iptables安装优化

2 years ago · 1388c697e0
parent 2a97c0f8b3
commit 1388c697e0
2 changed files with 7 additions and 1 deletions
--- a/class/core/firewall_api.py
+++ b/class/core/firewall_api.py
@ -359,6 +359,8 @@ class firewall_api:
            _list = mw.M('firewall').field('id,port,ps,addtime').limit(
                '0,1000').order('id desc').select()

+            mw.execShell('iptables -P INPUT DROP')
+            mw.execShell('iptables -P OUTPUT ACCEPT')
            for x in _list:
                port = x['port']
                if mw.isIpAddr(port):
--- a/scripts/install/rhel.sh
+++ b/scripts/install/rhel.sh
@ -43,7 +43,11 @@ if [ -f /usr/sbin/iptables ];then
    iptables_status=`systemctl status iptables | grep 'inactive'`
    if [ "${iptables_status}" != '' ];then
        service iptables restart
-    
+        
+        # iptables -P FORWARD DROP
+        iptables -P INPUT DROP
+        iptables -P OUTPUT ACCEPT
+
        iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
        iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT