防火墙简单设置

iptables -A INPUT -d 192.168.1.129 -p icmp -j REJECT  #因为ping走的是icmp协议，并且ping没有固定端口，因此只能禁止icmp协议才能达到禁ping

[root@B8 ~]# ping -c 3 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
From 10.0.0.8 icmp_seq=1 Destination Port Unreachable
From 10.0.0.8 icmp_seq=2 Destination Port Unreachable
From 10.0.0.8 icmp_seq=3 Destination Port Unreachable

--- 10.0.0.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 39ms

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT       #在filter中设置，默认为filter表，仅同意内网内的主机主机访问外网
iptables -A INPUT -d 10.0.0.8 -p tcp --dport 80 -j REJECT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

[ root@B8 ~]# curl 10.0.0.18
B8

[ root@A7 ~]# curl 10.0.0.8
curl: (7) Failed to connect to 10.0.0.8 port 80: Connection refused

iptables -A INPUT -m connlimit --connlimit-above 10 -j REJECT

[ root@A7 ~]# ping -c 1 10.0.0.8   #当A7第11次pingA8的时候就无法访问了，只能等一会再去访问就好了
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
From 10.0.0.8 icmp_seq=1 Destination Port Unreachable

--- 10.0.0.8 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

iptables -A INPUT -s 10.0.0.1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 192.168.1.128 -j ACCEPT
iptables -A INPUT -d 10.0.0.8 -j REJECT

[root@A7 ~]# ssh 10.0.0.8
The authenticity of host ‘10.0.0.8 (10.0.0.8)‘ can‘t be established.
ECDSA key fingerprint is SHA256:0/fO8ea0emb7MQyIR3OcKjWDDqO5m4oPNddMJeM/fTQ.
Are you sure you want to continue connecting (yes/no)?

[root@D1 ~]# ssh 10.0.0.8
ssh: connect to host 10.0.0.8 port 22: Connection refused