1、配置说明
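# General form of a rule. Targets are case-sensitive: write DROP / ACCEPT / REJECT
# in upper case, otherwise iptables fails with "Couldn't load target `drop'".
iptables [-t table] -A/-I INPUT/OUTPUT -p tcp -s 192.168.19.0/24 --dport 22 -j DROP/ACCEPT/REJECT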
table 常见的有以下几种(不加 -t 时默认为 filter;此外还有 mangle、raw 等表)。
nat:包含 PREROUTING、OUTPUT、POSTROUTING 三条规则链,主要做源地址(SNAT)和目的地址(DNAT)转换工作。
filter:默认表(不指定 -t 时即为 filter),包含 INPUT、FORWARD、OUTPUT 三条规则链,负责包过滤。
-A : 在链尾追加一条规则
-I : 在链首插入一条规则(规则按顺序匹配,先匹配到的生效,因此 -I 插入的规则优先于已有规则;也可写成 -I INPUT 3 指定位置)
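# Flush every rule in the filter table (the default table when -t is omitted).
# Chain default policies are NOT reset by -F: if a policy is already DROP,
# flushing removes the ACCEPT rules and locks you out of the host. Reset the
# policies first when in doubt:
#   iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
iptables -F
# Flush only the rules of the nat table.
iptables -t nat -F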
2、开放允许的端口访问
# Allow SSH (TCP/22) only from the 192.168.187.0/24 network. The rule is
# inserted at the head of INPUT so it is evaluated before any existing rule.
iptables --insert INPUT --protocol tcp --source 192.168.187.0/24 --dport 22 --jump ACCEPT
3、将默认策略设为 DROP,关闭其他端口访问(注意顺序:应先完成第 4、5 步的放行规则再执行本步,否则 OUTPUT 变为 DROP 的瞬间当前 SSH 会话就会中断)
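# Accept packets that belong to connections this host already opened (DNS,
# yum, NTP, ...). Without this, an INPUT policy of DROP also drops the replies
# to every outbound connection, even though OUTPUT is allowed in step 5.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Keep replies of the current SSH session flowing out; otherwise the session
# freezes the moment the OUTPUT policy below becomes DROP (step 5 only runs later).
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Default policies: anything not explicitly accepted above is dropped.
# Set these LAST, after all ACCEPT rules (steps 2, 4 and 5) are in place.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP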
4、允许本地回环(loopback)流量,即本机对本机的访问(很多本地服务依赖它)
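# Accept everything arriving on the loopback interface. Matching on
# 127.0.0.1 alone is not enough: a local client that connects to one of the
# host's own LAN addresses (e.g. 192.168.187.x) is also delivered over lo,
# with that LAN address as source and destination, and would be dropped by
# the INPUT DROP policy. Matching the interface covers every local address.
iptables -A INPUT -i lo -j ACCEPT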
5、允许所有本机向外访问
# Permit all outbound traffic from this host. Because step 3 sets the OUTPUT
# policy to DROP, this blanket rule is what re-enables egress; a stricter
# setup would allow only ESTABLISHED,RELATED plus the destination ports needed.
iptables --append OUTPUT --jump ACCEPT
6、保存配置
# Persist the running rule set to /etc/sysconfig/iptables so the iptables
# service restores it at boot. NOTE(review): on CentOS 7 this wrapper exists
# only once the iptables-services package is installed (see the firewalld
# switch-over section below).
service iptables save
7、手动修改持久化的规则文件(修改后需重新加载规则才生效)
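# Edit the persisted rule file (the one `service iptables save` writes and the
# iptables service loads at boot). Edits take effect only after
# `iptables-restore < /etc/sysconfig/iptables` or a restart of the iptables service.
vim /etc/sysconfig/iptables
# Line to add inside the *filter section (before its COMMIT), in iptables-save syntax:
# -A INPUT -s 192.168.187.0/24 -p tcp -m tcp --dport 22 -j ACCEPT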
CentOS 7 及以上版本默认使用 firewalld,配置方法如下:
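# Show whether firewalld (the default firewall front end on CentOS 7+) is running.
systemctl status firewalld
# Show the active configuration of the default zone (public unless changed):
# services, ports, sources and rich rules currently in effect.
firewall-cmd --list-all
# Same, for every zone. Permanent zone files live under /etc/firewalld/zones/,
# the packaged defaults under /usr/lib/firewalld/zones/.
firewall-cmd --list-all-zones
# Re-read the permanent configuration into the runtime. Runtime-only changes
# (made without --permanent) are discarded by a reload.
firewall-cmd --reload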
firewalld 切换至 iptables 的方法(CentOS 7 需先安装 iptables-services 包;从停止 firewalld 到 iptables 服务加载规则之间主机没有任何过滤规则,建议在控制台操作并确保规则文件已放行自己的 SSH 来源):
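# CentOS 7 ships only firewalld; the iptables/ip6tables units come from the
# iptables-services package, so install it first or `systemctl start iptables` fails.
yum install -y iptables-services
# Make sure /etc/sysconfig/iptables already holds the rules you need: between
# firewalld stopping and iptables loading the host has no filtering at all, so
# do this from a console or with a rule file that still allows your SSH source.
systemctl stop firewalld
systemctl disable firewalld
# Optional: `systemctl mask firewalld` prevents another package from starting it again.
systemctl start iptables
systemctl enable iptables
# Also required when the host has IPv6 connectivity: iptables rules never apply to IPv6.
systemctl start ip6tables
systemctl enable ip6tables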
配置文件范本(以 /etc/firewalld/zones/public.xml 为例,修改后需执行 firewall-cmd --reload 才生效):
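<?xml version="1.0" encoding="utf-8"?>
<!--
  firewalld zone definition (e.g. /etc/firewalld/zones/public.xml).
  Each <rule> below is a rich rule: one source address or network is allowed to
  reach one TCP port. Traffic matching no rule falls through to the zone's
  default target and is rejected. Reload firewalld after editing this file.
-->
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <!-- The ssh service is intentionally NOT enabled: that would open port 22
       to every source. Port 22 is reachable only from the sources listed in
       the rich rules below. -->
  <service name="dhcpv6-client"/>
  <!-- SSH (TCP/22), one rule per allowed source host or network. -->
  <rule family="ipv4">
    <source address="192.168.127.19"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.10.32"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.10.33"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.100.100.0/24"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <!-- TCP/10050 from a single host (commonly a Zabbix agent port; confirm against the caller). -->
  <rule family="ipv4">
    <source address="192.168.122.18"/>
    <port protocol="tcp" port="10050"/>
    <accept/>
  </rule>
  <!-- SSH from public (Internet-routable) addresses: keep this list minimal and reviewed. -->
  <rule family="ipv4">
    <source address="101.71.246.196"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="115.236.173.94"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="211.140.31.50"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="218.108.21.122"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="60.192.70.89"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.150.155"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <!-- HTTP (TCP/80).
       NOTE(review): 192.168.150.11/24 and 192.168.150.12/24 both denote the
       whole 192.168.150.0/24 network (host bits are ignored), so the two
       rules are identical and open port 80 to the entire subnet. If only the
       two hosts were meant, use /32 (or omit the prefix length). -->
  <rule family="ipv4">
    <source address="192.168.150.11/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.150.12/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.100.61.45/32"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.100.100.0/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>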