首先,需要对ZZSRV1的角色进行分析。它是主DNS、网站、DHCP服务器、时钟服务器。
我们决定不做出站限制,仅做入站限制,类似XP
查看当前配置
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
将以下配置写入一个脚本文件,执行
# vi /root/myfw.sh
# Clear All iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # 配置开放SSH的端口。 iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow ping iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # 允许外部主机访问服务器上的web服务 iptables -A INPUT -p tcp --dport 80 -j ACCEPT # 允许外部对本机访问服务器上DNS服务 iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT # 允许外部对本机访问服务器上NTP服务 iptables -A INPUT -p udp --dport 123 -j ACCEPT # 允许外部对本机访问服务器上fTP服务 (active and passive) iptables -A INPUT -p tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # DHCP服务器 iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT # 默认规则 iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP |
# chmod +x /root/myfw.sh
# /root/myfw.sh
# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
扫描TCP端口
C:\>nmap -sS -T 5 192.168.188.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-12 20:20 中国标准时间
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.00069s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
MAC Address: 00:0C:29:A4:2E:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
扫描UDP端口
C:\>nmap -sU -T 5 192.168.188.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-12 20:21 中国标准时间
Nmap scan report for www.bigcloud.local (192.168.188.11)
Host is up (0.0010s latency).
Not shown: 998 open|filtered ports
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
MAC Address: 00:0C:29:A4:2E:39 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds
Tip: 做实验的时候,可以使用以下命令来清除所有配置,从头来做
iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F |
RHEL 7(CetOS 7) 使用新的Firewalld来代替iptables。在本次实验中,采用的在启动时执行脚本来解决
# vi /etc/rc.local
在最后添加如下内容:
/root/myfw.sh