Adding and deleting ports in the CentOS iptables firewall


I. Linux firewall startup and shutdown

1.1 Stop and start commands

[root@singledb ~]# service iptables stop

Flushing firewall rules: [OK]

Setting chains to policy ACCEPT: filter nat [OK]

Unloading iptables modules: [OK]

[root@singledb ~]# service iptables start

Applying iptables firewall rules: [OK]

Loading additional iptables modules: ip_conntrack_netbios_n [OK]

Note what stop actually does: it flushes every rule and sets the policy of every chain to ACCEPT, so the host is completely open until start reloads the saved rules from /etc/sysconfig/iptables.

1.2 Enable or disable start at boot

[root@singledb ~]# chkconfig iptables off

[root@singledb ~]# chkconfig --list iptables

iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[root@singledb ~]# chkconfig iptables on

[root@singledb ~]# chkconfig --list iptables

iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[root@singledb ~]#

chkconfig --list shows whether the service starts in each of run levels 0 to 6. Linux defines seven run levels; level 3 is multi-user text (command-line) mode, the normal state of a server, and level 5 is multi-user mode with a graphical login. The second listing above shows that after chkconfig iptables on the firewall is started in levels 2 to 5.

For more information about these modes, see my blog post:

Linux boot and shutdown process

http://blog.csdn.net/tianlesoftware/archive/2010/10/24/5962460.aspx

Excerpt from section 5.1 of that post, init and run levels:

The traditional init defines seven run levels, each of which represents a specific set of services that the system should be running:

(1) Level 0: the system is completely shut down

(2) Level 1 or S: single-user mode

(3) Levels 2 to 5: multi-user modes

(4) Level 6: reboot

II. iptables parameters

iptables is used to set up, maintain and inspect the IP packet filtering rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets; each rule specifies what to do with a packet that matches. This is called a 'target', and it may also be a jump to a user-defined chain in the same table.

[root@singledb ~]# iptables --help

iptables v1.3.5

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)

Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --goto        -g chain
                                jump to chain with no return
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

[root@singledb ~]#

2.1 TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is decided by the value of the target. The target can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means to let the packet through. DROP means to discard the packet silently, with no reply to the sender. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is decided by the chain policy.

2.2 TABLES

There are currently three tables (which tables are present depends on the kernel configuration options and on which modules are loaded; newer kernels also have a raw table, used to exempt packets from connection tracking).

-t table: specifies the table the command operates on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for the table if it is not already present. The tables are:

(1) filter: the default table. It contains the built-in chains INPUT (packets destined for local sockets), FORWARD (packets being routed through the box) and OUTPUT (locally generated packets).

(2) nat: consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (altering packets as soon as they come in), OUTPUT (altering locally generated packets before routing) and POSTROUTING (altering packets as they are about to go out). Only the first packet of a connection traverses this table; the translation chosen is then applied to the rest of the connection by connection tracking, which is why filtering rules do not belong here.

(3) mangle: used for specialised packet alteration. In older kernels it had two built-in chains, PREROUTING (altering incoming packets before routing) and OUTPUT (altering locally generated packets before routing); since kernel 2.4.18 it has all five chains (PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING).

2.3 OPTIONS

The options recognised by iptables fall into several groups, described below.

2.4 COMMANDS

These options specify the action to perform. Only one of them can be given on the command line unless otherwise specified below. For all the long-format command and option names, you need only use enough letters to ensure that iptables can distinguish them from all other options.

(1) -A, --append

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

(2) -D, --delete

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule specification to match.

(3) -R, --replace

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command fails. Rules are numbered starting at 1.

(4) -I, --insert

Insert one or more rules in the selected chain at the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

(5) -L, --list

List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify -Z (zero) together with -L, in which case the chains are listed and their counters zeroed atomically. The exact output is affected by the other arguments given (-n, -v, -x, --line-numbers).

(6) -F, --flush

Flush the selected chain (all chains in the table if none is given). This is equivalent to deleting all the rules one by one.

(7) -Z, --zero

Zero the packet and byte counters in all chains. It may be used with -L to see the counters immediately before they are cleared; see the previous item.

(8) -N, --new-chain

Create a new user-defined chain with the given name. There must be no target of that name already.

(9) -X, --delete-chain

Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it attempts to delete every non-built-in chain in the table.

(10) -P, --policy

Set the policy for the chain to the given target, i.e. what happens to packets that reach the end of the chain without matching any rule. Only built-in chains have a policy, and the policy target must be one of the built-in targets (in practice ACCEPT or DROP); neither a built-in nor a user-defined chain can be a policy target.

(11) -E, --rename-chain

Rename the user-specified chain to the user-supplied name. This is cosmetic and has no effect on the structure of the table.

(12) -h, --help

Give a (currently very brief) description of the command syntax.

2.5 PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

(1) -p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp or all, or it can be a numeric value representing one of these or a different protocol. A protocol name from /etc/protocols is also allowed. A "!" before the protocol inverts the test. The number 0 is equivalent to all. Protocol all matches every protocol and is the default when this option is omitted.

(2) -s, --source [!] address[/mask]

Source specification. The address can be a host name, a network name or a plain IP address. The mask can be either a network mask or a plain number giving the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" before the address specification inverts the sense of the address. The flag --src is an alias for this option.

(3) -d, --destination [!] address[/mask]

Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.

(4) -j, --jump target

Specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets that decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, matching the rule has no effect on the packet's fate, but the counters on the rule are incremented; this is handy for counting traffic without acting on it.

(5) -i, --in-interface [!] [name]

Name of the interface via which the packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). A "!" before the interface name inverts the sense. If the interface name ends in "+", any interface whose name begins with that string matches. If this option is omitted, the string "+" is assumed, which matches any interface.

(6) -o, --out-interface [!] [name]

Name of the interface via which the packet is going to be sent (only for packets entering the FORWARD, OUTPUT and POSTROUTING chains). A "!" before the interface name inverts the sense. If the interface name ends in "+", any interface whose name begins with that string matches. If this option is omitted, the string "+" is assumed, which matches any interface.

(7) [!] -f, --fragment

The rule refers only to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or its ICMP type), such a packet will not match any rule that specifies them. When the "!" argument precedes the -f flag, the rule matches only head fragments and unfragmented packets.

2.6 OTHER OPTIONS

The following additional options can be specified:

(1) -v, --verbose

Verbose output. This option makes the list command show the interface names, the rule options (if any) and the TOS masks. The packet and byte counters are also listed, with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, it causes detailed information on the rule or rules to be printed.

(2) -n, --numeric

Numeric output. IP addresses and port numbers are printed in numeric format. By default, the program tries to display them as host names, network names or service names, which can make listing slow because of reverse DNS lookups.

(3) -x, --exact

Expand numbers. Display the exact value of the packet and byte counters instead of rounded values in K, M or G. This option is only relevant for the -L command.

(4) --line-numbers

When listing rules, add a line number at the beginning of each rule, corresponding to that rule's position in the chain. These are the numbers that -D chain rulenum, -I and -R refer to.

2.7 MATCH EXTENSIONS

iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.

2.7.1 tcp

These extensions are loaded if --protocol tcp is specified and no other match is given. They provide the following options:

(1) --source-port [!] [port[:port]]

Source port or port range specification. This can be either a service name or a port number. An inclusive range can be specified with the format port:port. If the first port is omitted, 0 is assumed; if the last is omitted, 65535 is assumed. If the second port is greater than the first, they are swapped. The flag --sport is an alias for this option.

(2) --destination-port [!] [port[:port]]

Destination port or port range specification. The flag --dport is an alias for this option.

(3) --tcp-flags [!] mask comp

Match when the TCP flags are as specified. The first argument is the flags to examine, written as a comma-separated list; the second argument is a comma-separated list of the flags that must be set. Valid flags are SYN, ACK, FIN, RST, URG, PSH, ALL and NONE. Hence the command

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

only matches packets with the SYN flag set and the ACK, FIN and RST flags unset.

(4) [!] --syn

Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface prevents incoming TCP connections while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes --syn, the sense of the option is inverted.

(5) --tcp-option [!] number

Match if the TCP option with the given number is set.

2.7.2 udp

These extensions are loaded if --protocol udp is specified and no other match is given. They provide the following options:

(1) --source-port [!] [port[:port]]

Source port or port range specification. See the description of the --source-port option of the TCP extension for details.

(2) --destination-port [!] [port[:port]]

Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

2.7.3 icmp

This extension is loaded if --protocol icmp is specified and no other match is given. It provides the following option:

(1) --icmp-type [!] typename

This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

2.7.4 mac

--mac-source [!] address

Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

2.7.5 limit

This module matches at a limited rate using a token bucket filter. A rule using this extension matches until the limit is reached (unless the "!" flag is used). It is typically combined with the LOG target to give limited logging.

(1) --limit rate

Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour' or '/day' suffix. The default is 3/hour.

(2) --limit-burst number

Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number. The default is 5.

2.7.6 multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

(1) --source-port [port[,port]]
Match if the source port is one of the given ports.
(2) --destination-port [port[,port]]
Match if the destination port is one of the given ports.
(3) --port [port[,port]]
Match if both the source and destination ports are equal to each other and to one of the given ports.

2.7.7 mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

2.7.8 owner

This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses) may have no owner and hence never match.

(1) --uid-owner userid
Matches if the packet was created by a process with the given effective user id.
(2) --gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
(3) --sid-owner sessionid
Matches if the packet was created by a process in the given session group.

2.7.9 state

This module, when combined with connection tracking, allows access to the connection tracking state for the packet.

--state state
Where state is a comma-separated list of the connection states to match. Possible states are: INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet is associated with a connection that has seen packets in both directions; NEW, meaning the packet has started a new connection, or is otherwise associated with a connection that has not seen packets in both directions; and RELATED, meaning the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

2.7.10 unclean

This module takes no options, but attempts to match packets that look malformed or unusual. It is regarded as experimental.

2.7.11 tos

This module matches the 8 bits of the Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos
The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.

2.8 LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (such as most IP header fields) via printk().

(1) --log-level level
Level of logging (numeric or see syslog.conf(5)).
(2) --log-prefix prefix
Prefix log messages with the specified prefix, up to 29 characters long, useful for distinguishing messages in the logs.
(3) --log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
(4) --log-tcp-options
Log options from the TCP packet header.
(5) --log-ip-options
Log options from the IP packet header.

LOG is a non-terminating target: rule traversal continues with the next rule, so a LOG rule is normally followed by the DROP or REJECT rule for the same traffic, and is usually combined with the limit match so that a flood cannot fill the log.

2.9 MARK

Set the netfilter mark value associated with the packet. Only valid in the mangle table.

--set-mark mark

2.10 REJECT

Send back an error packet in response to the matched packet; otherwise it is equivalent to DROP. The difference matters in practice: with REJECT a legitimate client fails immediately instead of waiting for a timeout, but a scanner also learns at once that a filter is present. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains called only from those chains. The following option controls the nature of the error packet returned:

--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used in rules that match ICMP ping packets, and generates a ping reply. Finally, the option tcp-reset can be used in the INPUT chain, or in rules called from the INPUT chain, that match only the TCP protocol: this causes a TCP RST packet to be sent back.

2.11 MIRROR

This is an experimental demonstration target that inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains called only from those chains.

2.12 SNAT and DNAT

SNAT is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and that rules should cease being examined. It takes one option:

(1) --to-source ipaddr[-ipaddr][:port-port]
This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 are mapped to other ports below 512, those between 512 and 1023 inclusive are mapped to ports below 1024, and other ports are mapped to 1024 or above. Where possible, no port alteration occurs.

The counterpart target DNAT is only valid in the PREROUTING and OUTPUT chains of the nat table and rewrites the destination address of the packet (and of the rest of the connection). Its option is:

(2) --to-destination ipaddr[-ipaddr][:port-port]
This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.

2.13 MASQUERADE

Only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but it also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports port[-port]

This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.

2.14 REDIRECT

Only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains called only from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally generated packets are mapped to 127.0.0.1). It takes one option:

--to-ports port[-port]

This specifies a destination port or range of ports to use; without it, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

2.15 DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors that appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

2.16 COMPATIBILITY WITH IPCHAINS

iptables is very similar to Rusty Russell's ipchains. The main difference is that the INPUT chain is only used for packets destined for the local host, and the OUTPUT chain is only used for packets generated by the local host. Hence every packet passes through only one of the three chains; previously a forwarded packet passed through all three. The other main difference is that -i refers to the input interface and -o to the output interface, and both are available for packets entering the FORWARD chain. When the default filter table is used together with the optional extension modules, iptables is a pure packet filter. This removes much of the earlier confusion between IP masquerading and packet filtering, so the following ipchains options are no longer available:

-j MASQ

-M -S

-M -L

III. iptables examples

1. View the iptables rules on the local machine:

[root@singledb ~]# iptables -L -n

Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED

ACCEPT all -- 192.168.122.0/24 0.0.0.0/0

Addresses are shown with their prefix length: 192.168.122.0/24 is the network 192.168.122.0 with a 24-bit netmask (255.255.255.0), and 0.0.0.0/0 means any address. For details on IP addressing see my blog post:

IP (Internet Protocol) address description

http://blog.csdn.net/tianlesoftware/archive/2011/02/25/6207289.aspx

2. Save the iptables rules

Rules added with the iptables command exist only in the running kernel and are lost at the next reboot or service iptables restart, just like addresses added with ifconfig. To keep them, save them in one of the following two ways:

# service iptables save

or:

# iptables-save > /etc/sysconfig/iptables

/etc/sysconfig/iptables is the default storage location; service iptables start reads it back. There is another iptables configuration file in the /etc/sysconfig directory, /etc/sysconfig/iptables-config, which controls the behaviour of the init script (for example whether the running rules are saved automatically on stop or restart, and which extra modules are loaded).

Note: it is generally not recommended to edit /etc/sysconfig/iptables by hand. The file only holds the rules that are applied automatically when iptables starts.

After saving, restart the firewall to confirm that the saved file loads cleanly:

# service iptables restart

3. Clear the existing rules (with caution):

# iptables -F --> delete all rules in all chains of the default (filter) table

# iptables -X --> delete all user-defined chains in the default (filter) table

Neither command changes the chain policies. If the INPUT policy has been set to DROP, flushing the rules locks everyone out, including your own SSH session, so reset the policy first (iptables -P INPUT ACCEPT) or do this from the console.

4. Set the default policies

View the current state of the rules:

[root@localhost ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Change the policies:

[root@tp ~]# iptables -P INPUT DROP

[root@tp ~]# iptables -P OUTPUT ACCEPT

[root@tp ~]# iptables -P FORWARD DROP

If you are connected over SSH, the first command cuts the connection, because no rule allowing port 22 exists yet. Add the ACCEPT rules for SSH and for ESTABLISHED,RELATED traffic (see 6.1 below) before switching the INPUT policy to DROP, or run these commands from the console.

The above means that in the filter table any packet that reaches the end of the INPUT or FORWARD chain without matching a rule is dropped. This is the safe configuration: inbound traffic is what needs to be controlled. The OUTPUT chain, i.e. packets leaving the host, generally needs fewer restrictions, so its policy stays ACCEPT.

With these policies INPUT and FORWARD are whitelists (only explicitly permitted traffic passes) while OUTPUT is a blacklist (everything passes except what is explicitly blocked). This split is reasonable. You can of course set all three chains to DROP, but that means writing many more rules (outbound DNS, updates and so on). If the host needs only a small, fixed set of rules, such as a dedicated web server, setting all three chains to DROP is recommended.

5. Add rules

First the INPUT chain. For example, to open port 22:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Note: if you set the OUTPUT policy to DROP, you also need the rule below for the replies, otherwise the SSH session never gets its responses back. Many people forget this rule and then wonder why SSH does not work.

# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

A single state rule in OUTPUT, iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT, covers the replies of every permitted inbound service at once and is preferable to one --sport rule per service.

6. Port operation examples

6.1 Add ports

(1) Allow hosts in the source network x.x.x.x/x to reach port 22 (ssh):

iptables -A INPUT -p tcp -s x.x.x.x/x --dport 22 -j ACCEPT

(2) Allow incoming packets to port 80 (http):

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

(3) Allow incoming packets to port 110 (pop3). Without this rule, mail can only be read through the web interface (OE or Foxmail cannot be used):

iptables -A INPUT -p tcp --dport 110 -j ACCEPT

(4) Allow incoming packets to port 25 (smtp). Without this rule, mail can only be sent through the web interface (OE or Foxmail cannot be used):

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

(5) Allow incoming packets to port 21 (ftp control connection):

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

(6) Allow incoming packets to port 20 (ftp data connection in active mode, needed for commands such as dir):

iptables -A INPUT -p tcp --dport 20 -j ACCEPT

(7) Allow incoming packets to port 53 (dns) over tcp:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

(8) Allow incoming packets to port 53 (dns) over udp:
iptables -A INPUT -p udp --dport 53 -j ACCEPT

(9) Allow ICMP packets, i.e. allow ping:

iptables -A INPUT -p icmp -j ACCEPT

(10) Accept packets that belong to connections iptables is already tracking (replies and related traffic such as FTP data):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

(11) Finally, set the default policy of the INPUT chain to DROP:

iptables -P INPUT DROP

The policy in step (11) is what makes the list effective, which is why it comes last. Because every rule above is an ACCEPT, their order does not change the result, but rule (10) is usually placed first since it matches the bulk of the traffic. x.x.x.x/x in (1) is a placeholder for your own management network.
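Steps (1) to (11) above, together with the ordering warning in section 5, as one added example that is not part of the original post: a script that writes the whole INPUT ruleset in the format iptables-save produces and iptables-restore reads (the same format as /etc/sysconfig/iptables) and loads it in one step, so the DROP policy and the rules that keep SSH alive take effect in the same instant. The admin network 192.168.6.0/24 and the public ports 80 and 443 are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Added example: default-deny INPUT ruleset in iptables-restore format.
# Assumed values (not from the page): SSH allowed only from 192.168.6.0/24,
# tcp/80 and tcp/443 open to everyone, ping allowed.
ADMIN_NET="${ADMIN_NET:-192.168.6.0/24}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"

# Print the ruleset. ":CHAIN POLICY [pkts:bytes]" lines set the policies and
# "-A ..." lines are ordinary iptables arguments. iptables-restore replaces the
# whole table in one transaction, so unlike typing the commands one by one
# there is never a moment where INPUT is DROP without the ESTABLISHED rule.
gen_filter_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT"
    for port in $PUBLIC_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        'COMMIT'
}

# Count the ACCEPT rules for a tcp destination port in a ruleset read on
# stdin. Works on the generated text and on live `iptables-save` output, so it
# doubles as the post-apply check ("is there exactly one rule for port 22?").
count_tcp_accepts() {
    grep -c -- "-p tcp .*--dport $1 .*-j ACCEPT" || true
}

# Run with --apply as root to install the rules; without it, only print them.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    gen_filter_rules | iptables-restore      # all-or-nothing load
    service iptables save                    # persist to /etc/sysconfig/iptables
    iptables-save | count_tcp_accepts 22     # expect 1
else
    gen_filter_rules
fi
```

Review the printed ruleset first (sh firewall.sh), then apply it from the console or from a session inside ADMIN_NET. Because the load is atomic, a typo makes iptables-restore reject the whole file and leaves the previous rules untouched, which is the other reason to prefer it over a sequence of iptables commands.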

6.2 View port information

[root@singledb ~]# iptables -L -n

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222

After adding ports you can check them this way; the port 22 rule added earlier is in the INPUT chain, together with a rule for port 2222. Add --line-numbers to see each rule's position, which is what -D chain rulenum refers to.

6.3 Delete port information

[root@singledb ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

[root@singledb ~]# iptables -D INPUT -p tcp --dport 2222 -j ACCEPT

[root@singledb ~]# iptables -L -n

After deleting, list the INPUT chain again to confirm the rules are gone. Deleting by specification requires the arguments to describe the rule exactly as it was added (same protocol, source, port and target); if iptables answers "Bad rule (does a matching rule exist in that chain?)", list with --line-numbers and delete by number instead, e.g. iptables -D INPUT 3.
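Deleting by specification, as 6.3 does, breaks down as soon as a rule was added with extra matches (a source address as in 7.1, for instance): the shorter specification no longer matches. The added example below, which is not part of the original post, derives the delete commands from iptables-save output instead, where every rule is stored as the exact "-A ..." arguments it was created with, and then counts what is left for the port. The saved ruleset in SAMPLE_SAVE is constructed for the example, not captured from the page's host.

```shell
#!/bin/sh
# Added example: remove every INPUT rule for a tcp port using iptables-save
# output as the source of truth, then verify that nothing is left.

# Constructed sample of `iptables-save` output (not from the page's host).
SAMPLE_SAVE='# Generated by iptables-save v1.3.5
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.6.100 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Read iptables-save text on stdin; print one "iptables -D ..." command per
# rule in CHAIN that matches tcp destination PORT. A saved "-A" line is the
# complete rule specification, so swapping -A for -D always matches, however
# many extra matches (-s, -m tcp, ...) the rule carries. The trailing space in
# the pattern keeps "--dport 22" from also matching "--dport 2222".
delete_cmds_for_port() {
    chain=$1; port=$2
    grep -- "^-A $chain .*-p tcp .*--dport $port " | sed "s/^-A /iptables -D /"
}

# Read iptables-save text on stdin; print how many rules in CHAIN still
# reference destination PORT (0 means no explicit rule is left and the chain
# policy alone decides).
count_port_rules() {
    grep -c -- "^-A $1 .*--dport $2 " || true
}

# Stand-alone demo on the sample. On a live host the sequence is:
#   iptables-save | delete_cmds_for_port INPUT 22 | sh && service iptables save
#   iptables-save | count_port_rules INPUT 22      # expect 0
printf '%s\n' "$SAMPLE_SAVE" | delete_cmds_for_port INPUT 22
```

Run without piping into sh first and read the generated commands; they are plain iptables invocations, so nothing changes until you execute them. Remember that with the INPUT policy still ACCEPT, removing the last rule for a port does not close it; only a DROP policy or an explicit DROP rule does.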

7. Restricting which IP addresses may reach a port

7.1 Allow SSH only from one host (192.168.6.100):

[root@singledb ~]# iptables -A INPUT -s 192.168.6.100 -p tcp --dport 22 -j ACCEPT

[root@singledb ~]# iptables -L -n

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 192.168.6.100 0.0.0.0/0 tcp dpt:22

7.2 Allow SSH from a whole subnet

[root@singledb ~]# iptables -D INPUT -s 192.168.6.100 -p tcp --dport 22 -j ACCEPT

[root@singledb ~]# iptables -A INPUT -s 192.168.6.0/24 -p tcp --dport 22 -j ACCEPT

[root@singledb ~]# iptables -L -n

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 192.168.6.0/24 0.0.0.0/0 tcp dpt:22

Because a rule for port 22 was added in 7.1, the single-host rule is deleted first and the subnet rule added. 192.168.6.0/24 means every address from 192.168.6.1 to 192.168.6.254 may connect; the 24 is the prefix length, i.e. the number of network bits. For details see:

IP (Internet Protocol) address description

http://blog.csdn.net/tianlesoftware/archive/2011/02/25/6207289.aspx

Note that in both 7.1 and 7.2 the INPUT policy is still ACCEPT, so these rules do not yet restrict anything: a host outside the allowed source matches no rule, falls through to the policy and is accepted. The restriction only takes effect once the policy is DROP (iptables -P INPUT DROP) or a rule such as iptables -A INPUT -p tcp --dport 22 -j DROP is appended after the ACCEPT rules.

7.3 Block SSH from one IP address

[root@singledb ~]# iptables -A INPUT -p tcp -s ! 192.168.6.100 --dport 22 -j ACCEPT --> note the space after !

[root@singledb ~]# iptables -L -n

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT tcp -- 192.168.6.0/24 0.0.0.0/0 tcp dpt:22

The ! inverts the source match, so this rule accepts SSH from every address except 192.168.6.100. By itself it blocks nothing: with the policy ACCEPT, 192.168.6.100 simply matches no rule and is accepted anyway. To really block that host, either set the INPUT policy to DROP or insert an explicit drop ahead of the accepts, iptables -I INPUT -s 192.168.6.100 -p tcp --dport 22 -j DROP. (Newer iptables versions write the negation before the option, as ! -s 192.168.6.100.)

8. Configuring the nat table

8.1 View the local NAT settings

[root@singledb ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

The same information can be read from the saved configuration file /etc/sysconfig/iptables, which holds the nat rules in a *nat section.

8.2 Clear the nat table:

[root@singledb ~]# iptables -F -t nat

[root@singledb ~]# iptables -X -t nat

[root@singledb ~]# iptables -Z -t nat

8.3 Add rules

(1) Drop packets arriving from the Internet with private (RFC 1918) source addresses, which can only be spoofed:

[root@singledb ~]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP

[root@singledb ~]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP

[root@singledb ~]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

This assumes eth0 is the Internet-facing interface. Filtering in the nat table is discouraged: it is consulted only for the first packet of a connection and skipped for traffic connection tracking already knows, and it is meant for address translation. Put such drops in the filter table instead, in INPUT for traffic to the host itself and in FORWARD for routed traffic; the three rules work unchanged as iptables -A INPUT -i eth0 -s ... -j DROP and iptables -A FORWARD -i eth0 -s ... -j DROP.

(2) Block all connections to 211.101.46.253:

[root@singledb ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP

(3) Block the FTP control port (21):

[root@singledb ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

That is too broad, so narrow it down:

[root@singledb ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP

Now only FTP connections to 211.101.46.253 are blocked; other traffic to that address, such as web (port 80), still passes.

(4) Drop packets that belong to no known connection:

[root@singledb ~]# iptables -A INPUT -m state --state INVALID -j DROP

[root@singledb ~]# iptables -A OUTPUT -m state --state INVALID -j DROP

[root@singledb ~]# iptables -A FORWARD -m state --state INVALID -j DROP

(5) Allow all established and related connections:

[root@singledb ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@singledb ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
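Sections 2.12 to 2.14 and 8.3, as one added example that is not part of the original post: a complete gateway ruleset for a CentOS box that masquerades a LAN, publishes one internal web server with DNAT, and keeps the anti-spoofing drops of 8.3 (1) in the filter table where they belong. The interface names eth0 (Internet side) and eth1 (LAN side), the LAN 192.168.122.0/24 taken from the listing in 8.1, and the web server 192.168.122.10 are assumptions for the example.

```shell
#!/bin/sh
# Added example: NAT gateway ruleset (nat + filter tables) in iptables-restore
# format. Assumed values (not from the page): eth0 faces the Internet, eth1 the
# LAN 192.168.122.0/24, and 192.168.122.10 is a web server published on tcp/80.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.122.0/24}"
WEB_HOST="${WEB_HOST:-192.168.122.10}"

# nat table: only the first packet of a connection is seen here; the
# translation chosen is then applied to the whole connection.
gen_gateway_nat() {
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80" \
        "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        'COMMIT'
}

# filter table: a DNAT'ed packet still has to pass FORWARD (which sees the
# rewritten destination), and the spoofing drops of 8.3 go here, in INPUT for
# the gateway itself and in FORWARD for routed traffic, not in the nat table.
gen_gateway_filter() {
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s\n' \
            "-A INPUT -i $WAN_IF -s $net -j DROP" \
            "-A FORWARD -i $WAN_IF -s $net -j DROP"
    done
    printf '%s\n' \
        '-A FORWARD -m state --state INVALID -j DROP' \
        '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT" \
        'COMMIT'
}

# Both tables in one file: iptables-restore accepts several *table sections.
gen_gateway_ruleset() {
    gen_gateway_nat
    gen_gateway_filter
}

# Run with --apply as root to install; without it, only print the ruleset.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # routing is off by default
    gen_gateway_ruleset | iptables-restore
    service iptables save
else
    gen_gateway_ruleset
fi
```

Two things to adapt before applying: if the Internet side of the gateway itself has a private address (a box behind another NAT), remove the matching range from the anti-spoofing loop, and if the gateway's own INPUT chain should be locked down as in 6.1, merge those rules into the *filter section rather than loading two files, because iptables-restore replaces the whole table each time.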

9. Save

[root@singledb ~]# service iptables save

Saving firewall rules to /etc/sysconfig/iptables: [OK]

[root@singledb ~]# service iptables restart

Flushing firewall rules: [OK]

Setting chains to policy ACCEPT: filter nat [OK]

Unloading iptables modules: [OK]

Applying iptables firewall rules: [OK]

Loading additional iptables modules: ip_conntrack_netbios_n [OK]

[root@singledb ~]#

As the output shows, restart first flushes all rules and sets every policy to ACCEPT before the saved file is reapplied, so there is a brief window with no filtering at all. On a production host prefer loading the saved file with iptables-restore < /etc/sysconfig/iptables, which replaces the rules in one step.
