iptables

View the current firewall rules: iptables -L -n

Set the default policies: drop everything on INPUT and FORWARD, allow all OUTPUT (a chain policy is set with the uppercase -P; lowercase -p is the protocol match)

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Let replies to existing connections through. Many connections are initiated by this host itself (DNS lookups, for example); without this rule their replies hit the DROP policy and name resolution and similar tasks fail.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Open ports:

#ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

#dns
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

#loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

Save and restart

service iptables save
service iptables restart
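The commands above apply rules one at a time, so between `iptables -P INPUT DROP` and the conntrack rule an SSH session that is running the script gets cut off. The script below is an added example, not part of the original note: it writes the same ruleset in the iptables-restore(8) format that `service iptables save` stores in /etc/sysconfig/iptables, so the whole table can be checked with `iptables-restore --test` and then loaded atomically. It assumes SSH on tcp/22 and DNS on udp/53 as in the note, drops the OUTPUT --sport rules because the OUTPUT policy is already ACCEPT, and adds an INVALID-state drop that the note does not have.

```shell
#!/bin/sh
# Added example: emit the note's ruleset in iptables-restore format and load it
# atomically, instead of one iptables(8) call per rule.
# Assumptions (not from the original note): SSH listens on tcp/22 and a DNS
# server on udp/53; the OUTPUT policy is ACCEPT, so no OUTPUT --sport rules.

build_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to themselves constantly
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host initiated (DNS, updates, ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify are dropped before any port is opened
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services this host exposes; only new connections need to be matched here
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset without committing it, so a syntax error (such as the
# -p/-P mix-up) is caught before anything changes on the live firewall.
check_ruleset() {
  build_ruleset | iptables-restore --test
}

# Replace the filter table in one transaction; requires root.
apply_ruleset() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_ruleset: must run as root" >&2
    return 1
  fi
  check_ruleset && build_ruleset | iptables-restore
}

case "${1:-print}" in
  print) build_ruleset ;;
  check) check_ruleset ;;
  apply) apply_ruleset ;;
  *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh firewall.sh print > /etc/sysconfig/iptables` to produce the file that `service iptables restart` reloads, or `sh firewall.sh apply` to load it directly; in both cases the policies and the conntrack rule take effect in the same commit, so the session applying them is never locked out.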

Meaning of the options:

-A: (Append), appends a rule to the end of a chain
-L: (List), shows the current rules
-m conntrack: lets a rule match on the connection-tracking state of a packet; the state is chosen with the --ctstate option described next.
--ctstate: the connection states a packet can be in; there are four: NEW, RELATED, ESTABLISHED and INVALID
-p: (protocol), the protocol of the rule, i.e. of the packets it should match. The specified protocol can
    be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all". Not to be confused with
    the uppercase -P, which sets a chain's default policy, as in the commands above.
--dport: (destination port), the port the packet is addressed to on this machine (--sport matches the source port)
-j: (jump), the action to take when a packet matches all of the rule's conditions.
    The most common targets are:
    -ACCEPT: the packet is accepted, and no further rules are processed
    -REJECT: the packet is rejected and the sender is notified with an error reply, and no further rules are processed
    -DROP: the packet is silently discarded, the sender is not notified, and no further rules are processed
    -LOG: the packet is logged and processing continues with the following rules (LOG is a non-terminating target)