iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I INPUT -p tcp --sport 53 -j ACCEPT
iptables -t filter -P INPUT DROP
[root@jyoe ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:ftp-data:ftp state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:ftp-data:ftp state ESTABLISHED
iptables -t filter -A INPUT -p tcp --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 20:21 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I INPUT -p tcp --sport 53 -j ACCEPT
iptables -t filter -P INPUT DROP
[root@jyoe ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:ftp-data:ftp state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:ftp-data:ftp state ESTABLISHED
转载于:https://blog.51cto.com/pentaho/292214