{"id":79,"date":"2017-11-04T11:29:52","date_gmt":"2017-11-04T03:29:52","guid":{"rendered":"http:\/\/kkong.net\/?p=79"},"modified":"2017-11-04T15:37:50","modified_gmt":"2017-11-04T07:37:50","slug":"debian-7-iptables-%e8%a7%84%e5%88%99%e7%9a%84%e7%bc%96%e5%86%99%e4%bf%9d%e5%ad%98%e4%bf%ae%e6%94%b9","status":"publish","type":"post","link":"https:\/\/kkong.net\/?p=79","title":{"rendered":"debian 7 iptables \u89c4\u5219\u7684\u7f16\u5199\u4fdd\u5b58\u4fee\u6539"},"content":{"rendered":"<div>\u5728\u7cfb\u7edf\u4e2d\uff0c\u5f80\u5f80\u9700\u8981\u8fdb\u884ciptables\u89c4\u5219\u7684\u7f16\u5199\uff0c\u4f46\u662f\u5f53\u7cfb\u7edf\u91cd\u65b0\u542f\u52a8\u540e\u8fd9\u4e9b\u89c4\u5219\u5219\u6ca1\u6709\u4e86\uff0c\u90a3\u4e48\u5982\u4f55\u89e3\u51b3\u8fd9\u6837\u7684\u95ee\u9898\u5462\uff1f<\/div>\n<div>\n<p>\u542f\u52a8iptables<\/p>\n<p>modprobe ip_tables<\/p>\n<p>\u5173\u95ediptables\uff08\u5173\u95ed\u547d\u4ee4\u8981\u6bd4\u542f\u52a8\u590d\u6742\uff09<\/p>\n<p>iptables -F<\/p>\n<p>iptables -X<\/p>\n<p>iptables -Z<\/p>\n<p>iptables -P INPUT ACCEPT<\/p>\n<p>iptables -P OUTPUT ACCEPT<\/p>\n<p>iptables -P FORWARD ACCEPT<\/p>\n<p>modprobe -r ip_tables<\/p>\n<p>\u4f9d\u6b21\u6267\u884c\u4ee5\u4e0a\u547d\u4ee4\u5373\u53ef\u5173\u95ediptables\uff0c\u5426\u5219\u5728\u6267\u884cmodprobe -r ip_tables\u65f6\u5c06\u4f1a\u63d0\u793a\u3000\u3000FATAL: Module ip_tables is in use.<\/p>\n<\/div>\n<div>\u89e3\u51b3\u8fd9\u6837\u7684\u95ee\u9898\u4e5f\u5373\u662f\u89e3\u51b3iptables\u89c4\u5219\u7684\u6301\u4e45\u5316\uff0c\u53ef\u80fd\u4f7f\u7528iptables-save\u4e0eiptables-restore\u4e24\u4e2a\u547d\u4ee4\u7684\u7ec4\u5408\u6765\u5b8c\u6210\uff0c\u89e3\u51b3\u65b9\u6cd5\u5982\u4e0b\uff1a<\/div>\n<div><\/div>\n<div>1\u3001\u5148\u5728\u7cfb\u7edf\u4e2d\u5c06\u9700\u8981\u4f7f\u7528\u7684iptables\u89c4\u5219\u8fdb\u884c\u914d\u7f6e\uff1b<\/div>\n<div>2\u3001\u4f7f\u7528iptables-save &gt; \/etc\/iptables.rules\uff1b<\/div>\n<div>3\u3001\u7f16\u8f91 \/etc\/network\/if-pre-up.d\/iptables 
\u6587\u4ef6\uff0c\u4f7f\u5176\u5728\u7f51\u5361\u8bbe\u5907\u51c6\u5907\u542f\u52a8\u7684\u9636\u6bb5\u6267\u884c\/etc\/network\/if-pre-up.d\/iptables\u4e2d\u7684\u547d\u4ee4\u8fdb\u884c\u89c4\u5219\u7684\u6062\u590d\uff0c\u7f16\u8f91\u5185\u5bb9\u5982\u4e0b\uff1a<br \/>\n#!\/bin\/bash<br \/>\niptables -F<br \/>\niptables-restore \/etc\/iptables.rules<\/div>\n<div>\n<p>#\u5f00\u653e22\u7aef\u53e3ssh<br \/>\niptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT<\/p>\n<p>#\u5f00\u653e80\u7aef\u53e3web<br \/>\niptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT<\/p>\n<p>#\u5f00\u653e21\u300120\u7aef\u53e3ftp<br \/>\niptables -A INPUT -p tcp --dport 20 -j ACCEPT<br \/>\niptables -A INPUT -p tcp --dport 21 -j ACCEPT<\/p>\n<p># \u5982\u4f7f\u7528vsftpd \u4f7f\u7528\u4e86pasv \u65b9\u5f0f\uff0c\u5982 pasv_min_port=6000 mx=7000 pasv_enable=YES\u4e4b\u7c7b<br \/>\niptables -A INPUT -p tcp --dport 6000:7000 -j ACCEPT<br \/>\niptables -A OUTPUT -p TCP --sport 6000:7000 -j ACCEPT<br \/>\n# 2\u4e2a\u90fd\u8981\u8bbe\uff0c\u53ea\u8bbe\u7b2c\u4e00\u4e2a\u4e0d\u80fd\u4e0b\u8f7d\uff0c\u53ea\u8bbe\u7b2c\u4e8c\u4e2a\u4e0d\u80fd\u4e0a\u4f20<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n<div>4\u3001\u91cd\u542f\u7cfb\u7edf\u5373\u53ef\u3002<\/div>\n<div><\/div>\n<div>\u4fdd\u5b58\u89c4\u5219<br \/>\n\u6267\u884c\u5b8c\u4e4b\u540e\u4fdd\u5b58\u89c4\u5219<br \/>\ncentos\u662fservice iptables save<br \/>\ndebian\/ubuntu\u662f<br \/>\niptables-save &gt; \/etc\/iptables-rules<br \/>\n\u7f16\u8f91\/etc\/network\/interfaces\uff0c\u8ffd\u52a0\u5982\u4e0b\u5185\u5bb9<br \/>\n<strong>pre-up iptables-restore &lt; \/etc\/iptables-rules<\/strong><\/div>\n<div>\n<p>\u4fee\u6539 \/etc\/network\/interfaces \u811a\u672c\u81ea\u52a8\u5e94\u7528\u8fd9\u4e9b\u89c4\u5219(\u672b\u884c\u662f\u6dfb\u52a0\u7684)<\/p>\n<p>auto eth0<br \/>\niface eth0 inet dhcp<br \/>\n<strong>pre-up iptables-restore &lt; \u00a0\/etc\/iptables.rules<\/strong><br \/>\n<strong>post-down iptables-save &gt;\/etc\/iptables.rules 
#\u5173\u673a\u65f6\uff0c\u628a\u5f53\u524diptables \u50a8\u5b58<\/strong><\/p>\n<\/div>\n<p><strong>#\u6e05\u7a7a\u914d\u7f6e(\u5982\u679c\u4e0d\u7528Iptables\u4e86)<\/strong><br \/>\niptables -F<br \/>\niptables -X<br \/>\niptables -Z<br \/>\niptables -P INPUT ACCEPT<br \/>\niptables -P OUTPUT ACCEPT<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5728\u7cfb\u7edf\u4e2d\uff0c\u5f80\u5f80\u9700\u8981\u8fdb\u884ciptables\u89c4\u5219\u7684\u7f16\u5199\uff0c\u4f46\u662f\u5f53\u7cfb\u7edf\u91cd\u65b0\u542f\u52a8\u540e\u8fd9\u4e9b\u89c4\u5219\u5219\u6ca1\u6709\u4e86\uff0c\u90a3\u4e48\u5982\u4f55\u89e3\u51b3\u8fd9\u6837\u7684\u95ee\u9898 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[10],"_links":{"self":[{"href":"https:\/\/kkong.net\/index.php?rest_route=\/wp\/v2\/posts\/79"}],"collection":[{"href":"https:\/\/kkong.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kkong.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kkong.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kkong.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=79"}],"version-history":[{"count":5,"href":"https:\/\/kkong.net\/index.php?rest_route=\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":84,"href":"https:\/\/kkong.net\/index.php?rest_route=\/wp\/v2\/posts\/79\/revisions\/84"}],"wp:attachment":[{"href":"https:\/\/kkong.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kkong.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kkong.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}