-
拒绝所有主机ping 当前的主机
[root@CentOS8-1 ~]#iptables -A INPUT -p icmp -j REJECT [root@CentOS8-1 ~]#iptables -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 测验: [root@CentOS8-2 ~]#ping 10.0.0.135 -c1 PING 10.0.0.135 (10.0.0.135) 56(84) bytes of data. From 10.0.0.135 icmp_seq=1 Destination Port Unreachable --- 10.0.0.135 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms [root@CentOS8-2 ~]# -
本机能够访问别的机器的HTTP服务,但是别的机器无法访问本机
[root@CentOS8-1 ~]#iptables -A INPUT -d 10.0.0.135 -p tcp --dport 80 -j REJECT [root@CentOS8-1 ~]#iptables -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 10.0.0.135 tcp dpt:80 reject-with icmp-port-unreachable [root@CentOS8-1 ~]#curl 10.0.0.136 today is sunday [root@CentOS8-2 ~]#curl 10.0.0.135 curl: (7) Failed to connect to 10.0.0.135 port 80: Connection refused -
当我们发现有IP恶意攻击我们的时候,我们可以通过防火墙设定规则来进行控制,所以我们可以添加connlimit模块来实现对最大并发得控制。
[root@CentOS8-1 ~]#iptables -A INPUT -d 10.0.0.135 -p tcp --dport 22 -m connlimit --connlimit-above 10 -j REJECT