Firewall in linux
Author: Matt Song Topology: Server 3 has installed CentOS and played the firewall role. Linux version: 2.6.18-128.el5, CentOS release 5.3 (Final) Legend: Brown: Command Dark blue: System layout 拥有帝国一切,皆有可能。欢迎访问phome.net
1. Test deny all: On Server 1 use SSH connect tools(Such as SecureCRT) to log on to CentOS, Run this utility: [root@Matt-CentOS ~]# iptables -P INPUT DROP This CMD will deny all connection to the Server, verify the session on Server 1 to Server 3 has lost. Be advice, if you are testing those utility on a remote server, please double check if there are any command you are gonna input will cause the server refuse your session. It should be a BIG issue if you have no way to log on directly to your server. Now the only way to log on your server is from VMware Workstation console. Input: [root@Matt-CentOS ~]# iptables -P INPUT ACCEPT 拥有帝国一切,皆有可能。欢迎访问phome.net Then you can log on remotely again Last login: Sat Nov 27 13:59:29 2010 from 192.168.1.101 [root@Matt-CentOS ~]#
2. List the policy After set the policy for your firewall, you can use iptables -L to verify. On VMware Workstation Console, log on to the VM, run those utility: [root@Matt-CentOS ~]# iptables -P INPUT DROP [root@Matt-CentOS ~]# iptables -P OUTPUT ACCEPT 拥有帝国一切,皆有可能。欢迎访问phome.net [root@Matt-CentOS ~]# iptables -P FORWARD ACCEPT [root@Matt-CentOS ~]# iptables -L -n Chain INPUT (policy DROP) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination 拥有帝国一切,皆有可能。欢迎访问phome.net
3. Set the policy based on network adapter. You can set one NIC to accept or deny network session by means of using -i [NiC], like: [root@Matt-CentOS ~]# iptables -A INPUT -i eth0 -s 192.168.1.101 -j ACCEPT [root@Matt-CentOS ~]# iptables -A INPUT -i eth0 -s 192.168.1.185 -j DROP [root@Matt-CentOS ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT [root@Matt-CentOS ~]# iptables -L 拥有帝国一切,皆有可能。欢迎访问phome.net Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 192.168.1.101 anywhere DROP all -- 192.168.1.185 anywhere ACCEPT all -- 192.168.1.0/24 anywhere Chain FORWARD (policy ACCEPT) 拥有帝国一切,皆有可能。欢迎访问phome.netChain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
本文出自 “BOの世界” 博客,请务必保留此出处http://mattsong.blog.51cto.com/2355482/434353 拥有帝国一切,皆有可能。欢迎访问phome.net |
凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务,公司网站:http://www.lingzhong.cn 为了给广大客户了解更多的技术信息,本技术文章收集来源于网络,凌众科技尊重文章作者的版权,如果有涉及你的版权有必要删除你的文章,请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢! |
