Half a PostgreSQL DBA, keen on database-related technology. My slide decks: https://pan.baidu.com/s/1eRQsdAa https://github.com/chenhuajun https://chenhuajun.github.io
Category: LINUX
2016-08-14 22:44:27
By default only the ssh port 22 is open; services listening on any other port are blocked.

[root@node1 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
These settings are stored in /etc/sysconfig/iptables:

vi /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Explanation:
(The following explanation was taken from the web; the original source is uncertain.)

:INPUT ACCEPT [0:0]    # the default policy of the INPUT chain is ACCEPT
:FORWARD ACCEPT [0:0]  # the default policy of the FORWARD chain is ACCEPT
:OUTPUT ACCEPT [0:0]   # the default policy of the OUTPUT chain is ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only allow incoming packets that are replies to packets we ourselves just sent out. ESTABLISHED: the connection is already established. RELATED: the packet is related to a packet sent by this host.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# These two lines reject, in the INPUT and FORWARD chains, every other packet that matches none of the rules above, and send a "host prohibited" message back to the rejected host.
Opening port 3306 in addition:

[root@node1 ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
[root@node1 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
In fact this setting does not take effect, because rule order matters: the "reject-with icmp-host-prohibited" rule comes first, so it rejects connections to 3306 before the later rule is ever reached. The rule therefore has to be added with -I, which inserts it at the head of the INPUT chain (-A appends at the tail):
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
The new setting only takes effect in memory; unless /etc/sysconfig/iptables is updated, the default settings come back after a reboot.
Save the settings as follows to make them permanent:

[root@node1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@node1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Aug  7 04:09:18 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:4844]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Aug  7 04:09:18 2016
iptables does not check for duplicates: if the following command is run twice, the ruleset will contain two identical entries.

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
[root@node1 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Redundant rules can be removed with -D; it likewise removes only one rule per call, and reports an error when no matching rule exists.

[root@node1 ~]# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
[root@node1 ~]# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
[root@node1 ~]# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
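Both pitfalls shown above, an ACCEPT rule appended behind the catch-all REJECT so it can never match, and the same rule added twice, are easy to catch by auditing the saved ruleset before a reboot. The script below is an added example, not part of the original post; it reads text in the /etc/sysconfig/iptables (iptables-save) format and reports shadowed and duplicate rules, using a constructed ruleset that mirrors the post's "-A twice" state. The rule numbers it reports correspond to the num column of service iptables status.

```python
import shlex
from collections import defaultdict

# Constructed sample: the post's INPUT chain after the 3306 rule was appended
# with -A (twice) instead of being inserted at the head of the chain with -I.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCHERS = {"-p", "-s", "-d", "-i", "-o", "-m", "--dport", "--sport"}

def parse_rules(text):
    """Return {chain: [rule tokens, ...]} in file order (the order -A built)."""
    chains = defaultdict(list)
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 2 and toks[0] == "-A":
            chains[toks[1]].append(toks[2:])
    return chains

def is_catch_all(rule):
    """True for a terminating rule with no match criteria, like the post's
    "-j REJECT --reject-with icmp-host-prohibited": nothing after it can match."""
    if "-j" not in rule or rule.index("-j") + 1 >= len(rule):
        return False
    return rule[rule.index("-j") + 1] in TERMINAL and not MATCHERS & set(rule)

def audit(text):
    """Return (shadowed, duplicates) as lists of (chain, 1-based rule number),
    numbered the same way 'service iptables status' prints them."""
    shadowed, duplicates = [], []
    for chain, rules in parse_rules(text).items():
        seen, blocked = set(), False
        for num, rule in enumerate(rules, 1):
            if tuple(rule) in seen:
                duplicates.append((chain, num))
            seen.add(tuple(rule))
            if blocked:
                shadowed.append((chain, num))
            elif is_catch_all(rule):
                blocked = True
    return shadowed, duplicates
```

Run it against the real file with audit(open("/etc/sysconfig/iptables").read()) after service iptables save; an empty result means every rule is reachable and unique.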