荆轲刺秦王
Linux系统在当做网站服务器运行时,具有很高的效率和运行稳定性。windows系统下可以通过系统防火墙来限制外部计算机对服务器端口的访问,而Linux是通过iptables来允许或限制端口访问的。
一:命令:vi /etc/sysconfig/iptables
[root@admin ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT #(ssh端口)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT #(web端口)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT #(ftp端口)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:30000 -j ACCEPT #(ftp被动模式端口范围)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT #(mysql端口)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
"/etc/sysconfig/iptables" 23L, 1147C 23,1 All
二:修改完防火墙iptables后,需要重新启动:
/etc/init.d/iptables restart
或者:
service iptables restart
注意:iptables配置文件存放位置是:/etc/sysconfig/iptables
保存命令:service iptables save
使用命令:iptables -L -n 可以查看当前iptables的开放端口情况。
检查iptables服务:
[root@admin ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:on 4:off 5:off 6:off
iptables服务开机自动启动:
[root@admin ~]# chkconfig iptables on
上面开放的端口后面都有注明,有一个要注意的地方,就是FTP端口,FTP的默认端口21肯定要开放,但是一般的ftp
软件都是默认先尝试几次被动模式PASV连接,在PASV模式连接失败后,才会进行主动模式PORT连接。
如果我们仅仅开放21端口,这里就有问题了。FTP PASV模式下,还会随机使用一个空闲端口,这个端口范围在20000-30000之间。所以,我们需要把这个端口范围加入防火墙:
关于FTP的PASV被动模式和PORT主动模式的说明详情见:http://dutianzhao.iteye.com/blog/2154006
接下来就需要找到我们的:pure-ftpd.conf
[root@admin ~]# cd /usr/local
[root@admin local]# ls
bin imagemagick lib64 memcached openssl python share
etc include libexec mysql php redis src
games lib man nginx pureftpd sbin
[root@admin local]# cd pureftpd
[root@admin pureftpd]# ls
bin etc sbin share
[root@admin pureftpd]# cd etc
[root@admin etc]# ls
pure-ftpd.conf pureftpd.passwd pureftpd.pdb pureftpd_psss.tmp
[root@admin etc]# vim pure-ftpd.conf
然后就可以看到:
[root@admin etc]# vim pure-ftpd.conf
# AntiWarez yes
#
#
#
# # IP address/port to listen to (default=all IP and port 21).
#
Bind ,2121 (就是这里,注意把注释去掉!!!否则没有效果)
# (可以使用"/Bind"搜索)
#
#
# # Maximum bandwidth for anonymous users in KB/s
#
# # AnonymousBandwidth 8
#
#
#
# # Maximum bandwidth for *all* users (including anonymous) in KB/s
# # Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
#
# # UserBandwidth 8
# "pure-ftpd.conf" 444L, 10938C 216,0-1 48%
#
-- INSERT -- 242,3 49%
AntiWarez yes
# IP address/port to listen to (default=all IP and port 21).
Bind ,2121
# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8
# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8
"pure-ftpd.conf" 444L, 10938C 216,0-1 48%
最后重启Pure-Ftpd:
service pureftpd {start|stop|restart|status}
[root@admin oneinstack]# service pureftpd restart (注意是在oneinstack目录下)
Stopping pure-ftpd:
Starting pure-ftpd: