1.删除已有规则iptables-F2.删除INPUT第三条规则iptables-DINPUT33.在INPUT的第四条位置插入新规则,丢弃来自192.168.100.100的数据iptables-IINPUT4-s192.168.100.100-jDROP4.保存防火墙信息Iptables-save>/etc/sysconfig/iptables5.拒绝192.168.3.1使用ping测试本主机iptables-tfilter-AINPUT-s192.168.3.1-picmp-jDROP6.允许本地ping其他主机请求包,且允许其他主机的PING响应回包iptables-AOUTPUT-picmp–icmp-type8-jACCEPTiptables-AINPUT-picmp–icmp-type0-jACCEPT7.只允许192.168.3.0/24网段访问本机192.168.3.10的1394端口。iptables-tfilter-IINPUT-s192.168.3.0/24-d192.168.3.10-ptcp–dport1394-jACCEPTiptables-AINPUT!-s192.168.3.0/24-ptcp–dport1394-jDROP8.设置进站,出站,转发默认规则为拒绝所有iptables-PINPUTDROPiptables-POUTPUTDROPiptables-PFORWARDDROP9.使用SNAT使得192.168.3.0/24网段的PC通过本地eth0访问internetiptables-tnat-APOSTROUTING-s192.168.3.0/24-oeth0-jMASQUERADE10.将192.168.3.10的80端口发布到202.106.0.1的80端口上iptables-tnat-APREROUTING-d202.106.0.20-ptcp–dport80-jDNAT–to192.168.3.10:8011.允许转发目标地址192.168.3.10目标端口号80的访问流iptables-AFORWARD-d192.168.2.2-ptcp–dport80-jACCEPT12.允许已存连接的数据流转发通过iptables-AFORWARD-mstate–stateESTABLISHED,RELATED-jACCEPT13.允许访问本地的IP地址192.168.3.10的80端口iptables-tfilter-AINPUT-d192.168.3.10-ptcp–dport80-jACCEPT14.允许本地192.168.3.10的web服务响应其他连接iptables-tfilter-AOUTPUT-s192.168.3.10-ptcp–sport80-jACCEPT15.允许192.168.3.0/24网段访问本地的SSH服务,新连接与已存连接放行iptables-AINPUT-s192.168.3.0/24-ptcp–dport22-mstate–stateNEW,ESTABLISHED-jACCEPT16.允许本地放行所有已存连接返回访问源iptables-AOUTPUT-mstate–stateESTABLISHED-jACCEPT17.允许通过网卡eth0访问本机的80端口和443端口。放行请求连接和应答iptables-AINPUT-ieth0-ptcp-mmultiport–dports80,443-mstate–stateNEW,ESTABLISHED-jACCEPTiptables-AOUTPUT-oeth0-ptcp-mmultiport–sports80,443-mstate–stateESTABLISHED-jACCEPT18.允许本机从eth0出站DNS访问iptables-AOUTPUT-pudp-oeth0–dport53-jACCEPTiptables-AINPUT-pudp-ieth0–sport53-jACCEPT19.允许从eth0接收来自192.168.3.10的Mysql访问请求iptables-AINPUT-ieth0-ptcp-s192.168.3.1–dport3306-mstate–stateNEW,ESTABLISHED-jACCEPTiptables-AOUTPUT-oeth0-ptcp–sport3306-mstate–stateESTABLISHED-jACCEP20.当访问量本地80端口的访问量达到每分钟100时调整为每分钟放行25个访问量iptables-AINPUT-ptcp–dport80-mlimit–limit25/minute–limit-burst100-jACCEPT
1.删除已有规则
iptables-F
2.删除INPUT第三条规则
iptables-DINPUT3
3.在INPUT的第四条位置插入新规则,丢弃来自192.168.100.100的数据
iptables-IINPUT4-s192.168.100.100-jDROP
4.保存防火墙信息
Iptables-save>/etc/sysconfig/iptables
5.拒绝192.168.3.1使用ping测试本主机
iptables-tfilter-AINPUT-s192.168.3.1-picmp-jDROP
6.允许本地ping其他主机请求包,且允许其他主机的PING响应回包
iptables-AOUTPUT-picmp–icmp-type8-jACCEPT
iptables-AINPUT-picmp–icmp-type0-jACCEPT
7.只允许192.168.3.0/24网段访问本机192.168.3.10的1394端口。
iptables-tfilter-IINPUT-s192.168.3.0/24-d192.168.3.10-ptcp–dport1394-jAC
CEPT
iptables-AINPUT!-s192.168.3.0/24-ptcp–dport1394-jDROP
8.设置进站,出站,转发默认规则为拒绝所有
iptables-PINPUTDROP
iptables-POUTPUTDROP
iptables-PFORWARDDROP
9.使用SNAT使得192.168.3.0/24网段的PC通过本地eth0访问internet
iptables-tnat-APOSTROUTING-s192.168.3.0/24-oeth0-jMASQUERADE
10.将192.168.3.10的80端口发布到202.106.0.1的80端口上
iptables-tnat-APREROUTING-d202.106.0.20-ptcp–dport80-jDNAT–to192.1
68.3.10:80
11.允许转发目标地址192.168.3.10目标端口号80的访问流
iptables-AFORWARD-d192.168.2.2-ptcp–dport80-jACCEPT
12.允许已存连接的数据流转发通过
iptables-AFORWARD-mstate–stateESTABLISHED,RELATED-jACCEPT
13.允许访问本地的IP地址192.168.3.10的80端口
iptables-tfilter-AINPUT-d192.168.3.10-ptcp–dport80-jACCEPT
14.允许本地192.168.3.10的web服务响应其他连接
iptables-tfilter-AOUTPUT-s192.168.3.10-ptcp–sport80-jACCEPT
15.允许192.168.3.0/24网段访问本地的SSH服务,新连接与已存连接放行
iptables-AINPUT-s192.168.3.0/24-ptcp–dport22-mstate–state
NEW,ESTABLISHED-jACCEPT
16.允许本地放行所有已存连接返回访问源
iptables-AOUTPUT-mstate–stateESTABLISHED-jACCEPT
17.允许通过网卡eth0访问本机的80端口和443端口。放行请求连接和应答
iptables-AINPUT-ieth0-ptcp-mmultiport–dports80,443-mstate–state
NEW,ESTABLISHED-jACCEPT
iptables-AOUTPUT-oeth0-ptcp-mmultiport–sports80,443-mstate–state
ESTABLISHED-jACCEPT
18.允许本机从eth0出站DNS访问
iptables-AOUTPUT-pudp-oeth0–dport53-jACCEPT
iptables-AINPUT-pudp-ieth0–sport53-jACCEPT
19.允许从eth0接收来自192.168.3.10的Mysql访问请求
iptables-AINPUT-ieth0-ptcp-s192.168.3.1–dport3306-mstate–state
NEW,ESTABLISHED-jACCEPT
iptables-AOUTPUT-oeth0-ptcp–sport3306-mstate–stateESTABLISHED-j
ACCEP
20.当访问量本地80端口的访问量达到每分钟100时调整为每分钟放行25个访问量
iptables-AINPUT-ptcp–dport80-mlimit–limit25/minute–limit-burst100-j
ACCEPT