2025-04-03 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Firewalls
Main configuration file: /etc/sysconfig/iptables (edit it with vim /etc/sysconfig/iptables)
To customize the firewall, clear the rules there and set the default policy to DROP.
Firewall name: netfilter, tool: iptables
The firewall has three tables: filter, nat and mangle.
Each table has chains under it:
The filter table is used to filter packets and is the system's default table. It has three built-in chains: INPUT acts on packets entering the machine, OUTPUT acts on packets sent by the machine, and FORWARD acts on packets that are routed through the machine but are neither addressed to it nor sent by it.
The nat table is used for network address translation. The PREROUTING chain changes a packet's destination address just after it arrives at the firewall, and the POSTROUTING chain changes its source address just before the packet leaves the firewall.
The mangle table is used to mark packets so that they can be handled according to the mark later.
-A, -D: append or delete a rule
-I: insert a rule; it does the same job as -A, except that -I puts the rule at the head of the chain while -A appends it at the end
-p: specify the protocol, which can be tcp, udp or icmp
--dport: used together with -p to specify the destination port
--sport: used together with -p to specify the source port
-s: specify the source IP (can be an IP range)
-d: specify the destination IP (can be an IP range)
-j: followed by the action: ACCEPT allows the packet, DROP discards it silently, and REJECT refuses it and sends an error back to the sender
Rules take effect sequentially: when two rules match the same packet, the first one wins and the later ones are ignored.
Source IP: if a host wants to log in remotely to a server, that host is the source IP. It has to send packets to the server before the remote session can start, so if the server does not want to accept that session it can simply DROP those packets.
To use iptables you need to understand where the firewall sits: between the local host or network and the external network. That makes the source IP and destination IP for each chain clear; for the INPUT chain, for example, the destination IP is the local machine's IP and the source IP is the external IP.
1. Commands
iptables -t filter -I INPUT -p tcp --dport 80 -s 192.168.134.1 -j REJECT
iptables -F                              # clear all firewall rules
iptables -Z                              # zero the packet and byte counters
iptables-save > /etc/sysconfig/1.ipt     # back up the firewall rules
iptables-restore < /etc/sysconfig/1.ipt  # restore the firewall rules
iptables -P INPUT DROP                   # change a chain's default policy (DROP is the more secure choice)
Example:
For the filter table, set the INPUT chain's default policy to DROP and the other two chains to ACCEPT, then open port 22 for 192.168.134.0/24 only, and ports 80 and 21 for all networks. The script is as follows:
vim 1.ipt.sh
#!/bin/bash
ipt="/sbin/iptables"
$ipt -F                                                        # start from an empty rule set
$ipt -P INPUT DROP                                             # drop inbound traffic by default
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -s 192.168.134.0/24 -p tcp --dport 22 -j ACCEPT  # SSH only from the LAN
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT                      # HTTP from anywhere
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT                      # FTP from anywhere
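As an added example (not part of the original article and not iptables itself), the following Python model reproduces the evaluation semantics described above: rules are tried in order, the first match decides, and the chain's -P policy applies only when nothing matches. It loads the INPUT chain from the script above and shows that the same REJECT rule for 192.168.134.1 on port 80 gives a different verdict when added with -I (head of the chain) than with -A (end of the chain). Only -s, -p, --dport and -j are modelled, and the packet dictionaries are constructed test input.

```python
import ipaddress

# Simplified model of a filter-table chain (added example, not iptables code):
# rules are tried top to bottom, the first match decides, and the policy set
# with -P applies when no rule matched. -A appends, -I inserts at the head.
FLAGS = {"-s": lambda v: ipaddress.ip_network(v, strict=False),
         "-p": str, "--dport": int, "-j": str}

def parse_rule(text):
    """Pick the modelled options out of an iptables-style rule string."""
    toks = text.split()
    return {f: conv(toks[toks.index(f) + 1]) for f, conv in FLAGS.items() if f in toks}

def matches(rule, pkt):
    """True when every match criterion present in the rule fits the packet."""
    return (("-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"])
            and ("-p" not in rule or rule["-p"] == pkt["proto"])
            and ("--dport" not in rule or rule["--dport"] == pkt.get("dport")))

class Chain:
    def __init__(self, policy):
        self.policy, self.rules = policy, []   # policy: what -P set for the chain

    def append(self, text):        # like -A: the new rule goes last
        self.rules.append(parse_rule(text))

    def insert(self, text):        # like -I without a position: the new rule goes first
        self.rules.insert(0, parse_rule(text))

    def verdict(self, pkt):
        for rule in self.rules:    # sequential evaluation, first match wins
            if matches(rule, pkt):
                return rule["-j"]
        return self.policy         # nothing matched: the default policy applies

def build_input_chain():
    """The INPUT chain from the script above: policy DROP, then three ACCEPT rules."""
    chain = Chain("DROP")
    chain.append("-s 192.168.134.0/24 -p tcp --dport 22 -j ACCEPT")
    chain.append("-p tcp --dport 80 -j ACCEPT")
    chain.append("-p tcp --dport 21 -j ACCEPT")
    return chain

def ordering_demo():
    """Same REJECT rule for 192.168.134.1:80, added with -I versus -A (constructed packet)."""
    pkt = {"src": "192.168.134.1", "proto": "tcp", "dport": 80}
    inserted, appended = build_input_chain(), build_input_chain()
    inserted.insert("-p tcp --dport 80 -s 192.168.134.1 -j REJECT")
    appended.append("-p tcp --dport 80 -s 192.168.134.1 -j REJECT")
    return inserted.verdict(pkt), appended.verdict(pkt)   # ('REJECT', 'ACCEPT')
```

On a real host a chain with policy DROP also needs rules for loopback traffic and for replies to the machine's own outbound connections (for example `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`), which the script above does not add.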