寫在前面,總感覺會影響一些服務的運行,所以這個iptables也不是我想象中的那么好用,也或許是我沒琢磨透,以下是我的使用經歷
yum install iptables-services iptables-devel -y
systemctl enable iptables
vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Jul 9 21:09:09 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0.0]
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
//刪去上面整行后,22端口雖然掃描不出來,但是ssh也無法進行連接,建議保留並做一個fail2ban策略,文末有相應鏈接
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
//這樣就只會掃描到22,80,443端口,
實測是躲過了nmap的掃描。fail2ban策略