写在前面,总感觉会影响一些服务的运行,所以这个iptables也不是我想象中的那么好用,也或许是我没琢磨透,以下是我的使用经历
yum install iptables-services iptables-devel -y
systemctl enable iptables
vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Jul 9 21:09:09 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0.0]
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
//删去上面整行后,22端口虽然扫描不出来,但是ssh也无法进行连接,建议保留并做一个fail2ban策略,文末有相应链接
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
//这样就只会扫描到22,80,443端口,
实测是躲过了nmap的扫描。fail2ban策略