- 論壇徽章:
- 0
|
rhce實(shí)驗(yàn)之使用iptables構(gòu)建一個(gè)防火墻
實(shí)驗(yàn)環(huán)境說明:
兩臺(tái)linux����,server4和server5,一臺(tái)windows xp。在server5上構(gòu)建防火墻策略�����,其他兩臺(tái)作為客戶端測(cè)試��。
server4:192.168.1.14
server5:192.168.1.15
windows:192.168.1.156
server5上的配置如下:
首先刪除已經(jīng)存在的chains����,重置所有chains上的默認(rèn)規(guī)則,刷新所有規(guī)則:
[root@server5 ~]# iptables -F;iptables -X
[root@server5 ~]# for chain in INPUT FORWARD OUTPUT;do iptables -P $chain ACCEPT;done;
[root@server5 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
1.阻止所有從鄰近的主機(jī)(server4)進(jìn)來的連接:
[root@server5 ~]# iptables -A INPUT -s 192.168.1.14 -m state --state NEW -j DROP
server4上做通過ssh做測(cè)試:
[root@server4 ~]# ssh server5
ssh: connect to host server5 port 22: Connection timed out
這樣���,server4上不能連接server5�����。
2.限制從鄰近的(server5)進(jìn)來的icmp echo-request(回應(yīng)請(qǐng)求)包:
[root@server5 ~]# iptables -A INPUT -s 192.168.1.156 -p icmp --icmp-type echo-request -m limit --limit 6/minute --limit-burst 3 -j ACCEPT
[root@server5 ~]# iptables -A INPUT -s 192.168.1.156 -p icmp --icmp-type echo-request -j DROP
windows上做ping測(cè)試:
C:\Documents and Settings\jacky.lee>ping server5
Pinging server5.rhel5.com [192.168.1.15] with 32 bytes of data:
Reply from 192.168.1.15: bytes=32 time
Ping statistics for 192.168.1.15:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
看�����,ping了三次��,到第四次就丟包了吧��。
server5上做測(cè)試:
[root@server5 ~]# ping xzxj
PING xzxj (192.168.1.156) 56(84) bytes of data.
.........
一直就這樣��,從server5上ping不通windows主機(jī)����!
紅色部分要是看不明白,請(qǐng)參考我的另一篇關(guān)于iptables的文檔:
http://blog.chinaunix.net/u1/36549/showart_373517.html
本文來自ChinaUnix博客��,如果查看原文請(qǐng)點(diǎn):http://blog.chinaunix.net/u1/36549/showart_1869022.html |
|
免費(fèi)注冊(cè)
發(fā)表于 2009-03-19 19:55