3. 如果使用iptables
RH 8.0以上开始启用iptables替代ipchains,两者非常类似,也有差别的地方。
* 启用iptables
如果/etc/sysconfig/下没有iptables文件,可以创建:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameserversthroughthe
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport http -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport mysql -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport domain -jACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport domain -jACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn-jREJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn-jREJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -jREJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn-jREJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn-jREJECT
COMMIT
以上配置允许了ftp, ssh, http, smtp, pop3, mysql,2001(Prim@HostingACA端口),domain端口。
* 启动iptables
/etc/init.d/iptables start
* 设置iptables为自动启动
chkconfig --level 2345 iptables on
* 用iptables屏蔽IP
iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s213.8.166.227--dport 80 --syn -j REJECT
注意到,和ipchains的区别是:
-I后面跟的规则名称的参数和ipchains不同,不是统一的input,而是在/etc/sysconfig/iptables里定义的那个
多了-m tcp
指定端口的参数是--dport 80
多了--syn参数,可以自动检测sync攻击
使用iptables禁止ping:-A INPUT -p icmp -m icmp --icmp-type 8 -mlimit--limit 6/min --limit-burst 2 -j ACCEPT-A INPUT -p icmp -micmp--icmp-type 8 -j REJECT --reject-with icmp-port-unreachabl