
Detailed explanation of the configuration of opening IP whitelist with Linux own firewall

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Servers section


Shulou (Shulou.com) 06/02 Report

Firewall configuration file: /etc/sysconfig/iptables

The default configuration on Red Hat Enterprise Linux Server release 6.0 is as follows:

[root@DMT-Oracle-server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

-- The iptables file is evaluated from top to bottom. Referring to the default configuration above: if the REJECT line second from the bottom is removed, then `service iptables start` effectively permits everything, which is the same as not enabling the firewall at all.

-- The chain policies for INPUT, OUTPUT and FORWARD are all ACCEPT by default. If you add no rules, the machine accepts traffic on every port.

[root@DMT-Oracle-server ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s 192.168.128.118 --dport 1521 -j ACCEPT
-A INPUT -p tcp -s 192.168.131.0/24 --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

-- The configuration above opens port 1521 on the server to the host 192.168.128.118 and to the network segment 192.168.131.0/24. These rules must be placed before the two REJECT lines.

-- Check whether the setting has taken effect with `iptables -L -n`.

For an explanation of each parameter, see `man iptables`:

-A, --append chain rule-specification: append a rule to the chain

-D, --delete chain rule-specification: delete a rule

-R, --replace chain rulenum rule-specification: replace (modify) a rule

-p, --protocol protocol: the protocol to match, e.g. TCP or UDP

-s, --source address[/mask][,...]: the source IP or network segment

-j, --jump target: the target of the rule, i.e. the action that follows it; the main actions are ACCEPT, DROP, REJECT and LOG

The difference between INPUT, OUTPUT, --dport and --sport:

INPUT: rules for traffic entering this machine

OUTPUT: rules for traffic leaving this machine

--dport: destination port

--sport: source port

Example 1:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This INPUT rule can be read as follows:

1. This is traffic entering the local server from outside.

2. The destination port (dport) of the packet is 22, i.e. it is accessing port 22 on this machine.

3. Allow this traffic to pass.

Example 2:

iptables -A INPUT -p tcp --sport 22 -j ACCEPT

This INPUT rule can be read as follows:

1. This is traffic entering the local server from outside.

2. The source port (sport) of the packet is 22, meaning the other party sent the packet from its port 22.

3. Allow this traffic.

Example 3:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

This OUTPUT rule can be read as follows:

1. This is traffic leaving the local server.

2. The destination port (dport) is 22.

3. Allow this traffic.

Example 4:

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

This OUTPUT rule can be read as follows:

1. This is traffic leaving the local server.

2. The source port (sport) of the packet is 22, i.e. the data is sent from port 22 of this server.

3. Allow this traffic.

A script to collect the whitelist IPs (that is, the IPs that regularly connect to the database):

[root@DMT-Oracle-server ~]# cat /iso/scripts/netstat_37.sh
#!/bin/sh
# Log a timestamp, then the unique foreign addresses of the Oracle sockets
date >> /iso/scripts/log/netstat37.log
netstat -apnT | grep DW | awk '{print $5}' | sort -u >> /iso/scripts/log/netstat37.log
echo "+" >> /iso/scripts/log/netstat37.log
# DW is part of the Oracle SID and is used here as the match keyword
# -T is needed: without it, long addresses are trimmed and the IPs are inaccurate
# (-T, --notrim: stop trimming long addresses)

# Extract the plain IPv4 client addresses from the log (the part before the first ":")
cat /iso/scripts/log/netstat37.log | grep 192 | grep -v 37 | grep 1521 | grep -v ffff | awk -F ":" '{print $1}'
# Extract the IPv4-mapped addresses (::ffff:a.b.c.d:port), where the IP is the 4th ":"-separated field
cat /iso/scripts/log/netstat37.log | grep 192 | grep -v 37 | grep 1521 | awk -F ":" '{print $4}' | sort -u
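Once the client addresses have been collected, the next step is to turn them into rules that sit before the REJECT line and to confirm that ordering, as the sections above require. The following is an added example, not the article's own script; it assumes a constructed whitelist file (one IP or CIDR per line) and a config in the /etc/sysconfig/iptables format shown earlier.

```shell
#!/bin/sh
# Added example (not from the article): turn a collected whitelist into
# iptables rules placed before the INPUT catch-all REJECT, then lint the result.
# Assumptions: $1 is a file in /etc/sysconfig/iptables format, $2 is a
# constructed whitelist with one IP or CIDR per line (# comments allowed).

# Emit $1 with one "-A INPUT -p tcp -s <entry> --dport $3 -j ACCEPT" per
# whitelist entry inserted just before the first INPUT REJECT rule, so the
# new rules are evaluated before the catch-all, as the article requires.
render_whitelist() {
    awk -v wl="$2" -v port="$3" '
        BEGIN {
            n = 0
            while ((getline line < wl) > 0)
                if (line != "" && line !~ /^#/) entries[n++] = line
        }
        $1 == "-A" && $2 == "INPUT" && /-j REJECT/ && !done {
            for (i = 0; i < n; i++)
                printf "-A INPUT -p tcp -s %s --dport %s -j ACCEPT\n", entries[i], port
            done = 1
        }
        { print }
    ' "$1"
}

# Check the ACCEPT rules for port $2 in config $1. Prints and returns:
#   "shadowed"    (1) an ACCEPT sits after the INPUT REJECT and never matches
#   "open-to-all" (2) an ACCEPT for the port has no -s, so it is not a whitelist
#   "ok"          (0) otherwise
lint_rules() {
    awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && /-j REJECT/ { rejected = 1; next }
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") {
            if (rejected) status = 1
            else if ($0 !~ /(^| )-s / && status == 0) status = 2
        }
        END {
            if (status == 1) print "shadowed"
            else if (status == 2) print "open-to-all"
            else print "ok"
            exit status
        }
    ' "$1"
}
```

Run `render_whitelist /etc/sysconfig/iptables whitelist.txt 1521 > /tmp/iptables.new` and then `lint_rules /tmp/iptables.new 1521` before copying the file into place and restarting the service.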


© 2024 shulou.com SLNews company. All rights reserved.
