iptables

To perform the same action in iptables, we must first ensure that firewalld doesn't interfere.

Start by disabling and stopping firewalld:

$ sudo systemctl disable --now firewalld

You should now have an empty iptables configuration, as can be seen with iptables -S:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Because we've got an empty rule list, we're going to start by adding some basic rules.

First, we're going to block centos2, and anything else on our eth1 network, from SSHing to centos1 (note that if your own session came in over eth1, this rule drops it too, so run these steps from the console or from the 10.0.2.0/24 side):

$ sudo iptables -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP

Next, we're going to allow only incoming SSH connections from 10.0.2.0/24 sources:

$ sudo iptables -A INPUT -s 10.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

Finally, we're going to change the default incoming policy from ACCEPT to DROP. The order matters: because the ACCEPT rule for SSH from 10.0.2.0/24 is already in place, an administrator connected from that network keeps their session. Flipping the policy before adding the ACCEPT rule would have cut that session off:

$ sudo iptables -P INPUT DROP

Because we've changed the default policy, we also need to ensure that RELATED and ESTABLISHED packets are permitted. ESTABLISHED matches packets that belong to a connection the kernel's connection tracker has already seen traffic for in both directions, which covers replies to connections we've initiated from our box as well as the ongoing packets of inbound connections we've already accepted; RELATED matches new connections tied to an existing one, such as ICMP errors or FTP data channels. Without this rule, reply traffic to our own outbound connections would hit the DROP policy. This makes our firewall "stateful", or aware of the state of connections:

$ sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Running iptables -S will display your rules:

$ sudo iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 10.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Our configuration here is somewhat redundant. While it serves to show the flexibility of iptables rules, the default traffic rule is -P INPUT DROP, meaning that if traffic isn't accepted by one of our other rules, it won't be let in; SSH arriving on eth1 from an eth1-network address would fall through to the policy and be dropped without the explicit eth1 DROP line. The one case where that line still does work is a packet that arrives on eth1 carrying a 10.0.2.0/24 source address (spoofed or misrouted): iptables evaluates rules in order and stops at the first match, so the interface-based DROP catches it before the source-based ACCEPT can let it in. Note also that rules added with iptables live only in the running kernel; they are gone after a reboot unless saved (for example with iptables-save) and restored at boot.
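To make the first-match reasoning above concrete, here is an added example (not part of the original text, and not an iptables tool) that models how the kernel walks the INPUT chain we just built: rules are tried in order, the first match decides, and the chain policy applies only when nothing matched. The chain is copied from the iptables -S output above; the packets, the eth1 addresses (assumed to be 192.168.1.0/24) and the remote address in the reply packet are constructed for illustration. Running it shows which rule actually decides each packet, and that dropping the eth1 rule only changes the verdict for the spoofed case.

```python
"""Minimal first-match simulator for the INPUT chain built in this section.

Added example, not from the original text and not real iptables code: it
models iptables' evaluation order (first matching rule wins, otherwise the
chain policy applies). Interfaces and 10.0.2.0/24 come from the text; the
packets and the 192.168.1.0/24 addressing for eth1 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                           # -j ACCEPT / -j DROP
    in_iface: Optional[str] = None        # -i
    src: Optional[str] = None             # -s CIDR
    proto: Optional[str] = None           # -p
    dport: Optional[int] = None           # --dport
    ctstates: Optional[frozenset] = None  # -m conntrack --ctstate

    def matches(self, pkt: dict) -> bool:
        """Every specified match criterion must hold; unspecified ones are wildcards."""
        if self.in_iface is not None and pkt["iface"] != self.in_iface:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.ctstates is not None and pkt["ctstate"] not in self.ctstates:
            return False
        return True


def evaluate(chain, policy, pkt):
    """Return (verdict, index of the deciding rule, or None when the policy decided)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, i
    return policy, None


# The INPUT chain exactly as `iptables -S` lists it, in order.
INPUT_CHAIN = [
    Rule("DROP", in_iface="eth1", proto="tcp", dport=22),
    Rule("ACCEPT", src="10.0.2.0/24", proto="tcp", dport=22),
    Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
]
INPUT_POLICY = "DROP"


def packet(iface, src, proto="tcp", dport=None, ctstate="NEW"):
    return {"iface": iface, "src": src, "proto": proto, "dport": dport, "ctstate": ctstate}


# Constructed packets. eth1 is assumed to carry 192.168.1.0/24; eth0 the 10.0.2.0/24 side.
SSH_FROM_CENTOS2 = packet("eth1", "192.168.1.2", dport=22)
SSH_FROM_NAT_NET = packet("eth0", "10.0.2.2", dport=22)
SSH_SPOOFED_ON_ETH1 = packet("eth1", "10.0.2.2", dport=22)  # 10.0.2.x source on the wrong interface
REPLY_TO_OUR_CONN = packet("eth0", "93.184.216.34", dport=44321, ctstate="ESTABLISHED")
HTTP_FROM_NAT_NET = packet("eth0", "10.0.2.2", dport=80)


def decide_all(chain=INPUT_CHAIN, policy=INPUT_POLICY):
    """Run every constructed packet through the chain and report (verdict, deciding rule)."""
    return {
        "centos2_ssh": evaluate(chain, policy, SSH_FROM_CENTOS2),
        "nat_ssh": evaluate(chain, policy, SSH_FROM_NAT_NET),
        "spoofed_ssh": evaluate(chain, policy, SSH_SPOOFED_ON_ETH1),
        "reply": evaluate(chain, policy, REPLY_TO_OUR_CONN),
        "http": evaluate(chain, policy, HTTP_FROM_NAT_NET),
    }


if __name__ == "__main__":
    for name, (verdict, idx) in decide_all().items():
        where = "policy" if idx is None else f"rule {idx + 1}"
        print(f"{name:12s} -> {verdict} (decided by {where})")
    # The same chain without the eth1 DROP rule: only the spoofed packet changes verdict.
    without = decide_all(INPUT_CHAIN[1:])
    print("spoofed SSH on eth1 without the eth1 DROP rule:", without["spoofed_ssh"])
```

Legitimate SSH from centos2 is dropped by rule 1 with the eth1 line present and by the policy without it, so the outcome is the same either way; the spoofed 10.0.2.2 packet on eth1 is the only one whose verdict flips from DROP to ACCEPT when the eth1 rule is removed, which is the one job that rule still does.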