
#1 2022-01-17 22:18:40

小天天
Moderator
Registered: 2019-09-29
Posts: 886

iptables && firewalld

iptables follows top-to-bottom priority: once a rule matches, evaluation stops there (no "next").

##--------- for centos6.* iptables -----------
# Write the rule file, then start the service so it loads the rules.
cat > /etc/sysconfig/iptables <<END
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rules are checked top to bottom; the first match decides.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow all TCP from localhost and from the listed subnets
-A INPUT -m tcp -p tcp -s 127.0.0.1 -j ACCEPT
-A INPUT -m tcp -p tcp -s 192.164.40.0/24 -j ACCEPT
-A INPUT -m tcp -p tcp -s 192.164.132.0/24 -j ACCEPT
-A INPUT -m tcp -p tcp -s 192.166.51.0/24 -j ACCEPT
-A INPUT -m tcp -p tcp -s 192.159.63.0/24 -j ACCEPT
# Catch-all: TCP from anywhere else is dropped; non-TCP traffic
# falls through to the chain policy (ACCEPT) set above.
-A INPUT -m tcp -p tcp -s 0.0.0.0/0 -j DROP
COMMIT
END

# If the service is already running, use "service iptables restart" to load the new file.
service iptables start


firewalld sets priority with the number given after INPUT: the lower the number, the higher the priority, and 0 is the highest.


##------ for centos7 -------
# Make the "trusted" zone (default target ACCEPT) the default zone, then
# restrict INPUT with direct rules; lower priority numbers are matched first.
/bin/cp -f /usr/lib/firewalld/zones/trusted.xml /etc/firewalld/zones/
sed -i 's#DefaultZone=public#DefaultZone=trusted#g' /etc/firewalld/firewalld.conf
systemctl start firewalld
# Priority 0: allow all TCP from localhost and the listed subnets
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 127.0.0.1 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 10.10.0.0/16 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 192.164.40.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 192.164.132.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 192.166.51.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 192.159.63.0/24 -j ACCEPT
# Priority 10: evaluated after all priority-0 rules, drops remaining TCP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 10 -p tcp -s 0.0.0.0/0 -j DROP
# --permanent rules only take effect after a reload
firewall-cmd --reload

Last edited by 小天天 (2022-01-17 22:29:40)

#2 2023-11-16 17:35:55

小天天
Moderator
Registered: 2019-09-29
Posts: 886

Re: iptables && firewalld

firewall.sh
#!/bin/bash

# Make the "trusted" zone (default target ACCEPT) the default zone, stop the
# legacy iptables service, then restrict INPUT with direct rules.
/bin/cp -f /usr/lib/firewalld/zones/trusted.xml /etc/firewalld/zones/
sed -i 's#DefaultZone=public#DefaultZone=trusted#g' /etc/firewalld/firewalld.conf
systemctl stop iptables
systemctl start firewalld
# Priority 0: localhost, SSH from two admin hosts, service ports from two subnets
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 127.0.0.1 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -s 192.164.132.5 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -s 192.164.132.90 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 192.164.132.0/24 -m multiport --dport 6379,80,8080,8081,8090,8070,3306,873 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -s 192.164.40.0/24 -m multiport --dport 6379,80,8080,8081,8090,8070,3306,873 -j ACCEPT
# Priority 100: drop the service ports from every other source. Port 22 is not
# in this list, so SSH from other sources still falls through to the zone's ACCEPT default.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 100 -p tcp -m multiport --dport 6379,80,8080,8081,8090,8070,3306,873 -j DROP
# --permanent rules only take effect after a reload
firewall-cmd --reload
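To make the two ordering rules in this thread concrete (iptables: top to bottom, first match wins; firewalld --direct: lower priority number is evaluated first, insertion order within a priority), here is an added Python simulator; it is not the poster's script. It encodes the firewall.sh rule set as constructed tuples and reports which rule a packet hits; 203.0.113.5 is a constructed outside address, and the fall-through verdict assumes the trusted zone's ACCEPT default.

```python
# Added example (not the forum post's script): first-match evaluation of the
# firewalld --direct INPUT rules from firewall.sh, with priorities honoured.
import ipaddress

ANY = None
SERVICE_PORTS = {6379, 80, 8080, 8081, 8090, 8070, 3306, 873}

# (priority, source, destination ports, target), in the order firewall.sh adds them
RULES = [
    (0, "127.0.0.1", ANY, "ACCEPT"),
    (0, "192.164.132.5", {22}, "ACCEPT"),
    (0, "192.164.132.90", {22}, "ACCEPT"),
    (0, "192.164.132.0/24", SERVICE_PORTS, "ACCEPT"),
    (0, "192.164.40.0/24", SERVICE_PORTS, "ACCEPT"),
    (100, "0.0.0.0/0", SERVICE_PORTS, "DROP"),
]


def chain_order(rules):
    """Return (index, rule) pairs in evaluation order: lower priority number
    first; rules sharing a priority keep the order they were added."""
    return sorted(enumerate(rules), key=lambda pair: (pair[1][0], pair[0]))


def verdict(rules, src, dport, policy="ACCEPT"):
    """Walk the chain top to bottom and stop at the first matching rule.
    Returns (target, index of the matching rule), or (policy, None) when no
    rule matched; policy models the chain default (ACCEPT for the trusted zone)."""
    addr = ipaddress.ip_address(src)
    for idx, (_prio, cidr, ports, target) in chain_order(rules):
        in_src = addr in ipaddress.ip_network(cidr, strict=False)
        if in_src and (ports is ANY or dport in ports):
            return target, idx
    return policy, None


if __name__ == "__main__":
    # 203.0.113.5 is a constructed outside address
    for src, port in [("192.164.132.90", 22), ("203.0.113.5", 3306),
                      ("203.0.113.5", 22), ("192.164.132.5", 443)]:
        print(src, port, verdict(RULES, src, port))
    # Priority wins over insertion order: even with the DROP added first,
    # the priority-0 ACCEPT for 192.164.40.0/24 is still evaluated before it.
    print(verdict(list(reversed(RULES)), "192.164.40.7", 80))
```

The run shows the caveat in the script's comments: 203.0.113.5 to port 3306 hits the priority-100 DROP, but 203.0.113.5 to port 22 matches nothing and takes the zone's ACCEPT default.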

