It is working now.
### Login as Super User
su
chkconfig iptables off
/etc/init.d/iptables start
### Clear/flush iptables
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
### Allow SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
### Allow YUM updates
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --match owner --uid-owner 0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 --match owner --uid-owner 0 -m state --state NEW,ESTABLISHED -j ACCEPT
### Add your rules from the link above, here
# ftp,smtp,imap,http,https,pop3,imaps,pop3s
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 21,25,143,80,443,110,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 21,25,143,80,110,443,993,995 -m state --state NEW,ESTABLISHED -j ACCEPT
## allow dns
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT && iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# handling pings
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT && iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT && iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# manage ddos attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Implement some logging so that we know what's getting dropped
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
# once a rule matches traffic, later rules no longer apply to it
# so if the traffic has not been accepted by now, block it
iptables -A INPUT -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A OUTPUT -j DROP
# allow only internal port forwarding
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -P FORWARD DROP
# create an iptables config file
iptables-save > /etc/iptables.rules
### Append the following to the rc.local file
#nano /etc/rc.local
####---
#/sbin/iptables-restore < /etc/iptables.rules
####---
/etc/init.d/iptables save
## check that this setup works
service iptables restart
## log out/in testing
chkconfig iptables on
What is wrong with this setup?
If I restart the server, it won't let me back in over SSH; Yum on CentOS 6 may have a problem.
I modified the above from: https://gist.github.com/Jonathonbyrd/1274837#file-instructions. I'm trying to secure a Magento installation on nginx.
I have installed php5.4, Percona Server (MySQL replacement), Nginx, apc, zenopcode, ioncube. Everything except iptables is working fine.
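The ruleset above, checked with a small Python model of iptables first-match evaluation (an added example, not code from the question or from the gist it is based on): it loads a constructed excerpt of the rules in order, skips the lines real iptables would reject because `--state` is used without `-m state`, and reports what happens to a new SSH connection on eth0 versus another interface. The model only covers the flags in this excerpt (-i, -p, --dport, --state, user chains) and treats `-m limit` as always matching.

```python
import shlex
from collections import defaultdict
RULES = """
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 --match owner --uid-owner 0 --state NEW,ESTABLISHED -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
""".strip().splitlines()   # constructed excerpt of the question's ruleset, not the full script

def parse_opts(argv):
    """Map each flag to the list of its values (-m/--match may appear more than once)."""
    opts, i = defaultdict(list), 0
    while i < len(argv):
        has_val = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        opts["-m" if argv[i] == "--match" else argv[i]].append(argv[i + 1] if has_val else True)
        i += 2 if has_val else 1
    return opts

def build(lines):
    """Load -N/-A/-I lines in order; also return the 1-based numbers of lines iptables rejects."""
    chains, rejected = defaultdict(list), []
    for n, line in enumerate(lines, 1):
        cmd, chain, *rest = shlex.split(line)[1:]        # drop the leading "iptables"
        if cmd == "-N": continue                         # defaultdict creates the chain on first -A
        pos = int(rest.pop(0)) if cmd == "-I" and rest[0].isdigit() else 1
        opts = parse_opts(rest)
        if "--state" in opts and not {"state", "conntrack"} & set(opts["-m"]):
            rejected.append(n)                           # "unknown option --state": rule never loads
        else:
            chains[chain].insert(pos - 1 if cmd == "-I" else len(chains[chain]), opts)
    return chains, rejected

def matches(rule, pkt):
    """Model -i, -p, --dport and --state only; -m limit is treated as always matching."""
    ok = all(rule[f][0] == pkt[k] for f, k in (("-i", "iface"), ("-p", "proto"), ("--dport", "dport")) if f in rule)
    return ok and ("--state" not in rule or pkt["state"] in rule["--state"][0].split(","))

def verdict(chains, chain, pkt):
    """First-match walk; None means the packet falls through to the chain policy."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            target = rule["-j"][0]
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            if target in chains and (sub := verdict(chains, target, pkt)):   # user chain, e.g. LOGGING
                return sub                               # LOG and other non-terminating targets: keep walking
    return None
CHAINS, REJECTED = build(RULES)                          # REJECTED == [2]: the owner/--state line
SSH_NEW = {"iface": "eth0", "proto": "tcp", "dport": "22", "state": "NEW"}
```

A new SSH connection on eth0 is accepted, while the same connection on any other interface name falls into LOGGING and is dropped, which is the interface pin to check first if the box is unreachable after a reboot.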
Answer 1
You're missing a sudo there...
### Allow SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT