A concise tutorial on Linux firewall iptables

Source: Internet
Author: User
Tags: manual, centos, iptables, firewall

A few days ago the micro-demon tribe was once again attacked by some individuals with ulterior motives. Taking the opportunity to refresh my own knowledge, I reviewed some common content about the Linux firewall iptables. Unfortunately, many tutorials online are rather cumbersome, so for the sake of concise learning I have cut out a lot of redundant content and extracted the most useful parts for everyone to learn together. This article covers the following content:


1. Install Iptables

2. View existing iptables rules

3. Delete a iptables rule

4. Clear existing iptables rules

5. Create a rule

6. Set Boot up

7. Save Iptables Rules

8. Simple application of iptables in manual anti-CC attack defense

1. Install Iptables

Many Linux distributions have iptables installed by default; if it is missing, install it with the following commands.

On CentOS/RedHat, run:

yum install iptables

On Debian/Ubuntu, run:

apt-get install iptables

2. View existing iptables rules

The --line-numbers option at the end of the command shows each rule's line number (one rule per output line, with its line number displayed), which is convenient for the deletion described below.

iptables -L -n --line-numbers

3. Delete a iptables rule

For example, to delete the rule on line 12 of the INPUT chain (the line number can be viewed with the previous command):

iptables -D INPUT 12

4. Clear existing iptables rules

# flush all rules in all chains

iptables -F

# delete all user-defined chains

iptables -X

# zero the packet and byte counters

iptables -Z

5. Create a rule

a). Open ports

The command iptables -A INPUT -j REJECT will block every port that has not been explicitly allowed, so be sure to open port 22 first to protect your SSH connection.

The code is as follows:

# allow the local machine to access itself

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# allow established or related traffic

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all outbound access from the local machine

iptables -A OUTPUT -j ACCEPT

# allow access to port 22

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# allow access to port 80

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# allow ports 21 and 20 for the FTP service

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 20 -j ACCEPT

# if there are other ports, the rules are similar; just modify the statements above slightly

# reject everything that has not been explicitly allowed

iptables -A INPUT -j REJECT

iptables -A FORWARD -j REJECT

b). Blocking an IP

iptables -I INPUT -s 123.123.123.123 -j DROP

Replacing the IP above with an IP range in CIDR notation blocks the whole range.

If you want to block the entire range 123.0.0.1 to 123.255.255.254, change it to 123.0.0.0/8

If you want to block the range 123.123.0.1 to 123.123.255.254, change it to 123.123.0.0/16

If you want to block the range 123.123.123.1 to 123.123.123.254, change it to 123.123.123.0/24

6. Set Boot up

Generally, after the iptables installation completes, starting at boot is set up automatically, but on some CentOS systems there seem to be problems; you can set it manually with the following command:

chkconfig --level 345 iptables on

7. Save Iptables Rules

service iptables save

8. Simple application of iptables in manual anti-CC attack defense

There are many ways to obtain an attacker's IP, such as examining the web site logs; this article will not go into them.

a). Create the file of IPs/IP ranges to be blocked, named ip.txt

# blocked IP

123.4.5.6

# blocked IP range (written as described above)

123.4.5.6/24

b). Create the block_ip.sh script file

The code is as follows:

#!/bin/sh
# Filename: block_ip.sh
# Purpose: block all IP addresses/networks found in a text file
# The text file must have one IP address or network per line
#################################################################
# change the following path/filename to match yours
IP_LIST_FILE=/path/to/ip.txt
#################################################################
# Don't change anything below unless you are a smarty pants!
#################################################################
IPTABLES_BIN=/sbin/iptables
# get the IP addresses/networks from the file and ignore any line starting with # (comments)
BAD_IP_ADDR_LIST=$(grep -Ev "^#" "$IP_LIST_FILE")
# now loop through the IP address/network list and ban them using iptables
for i in $BAD_IP_ADDR_LIST
do
    echo -n "Blocking $i ..."
    $IPTABLES_BIN -A INPUT -s "$i" -j DROP
    $IPTABLES_BIN -A OUTPUT -d "$i" -j DROP
    echo "Done."
done
##################################################################
# End of script - nothing to see here - that's all folks!
##################################################################

c). Run the script

sh /path/to/block_ip.sh

d). Check whether the iptables rules are in effect and correct. The command for this step was given earlier (section 2); use your head, and if you have really forgotten it, look back there.
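One point the script above glosses over: it appends its DROP rules with -A, so when the section 5 rules are already loaded, the ACCEPT rules for ports 22/80/21/20 match first and a listed attacker still reaches those ports; it also hands every non-comment token of ip.txt straight to iptables. The hardened variant below is an added example, not the post's or any project's script: it validates each entry as IPv4 or IPv4/CIDR, inserts with -I so the blocks sit ahead of the section 5 ACCEPT rules, and uses iptables -C to skip rules that already exist. The IP_LIST_FILE and IPTABLES_BIN names and the --apply flag are this example's own assumptions.

```shell
#!/bin/sh
# Hardened block_ip.sh (added example): validate each entry, insert with -I so
# blocks land ahead of the section-5 ACCEPT rules, and skip rules that exist.
# IP_LIST_FILE and the IPTABLES_BIN override are this example's own names.
IP_LIST_FILE=${IP_LIST_FILE:-/path/to/ip.txt}
IPTABLES_BIN=${IPTABLES_BIN:-/sbin/iptables}

# valid_ip_entry ENTRY: 0 for a.b.c.d or a.b.c.d/n (octets 0-255, prefix 0-32),
# 1 for anything else, so a stray token never reaches the iptables command line.
valid_ip_entry() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_block_list FILE: print valid entries one per line; blank lines, "#"
# comments and trailing inline comments are skipped, bad entries go to stderr.
load_block_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r entry _; do
        if valid_ip_entry "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'block_ip: skipping invalid entry "%s"\n' "$entry" >&2
        fi
    done
}

# block_all: insert INPUT/OUTPUT DROP rules for entries not already present (-C).
block_all() {
    load_block_list "$IP_LIST_FILE" | while read -r ip; do
        for spec in "INPUT -s" "OUTPUT -d"; do
            set -- $spec
            $IPTABLES_BIN -C "$1" "$2" "$ip" -j DROP 2>/dev/null ||
                $IPTABLES_BIN -I "$1" "$2" "$ip" -j DROP
        done
    done
}

if [ "${1:-}" = "--apply" ]; then block_all; fi
```

Run it as root with --apply to change the firewall; without the flag it only defines the functions, so you can source it and call load_block_list on your ip.txt to preview which entries would be blocked.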
