anonymous user access
anon_upload_enable=yes -- anonymous users can upload files
anon_mkdir_write_enable=yes -- anonymous users can create directories
anon_other_write_enable=yes -- anonymous users can rename and delete files
pasv_enable=yes -- turn on passive mode
pasv_min_port=30000 -- passive mode minimum port
pasv_max_port=31000 -- passive mode maximum port
3. Loading the FTP module
vim /etc/modprobe.d/vsftpd.conf
alias ip_conntrack ip_conntrack_ftp ip_nat_ftp -- load the FTP module
vim /etc/rc.local
/sbin/modprobe ip_conntrack --B
As required, the following ports can be accessed from the Internet: 80, 14490, 14500, 14460, 14470, and 24461.
External ports the server may access: 80 and 25.
Considering the remote management interface, add port 22 and allow port 53 for Internet access. Allow the loopback interface and ICMP ping.
The specific configuration is as follows:
[root@localhost sysconfig]# iptables -V
iptables v1.4.7
[root@localhost sysconfig]#
What is a firewall? Something that works at the edge of a host or network, checks incoming and outgoing packets against pre-defined rules, and processes the packets matched by those rules.
Firewall components on CentOS 6.6:
netfilter: the filtering framework working in the kernel on the TCP/IP protocol stack
iptables: the authoring tool for filtering rules; the defined rules are sent directly to the kernel through the kernel interface and take effect immediately, but are not per
consume too many resources. connlimit can limit the number of such connections:
[!] --connlimit-above n
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iprange matches a source or destination IP address range
iptables -A FORWARD -m iprange --src-range 172.16.100.1-172.16.100.100 --dst-range 172.16.0.1-172.16.0.2 -p tcp --dport 80
The limit match checks packets against a specified rate using a token bucket mechanism. It is not used to limit bandwidth, but only the rate
-P INPUT DROP
# To block an IP, use this command:
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock an IP, use this command:
iptables -D INPUT -s ***.***.***.*** -j DROP
IV. Saving
First run iptables -L -n to check whether the configuration is correct.
If there is no problem, do not hurry to save: unsaved rules are only valid for the current session and will not survive a restart, so if anything goes wrong you can force a restart of the server to recover the settings.
Also open another SSH connection to make sure yo
(including and)
--sport :3000  match packets whose source port is less than 3000 (including 3000)
--sport 1000:  match packets whose source port is greater than 1000 (including 1000)
-m
    state --state NEW,RELATED,ESTABLISHED,INVALID
    mac --mac-source xxxxxxx
    limit --limit 50/s
    -m multiport --dports 110
-j
    ACCEPT
    DROP
    SNAT
    DNAT
    MASQUERADE
Typical applications:
iptables -t nat -A PREROUTING -i ppp0 -
chains, FORWARD, INPUT and OUTPUT.
Common iptables options:
-p specifies the protocol.
-s specifies the source address
-d specifies the destination address
-i specifies the inbound interface
-o specifies the outbound interface
-p specifies the protocol; with it you can use --sport
--dport specifies the port number. --syn matches SYN packets and can be followed by -m limit --limit n/s to limit the number of SYN packets per second.
Extension options:
-m
SNAT;
On node1:
# curl -I http://10.72.37.177      # test the web service on node3
# tail /var/log/nginx/access.log   # view the access log on node3; the client source address is 10.72.37.91 after translation.
As required, node1 can only send ping, ssh, and web access requests to node3. Therefore, add the following rules to the FORWARD chain of the filter table on node2:
# iptables -t filter -P FORWARD DROP #
introduced by the netfilter extension module, used to expand the matching conditions. Additional dedicated options are usually needed for the definition)
-m state: the connection state detection module.
--state NEW (new connection), ESTABLISHED (established connection), RELATED (related connection), INVALID (invalid connection)
-m multiport: multiple ports
--source-ports: source port group
--destination-ports: destination port group
--ports
For example, merge the
iptables is a firewall in Linux that can filter packets. The following is a brief introduction to the application of iptables.
① iptables has five hooks (hook functions) in Linux:
PREROUTING: the packet has entered the host but has not yet been routed.
INPUT: the packet goes into the host.
FORWARD: the packet will be forwarded by the host.
Postrou
outbound chain; FORWARD: forwarding chain
-p: specify the protocol: TCP (three-way handshake), UDP (fast, unreliable), ICMP (ping, to see whether a host is alive)
watch -n1 iptables -nvL --line-numbers
vsftp service building
SMB: file system sharing on the LAN; FTP: file sharing within the Internet
yum install vsftpd
/etc/init.d/vsftpd start
/var/ftp is the default shared directory
Graphical folder browser: ftp://192.168.1.223
cmd FTP tool connected to the server: ftp://192.168.1.223
User name: ftp
Password
original content and save with the following content:
# Generated by iptables-save v1.3.5 on Sun Dec 12 23:55:59 2010
*filter
:INPUT DROP [385263:27864079]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4367656:3514692346]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name Web --rsource
-A INPUT -p tcp -m tcp --dport 80 -m state
--dport 80 --syn -m recent --name webpool --set -j ACCEPT   # passing is allowed within the specified range.
The above is relatively simple. Next I will analyze more specific configuration methods.
CentOS/Redhat/Fedora
Run on the server
The code is as follows:
vi /etc/sysconfig/iptables
Delete the original content, enter the following content and save:
# Generated by iptables-save v1.3.5 on Sun Dec 12 23:55:59 2010
*filter
:
Linux iptables configuration in detail
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 24000 -j ACCEPT
-A RH-Firewall-1-INPUT -s 121.10.120.24 -p tcp -m tcp --dport 18612 -j ACCEPT
If you do not yet know the basics of iptables, it is recommended to read about them first.
Start configuration
Let's configure a firewall for the filter table.
(1) Check the settings on this machine in
Before following this tutorial, make sure you can operate the Linux machine locally. If you are using SSH remotely and cannot operate the machine directly, we recommend being cautious, cautious, and cautious again!
With iptables we can configure a dynamic (stateful) firewall for our Linux servers that can track and remember the state of the connections established for sending or receiving packets; it is a set of commands to set up, maintain, and inspect the IP packet filtering rules of
Linux commands: compile and install iptables
First, prepare before compiling and installing iptables. Three files should be backed up before uninstalling iptables: the iptables startup script, the iptables-config configuration file, and the existing iptables rules file.
[email protec
iptables configuration
If you do not yet know the basics of iptables, it is recommended to read about them first.
Start configuration
Let's configure a firewall for the filter table.
(1) Check the settings on this machine in iptables
[email protected] ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               dest