vim /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

以上是防火墙设置文件的初始值。

下面需要增加的:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

-A INPUT -s 115.28.46.84/32 -p tcp -m tcp --dport 3306 -j ACCEPT  //115.28.46.84是从数据库地址

 

 

实例:

[danny@ay-sc-hz-02 ~]$ sudo cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Sep 30 14:47:08 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44:6143]
:BLACKLIST - [0:0]
-A INPUT -s 115.28.46.84/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 112.124.7.82/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 121.199.2.108/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 54.204.167.252/32 -j ACCEPT
-A INPUT -s 54.226.209.220/32 -j ACCEPT
-A INPUT -s 180.166.51.234/32 -j ACCEPT
-A INPUT -s 174.129.49.94/32 -j ACCEPT
-A INPUT -s 75.101.181.183/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 10.160.2.32/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A BLACKLIST -j DROP
COMMIT
# Completed on Tue Sep 30 14:47:08 2014

 

[danny@ay-db-qd-01 log]$ sudo cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon Aug 25 17:48:21 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [184452044:15279824631]
:BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 54.204.167.252 -j ACCEPT
-A INPUT -s 54.226.209.220 -j ACCEPT
-A INPUT -s 180.166.51.234 -j ACCEPT
-A INPUT -s 174.129.49.94 -j ACCEPT
-A INPUT -s 75.101.181.183 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 10.144.38.91 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A BLACKLIST -j DROP
COMMIT
# Completed on Mon Aug 25 17:48:21 2014

 

[danny@ay-wifi-hz-01 ~]$ sudo cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Wed Aug 6 14:55:42 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [91064865:14245935000]
:BLACKLIST - [0:0]
-A INPUT -s 112.5.193.46 -j DROP
-A INPUT -s 112.5.193.47 -j DROP
-A INPUT -s 115.168.77.68 -j DROP
-A INPUT -s 115.238.225.110 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 23.22.208.66 -j ACCEPT
-A INPUT -s 54.226.209.220 -j ACCEPT
-A INPUT -s 180.166.51.234 -j ACCEPT
-A INPUT -s 174.129.49.94 -j ACCEPT
-A INPUT -s 75.101.181.183 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 10.122.68.87 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A BLACKLIST -j DROP
COMMIT
# Completed on Wed Aug 6 14:55:42 2014

 

[root@ay-xf-hz-01 ~]# sudo cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Sep 24 17:11:18 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [86:9522]
:BLACKLIST - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8089 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 180.166.51.234/32 -j ACCEPT
-A INPUT -s 174.129.49.94/32 -j ACCEPT
-A INPUT -s 75.101.181.183/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A BLACKLIST -j DROP
COMMIT
# Completed on Wed Sep 24 17:11:18 2014

posted @ 2014-10-05 09:07  chromebook  阅读(1930)  评论(0编辑  收藏  举报