iptables multiport


iptables Firewall Setup Instance

ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
10. Disable forwarding of packets from the host with the MAC address 00:0c:29:27:55:3f
iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3f -j DROP
Description: An explicit match is invoked in iptables using the form "-m module keyword". Here we use "-m mac --mac-source" to match the source MAC address of the packet.
11. Allow the firewall itself to open TCP ports 20, 21, 25, 110, a

Linux Iptables detailed

ACCEPT
Pay special attention here: the iptables configuration is written to memory, so if you reboot, the iptables policies you wrote will disappear. You need to run service iptables save so that your policies are saved to /etc/sysconfig/iptables.
Section 5 ---------------------------- the use of some of

25 most common iptables strategies

1. Clear the existing policy
When you start to create a new policy, you may want to clear all the default policies and the existing policies. You can do so with:
iptables -F or iptables --flush
2. Set the default policy
The default chain policy is ACCEPT. To change all chain policies to DROP:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
3. Block a specified IP
block_this_ip="x.x.x.x"
iptables -A INPUT -s "

Linux + squid + iptables enterprise-level solution

="eth1"
ROUTER="yes"
# NAT="UPIP/dynamic"
NAT="UPIP"
INTERFACES="lo eth0 eth1"
SERVICES="80 22 25 110"
DENY=""
case "$@" in
start)
echo -n "Starting firewall ..."
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -P INPUT DROP
# accept everything that does not arrive on the uplink interface
iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# default-deny forwarding (a chain policy is set with -P, not -A)
iptables -P FORWARD DROP
# multiport takes a comma-separated port list
iptables -A FORWARD -p tcp -m multiport --dport 25,80,110 -j ACCEPT
iptables -A FORWARD ! -d 202.108.36.1

The configuration file/etc/sysconfig/iptables of iptables does not exist.

On a Linux server, the file cannot be found when running the cat /etc/sysconfig/iptables command.
1. service iptables status
Use this command to check the status. If the configuration file cannot be found, running the command shows that the firewall has stopped.
2. Start the firewall: service iptables restart
3. Generate iptables

iptables command Explanation

matching; can be used to match non-contiguous or contiguous ports; up to 15 ports can be specified.
Dedicated options:
--source-ports, --sports port[,port,port]
--destination-ports, --dports
--ports
Example: iptables -I INPUT -d 172.16.100.7 -p tcp -m multiport --dports 22,80 -j ACCEPT
2. iprange: matches addresses within a specified range; useful for matching a contiguous range of addresses rather than an entire network.
Dedicated

Record: iptables operation

First, check the iptables service status
Check the status of the iptables service first:
# service iptables status
Iptables:firewall is not running.
Note: the iptables service is installed, but the service is not started. If it is not installed, you can install it directly with yum:
# yum install -y iptables
st

Iptables common rules settings

iptables
iptables -A INPUT -s 10.0.0.1/24 -p all -j ACCEPT
Allow Nagios
iptables -A INPUT -s 10.0.0.1/24 -p tcp --dport 5666 -j ACCEPT
Allow MySQL and Oracle IP access
iptables -A INPUT -s 10.0.0.1/24 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 10.0.0.1/24 -p tcp --dport 1521 -j ACCEPT
Allow legitimate IP connections to SSH
iptables -A INPUT -p tcp -s 10.0.0.1/24 --dport 5801 -j ACCEPT
Enable HTTP requests (generally no restrictions)
iptables -A INPUT -p tcp --dport 80 -j A

Iptables for Firewall setting

! indicates negation (for example: ! -s NETWORK); (it can be omitted to indicate multiple hosts)
-d DESTIONIP (target address);
-p {tcp | udp | icmp};
-i INTERFACE indicates the network interface on which the stream comes in (only used for INPUT, FORWARD, POSTROUTING);
-o INTERFACE indicates the network interface on which the stream is sent out (only used for OUTPUT, FORWARD, PREROUTING)
Extended matching: it refers to calling the iptables module to expand t

Use the iptables filter system in Linux for proxy server and firewall configuration details

Proxy/Firewall
1. iptables rule tables
Filter (for filtering systems): INPUT, FORWARD, and OUTPUT
NAT (for address translation systems): PREROUTING, POSTROUTING, INPUT, and OUTPUT
Mangle (for policy routing and special applications): OUTPUT, POSTROUTING
2. Install package iptables-1.2.7a-2
3. Configure the firewall
1) Command language
Proxy/Firewall 1. iptables rule table Fil

Set iptables allow SSH, HTTP, FTP service

Then the packet is returned to the client, and the state of the packets exchanged between the client and the server becomes ESTABLISHED. The INPUT chain therefore allows packets in the NEW and ESTABLISHED states, while the OUTPUT chain allows only ESTABLISHED.
1. Set up the INPUT and OUTPUT chains for ports 21, 22 and 80, and set the default policy of the INPUT, FORWARD and OUTPUT chains to DROP:
iptables -I INPUT -d 10.79.32.22 -p tcp -m multiport

Abundant iptables configuration examples

Environment: redhat9 with the string, time and other modules loaded; for the loading method, see http://bbs.chinaunix.net/forum/viewtopic.php?t=525493
eth0 is connected to the Internet - ppp0
eth1 is connected to the intranet - 192.168.0.0/24
#!/bin/sh
#
modprobe ipt_masquerade
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
########################### Input key ###################################
iptables -P inpu

Iptables status Mechanism

connection. For example, FTP first establishes an ftp-control connection to transmit commands; the data is actually transferred over a connection called ftp-data, and the connection that transmits data is RELATED to the connection that transmits control signals. Therefore, "RELATED" is used for similar special services. Under normal circumstances, the state policy can be configured separately for each protocol (TCP, UDP, and ICMP), but a simple and efficient method is as follows: #

Secure Web host iptables firewall script

The following uses my own Web server as an example. The system's default policy is DROP for the INPUT chain and ACCEPT for the OUTPUT and FORWARD chains; the DROP is set fairly loosely, because we know that the packets are relatively safe. To verify that the script applies generally, I specifically checked the kernel and iptables versions of the server, as shown in the following commands:
uname -a
linux ud50041 2.6.9-34.elsmp #1 SMP Fri Feb

Explicit extension rules for iptables

packets while in a connected state
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow the host to send outbound Web packets while in a connected state
iptables -P INPUT DROP
Reject all other incoming packets
iptables -P OUTPUT DROP
Reject all other outgoing packets
These rules can be used on the Web server, only allow custom

CentOS uses iptables for NAT service

number of SYN packets, followed by -m limit --limit n/s to limit the number of SYN packets per second.
Extension options:
-m multiport --sports: the port numbers are separated by commas (,) and are not necessarily consecutive.
-m multiport --dports
-m multiport --ports
-m state --state: the state can be ESTABLISHED, NEW, RELATED or INVALID.
To allow external access to an internal server such as a Web server:

CentOS Linux Server iptables firewall simple configuration template

Production Linux servers are generally configured with iptables to enhance security.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
# Allow communication from intranet IPs here
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m multiport --sports 443 -j ACCEPT
-A INPUT -p tcp -m multiport --d

20 Linux firewalls [iptables] application tips [go]

1. Show the status of the firewall
Run the following command with root privileges:
# iptables -L -n -v
Parameter description:
-L: Lists the rules.
-v: Displays detailed information. This option displays the interface name, rule options, and the TOS mask, as well as the packet and byte count.
-n: Displays the IP address and port in numeric form, without using DNS resolution.
If you want the output to show the line number

CentOS6.4 use iptables to protect system security

-j ACCEPT
# Prevent various port scans and limit SYN and ACK SYN packets to no more than 200 per second, so as not to exhaust the bandwidth of the server
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit /sec --limit-burst -j ACCEPT
# Open access to a specified host, such as the IP address of the host for Intrusion Detection
#/sbin/iptables -A INPUT -s 122.70.x.x -j ACCEPT
# Loop data must b

Iptables commands Basic Usage (2)

lists all the rules in the table
-Z: clears the rule counters
# iptables [-t table] {-A|-D} chain rule-specification
-A: append, attach a rule
rule-specification: match conditions -j processing mechanism
Match conditions (general matching):
-s: match the source address; can be an IP or a network address; the ! operator negates it, e.g. ! 172.168.0.0/16; equivalent to --src or --source
-d: match the destination address; can be an IP or a network ad
