======建構簡單單機型防火牆實驗======
{{:linux:security:wiki_防火牆lab.gif?250 |}}
  - 預設進來(INPUT)的封包都Drop
  - 清空所有filter表的所有規則
  - 新增一筆允許進來的lookback 介面
  - 允許從防火牆ping其他的電腦;反之不允許其他電腦ping 防火牆
  - 允許從來源端192.168.0.0/24網段且以ICMP協定
  - 允許以tcp 且為目的port 22 新連線進來
  - 來源為192.168.1.0/24網段都reject掉
  - 任何進來的都reject掉<code 1bash>#!/bin/bash
iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW  -p tcp --dport 22 -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT  -j REJECT</code>

======測試單元======
<code>iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT</code>
  * 於防火牆測試loopback<code>ping 127.0.0.1 ok</code>
  * 從192.168.1.8 ping及ssh 192.168.1.254<code>ping 192.168.1.254 Not ok
ssh 192.168.1.254 Not ok
</code>
  * 從192.168.0.8 ping及ssh 192.168.0.254<code>ping 192.168.0.254 Not ok
ssh 192.168.0.254 Not ok</code>
  * 從192.168.0.254 ping 192.168.0.8<code>ping 192.168.0.8 Not ok</code>

<code>iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
</code>
  * 從192.168.0.254  ping 192.168.0.8<code>ping 192.168.0.8 ok</code>
  * 反之,從192.168.0.8  ping 192.168.0.254<code>ping 192.168.0.254 not ok</code>
<code>iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
</code>
  * 從192.168.0.8  ssh 192.168.0.254 <code> ssh 192.168.0.254 not ok</code>
  * 從192.168.1.8  ssh 192.168.1.254 <code> ssh 192.168.1.254 not ok</code>
  * 從192.168.1.8  ping 192.168.1.254 <code> ping 192.168.1.254 not ok,且會出現 Destination Port Unreachable等訊息</code>
<code>iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
</code>
  * 從192.168.0.8  ping 192.168.0.254 <code> ping 192.168.0.254  ok</code>
  * 從192.168.0.8  ssh 192.168.0.254 <code> ssh 192.168.0.254 not ok</code>
<code>iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW  -p tcp --dport 22 -j ACCEPT
</code>
  * 從192.168.0.8  ssh 192.168.0.254 <code> ssh 192.168.0.254 ok</code>
  * 從192.168.1.8  ssh 192.168.1.254 <code> ssh 192.168.1.254 not ok</code>

<code>#!/bin/bash
iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW  -p tcp --dport 22 -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT  -j REJECT</code>
  * 從192.168.0.8  ssh 192.168.0.254 <code> ssh 192.168.0.254 ok</code>
  * 從192.168.0.8  ping 192.168.0.254 <code> ping 192.168.0.254 ok</code>
  * 從192.168.1.8  ssh 192.168.1.254 <code> ssh 192.168.1.254 ok</code>
  * 從192.168.1.8  ping 192.168.1.254 <code> ssh 192.168.1.254 not ok</code>