http://jackxiang.com/index.php zh-cn http://jackxiang.com/post// jack <xdy108@126.com> Sun, 07 Dec 2014 02:37:11 +0000 http://jackxiang.com/post//

用IPTABLES封锁某IP的简单用法
基本语法:
---------------------------------------------------------------
(1)插进(INSERT)到开头(先生效):
iptables -I INPUT -s [来源IP] -j DROP; #封锁来源IP对本机的来访
iptables -D INPUT -s [来源IP] -j DROP; #对应的取消此IP封锁命令
iptables -I OUTPUT -d [目标IP] -j DROP; #封锁目标IP对外机的出访
iptables -D OUTPUT -d [目标IP] -j DROP; #对应的取消此IP封锁命令

(2)附加(APPEND)到后面(后生效):
iptables -A INPUT -s [来源IP] -j DROP; #封锁来源IP对本机的来访
iptables -D INPUT -s [来源IP] -j DROP; #对应的取消此IP封锁命令
iptables -A OUTPUT -d [目标IP] -j DROP; #封锁目标IP对外机的出访
iptables -D OUTPUT -d [目标IP] -j DROP; #对应的取消此IP封锁命令
===============================================================

参照例子:

===============================================================
1)针对所有端口的完全封锁;
---------------------------------------------------------------
iptables -I INPUT -s 65.55.44.100 -j DROP; (封锁65.55.44.100对本机所有端口的访问)
iptables -I OUTPUT -d 65.55.44.100 -j DROP; (封锁本机对65.55.44.100所有端口的访问)
===============================================================

===============================================================
2)针对特定协议及端口的完全封锁;
---------------------------------------------------------------
iptables -I INPUT -p TCP --dport 25 -j DROP; (封锁25端口的INPUT,本机将不能接收邮件)
iptables -I OUTPUT -p TCP --dport 25 -j DROP; (封锁25端口的OUTPUT,本机将不能发送邮件)
iptables -I INPUT -s 65.55.44.100 -p TCP --dport 25 -j DROP; (封锁65.55.44.100对本机25端口的访问)
===============================================================

===============================================================
3)针对特定协议的部分封锁;
---------------------------------------------------------------
#禁止所有TCP连接,只允许某些IP可以通过TCP访问本机:
iptables -I INPUT -p TCP -j DROP; (禁止所有通过TCP协议进入本机的连线)
iptables -I INPUT -s 137.189.3.8 -p TCP -j ACCEPT; (允许137.189.3.8通过TCP协议进入本机)
iptables -I INPUT -s ! 137.189.3.8 -p TCP -j DROP; (只允许137.189.3.8进入,等效于上两句,但只能开放一个IP)

#开放所有TCP连接,但禁止某 些IP可以通过TCP访问本机:
iptables -I INPUT -p TCP -j ACCEPT; (允许所有通过TCP协议进入本机的连线)
iptables -I INPUT -s 137.189.3.8 -p TCP -j DROP; (禁止137.189.3.8通过TCP协议进入本机)
iptables -I INPUT -s ! 137.189.3.8 -p TCP -j ACCEPT; (等效于前两句,但只能禁止一个IP)
===============================================================

===============================================================
4)针对特定协议及端口的部分封锁;
---------------------------------------------------------------
#开放TCP连接80端口,但禁止某些IP通过TCP访问80端口:
iptables -I INPUT -p TCP --dport 80 -j ACCEPT; (允许所有IP对本机80端口的访问)
iptables -I INPUT -s 210.245.191.162 -p TCP --dport 80 -j DROP; (禁止210.245.191.162对80端口的访问)
iptables -I INPUT -s ! 210.245.191.162 -p TCP --dport 80 -j ACCEPT; (等效于前两句,但只能禁止一个IP)

#禁止TCP连接80端口,只开放某些IP通过TCP访问80端口:
iptables -I INPUT -p TCP --dport 80 -j DROP; (禁止所有IP对本机80端口的访问)
iptables -I INPUT -s 210.245.191.162 -p TCP --dport 80 -j ACCEPT; (允许210.245.191.162对80端口的访问)
iptables -I INPUT -s ! 210.245.191.162 -p TCP --dport 80 -j DROP; (等效于前两句,但只能开放一个IP进入)

#禁止本机通过TCP的80端口浏览外部网站,只允许访问203.194.162.10网站:
iptables -I OUTPUT -p tcp --dport 80 -j DROP; (封锁80端口的OUTPUT,本机将不能浏缆外部网站)
iptables -I OUTPUT -p tcp -d 203.194.162.10 --dport 80 -j ACCEPT; (允许本机访问203.194.162.10的80端口)
iptables -I OUTPUT -p tcp -d ! 203.194.162.10 --dport 80 -j DROP; (等效于前两句,但只能允许访问一个IP)
===============================================================

请注意: 在逻辑上,用!来排除目标,只适用于针对单个目标IP,要针对两个以上IP,必须用两句命令结合的方法.


===============================================================
编辑修改IPTABLES组态档(适用于RedHat家族系统):
===============================================================
vi /etc/sysconfig/iptables;
---------------------------------------------------------------
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1024:65534 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 215.235.191.122 --dport 10080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT ]]> http://jackxiang.com/post//#blogcomment <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://jackxiang.com/post//#blogcomment