iptables企业级防火墙设置

L096 L097
1、首次命令行新建iptables步骤
iptables -F #清除规则
iptables -X #删除自定义链
iptables -Z #清空计数
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #开放22端访问
iptables -A INPUT -i lo ACCEPT #信任回环端口
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP #设置INPUT链的默认规则为DROP
iptables -P OUTPUT ACCEPT #设置OUTPUT链的默认规则为DROP
iptables -P FORWARD DROP #设置FORWARD链的默认规则为DROP
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT #允许PING包
####开放信任网段
iptables -A INPUT -s 192.168.1.100,192.168.2.0/24,192.168.3.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 5900:5910 -j ACCEPT 
####开启对外服务端口
iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
iptables -A INPUT -p tcp -m multiport --dport 80,8080,443 -j ACCEPT
####允许关联的包通过
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

2、查看当前运行状态的iptables的规则
iptables-save
3、查看默认iptables配置配置文件的规则
cat /etc/sysconfig/iptables
4、保存iptables配置
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables save
5、重新执行iptables配置文件
/etc/init.d/iptables reload
iptables-restore /etc/sysconfig/iptables
6、启停防火墙
/etc/init.d/iptables start
/etc/init.d/iptables stop
7、查看详细的规则配置
[root@centos6 sysconfig]# iptables -nvL --line
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
3 247 20668 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 411 49930 ACCEPT all -- 10.8.26.0/24 0.0.0.0/0
5 0 0 ACCEPT all -- 10.8.201.0/24 0.0.0.0/0
6 0 0 ACCEPT all -- 10.9.1.1 0.0.0.0/0
7 0 0 ACCEPT tcp -- 10.8.26.0/24 0.0.0.0/0 multiport dports 6888,11034
8 0 0 ACCEPT tcp -- 10.8.201.0/24 0.0.0.0/0 multiport dports 6888,11034
9 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
10 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:5910
11 0 0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 8080,443
12 0 0 ACCEPT all -- * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo 0.0.0.0/0 0.0.0.0/0
2 172 17712 ACCEPT all -- * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

8、基本配置文件示例
[root@centos6 sysconfig]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Jan 19 03:14:49 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
####Trust loopback interface and Ping
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
####Trust Network
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.8.26.0/24 -j ACCEPT
-A INPUT -s 10.8.201.0/24 -j ACCEPT
-A INPUT -s 10.9.1.1/32 -j ACCEPT
-A INPUT -s 10.8.26.0/24,10.8.201.0/24 -p tcp -m multiport --dport 6888,11034 -j ACCEPT
####Open Port
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,443 -j ACCEPT
####Relate Packets
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Jan 19 03:14:49 2018

本文转自 pk2008 51CTO博客，原文链接:http://blog.51cto.com/837244/2062778