C/C++ Linux server development / backend architect [零声教育] - video course - 腾讯课堂
Scenario example 1
1. Employees inside the company (10.0.0.0/24, 10.8.0.0/24) can access any service on the server
2. When employees are travelling, they connect to the company over VPN and can likewise access any internal service
3. The company has a portal website that must allow public Internet users to access http 80/tcp and https 443/tcp
Configuration approach:
1. Allow local lo (loopback) access
2. Allow the 10.0.0.0/24 and 10.8.0.0/24 subnets to access any service
3. Allow hosts on other subnets to access 80 and 443
4. Allow packets belonging to established connections through (ESTABLISHED)
5. Drop all packets that are not explicitly allowed
[root]# iptables -F
[root]# iptables -I INPUT -i lo -j ACCEPT
[root]# iptables -A INPUT -s 10.0.0.0/24,10.8.0.0/24 -j ACCEPT
[root]# iptables -A INPUT -m state --state "ESTABLISHED" -j ACCEPT
[root]# iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
[root]# iptables -A INPUT -j DROP
root@kaka-virtual-machine:/home/kaka# iptables -t filter -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- * * 10.0.0.0/24 0.0.0.0/0
3 0 0 ACCEPT all -- * * 10.8.0.0/24 0.0.0.0/0
4 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Scenario example 2
1. Open this host's tcp ports (80, 22, 8080-9090) to all addresses
2. Allow access to this host over ICMP from all addresses
3. Deny access to all other ports that are not allowed
Implementation approach:
1. First allow the ports and protocols
2. Then configure the deny rules
# INPUT
[root]# iptables -F
[root]# iptables -I INPUT -p tcp -m multiport --dports 22,80,8080:9090 -m state --state NEW,ESTABLISHED -j ACCEPT
[root]# iptables -I INPUT -p icmp -j ACCEPT
[root]# iptables -I INPUT -i lo -j ACCEPT
[root]# iptables -A INPUT -j DROP
# OUTPUT
[root]# iptables -I OUTPUT -p tcp -m multiport --sport 80,22,8080:9090 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root]# iptables -I OUTPUT -p icmp -j ACCEPT
[root]# iptables -A OUTPUT -j DROP
root@kaka-virtual-machine:/home/kaka# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,80,8080:9090 state NEW,ESTABLISHED
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 80,22,8080:9090 state RELATED,ESTABLISHED
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
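As an added example (not part of the course material), a Python audit that parses the `iptables -L -n -v --line-numbers` listings shown in both scenarios and checks the INPUT chain for the ordering mistakes that matter here: a missing catch-all DROP, an ESTABLISHED or loopback accept placed after it, and ACCEPT rules left unreachable behind the DROP. Python rather than the shell so it runs offline against a captured listing; the sample listing is the scenario 1 INPUT chain, embedded as a constructed string.

```python
import re

# Constructed sample: the scenario 1 INPUT chain as printed by `iptables -L -n -v --line-numbers`.
SAMPLE = """Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- * * 10.0.0.0/24 0.0.0.0/0
3 0 0 ACCEPT all -- * * 10.8.0.0/24 0.0.0.0/0
4 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
"""

def parse_chains(listing):
    """Parse `-L -n -v --line-numbers` output into {chain: {"policy": str, "rules": [dict]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        if current is None or not f or not f[0].isdigit():
            continue  # column header or blank line
        # Columns: num pkts bytes target prot opt in out source destination [match options]
        current["rules"].append({"num": int(f[0]), "target": f[3], "proto": f[4],
                                 "in": f[6], "src": f[8], "extra": " ".join(f[10:])})
    return chains

def is_catch_all_drop(r):
    return r["target"] == "DROP" and r["proto"] == "all" and r["src"] == "0.0.0.0/0" and not r["extra"]

def audit_input(chains):
    """Return a list of problems; an empty list means the INPUT chain has the shape the scenarios intend."""
    chain = chains["INPUT"]
    rules, problems = chain["rules"], []
    drop = next((i for i, r in enumerate(rules) if is_catch_all_drop(r)), None)
    before_drop = rules[:drop]  # rules[:None] is the whole list when there is no DROP
    if drop is None and chain["policy"] != "DROP":
        problems.append("no catch-all DROP and policy is not DROP: unlisted ports stay reachable")
    if not any(r["target"] == "ACCEPT" and "ESTABLISHED" in r["extra"] for r in before_drop):
        problems.append("no ESTABLISHED accept before the DROP: replies to the host's own connections are dropped")
    if not any(r["target"] == "ACCEPT" and r["in"] == "lo" for r in before_drop):
        problems.append("loopback not accepted before the DROP: local services talking to 127.0.0.1 break")
    if drop is not None and any(r["target"] == "ACCEPT" for r in rules[drop + 1:]):
        problems.append("ACCEPT rules after the catch-all DROP are unreachable")
    return problems
```

Note that scenario 2's OUTPUT chain also ends in DROP and only accepts ESTABLISHED/RELATED traffic from the listed source ports, so while that ruleset is loaded the host itself cannot open new outbound connections (DNS lookups, package updates).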