Created
September 28, 2014 05:23
-
-
Save Wind4/73de1f141c8a1c007554 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IPT="/sbin/iptables" | |
| $IPT -delete-chain | |
| $IPT -flush | |
| $IPT -P INPUT DROP #1 | |
| $IPT -P FORWARD DROP #1 | |
| $IPT -P OUTPUT DROP #1 | |
| $IPT -A INPUT -m state -state RELATED,ESTABLISHED -j ACCEPT #2 | |
| $IPT -A INPUT -p tcp -m tcp -dport 80 -j ACCEPT #3 | |
| $IPT -A INPUT -p tcp -m tcp -dport 22 -j ACCEPT #3 | |
| $IPT -A INPUT -p tcp -m tcp -dport 21 -j ACCEPT #3 | |
| $IPT -A INPUT -p tcp -m tcp -dport 873 -j ACCEPT #3 | |
| $IPT -A INPUT -i lo -j ACCEPT #4 | |
| $IPT -A INPUT -p icmp -m icmp -icmp-type 8 -j ACCEPT #5 | |
| $IPT -A INPUT -p icmp -m icmp -icmp-type 11 -j ACCEPT #5 | |
| $IPT -A OUTPUT -m state -state RELATED,ESTABLISHED -j ACCEPT #6 | |
| $IPT -A OUTPUT -p udp -m udp -dport 53 -j ACCEPT #7 | |
| $IPT -A OUTPUT -o lo -j ACCEPT #4 | |
| $IPT -A OUTPUT -p tcp -m tcp -dport 80 -j ACCEPT #8 | |
| $IPT -A OUTPUT -p tcp -m tcp -dport 25 -j ACCEPT #9 | |
| $IPT -A OUTPUT -p icmp -m icmp -icmp-type 8 -j ACCEPT #10 | |
| $IPT -A OUTPUT -p icmp -m icmp -icmp-type 11 -j ACCEPT #10 | |
| service iptables save | |
| service iptables restart | |
| #1、设置INPUT,FORWARD,OUTPUT链默认target为DROP,也就是外部与服务器不能通信。 | |
| #2、设置当连接状态为RELATED和ESTABLISHED时,允许数据进入服务器。 | |
| #3、设置外部客户端连接服务器端口80,22,21,873。 | |
| #4、允许内部数据循回。 | |
| #5、允许外部ping服务器 。 | |
| #6、设置状态为RELATED和ESTABLISHED的数据可以从服务器发送到外部。 | |
| #7、允许服务器使用外部dns解析域名。 | |
| #8、设置服务器连接外部服务器端口80。 | |
| #9、允许服务器发送邮件。 | |
| #10、允许从服务器ping外部 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment