# cat /etc/iptables.rules
#############################################################
# Generated by iptables-save v1.4.21 on Sun Oct 11 16:00:53 2020
# Host firewall, IPv4 filter table only. iptables does not touch IPv6; an
# IPv6-enabled host would need a matching ip6tables ruleset, none is shown here.
# iptables-restore ignores '#' lines; the page warns that blank lines must be
# removed from this file before it is restored.
*filter
# INPUT defaults to DROP: with the chain flushed, nothing inbound is accepted.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for connections this host already has.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Every ICMP type, from any source.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# New TCP/UDP connections are accepted only from {{ ip }}. That token is a
# template placeholder and must be rendered to a real address or CIDR before
# iptables-restore runs; the literal (with its spaces) is not a usable -s value.
# NOTE(review): 22:65535 admits every port from ssh upward for that source;
# listing the services actually needed would be tighter.
-A INPUT -p tcp -m state --state NEW -m tcp -s {{ ip }} --dport 22:65535 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -s {{ ip }} --dport 22:65535 -j ACCEPT
# Catch-all: answer with icmp-host-prohibited instead of silently dropping.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# No forwarding at all, despite the ACCEPT policy on FORWARD.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Oct 11 16:00:53 2020
###############################################################
![](https://img.haomeiwen.com/i12979420/4c13a8f88001b8f5.png)
注意: /etc/iptables.rules文件中不能有空行
# sed -i '/^\s*$/d' /etc/iptables.rules
# cat /etc/systemd/system/iptables.service
################################################################
[Unit]
Description=iptables rules service
# Rules are loaded after the network is up, so there is a short window in which
# interfaces are configured but unfiltered. systemd provides network-pre.target
# (Before=network-pre.target plus Wants=network-pre.target) for firewall units
# that should be in place before networking starts; consider using it.
After=network.target
[Service]
# oneshot with RemainAfterExit=yes: the unit stays "active" after
# iptables-restore returns, so `systemctl stop` runs the ExecStop lines below.
Type=oneshot
# If the restore fails (an unrendered placeholder, a blank line), no rules from
# this file are applied and whatever was loaded before remains in effect; check
# `systemctl status iptables.service` after editing the rules file.
ExecStart=/usr/sbin/iptables-restore /etc/iptables.rules
# Stop order matters: the INPUT policy is switched to ACCEPT *before* the flush.
# Flushing first would leave the DROP policy with no ACCEPT rules and cut off
# remote access. The result is an unfiltered host while the unit is stopped.
ExecStop=/usr/sbin/iptables -P INPUT ACCEPT
ExecStop=/usr/sbin/iptables -F
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
################################################################
# systemctl daemon-reload
# systemctl start iptables.service
# systemctl enable iptables.service
# systemctl status iptables.service
![](https://img.haomeiwen.com/i12979420/df8656de3b363348.png)
# iptables -nvL --line
![](https://img.haomeiwen.com/i12979420/16ceb4594d349a87.png)