iptables, are all ports open? How do I delete a line?

It has been a long time since I configured my firewall, and now I see there may be an error. Here is the INPUT section of iptables -L:

Chain INPUT (policy DROP)
target        prot opt source      destination
ACCEPT        all  --  anywhere    anywhere    state RELATED,ESTABLISHED
fail2ban-SSH  tcp  --  anywhere    anywhere    tcp dpt:ssh
ACCEPT        all  --  anywhere    anywhere    state RELATED,ESTABLISHED
DROP          tcp  --  anywhere    anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP          tcp  --  anywhere    anywhere    tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP          tcp  --  anywhere    anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT        all  --  anywhere    anywhere
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:http
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:https
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:smtp
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:urd
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:pop3
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:pop3s
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:imap
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:imaps
ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:ssh

Do you see this line,

ACCEPT        all  --  anywhere    anywhere

without any parameters? Does this mean all ports are open? How do I change this line?

If you manage iptables manually, you need to write the rules to a file with iptables-save(8):

 # iptables-save > /tmp/iptables.txt

Edit the rules as you require, then restore the setup with iptables-restore(8):

 # iptables-restore /tmp/iptables.txt

See the iptables documentation (apropos iptables) and online blog posts on how to configure a stateful firewall with iptables. For example Jan Engelhardt's "Towards the perfect ruleset".

If you run:

 iptables -L --line-numbers

you will have a line number reference:

Chain INPUT (policy DROP)
num  target        prot opt source      destination
1    ACCEPT        all  --  anywhere    anywhere    state RELATED,ESTABLISHED
2    fail2ban-SSH  tcp  --  anywhere    anywhere    tcp dpt:ssh
3    ACCEPT        all  --  anywhere    anywhere    state RELATED,ESTABLISHED
4    DROP          tcp  --  anywhere    anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
5    DROP          tcp  --  anywhere    anywhere    tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
6    DROP          tcp  --  anywhere    anywhere    tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
7    ACCEPT        all  --  anywhere    anywhere
8    ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:http
9    ACCEPT        tcp  --  anywhere    anywhere    tcp dpt:https
[...]

Then you can run

 iptables -D INPUT 7
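Both answers above describe the same procedure (dump the rules, find the unconditional ACCEPT, remove it by position, restore). The script below, an added example that is not part of either answer, walks that procedure against a constructed iptables-save dump modeled on the chain in the question, so it runs without root and without touching a live firewall. The function names find_unconditional_accepts and drop_rule, and the sample dump in SAMPLE_RULES, are assumptions of this example; on a real host you would replace SAMPLE_RULES with the output of iptables-save.

```shell
#!/bin/sh
# Constructed sample of iptables-save output, modeled on the INPUT chain
# shown in the question (ports trimmed). Not a dump from any real machine.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT'

# Print the 1-based position (the "num" column of iptables -L --line-numbers)
# of every rule in CHAIN that jumps to ACCEPT with no match criteria at all,
# i.e. a line that is exactly "-A CHAIN -j ACCEPT". Such a rule accepts
# every packet that reaches it, so every rule after it is dead and the
# DROP policy never applies.
find_unconditional_accepts() {
    chain="$1"
    printf '%s\n' "$SAMPLE_RULES" | awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            n++
            if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") print n
        }'
}

# Emit the dump with the rule at position POS of CHAIN removed. This is the
# edit you would make to /tmp/iptables.txt before iptables-restore, and it
# mirrors what "iptables -D CHAIN POS" does on the live ruleset.
drop_rule() {
    chain="$1"; pos="$2"
    printf '%s\n' "$SAMPLE_RULES" | awk -v chain="$chain" -v pos="$pos" '
        $1 == "-A" && $2 == chain { n++; if (n == pos) next }
        { print }'
}

# Worked run against the constructed sample: report each offending rule
# together with the live-deletion command from the second answer.
for n in $(find_unconditional_accepts INPUT); do
    echo "INPUT rule $n accepts everything; remove it with: iptables -D INPUT $n"
done
```

If a chain contains more than one such rule, delete from the highest position downward: removing rule 7 renumbers everything after it, so a list of positions collected before the first deletion is only valid for positions below it. After restoring, re-run iptables -L --line-numbers and confirm the unconditional ACCEPT is gone and the port-specific ACCEPT lines now sit directly after the flag-check DROPs.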