- 清除所有规则:
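# Start from a clean filter table. The INPUT policy is reset to ACCEPT first:
# on a re-run of these commands the policy is already DROP (set further down),
# and flushing while it is DROP would cut the admin's own session until the
# ACCEPT rules below have been re-added.
iptables -P INPUT ACCEPT
# -F removes all rules; -X (with no chain name) then removes the now-empty
# user-defined chains, so that `iptables -N syn-flood` below does not fail
# with "chain already exists" on a re-run.
iptables -F
iptables -X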
- 开放常用tcp端口:
# Inbound: accept TCP to the listed service ports (single ports and the
# 30000-30999 range) in one multiport rule inserted at the top of INPUT.
# Outbound: accept TCP leaving from those same ports. This second rule is
# redundant while the OUTPUT policy is ACCEPT (set below); kept for symmetry.
iptables --insert INPUT --protocol tcp --match multiport --destination-ports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 --jump ACCEPT
iptables --insert OUTPUT --protocol tcp --match multiport --source-ports 20,21,22,3690,80,443,4443,8023,8888,25,110,30000:30999 --jump ACCEPT
- 开放常用udp端口:
# NOTE(review): this rule is truncated on this page. multiport needs a port
# list (--dports/--sports/--ports) or the command fails to load, and without a
# -j ACCEPT target the rule would only count packets, not allow anything.
iptables -I INPUT -p udp -m multiport
- 开放特殊udp端口(如:dns):
# NOTE(review): incomplete on this page — the port match (for the DNS case the
# heading mentions, something like --dport 53) and the -j target are missing.
# As written this rule matches all UDP and has no effect other than counting.
iptables -I INPUT -p udp
- 开放vrrp协议:
# Accept VRRP (IP protocol 112, used by keepalived-style failover) on INPUT.
# The protocol name is resolved through /etc/protocols.
# NOTE(review): no source or interface restriction — consider limiting this to
# the VRRP multicast destination (224.0.0.18) or the peer's address/interface.
iptables --insert INPUT --protocol vrrp --jump ACCEPT
- 允许服务器互ping:
# Accept every ICMP type in both directions (not just echo-request/reply), so
# ping works between servers and ICMP errors such as fragmentation-needed get
# through. The OUTPUT rule is redundant under the OUTPUT ACCEPT policy below.
iptables --append OUTPUT --protocol icmp --jump ACCEPT
iptables --append INPUT --protocol icmp --jump ACCEPT
- 允许握手成功的数据通过:
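# Accept packets of connections conntrack already knows (ESTABLISHED) or that
# are related to one (RELATED). Inserted at the top so it runs before the port
# lists. Not limited to TCP any more: with the INPUT policy DROP set below,
# the replies to this host's own UDP queries (DNS, NTP) and ICMP errors tied
# to them would otherwise be dropped unless a separate rule opened each one.
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT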
- 设置默认关闭所有端口:
# Chain policies: what happens to a packet no rule matched. Set only after the
# ACCEPT rules above exist, so the admin session is not cut when INPUT flips
# to DROP. FORWARD is dropped (this host is not a router), OUTPUT stays open.
iptables --policy FORWARD DROP
iptables --policy OUTPUT ACCEPT
iptables --policy INPUT DROP
- 防syn攻击:
# User-defined chain meant for SYN-flood limiting.
# NOTE(review): nothing on this page adds rules to the chain (typically a
# -m limit ACCEPT followed by a DROP), and the jump below is truncated — it
# would need at least `--syn -j syn-flood` to send connection-opening packets
# through the chain. As written the second command matches all TCP on INPUT
# and has no target, so it only counts packets.
iptables -N syn-flood
iptables -A INPUT -p tcp
- 防ddos攻击:
# NOTE(review): truncated on this page — only the interface (eth0) and
# protocol (tcp) matches survive; the rate-limiting match and the target are
# missing, so the rule as written matches all TCP on eth0 and only counts.
iptables -A INPUT -i eth0 -p tcp
- 防cc攻击:
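# HTTP connection limiting (anti-CC). All three rules are inserted with -I, in
# reverse order, so that they end up ABOVE the multiport ACCEPT for port 80
# and the ESTABLISHED rule added earlier; the original appended the two
# `recent` rules with -A, which placed them below that ACCEPT where they were
# never reached. --syn restricts each match to connection-opening packets, so
# packets of already accepted connections are not counted against the limits.
#
# Ends up 3rd (bottom): record the source address and accept the new connection.
iptables -I INPUT -p tcp --syn --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
# Ends up 2nd: reject a source that opened 30 or more connections in the last 60 s.
iptables -I INPUT -p tcp --syn --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
# Ends up 1st (top): reject when a single source IP already holds more than 50
# concurrent connections (the limit is 50; the old comment said 30).
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT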
- 保存:
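# Persist the ruleset to the file the RHEL/CentOS iptables service loads at
# boot. Dump to a temporary file first and move it into place only on success:
# a plain `>` redirection truncates the target before iptables-save runs, so a
# failed dump (e.g. not root) would leave an empty ruleset for the next boot.
iptables-save > /etc/sysconfig/iptables.tmp && mv -f -- /etc/sysconfig/iptables.tmp /etc/sysconfig/iptables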