查看正常服务的对外端口

netstat -tlpn
iptables -V
iptables -h

#生成测试规则
cat <<EOF >/etc/iptables.test.rules
...
EOF

激活
iptables-restore < /etc/iptables.test.rules
查看
iptables -L
保存规则
iptables-save > /etc/iptables.up.rules
添加开机加载
cat <<EOF >/etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
EOF
cat /etc/network/if-pre-up.d/iptables
设置权限 
chmod +x /etc/network/if-pre-up.d/iptables


iptables -I INPUT -p tcp --dport 795 -j ACCEPT
iptables -I INPUT -p tcp --dport 8000:9999 -j ACCEPT

#查看全部规则
iptables -L
iptables -L --line-numbers
#查看ufw-user-input 规则
iptables -L ufw-user-input --line-numbers
  • vi /etc/iptables.test.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
  • firewalld
sudo apt update && sudo apt upgrade -y
sudo apt -y install firewalld
firewall-cmd --state
firewall-cmd --list-all
firewall-cmd --get-services
sudo systemctl start firewalld
sudo systemctl enable firewalld
#sudo systemctl status firewalld
#firewall
firewall-cmd --zone=public --permanent --add-port=22/tcp 
firewall-cmd --permanent --add-port=22/tcp 
firewall-cmd --permanent --add-port=80/tcp 
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=8000-10000/tcp 

firewall-cmd --permanent --remove-port=80/tcp 
firewall-cmd --reload
sudo systemctl restart firewalld
firewall-cmd --list-all