既存のFireWallを止める
# systemctl stop firewalld.service
# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
確認
# systemctl list-unit-files | grep firewalld
firewalld.service masked
# dnf install -y iptables-services
# systemctl start iptables.service
# systemctl enable iptables.service
Created symlink /etc/systemd/system/basic.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
# systemctl list-unit-files | grep iptables
iptables.service enabled
# systemctl start ip6tables.service
# systemctl enable ip6tables.service
Created symlink /etc/systemd/system/basic.target.wants/ip6tables.service → /usr/lib/systemd/system/ip6tables.service.
# systemctl list-unit-files | grep ip6tables
ip6tables.service enabled
——————————————
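#!/usr/bin/env bash
# Reset the IPv4 filter table and install a default-deny INPUT policy on a
# host that uses iptables-services (firewalld masked, see transcript above).
#
# Fixes relative to the original rule list:
#   - every "–dport"/"–state" used an en dash; iptables rejects that as an
#     unknown option, so the long options are spelled "--dport"/"--state".
#   - "systemctl restart iptables.service" reloads /etc/sysconfig/iptables,
#     which would discard the rules just added; the rules are saved first.
#   - port 10000 was opened to everyone before the LAN-only webmin rule,
#     which made that restriction dead; only the LAN-only rule is kept.
#   - port 8000 and the ssh rule were listed twice; each is listed once.
#
# NOTE(review): only IPv4 is configured. ip6tables.service is enabled in the
# transcript but keeps its own policy; configure it separately if IPv6 is
# reachable on this host.
#
# Usage: run as root. Override LAN_NET to change the trusted subnet.
set -euo pipefail

readonly IPTABLES=/sbin/iptables
# Subnet allowed to reach webmin and samba (value from the original rules;
# iptables normalizes the host bits to 192.168.1.0/24).
readonly LAN_NET=${LAN_NET:-192.168.1.1/24}

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Flush all rules and delete user-defined chains in the filter table.
# Globals: IPTABLES (read)
#######################################
clear_rules() {
  "$IPTABLES" -F
  "$IPTABLES" -X
}

#######################################
# Append the ACCEPT rules to INPUT. The ESTABLISHED,RELATED rule goes first
# so that sessions already open (including the one running this script)
# survive the later DROP policy and so most packets match without walking
# the whole chain.
# Globals: IPTABLES, LAN_NET (read)
#######################################
add_accept_rules() {
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT
  # ssh on every interface (an extra eth1-only rule would be redundant)
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
  # http
  "$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 8080 -j ACCEPT
  # rails
  "$IPTABLES" -A INPUT -p tcp --dport 3000 -j ACCEPT
  # django
  "$IPTABLES" -A INPUT -p tcp --dport 8000 -j ACCEPT
  # webmin, LAN only
  "$IPTABLES" -A INPUT -s "$LAN_NET" -p tcp --dport 10000 -j ACCEPT
  # samba, LAN only
  "$IPTABLES" -A INPUT -s "$LAN_NET" -p tcp --dport 139 -j ACCEPT
  "$IPTABLES" -A INPUT -s "$LAN_NET" -p udp --dport 137 -j ACCEPT
  "$IPTABLES" -A INPUT -s "$LAN_NET" -p udp --dport 138 -j ACCEPT
  "$IPTABLES" -A INPUT -s "$LAN_NET" -p tcp --dport 445 -j ACCEPT
}

#######################################
# Set chain policies. Done after the ACCEPT rules exist so a slow run never
# leaves INPUT at DROP with an empty chain.
# Globals: IPTABLES (read)
#######################################
set_policies() {
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
}

#######################################
# Save the running ruleset to the file iptables.service loads on start,
# then restart the unit so the saved file is what is actually in effect.
#######################################
persist_rules() {
  iptables-save > /etc/sysconfig/iptables
  systemctl restart iptables.service
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  command -v iptables-save >/dev/null || die "iptables-save not found; install iptables-services"
  clear_rules
  add_accept_rules
  set_policies
  persist_rules
}

main "$@"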
———
#systemctl restart iptables.service