1. The following is my server's standard /etc/sysconfig/iptables configuration, explained line by line:

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

:INPUT ACCEPT [0:0] sets the default policy of the INPUT chain to ACCEPT. INPUT handles packets addressed to this machine; in plain terms, it decides which of my ports other hosts may reach. For example, if this machine runs an FTP service and a client connects to download data, that connection is controlled in the INPUT chain.

:FORWARD ACCEPT [0:0] sets the default policy of the FORWARD chain to ACCEPT. FORWARD is the forwarding chain. If this machine is the gateway, the rules that let hosts on the internal network reach the Internet through it are set here.

:OUTPUT ACCEPT [0:0] sets the default policy of the OUTPUT chain to ACCEPT. OUTPUT handles packets leaving this machine, i.e. which outbound ports are allowed. For example, in the OUTPUT chain I can set which addresses and ports this machine may access.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT: accept packets that belong to a connection that is already established, or that are related to one.

-A INPUT -p icmp -j ACCEPT: allow the ICMP protocol, mainly so that ping works.

-A INPUT -i lo -j ACCEPT: accept all requests on the local loopback interface.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT: allow port 22 to be accessed from outside.

The last two rules reject every packet in the INPUT and FORWARD chains that matched none of the rules above, and send an ICMP host-prohibited message back to the rejected host.

COMMIT writes the rules of this table.
2. iptables -A <rule chain> -i <network interface> -j <action on the packet>

-A: the rule chain to which the rule is appended
-i: the network interface the packet arrives on
-p: the packet protocol
-j: what to do with the packet, e.g. ACCEPT or DROP
-s: match on the source address. A host name cannot be used; it must be an IP, given as IP | IP/mask | 0.0.0.0/0.0.0.0. The address can be negated by prefixing it with "!", which means every IP except the one given.

For example, add a rule to the INPUT chain that allows all packets from 192.168.1.0/24 arriving on the eth0 interface:

```
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
```
3. -m: additional match modules

Match on packet connection state (state)
Match on source MAC address (mac)
Match on packet rate (limit)
Match on multiple ports (multiport)

The state module:

-m state --state <state>

States: NEW, RELATED, ESTABLISHED, INVALID

NEW: not the same thing as a TCP SYN (see the note below)
ESTABLISHED: the connection is already established
RELATED: a derived connection, associated through conntrack helpers (e.g. FTP)
INVALID: the packet cannot be associated with any known connection, or has no state

Specifies the connection state of the packet to match. Four states are currently available: INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet is not associated with any known stream or connection, or that it may contain problematic data or headers. ESTABLISHED means the packet is fully valid and belongs to an established connection in which data has been sent in both directions. NEW means the packet is about to start, or has started, a fresh connection, or is related to a connection that has not yet seen data in both directions. RELATED means the packet is starting a new connection that is related to an already established connection, for example an FTP data transfer, or an ICMP error associated with a TCP or UDP connection. Note that the NEW state does not look for a SYN flag in a TCP packet that is trying to establish a connection, so it should not be used unmodified where there is only one firewall, or where there is no load balancing between different firewalls.
4. Allow port 21137 to be accessed:

```
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21137 -j ACCEPT
```

Q: What does -m tcp mean?
A: When you use -p tcp you need to tell the kernel to load the tcp match module, in the same way that the --state parameter loads the state module. But netfilter and iptables already build the tcp, udp and icmp modules in, so it does not have to be written explicitly; iptables-save still prints it, to be rigorous.
-p tcp means the rule operates on the TCP protocol.
-m tcp loads the tcp match module (which provides options such as --dport).

5. Restrict access to port 9889 with iptables (allow only 192.168.1.201, 192.168.1.202 and 192.168.1.203; all other IPs are denied):
```
iptables -I INPUT -p tcp --dport 9889 -j DROP   # deny all access to port 9889
iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT
# -I inserts at the head of the chain, so running the DROP first and the ACCEPTs
# afterwards leaves the three ACCEPT rules above the DROP; rules are evaluated
# top-down and the first match wins.
```
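To make the ordering behind section 5 concrete, here is an added example that is not part of the original post: a toy in-memory model of one chain that replays the four commands above with -I, then the same commands with -A, and evaluates sample packets with first-match semantics. It is a simplified simulator, not a substitute for iptables, and parses only the options used on this page.

```python
import ipaddress
import shlex

def parse_command(cmdline):
    """Parse one 'iptables -A|-I CHAIN ... -j TARGET' line (only this page's options)."""
    args = shlex.split(cmdline)[1:]         # drop the leading 'iptables' word
    mode, rule = None, {"src": None, "proto": None, "dport": None, "target": None}
    for opt, val in zip(args[0::2], args[1::2]):
        if opt in ("-A", "-I"):
            mode = opt                      # val is the chain name; one chain here
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val.lower()
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        elif opt != "-m":                   # '-m tcp' only names the match module
            raise ValueError("unsupported option: " + opt)
    return mode, rule

def build_chain(commands):
    """Replay commands in the order typed: -I inserts at the head, -A appends."""
    chain = []
    for cmd in commands:
        mode, rule = parse_command(cmd)
        chain.insert(0, rule) if mode == "-I" else chain.append(rule)
    return chain

def verdict(chain, src, proto, dport, policy="ACCEPT"):
    """Walk the chain top-down; the first matching rule's target is the verdict."""
    addr = ipaddress.ip_address(src)
    for r in chain:
        if (r["src"] is None or addr in r["src"]) and \
           (r["proto"] is None or r["proto"] == proto) and \
           (r["dport"] is None or r["dport"] == dport):
            return r["target"]
    return policy                           # nothing matched: default policy decides

# The four commands from section 5 exactly as typed (-I), and the same with -A.
SECTION5 = [
    "iptables -I INPUT -p tcp --dport 9889 -j DROP",
    "iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT",
    "iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT",
    "iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT",
]
SECTION5_APPENDED = [c.replace("-I ", "-A ") for c in SECTION5]
```

With -I the allowed hosts reach port 9889 and everyone else hits the DROP; with -A in the same order the DROP sits first and blocks even the whitelisted hosts.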