vCloud Director 5.1.1安装环境RHEL 6.2
/etc/sysconfig/iptables内容
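# Generated by iptables-save v1.4.7 on Tue Mar 26 15:52:56 2013
# Host firewall for a vCloud Director 5.1.1 cell on RHEL 6.2.
# NOTE: the published copy of this file had every "--" option prefix
# mangled into an en-dash ("–dport", "–state"); iptables-restore rejects
# that, so all options below are spelled with two ASCII hyphens.
*filter
# Default policy is DROP on all three built-in chains: anything not
# explicitly accepted below is discarded.  All three built-in chains are
# routed through the single user-defined chain RH-Firewall-1-INPUT, so
# every rule in that chain applies to inbound, forwarded AND outbound
# traffic alike.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -j RH-Firewall-1-INPUT
# Loopback.  "-i lo" only matches packets that ARRIVE on lo (the INPUT
# path).  Locally generated packets have no input interface, so on the
# OUTPUT path that rule never matches and loopback traffic would have to
# squeeze through the per-port rules further down; "-o lo" covers that
# direction.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -o lo -j ACCEPT
# All ICMP types.
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# IPsec: ESP (protocol 50) and AH (protocol 51).
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# Replies and related packets of any connection that was already allowed.
# This is what lets the answers to outbound connections back in, so no
# source-port ("--sport") rules are needed for return traffic.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Simple
# Begin listing vCloud Director Ports Needed
# Every rule below accepts NEW connections from ANY source address, and
# because the chain also serves OUTPUT, each one permits both inbound and
# outbound connections to that port.  For the administrative and back-end
# ports (22, 902/903, NFS, 1433/1521, 5672, 61611/61616) consider limiting
# the peer with "-s <peer-subnet>/<prefix>" (placeholder, fill in per site).
# vCloud WebServices & vCenter/ESX Connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# vCloud Optional
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# vCloud Remote Console (these two rules also cover the "vCenter & ESX"
# 902/903 entries that the original listed a second time further down)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 903 -j ACCEPT
#NFS
# Destination-port matches only.  The original additionally accepted NEW
# connections by SOURCE port (--sport 111/920/2049).  The remote peer
# chooses its own source port, so such rules let any connection through
# the firewall regardless of the service it targets; they were removed.
# Return traffic of this host's own NFS connections is already accepted by
# the ESTABLISHED,RELATED rule above.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 920 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#NTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#LDAP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
#SMTP
# SMTP runs over TCP only; the UDP/25 rule of the original opened a port
# no service listens on and was dropped.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
#Syslog
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#vCenter & ESX
# 443 and 902/903 are already accepted by the WebServices and Remote
# Console rules above; duplicate rules are not needed here.
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#Default Microsoft SQL Connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1433 -j ACCEPT
#Default Oracle Port Connections
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#AMQP Messaging (if Server exists)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5672 -j ACCEPT
#ActiveMQ
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61611 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 61616 -j ACCEPT
# End listing vCloud Director Ports Needed
COMMIT
# Completed on Tue Mar 26 15:52:56 2013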
配置文件详解:
# Generated by iptables-save v1.4.7 on Tue Mar 26 15:52:56 2013
#注释说明
*filter
#使用filter表
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
#上面四条内容设置了内建的INPUT、FORWARD、OUTPUT链的默认策略,还创建了一个名为RH-Firewall-1-INPUT 的新链
-A INPUT -j RH-Firewall-1-INPUT
#上面这条规则将添加到INPUT链上,所有进入INPUT链的数据包将跳转到RH-Firewall-1-INPUT 链上。
-A FORWARD -j RH-Firewall-1-INPUT
#上面这条规则将添加到FORWARD链上,所有进入FORWARD链的数据包将跳转到RH-Firewall-1-INPUT 链上。
-A OUTPUT -j RH-Firewall-1-INPUT
#上面这条规则将添加到OUTPUT链上,所有进入OUTPUT链的数据包将跳转到RH-Firewall-1-INPUT 链上。
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
#上面这条规则将被添加到RH-Firewall-1-INPUT链,它匹配所有从环回接口(lo)流入(-i)的数据包,匹配这条规则的数据包将全部通过(ACCEPT),不会再用后面的规则来和它们进行比较。
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#上面这条规则允许所有的icmp包。-p 后面是协议,如 icmp、tcp、udp;端口跟在协议后面指定,--sport 为源端口,--dport 为目的端口;-j 指定匹配的数据包要执行的动作,如 ACCEPT、DROP、QUEUE 等。
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-m state --state ESTABLISHED,RELATED 这个条件匹配所有处于ESTABLISHED或者RELATED状态的包,对这些包的策略都是接受。
-A RH-Firewall-1-INPUT -m state --state NEW
#-A RH-Firewall-1-INPUT -m state --state NEW 这个条件匹配状态为新建连接(NEW)的数据包,后面接的是针对新建连接的策略。
其他策略见注释说明。
附件:http://down.51cto.com/data/2362545