Linux iptables settings in detail (GO)

Source: Internet
Author: User
Tags: ssh, port

Either way, iptables needs special care when you set it up: if the server is not physically next to you and you hastily write a rule that blocks SSH, all that is left is to wait for the boss to scold you, hehe ...

The following is written to prevent that from happening; it is not exhaustive, but it is sufficient for a typical server:

1. First, the commands and the related configuration file
Start command: service iptables start
Restart command: service iptables restart
Shutdown command: service iptables stop

The related configuration file is /etc/sysconfig/iptables.
How do I edit the configuration?
vim /etc/sysconfig/iptables
Then go in and modify it. What next? Many people will think of the /etc/rc.d/init.d/iptables save command here, but if you run it at this point you have just thrown your changes away ...
The correct procedure is:
The only way to make changes to /etc/sysconfig/iptables take effect is to run service iptables restart first, and only then call /etc/rc.d/init.d/iptables save.
The reason is that /etc/rc.d/init.d/iptables save writes the rules currently loaded in the running iptables service back to the file. If you call /etc/rc.d/init.d/iptables save directly, before restarting, your edited /etc/sysconfig/iptables is rolled back to the configuration that was loaded at the last service start. This must be noted!!!

2. Here are the options used below (for the details, see man iptables)
-A: append a rule to the named chain (INPUT, OUTPUT, FORWARD)
-p: specify the protocol (tcp, udp, icmp)
-d: specify the destination address
--dport: specify the destination port
--sport: specify the source port

-j: specify the target, i.e. the action to take (ACCEPT, DROP, REJECT)

3. If you would rather not edit the file, issuing the commands directly is of course fine. The steps are as follows:
For example, this is the statement I use to allow SSH:
Add an INPUT rule: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Add an OUTPUT rule: iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Finally, note that you must run /etc/init.d/iptables save so that the two rules just added are written to the /etc/sysconfig/iptables file.

4. Next, the steps in detail. If the machine is not next to me, I can only SSH in to set the iptables rules, so I must pay attention to every step and make no mistakes, or the SSH connection will be lost!

The first thing to do is to add the rules that accept our SSH traffic, so that we never end up unable to connect:

1. If the SSH port is 22 (using the default port is not recommended; it is best to change the SSH port)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Note that you must run /etc/rc.d/init.d/iptables save; it is best to run it again after each of the following steps, which will not be repeated below.

2. Open /etc/sysconfig/iptables with vim, confirm the rules have been added, and then run service iptables restart.

3. The following is a very dangerous operation. If you did not do step 1, it will leave you unable to connect over SSH, so before this step remember to do step 1!!!
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
This step sets the default policy so that every packet not matched by one of your own rules is dropped. If you have not lost the SSH session after running it, thank goodness, it is safe: save, restart iptables, and continue with the configuration below!

4. I will not elaborate on the rest; look at which ports the server must open and which external ports it must reach, and configure accordingly. The following is the configuration of my own machine:

The /etc/sysconfig/iptables file is configured as follows:
# Generated by iptables-save v1.4.7 on Fri Mar 2 19:59:43 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [8:496]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP, used by ping
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.2.200/32 -d 192.168.2.200/32 -j ACCEPT
# allow SSH into this server (the server is the target of external requests, so use --dport)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# port 80 needs no explanation: the server's web access port
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11212 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# port 53 is DNS; both TCP and UDP are configured
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# ICMP, used by ping
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.2.200/32 -d 192.168.2.200/32 -j ACCEPT
# allow this server to SSH to other machines (use --dport for the remote port)
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
# replies from this server's own SSH (use --sport for locally sourced output)
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
# access port 80 on external websites (use --dport for the remote port)
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
# if the server needs to reach external websites, OUTPUT also needs port 53 (use --dport for the remote port)
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# if external mailboxes are accessed, open the mail-related ports (use --dport for the remote port)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
# replies from the server's own service ports (use --sport for locally sourced output)
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11211 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11212 -j ACCEPT
COMMIT

# Completed on Fri Mar 2 19:59:43 2012
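The remote procedure in steps 1 to 3 (SSH ACCEPT rules first, then the DROP policies) is the part that locks people out when a line is typed in the wrong order. The following script is an added example, not code from the original post: it emits the commands in the required order, checks that order before touching the live firewall, saves the running rules with iptables-save, and starts a watchdog that restores them with iptables-restore unless the administrator confirms from a fresh SSH session within a time limit. The SSH port, the backup path and the 120-second window are constructed values for illustration; the /etc/rc.d/init.d/iptables save call is the one the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: apply the "allow SSH first, then
# DROP by default" sequence over a remote SSH session with a rollback watchdog.
# Assumptions (constructed): SSH on port 22, the backup path below, a 120 s
# confirmation window; iptables-save, iptables-restore and the post's
# /etc/rc.d/init.d/iptables save script are available on the host.
SSH_PORT=${SSH_PORT:-22}
BACKUP=${BACKUP:-/tmp/iptables.rollback}   # constructed path
TIMEOUT=${TIMEOUT:-120}

# Emit the commands in the order they must run: SSH ACCEPT rules first,
# then loopback and established traffic, and only then the DROP policies.
build_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A OUTPUT -p tcp --sport $SSH_PORT -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Sanity check before touching the live firewall: return 0 only if the SSH
# ACCEPT on INPUT appears before the first "-P INPUT DROP" line.
ssh_allowed_before_drop() {
    accept=$(build_rules | grep -nF -- "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT" | head -n 1 | cut -d: -f1)
    drop=$(build_rules | grep -nF -- "-P INPUT DROP" | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# Count how many default policies the sequence sets to DROP (expected: 3).
count_drop_policies() {
    build_rules | grep -c -- "-P .* DROP"
}

# Save the running rules, start a watchdog that restores them after TIMEOUT
# seconds unless confirm_rules has removed the backup, then apply the sequence.
# nohup keeps the watchdog alive if this SSH session is the one that dies.
apply_with_rollback() {
    ssh_allowed_before_drop || { echo "refusing: SSH would be dropped" >&2; return 1; }
    iptables-save > "$BACKUP"
    nohup sh -c 'sleep "$1"; [ -f "$2" ] && iptables-restore < "$2"' watchdog "$TIMEOUT" "$BACKUP" >/dev/null 2>&1 &
    build_rules | sh -e
    echo "applied; run confirm_rules within ${TIMEOUT}s or the old rules come back"
}

# Run this from a *new* SSH session that still connects: it cancels the
# rollback and persists the rules to /etc/sysconfig/iptables.
confirm_rules() {
    rm -f "$BACKUP"
    /etc/rc.d/init.d/iptables save
}
```

Source the file, run apply_with_rollback from the existing session, then open a second SSH session and run confirm_rules there; if the second session cannot connect, do nothing and the watchdog puts the previous ruleset back by itself.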

5. Sometimes you may need to delete rules. The simplest way is to modify /etc/sysconfig/iptables, then service iptables restart, and finally /etc/rc.d/init.d/iptables save.

Of course, you can also do it with commands:

Here is the rule deletion method, found on the internet:
The syntax is: iptables -D chain rulenum [options]
Where chain is the chain name, i.e. INPUT, FORWARD and the like.
rulenum is the number of the rule, starting from 1. You can use --line-numbers to list the rules with their numbers.

So, for example, if you want to delete a rule from the INPUT chain, you can do this: iptables -D INPUT 3
This means deleting the 3rd rule.
There is a second way, which mirrors the -A command but replaces -A with -D. It is useful when the rules in a chain are complex and you do not want to count their numbers. In other words, however you defined a rule with an iptables -A ... statement, you delete it by using -D instead of -A and keeping the rest exactly the same.
======================
About the --line-numbers option mentioned above, as in the following command, which lists all the rules of the INPUT chain:
iptables -L INPUT --line-numbers
num  target     prot opt source               destination
1    REJECT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds reject-with icmp-port-unreachable
2    REJECT     tcp  --  anywhere             anywhere            tcp dpt:135 reject-with icmp-port-unreachable
3    REJECT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn reject-with icmp-port-unreachable

...
...
To delete the rule on a specific row:

# iptables -D INPUT 4

6. Finally, if you want to open a port for one IP only, configure it as follows:
If I need to open the MySQL port to a single machine on the intranet only, it should be configured as follows:
iptables -A INPUT -s 192.168.2.6 -p tcp -m tcp --dport 3306 -j ACCEPT

iptables -A OUTPUT -d 192.168.2.6 -p tcp -m tcp --sport 3306 -j ACCEPT
The OUTPUT rule matches on -d rather than -s: the packets the server sends back carry the client 192.168.2.6 as their destination, with the server itself as the source.

7. Completely prohibit access from an IP:
# the command to block a single IP is
iptables -I INPUT -s 123.45.6.7 -j DROP
# the command to block the whole range from 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# the command to block the range from 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# the command to block the range from 123.45.6.1 to 123.45.6.254 is
iptables -I INPUT -s 123.45.6.0/24 -j DROP
-I is the insert command: by default it inserts the rule at position 1, the top of the chain, whereas -A appends at the end and leaves the rule wherever your own ordering puts it. Since iptables evaluates rules in order, a DROP for a blocked address must be loaded before the ACCEPT rules, so the blocks must be loaded with -I. Then remember to run /etc/rc.d/init.d/iptables save and restart the service after saving.
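Two details matter when sections 5 and 7 are combined in practice: running the same -I line twice stacks duplicate DROP rules at the top of the chain, and -D with a rule specification removes only the first match per call, so one delete may leave a duplicate behind. The script below is an added example, not code from the original post: it uses the -C (check) option of iptables to insert a block only when it is absent and to keep deleting until no match remains. The IPT and CHAIN variables are assumptions added so the functions can be pointed at another binary, such as a test double, or another chain.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent block/unblock of a
# source address or CIDR on the INPUT chain, inserted at the top with -I so it
# is evaluated before any ACCEPT. IPT and CHAIN are assumed overrides.
IPT=${IPT:-iptables}
CHAIN=${CHAIN:-INPUT}

# Return 0 if a DROP rule for $1 is already present in the chain.
# iptables -C checks for a matching rule without changing anything.
is_blocked() {
    "$IPT" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null
}

# Insert a DROP rule at position 1 unless an identical one already exists.
block_ip() {
    if is_blocked "$1"; then
        echo "already blocked: $1"
        return 0
    fi
    "$IPT" -I "$CHAIN" 1 -s "$1" -j DROP
}

# Delete every matching DROP rule; -D removes only the first match per call,
# so loop until -C reports no rule left. Prints the number of rules removed.
unblock_ip() {
    removed=0
    while is_blocked "$1"; do
        "$IPT" -D "$CHAIN" -s "$1" -j DROP
        removed=$((removed + 1))
    done
    echo "$removed"
}
```

After block_ip or unblock_ip, persist the result the same way as everywhere else in this post: /etc/rc.d/init.d/iptables save, then restart the service.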
