求iptables防火墙的屏蔽规则

光开80端口不够的，至少还要开一个22端口方便SSH远程登录操作。

具体如下：

1. 用root登录
2. 创建个firewall.sh的脚本
3. 执行

   sh setup.sh 

4. 保存配置

   service iptables save

5. 重启

   iptables service iptables restart 

6. 检查

   service iptables status

附firewall.sh脚本如下：

#!/bin/sh

########## REFLASH ###################
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t nat -Z

########## DEFAULT POLICY ###########
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

##################### localhost Policy ########################
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

########## INPUT CHAIN ##############
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

########## FORWARD CHAIN ###########
/sbin/iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

附检查结果参考。

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 10 
   64  3912 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
    1    78 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 93 packets, 13628 bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0