ce
tos防火墙iptables用shell代码来添加vimfirewallshbi
bashPATHsbi
bi
usrsbi
usrbi
exportPATH1清除规则iptablesFiptablesXiptablesZ2设定政策iptablesPINPUTDROPiptablesPOUTPUTACCEPTiptablesPFORWARDACCEPT35制订各项规则iptablesAINPUTilojACCEPTiptablesAINPUTmstatestateRELATEDESTABLISHEDjACCEPTSSH的端口不然远程不了iptablesAINPUTptcpdport22jACCEPT做了FTP服务器开启21端口iptablesAINPUTptcpdport21jACCEPTiptablesAINPUTptcpdport1000020000jACCEPTWEB服务器开启80端口iptablesAINPUTptcpdport80jACCEPTseafile服务器iptablesAINPUTptcpdport8000jACCEPTiptablesAINPUTptcpdport8082jACCEPTiptablesAINPUTptcpdport12001jACCEPTiptablesAINPUTptcpdport10001jACCEPTiptablesAINPUTptcpdport25386jACCEPTiptablesAINPUTptcpdport25389jACCEPT邮件服务器开启25110端口iptablesAINPUTptcpdport110jACCEPTiptablesAINPUTptcpdport25jACCEPT做了DNS服务器开启53端口iptablesAINPUTptcpdport53jACCEPT允许loopback不然会导致DNS无法正常关闭等问题iptablesAINPUTilopalljACCEPTiptablesAOUTPUTolopalljACCEPT允许icmp包通过也就是允许pi
giptablesAOUTPUTpicmpjACCEPT
fiptablesAINPUTpicmpjACCEPT减少不安全的端口连接iptablesAOUTPUTptcpsport31337jDROPiptablesAOUTPUTptcpdport31337jDROPsambiptablesAINPUTptcpdport137jACCEPTiptablesAINPUTptcpdport138jACCEPTiptablesAINPUTptcpdport139jACCEPTiptablesAINPUTptcpdport445jACCEPTiptablesAINPUTieth0s1921681024jACCEPT6写入防火墙规则配置文件etci
itdiptablessaveserviceiptablesrestartwqchmod700firewallsh改一下权限，避免文件被人恶意修改firewallsh执行命令后，serviceiptablesrestart重启iptables防火墙，也可以把serviceiptablesrestart加到firewallsh里面的最后地方。这样只要实行firewallsh就可以了。查询防火墙状态serviceiptablesstatus关闭防火墙1）临时生效，重启后复原开启：serviceiptablesstart关闭：serviceiptablesstop2）永久性生效，重启后不会复原开启：chkco
figiptableso
关闭：chkco
figiptablesoff查看配置文件vimetcsysco
figiptables
fr