CentOS 7 firewall: opening common ports with iptables

1. Flush all rules:

```shell
iptables -F
```

`-F` empties the chains of the filter table but leaves the chain policies and user-defined chains in place. If the INPUT policy is already DROP (step 8 from a previous run), flushing over SSH cuts off your own session, so on a remote host set the INPUT policy back to ACCEPT before flushing. To delete the user-defined chains as well (step 9 creates one), run `iptables -X` after `-F`.
2. Open the common TCP ports:

```shell
iptables -I INPUT -p tcp -m multiport --dports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 -j ACCEPT
iptables -I OUTPUT -p tcp -m multiport --sports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 -j ACCEPT
```

`-I` inserts at the top of the chain, so every rule added with `-I` later in this guide ends up above this one and every rule added with `-A` ends up below it; keep that in mind for steps 9 to 11. Trim the list to the ports this host really serves (the 30000:30999 range only makes sense if a service, typically passive FTP next to 20/21, is configured to listen there). The OUTPUT rule is harmless but redundant once OUTPUT gets an ACCEPT policy in step 8.

3. Open the common UDP ports:

```shell
iptables -I INPUT -p udp -m multiport --dports 53,123,8571,8888 -j ACCEPT
iptables -I OUTPUT -p udp -m multiport --sports 53,123,8571,8888 -j ACCEPT
```

These INPUT rules expose services listening on those ports (a DNS server on 53, an NTP server on 123); they are not needed for the host to act as a DNS or NTP client.

4. Special UDP ports (e.g. DNS replies):

```shell
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
```

Be aware of what the INPUT rule does: it accepts any UDP packet whose source port is 53, whether or not this host sent a query. The source port is chosen by the sender, so anyone can reach any UDP service on the host by sending from port 53. The safer way to let DNS answers in is the connection-tracking rule of step 7 without its `-p tcp` restriction, which admits only replies to queries this host actually sent.

5. Allow the VRRP protocol (needed for keepalived):

```shell
iptables -I INPUT -p vrrp -j ACCEPT
```

`vrrp` is resolved through /etc/protocols (IP protocol 112). Only add this on keepalived nodes, and limit it with `-i` to the interface the peers share.

6. Allow the servers to ping each other:

```shell
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
```

This accepts every ICMP type, not just echo; use `--icmp-type echo-request` on the INPUT rule if only ping should be answered.

7. Allow packets belonging to established connections:

```shell
iptables -I INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
```

Inserted with `-I` after steps 2 to 6, this rule sits at the top of the chain, which is where it belongs: most packets match it and are accepted without being checked against the port rules. With `-p tcp` it only covers TCP; drop `-p tcp` and the same rule also admits UDP and ICMP replies (DNS, NTP, ping), which makes step 4 unnecessary. On CentOS 7 `-m state --state` is an alias for `-m conntrack --ctstate`.

8. Set the default policy to close all ports:

```shell
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
```

Set the policies only after the ACCEPT rules, in particular the one for port 22, are in place, or the SSH session you are typing in dies with the last command. Loopback traffic passes through INPUT as well: with INPUT set to DROP, local services talking to 127.0.0.1 fail unless a rule accepting the `lo` interface is added.

9. Against SYN floods:

```shell
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
```

SYN packets (`--syn`: SYN set, ACK/RST/FIN clear) are sent to the `syn-flood` chain, which returns them to INPUT while the rate stays under 3 per second (burst 6) and rejects the rest. Three caveats. The jump is appended with `-A`, so it sits below the port ACCEPT rules from step 2 and a SYN to an open port never reaches it; to have any effect the jump must be inserted above the port rules. `-m limit` is one global bucket, so a single flooding source uses up the budget and legitimate clients are rejected along with it; `-m hashlimit --hashlimit-mode srcip` limits per source address instead. And REJECT sends a reply for every rejected SYN, which is exactly the work a flood wants the host to do; DROP is cheaper.

10. Against DDoS:

```shell
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
```

The first rule drops new connections from any source address that already has more than 15 connections open (connlimit counts per /32 by default; 15 is low for clients behind a shared NAT address). Check the interface name with `ip link`; CentOS 7 often uses names such as ens192 instead of eth0. The second rule duplicates step 7, and the third accepts SYNs up to 12 per second and leaves the excess to the rules below and finally to the DROP policy. Like step 9, these `-A` rules land below the port ACCEPTs of step 2 and are not reached for open ports unless they are moved above them. The FORWARD rule only matters when the host routes traffic for others.

11. Against CC (HTTP flood) attacks:

```shell
# at most 50 concurrent connections per source IP on port 80
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
# at most 30 new connections per source IP within 60 seconds
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
```

The `recent` match keeps a per-source list of timestamps (visible in /proc/net/xt_recent/BAD_HTTP_ACCESS). The `--update` rule matches, and rejects, a source that already has 30 hits within the last 60 seconds; otherwise the `--set` rule records the hit and accepts. `--syn` restricts the counting to connection attempts; without it every packet of every HTTP connection counts and a single page load exceeds 30. As in steps 9 and 10, the `-A` rules sit below the port 80 ACCEPT from step 2 and only work if placed above it. If iptables refuses the rule with a hitcount error, the xt_recent module on that kernel caps `--hitcount` at its `ip_pkt_list_tot` parameter (default 20); raise the parameter or lower the hitcount.

12. Save:

```shell
iptables-save > /etc/sysconfig/iptables
```

CentOS 7 ships firewalld, which manages iptables itself and would replace these rules. For the saved file to be loaded at boot, stop and disable firewalld, install the `iptables-services` package and enable its `iptables` unit, which restores /etc/sysconfig/iptables on start.
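The twelve steps above assembled into one ruleset, as an added example that is not code from the original post. Instead of running the iptables commands one by one, it emits the ruleset in iptables-restore format and loads it atomically, so the DROP policy never exists without the rules that keep SSH working, and the rate limits are placed above the port ACCEPTs where they actually see traffic. The port lists are the ones from the steps above; `MGMT_NET`, the rate and connection limits and the hashlimit/recent thresholds are assumptions to adjust for your host.

```shell
#!/bin/bash
# Added example, not code from the original post: the twelve steps above as ONE
# ruleset in iptables-restore format, loaded atomically. Either the whole file
# loads or nothing changes, so the DROP policy is never in place without the
# rules that keep SSH working, and the rate-limit rules sit where they must:
# above the port ACCEPTs. Assumptions (adjust for your host): MGMT_NET, the
# rate and connection limits, and the port lists copied from the steps above.
set -eu

MGMT_NET="${MGMT_NET:-0.0.0.0/0}"          # admin network allowed to reach SSH
TCP_PORTS="20,21,3690,80,443,4443,8023,8888,25,110,30000:30999"
UDP_PORTS="53,123,8571,8888"

# Print the ruleset. Lines starting with '#' are comments to iptables-restore.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
# loopback: local daemons talk to 127.0.0.1 and would otherwise hit the DROP policy
-A INPUT -i lo -j ACCEPT
# replies to anything this host initiated (TCP, UDP and ICMP, not only TCP);
# this also covers DNS answers, so no "--sport 53" rule that trusts a source port
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping, rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# VRRP for keepalived peers (protocol 112, multicast group 224.0.0.18)
-A INPUT -p vrrp -d 224.0.0.18 -j ACCEPT
# every connection attempt passes through syn-flood BEFORE any port is opened
-A INPUT -p tcp --syn -j syn-flood
# HTTP flood: per source address, at most 50 open connections and 30 new ones per minute
-A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
-A INPUT -p tcp --dport 80 --syn -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j DROP
-A INPUT -p tcp --dport 80 --syn -m recent --name BAD_HTTP_ACCESS --set
# the services this host offers; SSH only from the management network
-A INPUT -p tcp --dport 22 -s ${MGMT_NET} -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${TCP_PORTS} -j ACCEPT
-A INPUT -p udp -m multiport --dports ${UDP_PORTS} -j ACCEPT
# syn-flood: a bucket PER SOURCE (hashlimit) instead of one global limit, so one
# flooding address cannot exhaust everybody else's budget; DROP rather than
# REJECT, so the flood does not make this host send a reply per packet
-A syn-flood -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto 20/second --hashlimit-burst 40 -j RETURN
-A syn-flood -j DROP
COMMIT
EOF
}

# Validate the file without touching the kernel, then load it atomically and
# persist it for the iptables-services unit (step 12).
apply_ruleset() {
    local f
    f=$(mktemp)
    gen_ruleset > "$f"
    iptables-restore --test < "$f"
    iptables-restore < "$f"
    iptables-save > /etc/sysconfig/iptables
    rm -f "$f"
}

case "${1:-}" in
    --print) gen_ruleset ;;
    --apply) apply_ruleset ;;
esac
```

Saved as, say, `firewall.sh`, `./firewall.sh --print` shows the file that would be loaded and `sudo MGMT_NET=10.0.0.0/8 ./firewall.sh --apply` loads it; since the whole file is committed in one step, a typo makes `iptables-restore --test` fail and leaves the running rules untouched instead of leaving the host half configured.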
Thanks for supporting original technical writing.