1、首先關閉Centos7自帶的firewalld
[root@node ~]# systemctl disable firewalld.service &&?systemctl stop firewalld.service
2、安裝iptables服務
[root@node ~]# yum install iptables-services iptables-devel? -y
[root@node ~]# systemctl enable iptables?
3、添加防止nmap掃描規則
3.1通修改配置添加
[root@node ~]# vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Jul? 9 21:09:09 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]?
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#開放端口
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
?COMMIT
# Completed on Tue Jul? 9 21:09:09 2019
?[root@node ~]#?systemctl start iptables
3.3 使用iptables服務防止nmap掃描
[root@node ~]#?iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
[root@node ~]#?iptables?-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
[root@node ~]#?iptables?-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
[root@node ~]#?iptables?-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@node ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@node ~]# iptables -A INPUT -i lo -j ACCEPT
[root@node ~]# iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
[root@node ~]# iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@node ~]# service iptables save
注:DROP:丟棄返回超時連接,REJECT:明示拒絕,ACCEPT:接受
)
)
)
