centos-rhel服务器相关 / 未分类 · 2016年3月23日

防火墙iptables开放80端口

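# List the current rules together with their position in each chain. The
# position is what matters here: iptables uses the first matching rule, so an
# ACCEPT that sits behind a REJECT/DROP rule is never reached.
iptables -L -n --line-numbers
# Without these two rules the host cannot be reached. They open ports 80 and 22.
# Rules that must take priority have to be added with -I (insert at the top of
# the chain), not -A (append to the end) -- iptables honours rule order.
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT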

# Persist the running ruleset so the -I inserts above survive the next
# restart of the iptables service.
service iptables save
# Same save action invoked through the init script directly; on a CentOS/RHEL
# SysV system `service` dispatches to this script, so one of the two is enough.
/etc/rc.d/init.d/iptables save

有一次用 -A 追加规则后无法访问80端口，当时的初始防火墙规则如下：
[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.7 on Thu Oct 27 17:39:49 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94:40838]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Oct 27 17:39:49 2016
如果需要远程管理mysql,则使用以下指令临时打开,用完后关闭
* 打开指令
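# Temporarily allow MySQL (3306) from a single administrative host only.
# Replace xxx.xxx.xxx.xxx with that host's address; do not drop the -s filter.
# -I puts the rule at the top of INPUT so it is evaluated before the chain's
# trailing REJECT rule (see the iptables-save output above); a rule appended
# with -A would sit behind that REJECT and never match, which is exactly the
# "port not reachable" symptom described earlier on this page.
iptables -I INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT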
* 关闭指令
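# Remove the temporary MySQL rule again as soon as the remote session is done.
# -D matches the rule by its specification, so the source address, port and
# target must be exactly those used when the rule was added (it does not matter
# whether it was added with -I or -A).
iptables -D INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT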
nginx 80 端口访问不了?
添加一个本地回路
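# Accept all traffic arriving on the loopback interface (local connections to
# nginx and to upstreams on 127.0.0.1 depend on it). Insert rather than append:
# the ruleset shown on this page ends in a REJECT rule, and an ACCEPT appended
# behind it is never evaluated.
iptables -I INPUT -i lo -j ACCEPT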
http://www.blogjava.net/Alpha/archive/2012/09/17/387950.html
开放22、80端口
Ssh代码
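# Open SSH (22) and HTTP (80). The options are --dport/--sport with two ASCII
# hyphens; the en-dash that appears in copied text is not accepted by iptables.
# -I (insert at the top) is used instead of -A so the rules also work when the
# chain already holds a REJECT/DROP rule -- the listing at the bottom of this
# page shows what happens with -A: the appended 22/80 rules land behind the
# REJECT rule and are never reached.
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT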
取消其他端口的访问规则
Ssh代码
# Default-deny: set the policy of every built-in filter chain to DROP, so that
# anything not explicitly accepted by a rule is silently dropped. Run this only
# after the ACCEPT rules for the management port (22) are in place, otherwise
# the current SSH session and any new one is cut off. With OUTPUT at DROP the
# host cannot send anything until the `iptables -A OUTPUT -j ACCEPT` rule further
# down this page is added.
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" DROP
done
允许本地回环接口(即允许本机访问本机)
Ssh代码
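# Allow the loopback interface (the host talking to itself). Matching on the
# interface covers every local connection, including ones made to the host's
# own non-127 address over lo, which a plain -s/-d 127.0.0.1 match would drop
# under the DROP policy. This is also the form used elsewhere on this page.
iptables -A INPUT -i lo -j ACCEPT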
允许已建立的或相关连的通行(如数据库链接)
Ssh代码
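# Accept packets that belong to, or are related to, a connection that is
# already established (replies to the host's own outbound connections,
# database sessions, ...). Written with two ASCII hyphens: --state.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT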
允许所有本机向外的访问
Ssh代码
# Let everything the host sends out through. This is what re-opens outbound
# traffic after the OUTPUT policy was set to DROP earlier on this page; the
# per-port --sport rules above become redundant once this is in place.
iptables --append OUTPUT --jump ACCEPT
保存配置:
Ssh代码
# Persist the rules and policies configured above so they are reloaded the
# next time the iptables service starts; until this runs they exist only in
# the running kernel.
service iptables save
例如（注意下面用 -A 追加的 22/80 规则排在 REJECT 规则之后，因此不会生效）：
[root@vultr pieblog]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@vultr pieblog]# /etc/init.d/iptables start
iptables:应用防火墙规则: [确定]
[root@vultr pieblog]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@vultr pieblog]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
[root@vultr pieblog]# iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@vultr pieblog]# iptables -A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@vultr pieblog]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state NEW,ESTABLISHED