2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/03 Report--
Temporarily shut down iptables and selinux
service iptables stop
setenforce 0
Permanently shut down iptables and selinux
chkconfig iptables off
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
iptables
If the /etc/sysconfig/iptables file does not exist, saving the current rules creates it:
# iptables -P OUTPUT ACCEPT
# service iptables save
# iptables -F    (flushes the rules in all chains of the default table, filter)
# iptables -X    (deletes the user-defined chains in the default table, filter)
nmap can scan the ports of a server
yum install -y nmap
Command format: # nmap ip
The relationship between netfilter and iptables is similar to that between ipvs and LVS.
The filter table in iptables has three built-in rule chains: INPUT, FORWARD, and OUTPUT.
Rules are configured in /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
The three lines that begin with a colon set each chain's default policy, which has the lowest priority: it applies only when no rule in the chain matches. With ACCEPT as the default everything passes, and the firewall is virtually nonexistent. There are three modes:
1. All ACCEPT
2. All DROP; only traffic matched by explicitly added rules is ACCEPTed
3. INPUT is set to DROP, so only specified traffic can come in. OUTPUT is set to ACCEPT, so everything can go out by default.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
As a command, a rule is added like this: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
To block access from an IP, add: -A INPUT -s 192.168.1.1 -j DROP
# -A INPUT -j REJECT --reject-with icmp-host-prohibited    (REJECT refuses the packet and returns an ICMP host-prohibited message)
Anything not accepted by the INPUT rules above this line is rejected; this rule takes priority over the three colon (default policy) lines.
# -A OUTPUT -j REJECT --reject-with icmp-host-prohibited    (REJECT refuses the packet and returns an ICMP host-prohibited message)
# iptables --list    (shows which services can pass the firewall)
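The priority relationship described above (a chain's colon policy line applies only when no rule matches, and a final catch-all REJECT overrides it) can be checked mechanically. The following shell function is an added example, not part of the original article; it reads a ruleset in /etc/sysconfig/iptables format and reports whether each filter chain ends up default-allow or default-deny. The function names and the sample ruleset are constructed for illustration.

```shell
# Added example: for each built-in chain of the filter table, report whether
# traffic that matches no specific rule is allowed or denied.
# Reads an /etc/sysconfig/iptables style ruleset on stdin.
audit_filter_policy() {
    awk '
    /^\*/ { in_filter = ($1 == "*filter"); next }  # table header line
    !in_filter { next }
    /^:/ {                                         # e.g. :INPUT ACCEPT [0:0]
        chain = substr($1, 2); policy[chain] = $2; order[++n] = chain; next
    }
    # Catch-all rule: "-A CHAIN -j TARGET ..." with no match options before -j.
    # Only the first terminating catch-all counts; later rules are unreachable.
    $1 == "-A" && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") {
        if (!($2 in catchall)) catchall[$2] = $4
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (c in catchall) { t = catchall[c]; why = "catch-all " t " rule" }
            else               { t = policy[c];   why = "policy " t }
            printf "%s %s (%s)\n", c, (t == "ACCEPT" ? "default-allow" : "default-deny"), why
        }
    }'
}

# Constructed sample ruleset (not from the article): ACCEPT policies on all
# three chains, with a final catch-all REJECT on INPUT only.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_rules | audit_filter_policy
```

On a live host the same check can be fed from the saved rules file, for example audit_filter_policy < /etc/sysconfig/iptables.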
The nat table is used for local port forwarding, in its PREROUTING chain
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d 192.168.2.102 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.103:8080
iptables -t nat -A OUTPUT -d 192.168.2.1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
(-t selects the table; PREROUTING is a chain in the nat table)
Allow yum
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 10000:65535 -j ACCEPT
/etc/rc.d/init.d/iptables save
service iptables restart
Allow ping
-A INPUT -p icmp -j ACCEPT