Iptables firewall configuration experience

Source: Internet
Author: User
Note that iptables is case-sensitive. Options differ by case (-L lists a chain, -F flushes it, -P sets its default policy, while -p selects a protocol; -A appends a rule, -I inserts one, -i names the input interface), and the built-in chain names (INPUT, OUTPUT, FORWARD) and targets (ACCEPT, DROP) must be written in upper case. In the rules below $WAN_INT and $LAN_INT hold the names of the external and internal interfaces and are set earlier in the script. ACCEPT rules only mean something when the chain's default policy is DROP (iptables -P INPUT DROP); with the default policy of ACCEPT they allow nothing that was not already allowed. -m state still works, but -m conntrack --ctstate is its current form.

The simplest and most common INPUT rules: allow telnet and ssh. Telnet (port 23) sends passwords in cleartext, so on the WAN side it is better to open ssh only.

########## INPUT chain ##############
# Replies and related traffic for connections already tracked
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New ssh (22) and telnet (23) connections arriving on the WAN and LAN interfaces
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p tcp --dport 23 -j ACCEPT
/sbin/iptables -A INPUT -i $LAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $LAN_INT -m state --state NEW -p tcp --dport 23 -j ACCEPT
The simplest firewall that can be pinged (with a rate limit against ICMP floods):

# Type 0 is echo-reply, type 8 is echo-request
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT

No interface (-i) is given, so the firewall can be pinged from all interfaces. Common rules for ICMP packets passing through the firewall (FORWARD):

################ Define icmp rules ################
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT
# Limits all ICMP crossing the firewall, in both directions
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

-m limit --limit causes packet loss for normal pings

The limit match only accepts an echo request while its token bucket (10 tokens, refilled at one per second) has a token left. Every request beyond that does not match, falls through to the chain's default DROP policy and is silently discarded, which the client reports as a timeout. A client pinging once per second runs at exactly the refill rate, so once the initial burst of 10 is spent many requests arrive before the next token is available. With these rules in place:

/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 10 -j ACCEPT

D:\> ping 10.4.3.117 -t
Pinging 10.4.3.117 with 32 bytes of data:
Request timed out.
Reply from 10.4.3.117: bytes=32 time<10ms TTL=64
Request timed out.
Request timed out.
Reply from 10.4.3.117: bytes=32 time=1ms TTL=64
Request timed out.
Reply from 10.4.3.117: bytes=32 time=3ms TTL=64
Request timed out.

Remove the limit:
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

D:\> ping 10.4.3.117 -t
Pinging 10.4.3.117 with 32 bytes of data:
Reply from 10.4.3.117: bytes=32 time=20ms TTL=64
Reply from 10.4.3.117: bytes=32 time=10ms TTL=64
Reply from 10.4.3.117: bytes=32 time=6ms TTL=64
Reply from 10.4.3.117: bytes=32 time=3ms TTL=64
Reply from 10.4.3.117: bytes=32 time=1ms TTL=64
Reply from 10.4.3.117: bytes=32 time=4ms TTL=64
Reply from 10.4.3.117: bytes=32 time<10ms TTL=64
Reply from 10.4.3.117: bytes=32 time<10ms TTL=64

If a flood limit is still wanted, a larger --limit-burst gives interactive pings headroom, and -m hashlimit --hashlimit-mode srcip limits each source separately so that one flooding host does not consume the tokens for everyone else.

The simplest FORWARD rules: allow everything from the LAN outward; from the WAN allow only replies to existing connections and new connections to the published (DNAT) server ports 9000, 9001 and 22; allow ping in both directions with a flood limit

########## FORWARD chain ###########
/sbin/iptables -A FORWARD -i $LAN_INT -p all -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

The simplest internal server published to the outside with DNAT

########## FORWARD chain ###########
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
########## NAT chain ###############
# Hide the 10.4.0.0/16 LAN behind the firewall's public address
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $WAN_INT -j SNAT --to-source 124.126.86.138
# Publish 10.4.3.150: public port 2022 maps to its ssh port 22; 9000 and 9001 map straight through
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9001 -j DNAT --to-destination 10.4.3.150:9001
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9000 -j DNAT --to-destination 10.4.3.150:9000

DNAT is applied in PREROUTING, before the FORWARD chain is consulted, so the FORWARD rule for the ssh mapping must match the translated port 22 and not the public port 2022. The FORWARD rules above do not restrict the destination address; adding -d 10.4.3.150 confines the opening to the published server.

Simple OpenVPN rules

VPN_LFC_INT="tun0"
VPN_ZHAO_INT="tun1"
########## INPUT chain ##############
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Two OpenVPN instances listening on UDP 1194 and 1195
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A INPUT -i $WAN_INT -m state --state NEW -p udp --dport 1195 -j ACCEPT
# ssh to the firewall itself only from inside the tunnels
/sbin/iptables -A INPUT -i $VPN_LFC_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i $VPN_ZHAO_INT -m state --state NEW -p tcp --dport 22 -j ACCEPT
########## FORWARD chain ###########
/sbin/iptables -A FORWARD -i $WAN_INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $LAN_INT -p all -j ACCEPT
# VPN clients may reach everything behind the firewall; add -o or -d if they should only see particular hosts
/sbin/iptables -A FORWARD -i $VPN_LFC_INT -p all -j ACCEPT
/sbin/iptables -A FORWARD -i $VPN_ZHAO_INT -p all -j ACCEPT

Enable forwarding in the iptables script:
echo "1" > /proc/sys/net/ipv4/ip_forward
This setting is lost at reboot; to make it permanent, put net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply it with sysctl -p.
Why does the iptables firewall block active FTP on Linux?
Active FTP: the client opens the control connection to port 21, and the server then opens the data connection back to the client from its fixed port 20.
Passive FTP: the client opens both connections; the data connection goes to a random high port that the server announces over the control channel.

iptables blocks active FTP (even if ACCEPT
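The INPUT, FORWARD, NAT and OpenVPN rules above, put together as an added example that is not part of the original page: a shell script that emits the whole firewall in iptables-restore format, so it is loaded in one transaction with DROP default policies instead of being appended rule by rule to chains that are still wide open. It also carries the answer to the active-FTP question: the data connection the server opens from port 20 to the client's random port is a NEW connection as far as connection tracking is concerned, so a stateful rule set drops it; the nf_conntrack_ftp helper reads the PORT and PASV exchange on the control connection and marks the data connection RELATED. The interface names eth0 and eth1, the use of tun+ for all tunnels and the APPLY variable are assumptions of this example; the addresses are the ones used on the page, and telnet is left out.

```shell
#!/bin/sh
# Added example (not from the original page): generate the whole firewall as an
# iptables-restore ruleset so it loads atomically with DROP default policies.
# eth0/eth1 are assumed interface names; the addresses are the page's.
# The page's -m state match is written in its current form, -m conntrack.
WAN_INT="${WAN_INT:-eth0}"            # assumption: external interface
LAN_INT="${LAN_INT:-eth1}"            # assumption: internal interface
WAN_IP="${WAN_IP:-124.126.86.138}"    # public address (DNAT target, SNAT source)
LAN_NET="${LAN_NET:-10.4.0.0/16}"     # internal network
SRV="${SRV:-10.4.3.150}"              # published internal server

gen_ruleset() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper to control connections explicitly (automatic helper
# assignment has been off by default since kernel 4.7). The helper marks the
# data connection RELATED, so active FTP from LAN clients passes the
# RELATED,ESTABLISHED rule instead of being dropped as NEW.
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only packets arriving on the WAN interface for the public address are translated
-A PREROUTING -i ${WAN_INT} -d ${WAN_IP} -p tcp -m tcp --dport 2022 -j DNAT --to-destination ${SRV}:22
-A PREROUTING -i ${WAN_INT} -d ${WAN_IP} -p tcp -m tcp --dport 9000 -j DNAT --to-destination ${SRV}:9000
-A PREROUTING -i ${WAN_INT} -d ${WAN_IP} -p tcp -m tcp --dport 9001 -j DNAT --to-destination ${SRV}:9001
-A POSTROUTING -s ${LAN_NET} -o ${WAN_INT} -j SNAT --to-source ${WAN_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Echo replies to our own pings are ESTABLISHED, so no separate icmp-type 0 rule is needed
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${LAN_INT} -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_INT} -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Two OpenVPN instances; tun+ matches tun0, tun1, ... so no per-tunnel variable is needed
-A INPUT -i ${WAN_INT} -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i ${WAN_INT} -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Echo requests beyond the token bucket fall through to the DROP policy (the timeouts seen above)
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 10 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_INT} -o ${WAN_INT} -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
# FORWARD sees the post-DNAT destination: port 22 on the server, not the public port 2022
-A FORWARD -i ${WAN_INT} -d ${SRV} -p tcp -m multiport --dports 22,9000,9001 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# True if the generated ruleset contains the given fixed string (sanity check before loading)
has_rule() { gen_ruleset | grep -qF -- "$1"; }

apply_ruleset() {
  tmp=$(mktemp)
  gen_ruleset > "$tmp"
  modprobe nf_conntrack_ftp          # the CT --helper ftp rule needs the helper registered first
  sysctl -w net.ipv4.ip_forward=1    # make it permanent under /etc/sysctl.d/ as well
  # --test parses and builds the whole ruleset without committing; load only if that succeeds
  iptables-restore --test "$tmp" && iptables-restore "$tmp"
  rm -f "$tmp"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_ruleset
else
  gen_ruleset    # dry run: print the ruleset that APPLY=1 would load
fi
```

Run without arguments to see the generated ruleset; run as root with APPLY=1 to load it. Because the filter policies are DROP, a rule with a typo no longer silently leaves a chain open: iptables-restore --test rejects the whole file and the running firewall is untouched.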
