Straight to the configuration. CentOS 6:
#!/bin/sh -e
#---------------------------------------------------------
# iptables settings
#---------------------------------------------------------
# Connection IP address
#---------------------Standard part-----------------------
# Stop iptables service first
#service iptables stop
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# Initial chains default policy
/sbin/iptables -F -t filter
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Enable native network transfer (loopback)
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept established connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP control: accept at most 1/s with a burst of 10; the excess falls through to the final REJECT
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# SSH service (x.x.x.x is the host's own address)
/sbin/iptables -A INPUT -d x.x.x.x -p tcp --dport 22 -j ACCEPT
#---------------------Custom part-------------------------
# HTTP service
/sbin/iptables -A INPUT -d x.x.x.x -p tcp --dport 80 -j ACCEPT
# Games service
#/sbin/iptables -A INPUT -p tcp --dport 8681:8683 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -m multiport --dport 8706,8708 -j ACCEPT
# Deny all other services
/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Persist the rules to /etc/sysconfig/iptables so they survive a reboot
service iptables save
On CentOS 7, firewalld has to be turned off first:
With RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. IMHO, firewalld is more suited for workstations than for server environments.
It is possible to go back to a more classic iptables setup. First, stop and mask the firewalld service:
systemctl disable firewalld
systemctl stop firewalld
systemctl mask firewalld
Then, install the iptables-services package:
yum install iptables-services
Enable the service at boot-time:
systemctl enable iptables
Managing the service
systemctl [stop|start|restart] iptables
Systemctl doesn't handle the save action the way "service iptables save" used to; call the init script directly instead:
/usr/libexec/iptables/iptables.init save
For Ubuntu systems:
#!/bin/sh -e
#---------------------------------------------------------
# iptables settings
#---------------------------------------------------------
# Connection IP address
#---------------------Standard part-----------------------
# Stop iptables service first
#service iptables stop
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
# Initial chains default policy
iptables -F -t filter
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Enable native network transfer (loopback)
iptables -A INPUT -i lo -j ACCEPT
# Accept established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP control: accept at most 1/s with a burst of 10; the excess falls through to the final REJECT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# SSH service
iptables -A INPUT -d 121.199.41.177 -p tcp --dport 22 -j ACCEPT
#---------------------Custom part-------------------------
# HTTP service
iptables -A INPUT -d 121.199.41.177 -p tcp --dport 80 -j ACCEPT
# Games service
#iptables -A INPUT -p tcp --dport 8681:8683 -j ACCEPT
#iptables -A INPUT -p tcp -m multiport --dport 8706,8708 -j ACCEPT
# Deny all other services
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Print the resulting ruleset for review
iptables-save
# Ubuntu has no "service iptables save"; dump the rules to a file and restore them
# at boot with iptables-restore (e.g. from /etc/network/if-pre-up.d or via iptables-persistent)
iptables-save > /etc/iptables.up.rules
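As an added example (not part of the original post), here is a small sh audit that checks an iptables-save dump against the baseline the CentOS 6 and Ubuntu scripts above establish: INPUT policy DROP, loopback and ESTABLISHED,RELATED accepted, every TCP port ACCEPT bound to the host address with -d, and an explicit REJECT as the last INPUT rule. The two dumps are constructed by hand; on a live host call check_ruleset "$(iptables-save)".

```shell
# Added example, not from the original post: audit an iptables-save dump against the
# baseline the scripts above set. Dumps are constructed; live use: check_ruleset "$(iptables-save)"

# Prints one FAIL line per violated check and returns 1; returns 0 when clean.
check_ruleset() {
    dump=$1
    rc=0
    # INPUT default policy must be DROP (-P INPUT DROP).
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' \
        || { echo "FAIL: INPUT policy is not DROP" >&2; rc=1; }
    # Loopback must be accepted, or local services break.
    printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "FAIL: loopback not accepted" >&2; rc=1; }
    # Replies need ESTABLISHED,RELATED (iptables-save may reorder the states).
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
        || { echo "FAIL: no ESTABLISHED,RELATED rule" >&2; rc=1; }
    # Every TCP port ACCEPT must be bound to the host address with -d, as the SSH and HTTP rules are.
    if printf '%s\n' "$dump" | grep -E -- '^-A INPUT .*-p tcp .*--dport [0-9:,]+ .*-j ACCEPT' \
        | grep -vq -- ' -d '; then
        echo "FAIL: TCP port ACCEPT without -d address" >&2; rc=1
    fi
    # The last INPUT rule must be the explicit REJECT, not a silent fall-through.
    last=$(printf '%s\n' "$dump" | grep -- '^-A INPUT ' | tail -n 1)
    case $last in
        *'-j REJECT --reject-with icmp-host-prohibited') ;;
        *) echo "FAIL: INPUT does not end with REJECT" >&2; rc=1 ;;
    esac
    return $rc
}
# Constructed dump mirroring the Ubuntu script above, in iptables-save form.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -d 121.199.41.177/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 121.199.41.177/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed dump with three mistakes: ACCEPT policy, SSH not bound with -d, no final REJECT.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
```

Running check_ruleset "$GOOD_DUMP" is silent and returns 0; check_ruleset "$BAD_DUMP" prints three FAIL lines and returns 1.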