Setting up filtered TCP ports on a Linux device with iptables


The configuration is as follows:

iptables -A INPUT -p tcp --dport 8888 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8888 -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

And the result of that configuration on the Linux device:

[root@jibe-eek /ecr]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8888 state NEW,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:8888 state ESTABLISHED
[root@jibe-eek /ecr]#

Below is an nmap scan of the device (for a quick response I scanned only ports 8800-9000):

change@ubuntu ~$ sudo nmap -sS -sU -PN -O -p 8800-9000 192.168.20.196

Starting Nmap 5.21 ( http://nmap.org ) at 2017-02-01 08:49 EET
Nmap scan report for 192.168.20.196
Host is up (0.0011s latency).
Not shown: 201 open|filtered ports, 200 filtered ports
PORT     STATE  SERVICE
8888/tcp closed sun-answerbook
MAC Address: 9C:14:65:10:0F:C3 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.97 seconds
change@ubuntu ~$ 

As you can see, my port 8888 is open, but I want it to be open|filtered. Is there a way? Below you will see an example nmap scan of an Ubuntu machine.

Here is the example nmap scan of the Ubuntu machine:

change@ubuntu ~$ sudo nmap -sS -sU -PN -O -p 8800-9000 192.168.20.251

Starting Nmap 5.21 ( http://nmap.org ) at 2017-01-31 16:59 EET
Nmap scan report for 192.168.20.251
Host is up (0.000048s latency).
All 402 scanned ports on 192.168.20.251 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
change@ubuntu ~$ sudo nmap -sS -sU -PN -O -p 1-9000 192.168.20.251

Starting Nmap 5.21 ( http://nmap.org ) at 2017-01-31 17:00 EET
Nmap scan report for 192.168.20.251
Host is up (0.000057s latency).
Not shown: 17992 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
111/tcp  open          rpcbind
2049/tcp open          nfs
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
601/udp  open|filtered unknown
2049/udp open          nfs
5353/udp open|filtered zeroconf
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=1/31%OT=22%CT=1%CU=1%PV=Y%DS=0%DC=L%G=Y%TM=5890A68C%P=i686
OS:-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS(O1=M400CS
OS:T11NW4%O2=M400CST11NW4%O3=M400CNNT11NW4%O4=M400CST11NW4%O5=M400CST11NW4%
OS:O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y
OS:%DF=Y%T=40%W=8018%O=M400CNNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds
change@ubuntu ~$ 

As you can see, some of the port states are open|filtered. Can I have filtered TCP ports on my Linux device?

You can also see what I mean more clearly in the picture: [image: the device and IPTABLES]

Answer 1

Try this:

_safeNetwork="192.168.0.0/24"

iptables -A INPUT -p tcp -s $_safeNetwork --dport 8888 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8888 -m state --state ESTABLISHED -j ACCEPT

This way it will filter connections to your machine only from your "safe network" and drop the rest.
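The port states in the two scans above, and the effect of the answer's source restriction, can be worked through in code. The following Python is an added example, not code from the original question or answer. The two sample scans it embeds are trimmed copies of the nmap output shown on the page; the verdict-to-state mapping encodes nmap's SYN-scan classification (SYN/ACK -> open, RST -> closed, no reply or ICMP unreachable -> filtered); the scanner address 192.168.20.251 is taken from the 0-hop scan above, and 192.168.0.0/24 is the answer's `_safeNetwork` value.

```python
"""Read nmap 'normal' output and relate each port state to the iptables
verdict that produced it.  Added example; not code from the original post.
The two sample scans below are trimmed copies of the page's nmap output."""
import ipaddress
import re

# "8888/tcp closed sun-answerbook", "68/udp open|filtered dhcpc"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "Not shown: 201 open|filtered ports, 200 filtered ports"
NOT_SHOWN = re.compile(r"^Not shown: (.+)$")
# "All 402 scanned ports on 192.168.20.251 are closed"
ALL_PORTS = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")

DEVICE_SCAN = """\
Nmap scan report for 192.168.20.196
Host is up (0.0011s latency).
Not shown: 201 open|filtered ports, 200 filtered ports
PORT     STATE  SERVICE
8888/tcp closed sun-answerbook
"""

UBUNTU_SCAN = """\
Nmap scan report for 192.168.20.251
Host is up (0.000057s latency).
Not shown: 17992 closed ports
PORT     STATE         SERVICE
22/tcp   open          ssh
111/tcp  open          rpcbind
2049/tcp open          nfs
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
601/udp  open|filtered unknown
2049/udp open          nfs
5353/udp open|filtered zeroconf
"""


def parse_nmap_normal(text):
    """Return (ports, hidden).  ports maps (number, proto) -> state for every
    port nmap listed on its own line; hidden maps state -> count for the
    ports it folded into the 'Not shown:' or 'All ... are ...' summary."""
    ports, hidden = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
            continue
        m = NOT_SHOWN.match(line)
        if m:
            for chunk in m.group(1).split(","):
                count, state = chunk.split()[:2]
                hidden[state] = hidden.get(state, 0) + int(count)
            continue
        m = ALL_PORTS.match(line)
        if m:
            hidden[m.group(2)] = int(m.group(1))
    return ports, hidden


def answered_by_the_host(ports):
    """Ports whose probe was answered by the target's own stack (open or
    closed).  A RST or SYN/ACK is only sent after the packet filter ACCEPTed
    the probe, so every 'closed' port is a hole in a DROP policy even though
    no service is listening behind it."""
    return sorted(p for p, state in ports.items() if state in ("open", "closed"))


def syn_scan_state(verdict, listening, reject_with="icmp-port-unreachable"):
    """State nmap -sS assigns to one TCP port given the iptables verdict on
    the incoming SYN (nmap: SYN/ACK -> open, RST -> closed, silence or ICMP
    unreachable -> filtered)."""
    if verdict == "ACCEPT":
        return "open" if listening else "closed"   # kernel replies: SYN/ACK or RST
    if verdict == "DROP":
        return "filtered"                          # no reply at all
    if verdict == "REJECT":
        # REJECT's default for TCP is ICMP port-unreachable (-> filtered);
        # only --reject-with tcp-reset looks like a genuinely closed port.
        return "closed" if reject_with == "tcp-reset" else "filtered"
    raise ValueError("unknown iptables verdict: %r" % (verdict,))


def state_seen_by(scanner_ip, safe_network, listening=False):
    """Predict what a scanner sees on 8888/tcp under the answer's rule set:
    ACCEPT for NEW SYNs from safe_network, policy DROP for everything else."""
    inside = ipaddress.ip_address(scanner_ip) in ipaddress.ip_network(safe_network)
    return syn_scan_state("ACCEPT" if inside else "DROP", listening)


if __name__ == "__main__":
    for name, scan in (("device", DEVICE_SCAN), ("ubuntu", UBUNTU_SCAN)):
        ports, hidden = parse_nmap_normal(scan)
        print("%s: listed=%d hidden=%s answered=%s"
              % (name, len(ports), hidden, answered_by_the_host(ports)))
    # The answer's _safeNetwork versus the scanner address used on the page.
    for src in ("192.168.0.10", "192.168.20.251"):
        print("scan from %-15s -> 8888/tcp %s" % (src, state_seen_by(src, "192.168.0.0/24")))
```

The caveat this makes visible: under the answer's rules a scanner inside `_safeNetwork` still sees 8888/tcp as closed when nothing listens, because ACCEPT lets the SYN reach the kernel, which answers with a RST; only probes from outside the range fall through to the INPUT DROP policy and show as filtered. With 192.168.0.0/24 as written, the scanner on 192.168.20.251 used for the scans on this page is outside it.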
