標籤:防火牆 伺服器 policy source target
1. 防火牆配置1.1. ZZSRV1
首先,需要對ZZSRV1的角色進行分析。它是主DNS、網站、DHCP伺服器、時鐘伺服器。
我們決定不做出站限制,僅做入站限制,類似XP
查看當前配置
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
將以下配置寫入一個指令檔,執行
# vi /root/myfw.sh
# Clear All iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 配置開放SSH的連接埠。 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# 允許外部主機訪問伺服器上的web服務 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# 允許外部對本機訪問伺服器上DNS服務 iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# 允許外部對本機訪問伺服器上NTP服務 iptables -A INPUT -p udp --dport 123 -j ACCEPT
# 允許外部對本機訪問伺服器上fTP服務 (active and passive) iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP伺服器 iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
# 預設規則 iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP
|
# chmod +x /root/myfw.sh
# /root/myfw.sh
# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
掃描TCP連接埠
C:\>nmap -sS -T 5 192.168.188.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-12 20:20 中國標準時間
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.00069s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
MAC Address: 00:0C:29:A4:2E:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
掃描UDP連接埠
C:\>nmap -sU -T 5 192.168.188.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-12 20:21 中國標準時間
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.0010s latency).
Not shown: 998 open|filtered ports
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
MAC Address: 00:0C:29:A4:2E:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds
Tip: 做實驗的時候,可以使用以下命令來清除所有配置,從頭來做
iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F
|
RHEL 7(CetOS 7) 使用新的Firewalld來代替iptables。在本次實驗中,採用的在啟動時執行指令碼來解決
# vi /etc/rc.local
在最後添加如下內容:
/root/myfw.sh
本文出自 “劉瓊@天道酬勤” 部落格,請務必保留此出處http://lqiong.blog.51cto.com/8170814/1559079
CentOS項目執行個體之九--防火牆連接埠配置