[root@20161018 ~]# netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2501 0.0.0.0:* LISTEN
tcp6 0 0 :::2501 :::* LISTEN
[root@20161018 ~]#
Only open 22 and 80:
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
- iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Drop everything else by default:
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
- iptables -P OUTPUT DROP
Allow the local loopback interface (i.e. allow the host to reach itself):
- iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
Allow established or related connections through (e.g. database connections):
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow all outbound access from this host:
- iptables -A OUTPUT -j ACCEPT
Save the configuration:
- service iptables save
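The rules above applied as one script, added here as an example rather than taken from the original notes. It orders the rules so that loopback and ESTABLISHED,RELATED traffic are accepted before the DROP policies are set (so the SSH session running the script is not cut off), matches loopback on the `lo` interface instead of by 127.0.0.1 source/destination, and takes the port numbers from `SSH_PORT`/`HTTP_PORT` variables. The `IPT`, `DRY_RUN`, `build_rules`, `open_ports` and `apply_rules` names are this example's own; with `DRY_RUN=1` (the default) the commands are printed instead of executed, so the rule set can be reviewed before it touches the host.

```shell
#!/bin/sh
# Added example (not from the original notes): build the "only 22 and 80" rule
# set in a lock-out-safe order and either print it (DRY_RUN=1) or apply it.

IPT=${IPT:-iptables}          # assumed iptables binary name
SSH_PORT=${SSH_PORT:-22}      # assumed SSH port
HTTP_PORT=${HTTP_PORT:-80}    # assumed HTTP port

# Emit one iptables command per line, in the order they must run:
#  1. flush old rules, 2. accept loopback and already-established traffic,
#  3. accept NEW connections only on the allowed ports, 4. accept all outbound,
#  5. set the DROP policies last, when every ACCEPT rule is already in place.
build_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport $HTTP_PORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -j ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
EOF
}

# List the TCP ports the rule set would open, one per line; compare this with
# the LISTEN lines from "netstat -tnl" to spot services that will become
# unreachable (here, for example, port 2501 from the netstat output above).
open_ports() {
    build_rules | grep -- '--dport' | sed 's/.*--dport \([0-9]*\).*/\1/'
}

# Print the rules (DRY_RUN=1, default) or run them one by one, stopping at the
# first failure so a half-applied rule set is noticed immediately.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
    else
        build_rules | while IFS= read -r cmd; do
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        done
    fi
}
```

Run it with `DRY_RUN=0 sh firewall.sh` only after checking `open_ports` against the listening sockets; the original notes' `service iptables save` still has to be run afterwards to persist the result.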