Linux note 0x02
Source: Internet  Published: mac ps convert to pixels  Editor: 程序博客网  Time: 2024/06/07 22:48
iptables & firewalld
iptables
Chains along the packet path: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

iptables -L
    List the existing iptables rules.
iptables -F
    Flush (empty) the rules.
iptables -P INPUT DROP
    Set the default policy of the INPUT chain to DROP.
iptables -I INPUT -p icmp -j ACCEPT
    Allow ping (ICMP).
iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
    Allow only the specified network segment to access port 22 (SSH).
iptables -A INPUT -p tcp --dport 22 -j REJECT
    Reject port 22 traffic from all other hosts (appended with -A, so it sits after the allow rule and is only reached when the allow rule did not match).
service iptables save
    Save the rules so they take effect permanently.
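As an added illustration (not part of the original note), the following Python model replays the INPUT chain built above and shows why -I versus -A ordering matters: rules are evaluated top to bottom, the first match decides, and the DROP policy handles everything else. The packet layout, the Chain class and the reject_with_insert flag are assumptions made for this example.

```python
# Added illustration (not from the original note): evaluate the INPUT chain
# built above the way iptables does, first matching rule wins, policy last.
import ipaddress

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []  # ordered list of (match, target)

    def insert(self, match, target):  # iptables -I: head of chain
        self.rules.insert(0, (match, target))

    def append(self, match, target):  # iptables -A: tail of chain
        self.rules.append((match, target))

    def evaluate(self, pkt):
        """Return the verdict for a packet dict with proto, src, dport."""
        for match, target in self.rules:
            if "proto" in match and match["proto"] != pkt["proto"]:
                continue
            if "src" in match and ipaddress.ip_address(pkt["src"]) not in match["src"]:
                continue
            if "dport" in match and match["dport"] != pkt.get("dport"):
                continue
            return target  # first matching rule wins
        return self.policy  # nothing matched: chain policy decides

def build_input_chain(reject_with_insert=False):
    """Replay the note's commands in order; the flag swaps the final -A for -I."""
    chain = Chain(policy="DROP")  # iptables -F; iptables -P INPUT DROP
    chain.insert({"proto": "icmp"}, "ACCEPT")  # -I INPUT -p icmp -j ACCEPT
    chain.insert({"src": ipaddress.ip_network("192.168.10.0/24"),
                  "proto": "tcp", "dport": 22}, "ACCEPT")  # -I ... --dport 22 -j ACCEPT
    add = chain.insert if reject_with_insert else chain.append
    add({"proto": "tcp", "dport": 22}, "REJECT")  # -A INPUT -p tcp --dport 22 -j REJECT
    return chain

def verdict(chain, proto, src, dport=None):
    return chain.evaluate({"proto": proto, "src": src, "dport": dport})

if __name__ == "__main__":
    c = build_input_chain()
    print(verdict(c, "icmp", "8.8.8.8"))          # ACCEPT
    print(verdict(c, "tcp", "192.168.10.5", 22))  # ACCEPT
    print(verdict(c, "tcp", "10.0.0.9", 22))      # REJECT
    print(verdict(c, "tcp", "192.168.10.5", 80))  # DROP (chain policy)
    print(verdict(build_input_chain(True), "tcp", "192.168.10.5", 22))  # REJECT: -I shadows the allow
```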
FireWalld
firewall-cmd --get-default-zone
    Show the zone currently in use (the default zone).
firewall-cmd --get-zone-of-interface=eno16728
    Show which zone the eno network card is working in.
firewall-cmd --permanent --zone=external --change-interface=eno16278
    Set the card's zone to external; a --permanent change takes effect after the system restarts.
firewall-cmd --panic-on
    In an emergency, stop all connections (panic mode).
firewall-cmd --zone=public --query-service=https
    Check whether https traffic is allowed through the public zone. Use --add-service=https (service/protocol name) to allow it and --remove-service=https to reject it.
firewall-cmd --reload
    Make the permanent configuration take effect immediately.
firewall-cmd --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10
    Forward traffic arriving on port 888 to port 22 on 192.168.10.10.
Service access control list (hosts.allow / hosts.deny)

# Rule: match /etc/hosts.allow ? pass : match /etc/hosts.deny ? forbidden : pass

Two principles:
In a reject rule, write the service name (e.g. sshd), not the protocol name.
Write the reject rules first, then the allow rules.

/etc/hosts.deny
    sshd:*
/etc/hosts.allow
    sshd:192.168.10.