Iptables firewall experiment
2022-07-21 05:27:00 【51CTO】
First, the environment. There are four hosts: the CentOS machine in the middle acts as the firewall, the WinXP host in the top right corner and the RHEL7 host in the lower right corner act as servers, and the Win7 host on the far left acts as the client. The network cards of all four hosts are already configured, and IP forwarding has already been enabled on the CentOS 6.5 firewall by one of the following methods:
- echo 1 > /proc/sys/net/ipv4/ip_forward
- sysctl -w net.ipv4.ip_forward=1
- edit /etc/sysctl.conf with vim, change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1, then run sysctl -p /etc/sysctl.conf (unlike the first two methods, this one survives a reboot)
With IP forwarding enabled on the firewall, all rules in iptables are flushed so that everything is allowed through, and the firewalls on Win7, WinXP and RHEL7 are turned off. The four hosts can then communicate with each other.
Configure the firewall to prohibit access to the FTP service
The FTP service is started on WinXP, and both Win7 and RHEL7 can reach WinXP by FTP.
Now the firewall is configured so that FTP traffic is not allowed through. When Win7 accesses WinXP by FTP, the traffic first reaches the firewall and is then forwarded by it, so the rule is placed on the FORWARD chain of the filter table to reject FTP traffic passing through.
As shown, a rule rejecting TCP port 21 has been added to the FORWARD chain of the filter table. Trying to FTP from Win7 to WinXP again now fails.
Configure the firewall so that only a specified network segment can access the FTP service
The firewall is configured so that RHEL7 can access the FTP service while Win7 cannot.
As shown, the FORWARD chain of the filter table now rejects all traffic by default and only accepts FTP traffic from the source addresses 10.0.0.0/24 and 20.0.0.0/24.
Prohibit PING
Configure the firewall to discard ICMP echo-request packets, that is, packets with icmp-type 8.
As shown, ping no longer works: Windows reports that the request timed out, and Linux shows that the packets cannot be sent.
When the firewall is instead configured to reject the ICMP packets rather than drop them, both Windows and Linux report that the destination port is unreachable.
Prohibit PING by network segment
Configure the firewall to discard ICMP request packets from the 192.168.1.0/24 segment and to allow ICMP request packets from the 10.0.0.0/24 segment.
As shown, Win7 can no longer ping, while RHEL7 still can.
Prohibit the Telnet service
Everything else is the same as above; only the port in the filter rule changes.
Prohibit the Telnet service by network segment
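The FORWARD-chain rules that the experiments above apply, as an added example that is not the post's own code: a POSIX shell script that prints (and, with APPLY=1 as root on the CentOS 6.5 firewall, executes) the iptables commands for the FTP, segment-restricted FTP, ping and ping-by-segment cases, using the post's segments. The ESTABLISHED,RELATED rule at the top of each variant is an addition beyond what the post shows; it keeps the reply half of an allowed session from being caught by a later reject.

```shell
# Added example (not code from the original post). Builds the FORWARD-chain
# rules the experiments above describe, parameterised by port and segment.
# Segments and ports are the post's; APPLY=1 (as root on the CentOS 6.5
# firewall) executes each command, otherwise they are only printed.

rule() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; fi
}

# Flush FORWARD and accept replies of already accepted sessions, so that a
# later reject cannot cut off the return half of an allowed connection.
reset_forward() {
    rule -F FORWARD
    rule -P FORWARD ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# "Prohibit FTP" / "prohibit Telnet": reject a forwarded TCP service for all.
deny_tcp_port() {
    reset_forward
    rule -A FORWARD -p tcp --dport "$1" -j REJECT
}

# "Only the specified segments may access": accept the service from each
# listed source segment, then reject everything else, as the post does.
allow_tcp_port_from() {
    port=$1; shift
    reset_forward
    for net in "$@"; do
        rule -A FORWARD -s "$net" -p tcp --dport "$port" -j ACCEPT
    done
    rule -A FORWARD -j REJECT
}

# "Prohibit PING": DROP gives the Windows "request timed out"; REJECT answers
# with icmp-port-unreachable, the "port unreachable" the post observes.
block_echo_request() {
    reset_forward
    rule -A FORWARD -p icmp --icmp-type 8 -j "$1"
}

# "Prohibit PING by segment": drop echo-requests from one segment, accept them
# from another (the ACCEPT rule is explicit, matching the post's setup).
block_echo_request_from() {
    reset_forward
    rule -A FORWARD -s "$1" -p icmp --icmp-type 8 -j DROP
    rule -A FORWARD -s "$2" -p icmp --icmp-type 8 -j ACCEPT
}
```

For example, allow_tcp_port_from 21 10.0.0.0/24 20.0.0.0/24 reproduces the segment-restricted FTP experiment, and deny_tcp_port 23 reproduces the Telnet variant (Telnet uses TCP port 23).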