iptables notes

Start the service:
    /etc/init.d/iptables start

Stop the service:
    /etc/init.d/iptables stop

To keep the service from starting at boot, disable it with chkconfig:
    chkconfig iptables off

List the current rules:
    iptables -L

Save the rules:
    iptables-save > /etc/sysconfig/iptables

Restore the rules:
    iptables-restore < /etc/sysconfig/iptables

Block all inbound and outbound traffic for 123.456.789.0-123.456.789.255 (the range is a placeholder as written in the original; octets above 255 are not a valid IPv4 address, so substitute the real network):
    iptables -t filter -A INPUT -s 123.456.789.0/24 -j DROP
    iptables -t filter -A OUTPUT -d 123.456.789.0/24 -j DROP

Delete a rule (same syntax as when it was added, with -D instead of -A):
    iptables -t filter -D OUTPUT -d 123.456.789.0/24 -j DROP

Block inbound traffic from an IP range:
    iptables -I INPUT -s 211.0.0.0/8 -j DROP

    iptables -I INPUT -s 211.1.0.0/16 -j DROP
    iptables -I INPUT -s 211.2.0.0/16 -j DROP
    iptables -I INPUT -s 211.3.0.0/16 -j DROP

    iptables -I INPUT -s 61.37.80.0/24 -j DROP
    iptables -I INPUT -s 61.37.81.0/24 -j DROP

Default policies:
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

Accept all SSH connections:
    iptables -A INPUT -p tcp -m tcp -s 0/0 --dport 22 -j ACCEPT

Manage FTP connections:
    iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp -s 127.0.0.1/8 -d 0/0 --destination-port 20 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 127.0.0.1/8 -d 0/0 --destination-port 21 --syn -j ACCEPT

Monitor SNMP:
    iptables -A INPUT -p udp -m udp --dport 161 -j ACCEPT
    iptables -A INPUT -p udp -m udp --sport 1023:2999 -j ACCEPT

Manage POP mail:
    iptables -A INPUT -p tcp -m tcp --dport 110 --syn -j ACCEPT

HTTPS service:
    iptables -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

SMTP connections:
    iptables -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT

Manage HTTP:
    iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT

Manage the MySQL database:
    iptables -A INPUT -p tcp -m tcp --dport 3306 --syn -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 3306 -j ACCEPT

IMAP mail service:
    iptables -A INPUT -p tcp -m tcp --dport 143 --syn -j ACCEPT

Manage DNS service:
    iptables -A INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -m udp -s 0/0 -d 0/0 --sport 53 -j ACCEPT

Allow local loopback connections:
    iptables -A INPUT -i lo -j ACCEPT

Reject all other new requests (append these after the per-service rules above, since rules are evaluated in order):
    iptables -A INPUT -p tcp -m tcp --syn -j REJECT
    iptables -A INPUT -p udp -m udp -j REJECT

Mitigate SYN floods (this rule accepts at most 5 new TCP connections per second; SYNs above the limit fall through to the rules that follow it):
    iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT

Block a malicious host (e.g. 192.168.0.8):
    iptables -A INPUT -p tcp -m tcp -s 192.168.0.8 -j DROP

Log packets for firewall inspection (LOG is a non-terminating target, so the packet continues to the next rule):
    iptables -A INPUT -j LOG --log-level alert
    iptables -A INPUT -j LOG --log-prefix "Dropped: "

Set up NAT (masquerade 192.168.1.0/24 behind eth0):
    iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
    iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Flush all rules (filter, nat and mangle tables, then delete user-defined chains):
    iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
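The rules above only work as a whole when appended in the right order, so here is an added example (not from the original post) that assembles the post's service ports, SYN rate limit and logging into one iptables-restore ruleset. The SYNCHECK chain, the variable names and the default-DROP INPUT policy are this example's own choices, not the post's.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset from the post's services in a
# working order: loopback, established/related, blocked nets, SYN rate limit,
# per-service accepts, logging, reject. SYNCHECK chain and variables are assumed.
set -eu

TCP_PORTS="${TCP_PORTS:-22 21 25 80 110 143 443 3306}"  # post's TCP services
UDP_PORTS="${UDP_PORTS:-53 161}"                         # DNS, SNMP
BLOCKED_NETS="${BLOCKED_NETS:-}"   # e.g. "61.37.80.0/24 61.37.81.0/24"
LOG_PREFIX="${LOG_PREFIX:-Dropped: }"

# Print the ruleset in iptables-save format on stdout.
build_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':SYNCHECK - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for net in $BLOCKED_NETS; do
        echo "-A INPUT -s $net -j DROP"
    done
    # New TCP connections go through SYNCHECK first: within the limit they
    # RETURN to INPUT for the port checks, beyond it they are dropped.
    echo '-A INPUT -p tcp --syn -j SYNCHECK'
    echo '-A SYNCHECK -m limit --limit 5/second --limit-burst 10 -j RETURN'
    echo '-A SYNCHECK -j DROP'
    for p in $TCP_PORTS; do
        echo "-A INPUT -p tcp -m tcp --dport $p --syn -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -p udp -m udp --dport $p -j ACCEPT"
    done
    # Log what is about to be rejected, rate-limited so the log cannot be flooded.
    echo "-A INPUT -m limit --limit 3/minute -j LOG --log-prefix \"$LOG_PREFIX\" --log-level alert"
    echo '-A INPUT -p tcp -m tcp --syn -j REJECT'
    echo '-A INPUT -p udp -m udp -j REJECT'
    echo 'COMMIT'
}

# Number of -A rules emitted; a quick sanity check before applying.
rule_count() { build_rules | grep -c '^-A'; }

# Apply atomically (needs root); save a backup with iptables-save first.
apply_rules() { build_rules | iptables-restore; }

if [ "${1:-}" = "--apply" ]; then apply_rules; else build_rules; fi
```

Run it without arguments to review the generated ruleset; run it with --apply as root to load it.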

http://bbs.chinaunix.net/thread-216752-1-1.html

Posted in Linux commands, Technology.
