iptables and SELinux are two powerful tools on Red Hat/CentOS. Configured well, they add a further layer of protection to a server; configured badly, they usually end up being abandoned by the administrator. There is always some "old hand" telling me not to turn on iptables and SELinux, but I think that since they were developed they can still be put to good use.
It is worth noting, though, that however powerful the iptables firewall is, a hardware firewall is still very necessary.
Because other devices take care of that, I need neither forwarding nor network address translation (NAT); all I have to get right is which traffic flows may come in and which may not. I am not sure whether ROS (Router Operating System, a software-router OS) has the same mechanism.
The usage of iptables and the things to watch out for have been discussed at length, with plenty of articles, on all the major forums and IT sites, so I will not repeat them here!
```text
[root@localhost ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:53
3    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:443
4    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8006
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8007
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8008
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8443
10   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111
12   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892
14   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875
16   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803
20   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769
21   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@localhost ~]#
```
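One thing this listing shows, and that is worth checking in any rule set: the filter INPUT chain's first rule jumps unconditionally to RH-Firewall-1-INPUT, whose last rule is an unconditional REJECT, so INPUT rules 2 to 4 (the 10.0.0.0/8 accepts for 53/udp, 443 and 80) can never match. At the same time the portmapper and NFS ports (111, 892, 875, 662, 2049, 32803, 32769) are accepted from any source. The script below is an added example (not code from the original post, nor from Red Hat's iptables service script) that finds such dead rules and lists the ports reachable from anywhere. It works on `iptables-save` output rather than on the `service iptables status` listing, because that listing (`iptables -L -n`) hides interface matches: the first RH-Firewall-1-INPUT rule is shown as "ACCEPT all" and would look like an unconditional accept. The SAMPLE rule set is a constructed `iptables-save` rendering of a subset of the filter table above; the `-i lo` match on that first rule and the `--icmp-type any` spelling are assumptions.

```python
"""Dead-rule and exposure check for an iptables-save dump (added example)."""
import shlex
from collections import OrderedDict

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed iptables-save rendering of (a subset of) the filter table shown
# above. The "-i lo" match on the first RH-Firewall-1-INPUT rule is assumed;
# "service iptables status" does not display interface matches.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_filter(dump):
    """Return {chain: [rule, ...]} for the *filter table of an iptables-save dump.
    A rule is {"target", "matches" (tokens between the chain name and -j), "text"}."""
    chains, in_filter = OrderedDict(), False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif not in_filter or not line.strip() or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            j = tok.index("-j")
            chains[tok[1]].append({"target": tok[j + 1], "matches": tok[2:j], "text": line})
    return chains


def first_terminating(chains, chain, seen=()):
    """Index of the first rule in `chain` that every packet hits and that ends
    processing: it has no match criteria and its target is ACCEPT/DROP/REJECT
    or a user chain that itself terminates every packet. None if there is none."""
    if chain in seen:
        return None  # guard against chain loops
    for i, rule in enumerate(chains.get(chain, [])):
        if rule["matches"]:
            continue
        t = rule["target"]
        if t in TERMINAL or (t in chains and first_terminating(chains, t, seen + (chain,)) is not None):
            return i
    return None


def dead_rules(chains):
    """(chain, 1-based rule number, text) for every rule that can never be reached."""
    dead = []
    for chain, rules in chains.items():
        cut = first_terminating(chains, chain)
        if cut is not None:
            dead.extend((chain, n + 1, r["text"]) for n, r in enumerate(rules) if n > cut)
    return dead


def world_open_ports(chains, root="INPUT"):
    """Sorted (proto, dport) pairs ACCEPTed without any -s restriction on the
    path from `root`, following jumps into user chains and skipping dead rules."""
    opened, todo, seen = set(), [root], set()
    while todo:
        chain = todo.pop()
        if chain in seen:
            continue
        seen.add(chain)
        cut = first_terminating(chains, chain)
        for n, rule in enumerate(chains.get(chain, [])):
            if cut is not None and n > cut:
                break  # everything past the cut is dead
            m = rule["matches"]
            if "-s" in m:
                continue  # source-restricted, not reachable from anywhere
            if rule["target"] in chains:
                todo.append(rule["target"])
            elif rule["target"] == "ACCEPT" and "--dport" in m and "-p" in m:
                opened.add((m[m.index("-p") + 1], m[m.index("--dport") + 1]))
    return sorted(opened)


if __name__ == "__main__":
    chains = parse_filter(SAMPLE)
    for chain, num, text in dead_rules(chains):
        print("dead rule %s #%d: %s" % (chain, num, text))
    print("accepted from anywhere:", world_open_ports(chains))
```

On a live host, feed it `iptables-save` output instead of SAMPLE. The fix the report points to is to insert the subnet-specific accepts before the jump (or inside RH-Firewall-1-INPUT above the REJECT), and to add `-s` restrictions to the NFS rules if the exports are only meant for the internal network.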
[火星人] iptables之我見 (iptables as I see it): 819 views