1. Flush the existing rules
When you start building a new rule set, you may want to clear all the existing rules from the default chains first. You can do this with:
The code is as follows:
iptables -F    # or, equivalently: iptables --flush
2. Set the default policy
The default policy of each chain is ACCEPT; this changes the policy of all chains to DROP:
The code is as follows:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
3. Block a specified IP
The code is as follows:
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
# the same, restricted to one interface, and then to TCP only
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
4. Allow SSH
Allow all incoming SSH connections on the eth0 interface:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
5. Allow a network segment to connect via SSH
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
6. Allow HTTP and HTTPS
Allow all incoming web traffic on port 80 (HTTP):
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow all incoming web traffic on port 443 (HTTPS):
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. Combine multiple rules into one
Allow SSH, HTTP and HTTPS with a single rule using the multiport match:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
8. Allow outgoing SSH to other hosts
The code is as follows:
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow outgoing SSH to a specified network segment
The code is as follows:
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow outgoing HTTPS
The code is as follows:
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
11. Load balance incoming web requests (every third new connection goes to a different specified server; requires the nth match, which is an iptables extension and not part of the stock build)
The code is as follows:
# PREROUTING lives in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
12. Allow incoming ping
The code is as follows:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Allow ping to remote hosts
The code is as follows:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
14. Allow the loopback interface
The code is as follows:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
15. Allow the internal network to reach the external network
In this example eth1 is connected to the external network and eth0 to the internal network.
The code is as follows:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
16. Allow outgoing DNS
The code is as follows:
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
17. Allow NIS connections
The NIS ports are dynamic: they are allocated when ypbind starts.
First run rpcinfo -p to display the port numbers; this example uses ports 850 and 853.
The code is as follows:
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT
The rules above stop working when ypbind is restarted and gets new ports. There are two solutions:
(1) assign the NIS services fixed (static) ports; (2) use a more sophisticated script that reads the current ports from rpcinfo.
18. Allow the specified network segment to connect to rsync
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
19. Allow MySQL connections from the specified network segment
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
20. Allow Sendmail or Postfix (SMTP)
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
21. Allow IMAP and IMAPS
The code is as follows:
# IMAP
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
# IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
22. Allow POP3 and POP3S
The code is as follows:
# POP3
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# POP3S
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
23. Limit DoS attacks
The code is as follows:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-m limit: load the limit match extension
--limit 25/minute: accept at most 25 matching connection requests per minute once the burst is used up
--limit-burst 100: the trigger threshold, i.e. how many packets may arrive in one burst before the per-minute limit takes effect
24. Port forwarding
Forward port 422 to port 22:
The code is as follows:
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
You must also explicitly allow port 422:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
25. Log dropped packets
You may want to log all the packets that are dropped.
The code is as follows:
# First create a new chain called LOGGING
iptables -N LOGGING
# Make sure every packet still left in INPUT is passed to LOGGING
iptables -A INPUT -j LOGGING
# Log these packets with a custom prefix, at a bounded rate
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
# Finally drop them
iptables -A LOGGING -j DROP