CentOS 7 firewall: opening common ports with iptables

Time: 2022-11-22 11:35:08
  1. Clear all rules:
    iptables -F
  2. Open common TCP ports:
    iptables -I INPUT -p tcp -m multiport --dports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 -j ACCEPT
    iptables -I OUTPUT -p tcp -m multiport --sports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 -j ACCEPT
  3. Open common UDP ports:
    iptables -I INPUT -p udp -m multiport --dports 53,123,8571,8888 -j ACCEPT
    iptables -I OUTPUT -p udp -m multiport --sports 53,123,8571,8888 -j ACCEPT
  4. Open special UDP ports (e.g. DNS):
    iptables -I INPUT -p udp --sport 53 -j ACCEPT
    iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
  5. Open the VRRP protocol:
    iptables -I INPUT -p vrrp -j ACCEPT
  6. Allow servers to ping each other:
    iptables -A OUTPUT -p icmp -j ACCEPT
    iptables -A INPUT -p icmp -j ACCEPT
  7. Allow traffic of connections whose handshake has completed:
    iptables -I INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  8. Set the default policy to close all ports:
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
  9. SYN flood protection:
    iptables -N syn-flood
    iptables -A INPUT -p tcp --syn -j syn-flood
    iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
    iptables -A syn-flood -j REJECT
  10. DDoS protection:
    iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  11. CC attack protection:
    iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT  # allow at most 30 connections from a single IP
    iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
    iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
    # a single IP may open at most 30 new connections within 60 seconds
  12. Save:
    iptables-save > /etc/sysconfig/iptables
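Most of the rules above are added with -I (insert at the top of the chain) and a few with -A (append), so the order the kernel evaluates them in is not the order they are typed in. The Python script below is an added example, not part of the original post: it replays the post's INPUT and syn-flood commands with the insert/append semantics of iptables and prints the resulting INPUT chain, which shows that the multiport ACCEPT of step 2 ends up ahead of the syn-flood jump and the connlimit/recent rules of steps 9 to 11 (so a SYN to one of the opened ports is accepted before those rules are reached), and that step 1's -F leaves the syn-flood chain in place, so step 9's -N fails on a second run. The model only understands the -F, -N, -P, -A and -I forms used on this page.

```python
import shlex
# Commands copied from the post, in the order given (only the INPUT and syn-flood chain rules).
POST_COMMANDS = """
iptables -F
iptables -I INPUT -p tcp -m multiport --dports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 -j ACCEPT
iptables -I INPUT -p udp -m multiport --dports 53,123,8571,8888 -j ACCEPT
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I INPUT -p vrrp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -I INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
"""

def replay(script, chains=None):
    """Apply -F/-N/-P/-A/-I to a {chain: [rules]} model with iptables' ordering semantics."""
    chains = chains if chains is not None else {"INPUT": [], "OUTPUT": [], "FORWARD": []}
    for line in script.strip().splitlines():
        argv = shlex.split(line)
        op, args = argv[1], argv[2:]
        if op == "-F":          # flushes rules only; user-defined chains survive (-X deletes them)
            for rules in chains.values():
                rules.clear()
        elif op == "-N":        # so on a second run of the script iptables fails right here
            if args[0] in chains:
                raise ValueError(f"iptables: Chain already exists: {args[0]}")
            chains[args[0]] = []
        elif op == "-A":        # append: the rule becomes the last one in the chain
            chains[args[0]].append(" ".join(args[1:]))
        elif op == "-I":        # insert without a position: the rule becomes rule 1
            chains[args[0]].insert(0, " ".join(args[1:]))
        elif op != "-P":        # -P only sets the chain policy and adds no rule
            raise NotImplementedError(op)
    return chains

def rule_index(chains, chain, needle):
    """0-based position of the first rule in `chain` whose text contains `needle`."""
    return next(i for i, rule in enumerate(chains[chain]) if needle in rule)

if __name__ == "__main__":
    print("\n".join(f"{i:2d}  {r}" for i, r in enumerate(replay(POST_COMMANDS)["INPUT"], 1)))
```

Compare the printed order with `iptables -L INPUT -n --line-numbers` after applying the post's commands; the numbering should match.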