Fedora17中iptables防火墙配置

来源：互联网发布：linux配置svn服务器编辑：程序博客网时间：2024/06/05 23:45

Fedora17 Live Desktop默认安装后开启了防火墙

查看规则

使用iptables -L查看现有规则

# iptables -LChain INPUT (policy ACCEPT)target     prot opt source               destination         ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHEDACCEPT     icmp --  anywhere             anywhere            ACCEPT     all  --  anywhere             anywhere            ACCEPT     udp  --  anywhere             224.0.0.251          state NEW udp dpt:mdnsREJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)target     prot opt source               destination         REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)target     prot opt source               destination

防火墙3个链的默认策略均为ACCEPT

INPUT链最后一条规则会拒绝所有连接

开启ssh

需要使用ssh登陆时要开启ssh端口

若使用 -A 命令会在最后增加一条规则

这样因为前面REJECT目标已经拒绝了所有连接而使新增的允许规则无效

这里使用 -I 命令在INPUT链最前面插入一条规则允许ssh访问

iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# iptables -LChain INPUT (policy ACCEPT)target     prot opt source               destination         ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sshACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHEDACCEPT     icmp --  anywhere             anywhere            ACCEPT     all  --  anywhere             anywhere            ACCEPT     udp  --  anywhere             224.0.0.251          state NEW udp dpt:mdnsREJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)target     prot opt source               destination         REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)target     prot opt source               destination

配置保存

使用iptables-save保存防火墙规则到配置文件

iptables-save > /etc/sysconfig/iptables

保存前的/etc/sysconfig/iptables

# cat /etc/sysconfig/iptables# Firewall configuration written by system-config-firewall# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibitedCOMMIT

保存后的# cat /etc/sysconfig/iptables

# cat /etc/sysconfig/iptables# Generated by iptables-save v1.4.12.2 on Fri May  3 18:05:57 2013*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [126:15426]-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -d 224.0.0.251/32 -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibitedCOMMIT# Completed on Fri May  3 18:05:57 2013