建構簡單單機型防火牆實驗

預設進來(INPUT)的封包都Drop
清空所有filter表的所有規則
新增一筆允許進來的lookback 介面
允許從防火牆ping其他的電腦;反之不允許其他電腦ping 防火牆
允許從來源端192.168.0.0/24網段且以ICMP協定
允許以tcp 且為目的port 22 新連線進來
來源為192.168.1.0/24網段都reject掉

任何進來的都reject掉

#!/bin/bash
iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW  -p tcp --dport 22 -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT  -j REJECT

測試單元

iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT

於防火牆測試loopback
```
ping 127.0.0.1 ok
```

從192.168.1.8 ping及ssh 192.168.1.254

ping 192.168.1.254 Not ok
ssh 192.168.1.254 Not ok

從192.168.0.8 ping及ssh 192.168.0.254

ping 192.168.0.254 Not ok
ssh 192.168.0.254 Not ok

從192.168.0.254 ping 192.168.0.8
```
ping 192.168.0.8 Not ok
```

iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT

從192.168.0.254 ping 192.168.0.8
```
ping 192.168.0.8 ok
```
反之,從192.168.0.8 ping 192.168.0.254
```
ping 192.168.0.254 not ok
```

iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;

從192.168.0.8 ssh 192.168.0.254
```
 ssh 192.168.0.254 not ok
```
從192.168.1.8 ssh 192.168.1.254
```
 ssh 192.168.1.254 not ok
```

從192.168.1.8 ping 192.168.1.254

 ping 192.168.1.254 not ok,且會出現 Destination Port Unreachable等訊息

iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT

從192.168.0.8 ping 192.168.0.254
```
 ping 192.168.0.254  ok
```
從192.168.0.8 ssh 192.168.0.254
```
 ssh 192.168.0.254 not ok
```

iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW  -p tcp --dport 22 -j ACCEPT

從192.168.0.8 ssh 192.168.0.254
```
 ssh 192.168.0.254 ok
```
從192.168.1.8 ssh 192.168.1.254
```
 ssh 192.168.1.254 not ok
```

#!/bin/bash
iptables -P INPUT  DROP;
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW  -p tcp --dport 22 -j ACCEPT
iptables -A INPUT  -s 192.168.1.0/24 -j REJECT;
iptables -A INPUT  -j REJECT

從192.168.0.8 ssh 192.168.0.254
```
 ssh 192.168.0.254 ok
```
從192.168.0.8 ping 192.168.0.254
```
 ping 192.168.0.254 ok
```
從192.168.1.8 ssh 192.168.1.254
```
 ssh 192.168.1.254 ok
```
從192.168.1.8 ping 192.168.1.254
```
 ssh 192.168.1.254 not ok
```