禁止Filewalld開機啟動

為了防止與iptables沖突拭宁，您必須先禁止Filewalld開機啟動。

執(zhí)行如下命令瓣俯，查看服務狀態(tài)宿百。

systemctl status firewalld

當服務處于active狀態(tài)若贮，運行以下命令關(guān)閉Firewalld服務。

systemctl stop firewalld

執(zhí)行如下命令，禁止Filewalld開機啟動辕羽。

systemctl disable firewalld

1 安裝iptables

執(zhí)行如下命令，安裝iptables觅闽。

yum install -y iptables-services

2 啟動iptables并設置為開機啟動

? ? ?執(zhí)行如下命令珊楼，啟動iptables。

systemctl start iptables

? ? 執(zhí)行如下命令绪爸，查看iptables是否成功啟動湾碎。

systemctl status iptables

系統(tǒng)顯示類似如下，說明iptables已經(jīng)成功啟動奠货。

執(zhí)行如下命令胜茧，設置iptables開機啟動。

systemctl enable iptables.service

創(chuàng)建規(guī)則腳本仇味，自己新建一個規(guī)則腳本iptablescript.sh

#!/bin/sh

#

#https://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/

# Script is for stoping Portscan and smurf attack

# June 15, 2013 by Sharad Chhetri

### first flush all the iptables Rules

iptables -F

# INPUT iptables Rules

# Accept loopback input

iptables -A INPUT -i lo -p all -j ACCEPT

# allow 3 way handshake

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### DROPspoofing packets

iptables -A INPUT -s 10.0.0.0/8 -j DROP

iptables -A INPUT -s 169.254.0.0/16 -j DROP

iptables -A INPUT -s 172.16.0.0/12 -j DROP

iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 192.168.0.0/24 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP

iptables -A INPUT -d 224.0.0.0/4 -j DROP

iptables -A INPUT -s 240.0.0.0/5 -j DROP

iptables -A INPUT -d 240.0.0.0/5 -j DROP

iptables -A INPUT -s 0.0.0.0/8 -j DROP

iptables -A INPUT -d 0.0.0.0/8 -j DROP

iptables -A INPUT -d 239.255.255.0/24 -j DROP

iptables -A INPUT -d 255.255.255.255 -j DROP

#for SMURF attack protection

iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP

iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP

iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Droping all invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP

# flooding of RST packets, smurf attack Rejection

iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Protecting portscans

# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)

iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove attacking IP after 24 hours

iptables -A INPUT -m recent --name portscan --remove

iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.

iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"

iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow ping means ICMP port is open (If you do not want ping replace ACCEPT with REJECT)

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly reject All INPUT traffic

iptables -A INPUT -j REJECT

################# Below are for OUTPUT iptables rules #############################################

## Allow loopback OUTPUT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the following ports through from outside

# SMTP = 25

# DNS =53

# HTTP = 80

# HTTPS = 443

# SSH = 22

### You can also add or remove port no. as per your requirement

iptables -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT

iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow pings

iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Lastly Reject all Output traffic

iptables -A OUTPUT -j REJECT

## Reject Forwarding? traffic

iptables -A FORWARD -j REJECT

把腳本放入如下目錄

/etc/rc.d/init.d/iptablescript.sh

3. 執(zhí)行如下命令,將該腳本標記為可執(zhí)行文件(添加可執(zhí)行的權(quán)限)

chmod +x /etc/rc.d/init.d/iptablescript.sh

4. 執(zhí)行如下命令將/etc/rc.d/rc.local文標記為可執(zhí)行文件

在centos7中,/etc/rc.d/rc.local文件的權(quán)限被降低了,開機的時候執(zhí)行在自己的腳本是不能起動一些服務的,執(zhí)行下面的命令可以文件標記為可執(zhí)行的文件

chmod +x /etc/rc.d/rc.local

5. 打開/etc/rc.d/rc.local文件,在最后面添加如下腳本

/etc/rc.d/init.d/iptablescript.sh

設置完成后呻顽，執(zhí)行如下命令，重啟實例驗證配置丹墨。

systemctl reboot

iptables常用命令

# 啟動iptables? ? ? ? ? ? systemctl start iptables

# 查看iptables狀態(tài)? ? ? ? systemctl status iptables

# 停止iptables? ? ? ? ? ? ? systemctl stop iptables

# 重啟iptables? ? ? ? ? ? ? systemctl restart iptables

# 重載iptables? ? ? ? ? ? ? ? ? systemctl reload iptables