安装软件
安装方法 yum install iptables-services
启动服务 systemctl restart iptables.service
或service iptables restart
停止服务 systemctl stop iptables.service
或service iptables stop
开机自动启动 systemctl enable iptables.service
控制配置
开放端口（以下规则对任意来源 0.0.0.0/0 开放端口；3306 这类数据库端口建议用 -s 限定来源地址）
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
限制每秒新建 TCP 连接（SYN 包）的速率，50 可以调成需要控制的值；注意该规则加在 FORWARD 链，只影响转发流量，不影响本机 INPUT，且从下方 iptables -L 输出看它排在 REJECT 规则之后，实际不会被命中
iptables -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 50/sec -j ACCEPT
查看配置
[root@VM_18_213_centos ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 50/sec burst 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
保存配置
[root@VM_18_213_centos ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
按状态统计所有 TCP 连接数
[root@VM_18_213_centos ~]# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
LAST_ACK 3
CLOSE_WAIT 3
ESTABLISHED 87
FIN_WAIT1 3
FIN_WAIT2 22
TIME_WAIT 15
参考