屏蔽端口 iptables 规则
我们仅需保留 SSH,SQL,DNS,HTTP 和 HTTPS 这些主要端口,其它的用 iptables 做下限制,这样就高枕无忧了。
环回网络
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
DNS
iptables -A OUTPUT -p udp –sport 53 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
网页 - SQL
iptables -A OUTPUT -p tcp -m multiport –dport 80,443,3306 -j ACCEPT
iptables -A INPUT -p tcp -m multiport –sport 80,443,3306 -j ACCEPT
代理 - SSH
iptables -A OUTPUT -p tcp -m multiport –sport 1080,22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport –dport 1080,22 -j ACCEPT
用户
iptables -A OUTPUT -p tcp –sport 50000:60000 -j ACCEPT
iptables -A OUTPUT -p udp –sport 50000:60000 -j ACCEPT
iptables -A INPUT -p tcp –dport 50000:60000 -j ACCEPT
iptables -A INPUT -p udp –dport 50000:60000 -j ACCEPT
连接数
iptables -A OUTPUT -p tcp –sport 50000:60000 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
iptables -A INPUT -p tcp –dport 50000:60000 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
其他
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
禁止
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
屏蔽其他端口
iptables -A OUTPUT -p tcp -m multiport –dport 21,22,23 -j REJECT –reject-with tcp-reset
iptables -A OUTPUT -p udp -m multiport –dport 21,22,23 -j DROP
屏蔽邮箱端口
iptables -A OUTPUT -p tcp -m multiport –dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j REJECT –reject-with tcp-reset
iptables -A OUTPUT -p tcp -m multiport –dport 993,995,1109,24554,60177,60179 -j REJECT –reject-with tcp-reset
iptables -A OUTPUT -p udp -m multiport –dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
iptables -A OUTPUT -p udp -m multiport –dport 993,995,1109,24554,60177,60179 -j DROP
本文转自 技术花妞妞 51CTO博客,原文链接:http://blog.51cto.com/xiaogongju/2060962
