
Firewall in Linux

Posted by: anonymous   Source: Linux system   Published: 2012-04-13

Author: Matt Song
Date: 11/27/2010

Topology:

Server 3 runs CentOS and acts as the firewall; Server 1 is the remote host used to SSH into it.

Linux version: 2.6.18-128.el5, CentOS release 5.3 (Final)

Legend (colours from the original post, lost in this plain-text copy):

Brown: command

Dark blue: system output

1. Test deny all:

On Server 1, use an SSH client (such as SecureCRT) to log on to the CentOS box, then run:

[root@Matt-CentOS ~]# iptables -P INPUT DROP

This command sets the default policy of the INPUT chain to DROP. Because the chain holds no ACCEPT rules, every incoming packet is now dropped, including the packets of the SSH session you typed the command in. Verify that the session from Server 1 to Server 3 has frozen.

Be advised: if you are testing these commands on a remote server, double-check whether any command you are about to enter will cut off your own session. Having no way to log on to the server directly is a big problem.

Now the only way to log on to the server is the VMware Workstation console. Enter:

[root@Matt-CentOS ~]# iptables -P INPUT ACCEPT

Then you can log on remotely again:

Last login: Sat Nov 27 13:59:29 2010 from 192.168.1.101

[root@Matt-CentOS ~]#
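The lock-out described above, and the console rescue it forces, can be avoided by ordering the commands so that the live session is allowed before the policy flips, and by arming a job that undoes the change if you get it wrong anyway. The script below is an added example, not code from the original post. It assumes a hypothetical admin host of 192.168.1.101 (the address in the login banner above) reaching eth0 on port 22; both are defaults you can override with ADMIN_SRC and SSH_PORT. Setting IPTABLES="echo iptables" makes every function print its commands instead of running them, which is how to read it on a machine without root.

```shell
#!/bin/sh
# Added example (not from the original post): switch INPUT to default-deny
# over SSH without losing the session you are typing in, and arm a watchdog
# that undoes the change if you do get locked out.
# Assumptions (hypothetical): the admin host is ADMIN_SRC on eth0, sshd
# listens on SSH_PORT, and the kernel has the "state" match (it does on
# CentOS 5 / 2.6.18). Set IPTABLES="echo iptables" to dry-run.

ADMIN_SRC=${ADMIN_SRC:-192.168.1.101}
SSH_PORT=${SSH_PORT:-22}
REVERT_AFTER=${REVERT_AFTER:-120}    # seconds before the watchdog reverts

# fw_default_deny: add the ACCEPT rules first, change the policy last.
# Order matters: the moment "-P INPUT DROP" runs, anything not matched by an
# ACCEPT rule is dropped, including the packets of your own SSH session.
fw_default_deny() {
    local ipt="${IPTABLES:-iptables}"
    # replies to connections this host already has (your SSH session included)
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # local services talk to each other over loopback
    $ipt -A INPUT -i lo -j ACCEPT
    # new SSH connections, but only from the admin host
    $ipt -A INPUT -i eth0 -p tcp -s "$ADMIN_SRC" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    # only now is it safe to deny everything else
    $ipt -P INPUT DROP
}

# fw_revert: back to the wide-open state the page starts from.
fw_revert() {
    local ipt="${IPTABLES:-iptables}"
    $ipt -P INPUT ACCEPT
    $ipt -F INPUT
}

# fw_arm_watchdog: revert automatically after REVERT_AFTER seconds unless the
# job is killed first. Prints the job's PID.
fw_arm_watchdog() {
    local ipt="${IPTABLES:-iptables}"
    # nohup: when a frozen SSH session finally times out, sshd sends SIGHUP to
    # the login shell's children; the one job meant to rescue you must survive.
    nohup sh -c "sleep $REVERT_AFTER; $ipt -P INPUT ACCEPT; $ipt -F INPUT" \
        >/dev/null 2>&1 &
    echo $!
}

# Usage as root on the firewall:
#   WATCHDOG=$(fw_arm_watchdog); fw_default_deny
# then open a NEW SSH session from Server 1; if it works, kill "$WATCHDOG".
if [ "${FW_APPLY:-0}" = 1 ]; then
    echo "watchdog pid $(fw_arm_watchdog): reverting in $REVERT_AFTER s unless killed"
    fw_default_deny
fi
```

The check that matters is the new login, not the existing one: the ESTABLISHED,RELATED rule keeps the current session alive even if the SSH ACCEPT rule is wrong, so only a fresh connection proves the rule set is correct before you kill the watchdog.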

2. List the policy

After setting the policies for your firewall, verify them with iptables -L. On the VMware Workstation console, log on to the VM and run:

[root@Matt-CentOS ~]# iptables -P INPUT DROP

[root@Matt-CentOS ~]# iptables -P OUTPUT ACCEPT

[root@Matt-CentOS ~]# iptables -P FORWARD ACCEPT

[root@Matt-CentOS ~]# iptables -L -n

Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The -n flag prints addresses and ports numerically. Without it, iptables -L tries to resolve every address through reverse DNS, and with the INPUT policy at DROP and no rules the DNS replies never get in, so the listing stalls until the lookups time out.

3. Set rules per network adapter

You can make one NIC accept or deny traffic by matching on the interface with -i [NIC], for example the three rules below (the INPUT policy has been put back to ACCEPT before this listing). iptables walks the chain top to bottom and the first matching rule wins, so the order of the -A (append) commands matters: the DROP for 192.168.1.185 must come before the ACCEPT for 192.168.1.0/24, otherwise the /24 rule would match first and the DROP would never fire. Note also that plain iptables -L does not show the interface; use iptables -L -n -v to see the in/out columns.

[root@Matt-CentOS ~]# iptables -A INPUT -i eth0 -s 192.168.1.101 -j ACCEPT

[root@Matt-CentOS ~]# iptables -A INPUT -i eth0 -s 192.168.1.185 -j DROP

[root@Matt-CentOS ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

[root@Matt-CentOS ~]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.101        anywhere
DROP       all  --  192.168.1.185        anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
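Because first match wins, a rule can be silently dead if an earlier rule's source network already covers it. The script below is an added example, not code from the original post: it encodes the three rules above as constructed "network:target" tokens (the page's bare addresses written as /32 hosts), flags any rule that an earlier one shadows, and only then applies them, listing the chain with -v and --line-numbers so the interface column and rule positions are visible. IPTABLES="echo iptables" dry-runs the apply step; the rule format and eth0 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a list of INPUT rules for
# shadowing before applying them. iptables walks a chain top to bottom and the
# first matching rule wins, so a rule whose source network is fully covered by
# an earlier rule can never fire. Assumptions (hypothetical): rules are
# "network:target" tokens for "-i eth0" on INPUT; set IPTABLES="echo iptables"
# to dry-run apply_rules.

# RULES: constructed to mirror the page, in -A (append) order.
RULES="192.168.1.101/32:ACCEPT 192.168.1.185/32:DROP 192.168.1.0/24:ACCEPT"

# ip2int a.b.c.d -> unsigned 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains A B: succeeds if network A covers every address of B.
# A bare address (no /len) is treated as a /32 host.
cidr_contains() {
    local a_ip="${1%/*}" a_len="${1#*/}" b_ip="${2%/*}" b_len="${2#*/}"
    [ "$a_len" = "$1" ] && a_len=32
    [ "$b_len" = "$2" ] && b_len=32
    # a shorter prefix than A's means B is the bigger network, so not covered
    [ "$b_len" -lt "$a_len" ] && return 1
    local mask=$(( a_len == 0 ? 0 : (0xFFFFFFFF << (32 - a_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# shadowed_rules "<rules>": print every rule that an earlier rule makes
# unreachable; succeeds only when there are none.
shadowed_rules() {
    local earlier="" r e rc=0
    for r in $1; do
        for e in $earlier; do
            if cidr_contains "${e%%:*}" "${r%%:*}"; then
                echo "shadowed: $r can never match, earlier rule $e already covers it"
                rc=1
                break
            fi
        done
        earlier="$earlier $r"
    done
    return $rc
}

# apply_rules "<rules>": append in the given order, then list with -v so the
# interface column (hidden by plain "iptables -L") and packet counters show.
apply_rules() {
    local ipt="${IPTABLES:-iptables}" r
    for r in $1; do
        $ipt -A INPUT -i eth0 -s "${r%%:*}" -j "${r##*:}"
    done
    $ipt -L INPUT -n -v --line-numbers
}

# Usage as root: FW_APPLY=1 sh fw-order.sh  (refuses to apply a shadowed set)
if [ "${FW_APPLY:-0}" = 1 ]; then
    shadowed_rules "$RULES" && apply_rules "$RULES"
fi
```

Swapping the last two tokens of RULES (the /24 ACCEPT before the .185 DROP) makes shadowed_rules report the DROP as unreachable, which is exactly the mistake the page's ordering avoids. The packet counters from -v give the same answer on a live box: a rule that stays at 0 pkts while traffic it should match is flowing is almost always shadowed.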

This article is from the "BOの世界" blog; please keep this attribution when reposting: http://mattsong.blog.51cto.com/2355482/434353
