1、首先关闭Centos7自带的firewalld
[root@node ~]# systemctl disable firewalld.service && systemctl stop firewalld.service
2、安装iptables服务
[root@node ~]# yum install iptables-services iptables-devel -y
[root@node ~]# systemctl enable iptables
3、添加防止nmap扫描规则
3.1通修改配置添加
[root@node ~]# vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Jul 9 21:09:09 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#开放端口
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jul 9 21:09:09 2019
[root@node ~]# systemctl start iptables
3.3 使用iptables服务防止nmap扫描
[root@node ~]# iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
[root@node ~]# iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[root@node ~]# iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
[root@node ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@node ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@node ~]# iptables -A INPUT -i lo -j ACCEPT
[root@node ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
[root@node ~]# iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@node ~]# service iptables save
注:DROP:丢弃返回超时连接,REJECT:明示拒绝,ACCEPT:接受
)
)
)
