iptables:
搭建web服务,设置任何人能够通过80端口访问。
[root@localhost ~]# systemctl stop firewalld #关闭防火墙
[root@localhost ~]# systemctl start iptables #启用iptables
[root@localhost ~]# systemctl restart httpd #启用httpd
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT #设置80端口允许所有IP通过
[root@localhost ~]# iptables -vnL --line-numbers #查看链条
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 61 3980 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT 35 packets, 2786 bytes)
num pkts bytes target prot opt in out source destination
[root@localhost ~]#
禁止所有人ssh远程登录该服务器
[root@localhost]# iptables -I INPUT -p tcp --dport 22 -j REJECT
[root@localhost]# iptables -nvL --line-numbers
可以看见端口被禁用,无法连接
禁止某个主机地址ssh远程登录该服务器,允许该主机访问服务器的web服务。服务器地址为172.24.8.128
[root@localhost ~]# iptables -I INPUT -p tcp -s 192.168.48.138 --dport 22 -j REJECT
[root@localhost ~]# iptables -I INPUT -p tcp -s 192.168.48.138 --dport 80 -j ACCEPT[root@localhost ~]# ssh 192.168.48.128
ssh: connect to host 192.168.48.128 port 22: Connection refused
[root@localhost ~]# curl 192.168.48.128
hello
[root@localhost ~]#
firewalld
禁止某个ip地址进行ssh访问
添加富规则
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.48.138" service name="ssh" reject'
success
[root@localhost ~]# firewall-cmd --reload
success
删除富规则
[root@localhost ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.48.138" service name="ssh" reject'
success
[root@localhost ~]# firewall-cmd --reload
success
配置端口转发(在172.24.8.0网段的主机访问该服务器的5423端口将被转发到80端口)
此规则将本机80端口转发到192.168.1.1的8080端口
这样就编辑完成了