本文共 2769 字,大约阅读时间需要 9 分钟。
iptables 和 SELinux 是Red Hat/ CentOS 的两个很有力的工具,如果配置的好就能起到对服务器进一步的保护作用,但是如果配置的不好往往会遭到管理员的抛弃。总有“老人”提醒我别开iptables和SELinux,但是我觉得既然开发出来还是可以加以利用的。
但是值得注意的是尽管iptables防火墙的功能很强大,但是有一个硬件防火墙还是很必要的。
因为有了其他设备,因此我既用不到转发也不用网络地址转换(NAT),我只要把握好让那些数据流可以进入哪些不能进入就行了。不过我不太清楚ROS(Router Operating System,软路由操作系统)是不是也有这个机制。
关于iptables的用法和注意事项,网上各大论坛和IT网站都进行了热烈的讨论和文章展示。在此就不赘述了!
- [root@localhost ~]# service iptables status
- Table: nat
- Chain PREROUTING (policy ACCEPT)
- num target prot opt source destination
-
- Chain POSTROUTING (policy ACCEPT)
- num target prot opt source destination
-
- Chain OUTPUT (policy ACCEPT)
- num target prot opt source destination
-
- Table: mangle
- Chain PREROUTING (policy ACCEPT)
- num target prot opt source destination
-
- Chain INPUT (policy ACCEPT)
- num target prot opt source destination
-
- Chain FORWARD (policy ACCEPT)
- num target prot opt source destination
-
- Chain OUTPUT (policy ACCEPT)
- num target prot opt source destination
-
- Chain POSTROUTING (policy ACCEPT)
- num target prot opt source destination
-
- Table: filter
- Chain INPUT (policy ACCEPT)
- num target prot opt source destination
- 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
- 2 ACCEPT udp -- 10.0.0.0/8 0.0.0.0/0 udp dpt:53
- 3 ACCEPT tcp -- 10.0.0.0/8 0.0.0.0/0 tcp dpt:443
- 4 ACCEPT tcp -- 10.0.0.0/8 0.0.0.0/0 tcp dpt:80
-
- Chain FORWARD (policy ACCEPT)
- num target prot opt source destination
- 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
-
- Chain OUTPUT (policy ACCEPT)
- num target prot opt source destination
-
- Chain RH-Firewall-1-INPUT (2 references)
- num target prot opt source destination
- 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
- 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
- 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
- 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
- 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8006
- 6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8007
- 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8008
- 8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
- 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
- 10 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:111
- 11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:111
- 12 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:892
- 13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:892
- 14 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:875
- 15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:875
- 16 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:662
- 17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:662
- 18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
- 19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:32803
- 20 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:32769
- 21 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
-
- [root@localhost ~]#
转载地址:http://tyuto.baihongyu.com/