iptables之我見

iptables 和 SELinux 是Red Hat/ CentOS 的兩個很有力的工具,如果配置的好就能起到對伺服器進一步的保護作用,但是如果配置的不好往往會遭到管理員的拋棄.總有“老人”提醒我別開iptables和SELinux,但是我覺得既然開發出來還是可以加以利用的.

但是值得注意的是儘管iptables防火牆的功能很強大,但是有一個硬體防火牆還是很必要的.

因為有了其他設備,因此我既用不到轉發也不用網路地址轉換（NAT）,我只要把握好讓那些數據流可以進入哪些不能進入就行了.不過我不太清楚ROS（Router Operating System,軟路由操作系統）是不是也有這個機制.

關於iptables的用法和注意事項,網上各大論壇和IT網站都進行了熱烈的討論和文章展示.在此就不贅述了！

[root@localhost ~]# service iptables status 
Table: nat 
Chain PREROUTING (policy ACCEPT) 
num  target     prot opt source               destination          
 
Chain POSTROUTING (policy ACCEPT) 
num  target     prot opt source               destination          
 
Chain OUTPUT (policy ACCEPT) 
num  target     prot opt source               destination          
 
Table: mangle 
Chain PREROUTING (policy ACCEPT) 
num  target     prot opt source               destination          
 
Chain INPUT (policy ACCEPT) 
num  target     prot opt source               destination                                   
 
Chain FORWARD (policy ACCEPT) 
num  target     prot opt source               destination          
 
Chain OUTPUT (policy ACCEPT) 
num  target     prot opt source               destination          
 
Chain POSTROUTING (policy ACCEPT) 
num  target     prot opt source               destination          
 
Table: filter 
Chain INPUT (policy ACCEPT) 
num  target     prot opt source               destination          
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0            
2    ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0           udp dpt:53  
3    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:443  
4    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:80  
 
Chain FORWARD (policy ACCEPT) 
num  target     prot opt source               destination          
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0            
 
Chain OUTPUT (policy ACCEPT) 
num  target     prot opt source               destination          
 
Chain RH-Firewall-1-INPUT (2 references) 
num  target     prot opt source               destination          
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255                           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED  
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22  
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8006  
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8007  
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8008  
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080  
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8443  
10   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111  
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111  
12   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892  
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892  
14   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875  
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875  
16   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662  
17   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662  
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049  
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803                           
20   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769  
21   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited  
 
[root@localhost ~]#