使用Linux內建防火牆實現如下8個要求:
1. reject all ftp packets from external networks, but still allow internal ftp.2. allow ssh remote connections but deny telnet.3. deny ping.4. reject all traffic coming to port 21 and 80.5. reject all traffic coming to all UDP ports (see if you can block all of them, if youcannot then try to block some UDP ports).6. block all email coming in and out of your network. Internal email is allowed.7. block all traffic from two particular networks. You can pick any two networks you like.8. allow traffic coming to a particular port but reject traffic coming out through that port.
配置執行個體:
iptabls規則是從上往下應用,當找到能通過的規則,不管下面是否有規則衝突,也一樣通過eth0 串連內部網路的網卡eth1 串連外部網路的網卡lo 本地環路
1,丟棄所有來自外網的ftp包,內網例外iptables -A -i lo -j ACCEPT(允許本機內部所有網路通訊,必須的)iptables -A -i eht0 -p tcp --dport 21 -j ACCEPT(在本機開放21連接埠,即ftp控制連接埠)iptables -A -i eth0 -p tcp --dport 20 -j ACCEPT(在本機開放20連接埠,即ftp傳輸連接埠)iptables -A -i eth1 -j DROP(禁止所有資料包通過){禁止外部ftp}
2,允許ssh禁止telnetiptables -A -i lo -j ACCEPT(允許本機內部所有網路通訊,必須的)iptables -A -i eth0 -p tcp --dport 22 -j ACCEPTiptables -A -i eth1 -p tcp --dport 22 -j ACCEPT(在本機開放22連接埠,即ssh服務連接埠)iptables -A -i eth1 -p tcp --dport 23 -j DROP(在本機關閉23連接埠,即telnet服務連接埠)或者用iptables -A -i eth0 -j DROP
3,禁止使用ping命令,ping本機iptables -A -p icmp --icmp-type 8 -s 0/0 -j DROP(0/0所有網路)iptables -A -p icmp --icmp-type 0 -s 0/0 -j ACCEPTiptables -A OUTPUT -p icmp --icmp-type 0 -s 192.168.29.1(本機ip) -j DROPiptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.29.1 -j ACCEPT這樣的配置是你能ping別人,別人不能ping你
4,禁止訪問21連接埠(ftp)和80連接埠(web)iptables -A -i eth1 -p tcp --dprot 21 -j DROPiptables -A -i eth0 -p tcp --dprot 21 -j DROPiptables -A -i eth1 -p tcp --dprot 80 -j DROPiptables -A -i eth0 -p tcp --dprot 80 -j DROP
5,禁止所有udp連接埠iptables -A -i eth0 -p udp -j DROPiptables -A -i eth1 -p udp -j DROP
6,禁止外部郵件通訊,內部允許(禁止pop3,110和smtp,25) iptables -A -i eth0 -p tcp --dprot 25 -j ACCEPTiptables -A -i eth0 -p tcp --dprot 110 -j ACCEPTiptables -A OUTPUT -i eth1 -p tcp --sprot 25 -j DROPiptables -A OUTPUT -i eth1 -p tcp --sprot 110 -j DROP
7,禁止2個特定網路訪問本機iptables -A -i eth1 -s 192.168.1.0/24 -j DROPiptables -A -i eth1 -s 172.16.0.0/16 -j DROP
8,允許從特的連接埠進入,但禁止對外iptables -A -i eht1 --dport [連接埠號碼] -j ACCEPTiptables -A OUTPUT -i eht1 --dport [連接埠號碼] -j DROP
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
