2: Deny ssh from the server to the client
[root@client ~]# iptables -L -n //View the client's default firewall policy; -n skips name resolution. The default system policy is quite strict: a custom chain RH-Firewall-1-INPUT is defined and then referenced from the INPUT chain, which executes relatively efficiently and is easier to maintain
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@client ~]# service iptables stop //Stop the firewall. This resets the rules of every chain in all tables and sets each chain's default policy to ACCEPT; iptables -F can also be used to clear the rules
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@client ~]# iptables -A INPUT -s 192.168.100.254 -p tcp --dport 22 -j REJECT //Deny ssh from the server to the client; -A appends the rule at the end of the chain
[root@client ~]# iptables -L -n INPUT //View the configured policy
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.100.254 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
[root@client ~]# service iptables save //Save the rules with the save command; the rule file is /etc/sysconfig/iptables
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@server ~]# ssh 192.168.100.20 //Test from the server side
ssh: connect to host 192.168.100.20 port 22: Connection refused
3: Allow the server to ssh to the client, but only if the server's IP and MAC address are both the expected ones
[root@client ~]# iptables -I INPUT -i eth0 -m mac --mac-source 00:0C:29:0C:7C:4E -s 192.168.100.254 -p tcp -m multiport --dports 22,21,20 -j ACCEPT //-I inserts the rule at the front of the chain. iptables matches from top to bottom and, as soon as a rule matches, decides the packet's fate according to that rule, so order matters
[root@client ~]# iptables -L -n //View the rules
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.100.254 0.0.0.0/0 MAC 00:0C:29:0C:7C:4E multiport dports 22,21,20
REJECT tcp -- 192.168.100.254 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
[root@server ~]# ssh 192.168.100.20 //Test from the server side
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
RSA key fingerprint is 3a:5d:33:3c:c5:04:8f:31:19:38:1b:9a:b4:75:4c:51.
Are you sure you want to continue connecting (yes/no)?
[root@server ~]# ftp 192.168.100.20
Connected to 192.168.100.20.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.100.20:root): ftp
331 Please specify the password.
Password:
230 Login successful.
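Added example, not part of the tutorial: a small POSIX shell script that reproduces sections 2 and 3 as a dry run. emit_rules prints the two iptables commands in the order the tutorial applies them, and check_order reads an `iptables -S INPUT` listing and confirms that the MAC-bound ACCEPT sits above the REJECT for port 22, which is the ordering the -I/-A point above depends on. The IP, MAC and interface are the tutorial's lab values; the two listings are constructed samples, and nothing here changes the live firewall.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Builds the two INPUT rules
# from sections 2 and 3 and checks their order in `iptables -S INPUT` output
# without touching the live firewall: the ACCEPT bound to the server's MAC
# must sit above the REJECT for port 22, or it is never reached.
# Assumed values: SERVER_IP, SERVER_MAC and IFACE are the tutorial's lab values.
SERVER_IP=192.168.100.254
SERVER_MAC=00:0C:29:0C:7C:4E
IFACE=eth0

# Print the rules in apply order; pipe the output to `sh` on the client to apply.
emit_rules() {
    # Append the deny first (section 2), then insert the MAC-checked allow above it (section 3).
    echo "iptables -A INPUT -s $SERVER_IP -p tcp --dport 22 -j REJECT"
    echo "iptables -I INPUT -i $IFACE -m mac --mac-source $SERVER_MAC -s $SERVER_IP -p tcp -m multiport --dports 22,21,20 -j ACCEPT"
}

# Return 0 if, in the given `iptables -S INPUT` listing, the first rule matching
# the server's MAC comes before the first REJECT on dport 22; 1 otherwise.
check_order() {
    listing="$1"
    accept_line=$(printf '%s\n' "$listing" | grep -n -- "--mac-source $SERVER_MAC" | head -n1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$listing" | grep -n -- "--dport 22 -j REJECT" | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# Constructed listing mirroring the tutorial's final state (ACCEPT above REJECT).
GOOD_LISTING='-P INPUT ACCEPT
-A INPUT -s 192.168.100.254/32 -i eth0 -p tcp -m mac --mac-source 00:0C:29:0C:7C:4E -m multiport --dports 22,21,20 -j ACCEPT
-A INPUT -s 192.168.100.254/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'

# Constructed listing of the common mistake: ACCEPT appended with -A, so the REJECT shadows it.
BAD_LISTING='-P INPUT ACCEPT
-A INPUT -s 192.168.100.254/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.100.254/32 -i eth0 -p tcp -m mac --mac-source 00:0C:29:0C:7C:4E -m multiport --dports 22,21,20 -j ACCEPT'

if [ "${1:-}" = "--demo" ]; then
    emit_rules
    check_order "$GOOD_LISTING" && echo "good listing: order ok"
    check_order "$BAD_LISTING" || echo "bad listing: ACCEPT shadowed by REJECT"
fi
```

Run with `sh script.sh --demo` to print the rules and both verdicts; on the client, `check_order "$(iptables -S INPUT)"` checks the real chain.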