1. Firewall Configuration

1.1. zzsrv1
First, analyze the role of zzsrv1: it is the primary DNS server, web server, DHCP server and time (NTP) server.
We decided not to impose outbound restrictions, only inbound restrictions, similar to XP.
View the current configuration:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Write the following configuration into a script file and execute it:
# vi /root/myfw.sh
#!/bin/bash
# Clear everything: reset the policies to ACCEPT first so the flush cannot lock us out
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
# Accept replies to connections the server itself initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the SSH port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow external hosts to access the web service on the server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow external access to the DNS service on the server
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# Allow external access to the NTP service on the server
iptables -A INPUT -p udp --dport 123 -j ACCEPT
# Allow external access to the FTP service on the server (active and passive mode)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP server
iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
# Default policies: drop everything not explicitly allowed above
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# chmod +x /root/myfw.sh
# /root/myfw.sh
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Scan the TCP ports:
C:\> nmap -sS -T5 192.168.188.11
Starting Nmap 6.46 ( http://nmap.org ) at China Standard Time
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.00069s latency).
Not shown: 996 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
MAC Address: 00:0C:29:A4:2E:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
Scan the UDP ports:
C:\> nmap -sU -T5 192.168.188.11
Starting Nmap 6.46 ( http://nmap.org ) at China Standard Time
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.0010s latency).
Not shown: 998 open|filtered ports
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
MAC Address: 00:0C:29:A4:2E:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds
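As an added check (not part of the original article), the following Python script parses an `iptables -L -n` INPUT listing like the one above, works out which ports a brand-new connection can reach, and compares that with the server role and with what the two nmap scans reported. The listing, the expected port set and the scan results are constructed from the article's output; the rule-ordering logic (an ESTABLISHED-only rule after the generic RELATED,ESTABLISHED rule is redundant) is standard iptables semantics.

```python
import re

# Constructed sample: the INPUT chain of the `iptables -L -n` listing shown above.
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
"""

# Ports the zzsrv1 role (SSH, web, DNS, NTP, FTP, DHCP) is meant to expose.
EXPECTED = {("tcp", 21), ("tcp", 22), ("tcp", 53), ("tcp", 80),
            ("udp", 53), ("udp", 67), ("udp", 68), ("udp", 123)}
# What the two nmap scans reported as open (DHCP is not seen: that rule also
# requires a source port of 67 or 68, which a scanner's probes do not use).
SCANNED = {("tcp", 21), ("tcp", 22), ("tcp", 53), ("tcp", 80), ("udp", 53), ("udp", 123)}

def parse_input_chain(listing):
    """Return (exposed, redundant): (proto, port) pairs a NEW packet can reach, and
    ACCEPT rules matching only ESTABLISHED/RELATED, already covered by the first rule."""
    exposed, redundant = set(), []
    for line in listing.splitlines():
        parts = line.split(None, 5)          # target, prot, opt, src, dst, match text
        if not parts or parts[0] != "ACCEPT":
            continue
        proto, match = parts[1], parts[5] if len(parts) > 5 else ""
        states = re.search(r"state (\S+)", match)
        if states and "NEW" not in states.group(1):
            if proto != "all":               # the generic all-protocol rule is the baseline
                redundant.append(match)
            continue
        m = re.search(r"dpts?:(\d+)(?::(\d+))?", match)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            exposed |= {(proto, p) for p in range(lo, hi + 1)}
    return exposed, redundant

def audit(listing, expected=EXPECTED, scanned=SCANNED):
    """Compare the rule set with the intended services and with the scan results."""
    exposed, redundant = parse_input_chain(listing)
    return {"unexpected": exposed - expected, "missing": expected - exposed,
            "unscanned": exposed - scanned, "redundant": redundant}
```

For the article's rule set, `audit(LISTING)` reports nothing unexpected or missing, lists udp 67 and 68 as allowed but not visible to the scan, and flags the two FTP data rules as redundant with the first RELATED,ESTABLISHED rule.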
Tip: during the experiment, you can run the following commands to clear all the rules and start from scratch.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
RHEL 7 (CentOS 7) uses the new firewalld instead of the iptables service. In this experiment, the script is run at startup to work around this.
# vi /etc/rc.local
Add the following line at the end:
/root/myfw.sh
This article is from the "Liu Qiong @ Tiandao reward diligence" blog; please be sure to keep this source: http://lqiong.blog.51cto.com/8170814/1559079