I'm running into a problem with iptables. I'm trying to block port 80 from the outside; basically the plan is that we only need to tunnel in over SSH, and then we can get at the GUI etc. on the server.
I have this in my rules:
Chain OUTPUT (policy ACCEPT 28145 packets, 14M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
and
Chain INPUT (policy DROP 41 packets, 6041 bytes)
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
Would anyone care to share some insight?
Answer 1
You should set the INPUT chain policy to DROP and the OUTPUT chain policy to ACCEPT, then open only the ports you want to allow. Like this:
/sbin/iptables -P INPUT DROP      # Default for inbound: drop anything no rule below accepts.
/sbin/iptables -P OUTPUT ACCEPT   # Let the host open outbound connections freely.
/sbin/iptables -P FORWARD DROP    # Probably a good idea too.
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Now allow TCP SYN packets in to certain ports. Once they are ACK'ed,
# the above rule for ESTABLISHED connections takes over and lets traffic flow.
/sbin/iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
Answer 2
Don't use state on DROP rules.
If you don't know whether your http server is tcp or udp, you should drop udp as well.
# Q: I don't understand, though, why my rules keep letting me in
# A: clean the chains first
iptables -F   # flush every rule in the filter table
iptables -X   # delete user-defined (empty) chains
iptables -Z   # zero the packet/byte counters
# Set default policy to DROP if not matched by any rule
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Accept incoming connections only if previously established.
iptables -A INPUT -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow to create/ESTABLISH outgoing connections.
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Default policy is set to DROP so we don't need these
#iptables -A INPUT -p udp --dport 80 -j DROP
#iptables -A INPUT -p tcp --dport 80 -j DROP
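Both answers describe the same design: a default-deny INPUT chain, an ESTABLISHED accept near the top, and only the ports you actually want (here SSH) opened after it. The script below is an added example and not code from either answer; it emits that ruleset in the order it must be applied, blocks port 80 on the external interface while leaving it reachable over loopback (so an SSH tunnel like `ssh -L 8080:127.0.0.1:80 user@server` still works), and sets the DROP policies last so a failed line part way through cannot lock you out. The interface name eth1 and SSH port 22 are assumptions and are parameters. Because iptables stops at the first matching rule, a DROP that sits below an ACCEPT already matching the same traffic is never reached and its counters stay at zero, so the ordering helpers are what the test checks.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumed names: external interface eth1, SSH listening on 22 (both parameters).

# Emit the iptables commands, one per line, in the order they must be applied.
# Allow rules first (most specific ESTABLISHED accept at the top), the explicit
# port-80 DROP after them, and the DROP policies last so an aborted run never
# leaves INPUT at DROP with an empty allow list.
build_rules() {
    wan_if="${1:-eth1}"     # external interface (assumption)
    ssh_port="${2:-22}"     # SSH listener (assumption)
    cat <<EOF
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan_if -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
iptables -A INPUT -i $wan_if -p tcp --dport 80 -j DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}
# Notes on the emitted rules:
#  - "-i lo" is accepted first so the tunnel's local hop (sshd -> 127.0.0.1:80) works.
#  - the port-80 DROP carries no "-m state"; it catches NEW, INVALID and anything
#    else, and is redundant with the INPUT policy but gives a visible counter in
#    "iptables -L INPUT -v -n" for blocked attempts.
#  - OUTPUT stays ACCEPT: blocking port 80 in OUTPUT only stops this host from
#    reaching other web servers, it does nothing for inbound traffic.

# 1-based position of the first emitted command matching a grep pattern.
# Used to prove ordering: the ESTABLISHED accept and the SSH accept must come
# before the port-80 DROP, and every rule before the DROP policies.
rule_index() {
    build_rules "$1" "$2" | grep -n -- "$3" | head -n 1 | cut -d: -f1
}

# Number of emitted iptables commands.
rule_count() {
    build_rules "$1" "$2" | grep -c '^iptables'
}

# Apply the ruleset (needs root). "sh -e" stops at the first failing command,
# which at worst leaves the old policies in place with a partial allow list.
apply_rules() {
    build_rules "$1" "$2" | sh -e
}

# Confirm the live chain contains the exact port-80 DROP (needs root).
# "iptables -C" exits 0 only if an identical rule exists in the chain.
verify_port80_drop() {
    iptables -C INPUT -i "${1:-eth1}" -p tcp --dport 80 -j DROP
}
```

Run `build_rules eth1 22` to review the commands, `apply_rules eth1 22` as root to install them, then watch `iptables -L INPUT -v -n --line-numbers`: a port-80 connection attempt from outside should increment the counter on the DROP line, and if it increments an ACCEPT line above it instead, that rule is shadowing the DROP.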