How To:防火墙规则去重
主要命令
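# Drop duplicate rule lines from the live ruleset, keeping the first
# occurrence so the existing order is preserved, then load the deduped
# dump back with iptables-restore (which replaces the whole ruleset —
# take a copy with `iptables-save > FILE` first).
# The closing quote of the awk program was missing in the original one-liner.
# Lines are keyed per table (`*filter`, `*nat`, ...): lines that every table
# repeats — `COMMIT`, chain policies such as `:PREROUTING ACCEPT [0:0]` —
# would otherwise be removed from the second table onward by a plain
# `!x[$0]++`, and iptables-restore would then most likely fail on the later
# tables. A single-table save, as in the demo below, is unaffected either way.
# Order is not changed: a rule that sits below a terminating `-j REJECT`
# (as the `--dport 1531` ... rules do in the demo) stays unreachable.
iptables-save | awk '/^\*/ { table = $0 } !seen[table, $0]++' | iptables-restore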
演示:
[root@testname ~]# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
761 47910 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
282 16920 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
16 1852 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:rap-listen
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:x11:x11-ssh-offset
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:xdmcp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:50001
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:bmcpatrolagent:csvr-proxy
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:13700:13800
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 938 packets, 74222 bytes)
pkts bytes target prot opt in out source destination
[root@testname ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1531 -j ACCEPT
[root@testname ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
[root@testname ~]# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT
[root@testname ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 50001 -j ACCEPT
[root@testname ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3181:3190 -j ACCEPT
[root@testname ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 13700:13800 -j ACCEPT
[root@testname ~]# iptables-save
# Generated by iptables-save v1.4.7 on Sun Jun 21 19:59:46 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:5520]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1531 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:6010 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 177 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3181:3190 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 13700:13800 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1531 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:6010 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 177 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3181:3190 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 13700:13800 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Jun 21 19:59:46 2015
[root@testname ~]# iptables-save| awk ' !x[$0]++' | iptables-restore
[root@testname ~]# iptables-save
# Generated by iptables-save v1.4.7 on Sun Jun 21 20:01:09 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:636]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1531 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6000:6010 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 177 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3181:3190 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 13700:13800 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Jun 21 20:01:09 2015
