/rc.d/rc.local) before systemd will run it at boot.


This article is from the "Liu Qiong @ Tiandao reward diligence" blog; please keep this source when reposting: http://lqiong.blog.51cto.com/8170814/1559079
