Using the iptables service on CentOS 7

Disable firewalld at boot

To avoid conflicts with iptables, you must first stop firewalld from starting at boot.

Run the following command to check the service status.

systemctl status firewalld


If the service is active, run the following command to stop the firewalld service.

systemctl stop firewalld

Run the following command to prevent firewalld from starting at boot.

systemctl disable firewalld

1. Install iptables

Run the following command to install iptables.

yum install -y iptables-services

2. Start iptables and enable it at boot

Run the following command to start iptables.

systemctl start iptables

Run the following command to check whether iptables started successfully.

systemctl status iptables

If the output shows the service as active, iptables has started successfully.

Run the following command to enable iptables at boot.

systemctl enable iptables.service

Create the rules script: create a new file named iptablescript.sh with the following content.

#!/bin/sh
#
# https://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/
# Script for stopping port scans and smurf attacks
# June 15, 2013 by Sharad Chhetri

### First flush all existing iptables rules
iptables -F

# INPUT iptables rules

# Accept loopback input
iptables -A INPUT -i lo -p all -j ACCEPT

# Allow the 3-way handshake (packets that belong to connections already tracked)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### DROP spoofed packets (private, link-local, multicast and reserved ranges)
# Caution: if this host itself lives in one of these ranges (for example a cloud VPC
# on 10.0.0.0/8 or 172.16.0.0/12), remove the matching line or traffic from your own
# subnet will be dropped. 192.168.0.0/24 covers only 192.168.0.x; the whole private
# range is 192.168.0.0/16.
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Smurf attack protection: drop address-mask and timestamp requests,
# accept other ICMP at 1 packet/second (excess falls through to the rules below)
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Rate-limit RST packets (RST flooding); packets above the limit fall through to the final REJECT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Protection against port scans
# An attacking IP stays blocked for 24 hours (3600 x 24 = 86400 seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove the attacking IP from the list after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list and log the attempt.
# Port 139 is not served on this host, so any connection attempt to it is treated as a scan.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ping (ICMP echo-request); if you do not want to answer pings, replace ACCEPT with REJECT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly reject all other INPUT traffic
iptables -A INPUT -j REJECT

################# Below are the OUTPUT iptables rules #############################################

## Allow loopback OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outbound connections to the following ports
# SMTP = 25
# DNS = 53
# HTTP = 80
# HTTPS = 443
# SSH = 22
### You can also add or remove port numbers as per your requirement
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow outgoing pings
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly reject all other OUTPUT traffic
iptables -A OUTPUT -j REJECT

## Reject forwarded traffic
iptables -A FORWARD -j REJECT

Put the script at the following path

/etc/rc.d/init.d/iptablescript.sh

3. Run the following command to mark the script as executable (add execute permission)

chmod +x /etc/rc.d/init.d/iptablescript.sh

4. Run the following command to mark /etc/rc.d/rc.local as executable

In CentOS 7, /etc/rc.d/rc.local no longer has execute permission by default, so scripts added to it are not run at boot and cannot start services. The following command marks the file as executable.

chmod +x /etc/rc.d/rc.local

5. Open /etc/rc.d/rc.local and append the following line at the end

/etc/rc.d/init.d/iptablescript.sh

After the configuration is complete, run the following command to reboot the instance and verify the configuration.

systemctl reboot
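Before rebooting, it is worth checking the chain the script just loaded. The shell functions below are an added example written for this page, not part of the original post or of Sharad Chhetri's script; they read an `iptables -S INPUT` listing (a constructed sample is embedded) and report whether an SSH ACCEPT precedes the final REJECT and whether one of the anti-spoofing DROP rules covers the address you administer the host from.

```shell
# Added check, not part of the original post: inspect an INPUT chain dump before
# logging out of a host that has just run iptablescript.sh. RULES is a constructed
# sample in `iptables -S INPUT` format; on a real host use RULES="$(iptables -S INPUT)".
RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET[/BITS] -> exit 0 when IP lies inside the prefix
in_cidr() {
    net=${2%/*}
    case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then return 0; fi
    return 1
}
# spoof_rule_covering IP RULES -> prints the first "-s PREFIX -j DROP" rule that
# would silently drop packets from IP (your own VPC subnet, for instance)
spoof_rule_covering() {
    while read -r line; do
        case "$line" in *" -s "*" -j DROP"*)
            cidr=${line#*-s }; cidr=${cidr%% *}
            in_cidr "$1" "$cidr" && { echo "$cidr"; return 0; } ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# ssh_allowed RULES -> exit 0 only if an ACCEPT for tcp/22 precedes the first unconditional DROP/REJECT
ssh_allowed() {
    while read -r line; do
        case "$line" in
            *"--dport 22 -j ACCEPT"*) return 0 ;;
            "-A INPUT -j DROP"*|"-A INPUT -j REJECT"*) return 1 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}
```

With the sample above, `ssh_allowed "$RULES"` succeeds but `spoof_rule_covering 10.1.2.3 "$RULES"` prints 10.0.0.0/8, which is exactly the lock-out case for a host administered from a private 10.x network. Once the live rule set looks right, `iptables-save > /etc/sysconfig/iptables` lets the iptables service restore it at boot on its own.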

Common iptables commands

# Start iptables
systemctl start iptables

# Check iptables status
systemctl status iptables

# Stop iptables
systemctl stop iptables

# Restart iptables
systemctl restart iptables

# Reload iptables
systemctl reload iptables

