OpenVZ 运用iptables防火墙支持 |
| 发表者:分类:云计算容器2013-12-21 05:31:19 阅读[2276] |
OpenVZ 更加好支持iptables
在硬件节点内修改iptables挂载模组
vim /etc/sysconfig/iptables-config
vim /etc/sysconfig/vz
vzctl enter $CTID
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT -j ACCEPT -i lo
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -p tcp --dport 110 -j ACCEPT
iptables -I INPUT -p tcp --dport 995 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCRPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
service iptables save
service iptables restart
vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"vim /etc/sysconfig/vz
IPTABLES="ipt_REJECT
ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
重新启动VZ服务
service vz restart
放行更加多的iptables 条目
# vzctl set $CTID --numiptent 400 --savevzctl enter $CTID
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT -j ACCEPT -i lo
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -p tcp --dport 110 -j ACCEPT
iptables -I INPUT -p tcp --dport 995 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCRPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
service iptables save
service iptables restart
转载请标明出处【OpenVZ 运用iptables防火墙支持】。
《www.micoder.cc》
虚拟化云计算,系统运维,安全技术服务.
| Tags: | [阅读全文...] |
最新评论