http://linux.chinaunix.net/bbs/viewthread.php?tid=910312

我的服务器是apache+mysql的ip地址为222.90.32.*
22端口和3306端口，我只想让123.234.213.223可以连接
clientip 123.234.213.223 服务器端ip 222.90.32.*
iptables -A INPUT -s ! clientip/32 -d serverip -p tcp --dport 3306 -j DROP
iptables -A INPUT -s ! clientip/32 -d serverip -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

[root@dbtest ~]# iptables -A INPUT -p tcp -s 192.168.1.198 -d 192.168.1.16 --dport 22 -j

DROP
[root@dbtest ~]# iptables-save
# Generated by iptables-save v1.2.11 on Sat Sep 29 10:38:54 2007
*mangle
:PREROUTING ACCEPT [138:10217]
:INPUT ACCEPT [138:10217]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [99:7876]
:POSTROUTING ACCEPT [99:7876]
COMMIT
# Completed on Sat Sep 29 10:38:54 2007
# Generated by iptables-save v1.2.11 on Sat Sep 29 10:38:54 2007
*filter
:INPUT ACCEPT [138:10217]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [99:7876]
-A INPUT -s 192.168.1.198 -d 192.168.1.16 -p tcp -m tcp --dport 22 -j DROP
COMMIT
# Completed on Sat Sep 29 10:38:54 2007
# Generated by iptables-save v1.2.11 on Sat Sep 29 10:38:54 2007
*nat
:PREROUTING ACCEPT [2:321]
:POSTROUTING ACCEPT [7:420]
:OUTPUT ACCEPT [7:420]
COMMIT
# Completed on Sat Sep 29 10:38:54 2007
[root@dbtest ~]# iptables-save > /etc/sysconfig/iptables
[root@dbtest ~]# /etc/init.d/iptables start
清除防火墙规则：[  确定  ]
把 chains 设置为 ACCEPT 策略：mangle filter nat [  确定  ]
正在卸载 Iiptables 模块：[  确定  ]
应用 iptables 防火墙规则：[  确定  ]
载入额外 iptables 模块：ip_nat_ftp [  确定  ]

iptables -A INPUT -i eth0  -p udp -m multiport --destination-port 135,136,137 -j DROP
iptables -A INPUT -i eth0  -p tcp -m multiport -s 192.168.1.198  -d 192.168.1.16 --

destination-port 22,3306 -j DROP

和下面这句一个意思！

iptables -A INPUT -i eth0  -p tcp -m multiport -s 192.168.1.198  -d 192.168.1.16 --dport

22,3306 -j DROP