Aliyun offers its Cloud Shield service, but it is still safer to add a firewall layer of your own. Below is the process I used to configure iptables on my Aliyun VPS. So far only the INPUT chain is configured; OUTPUT and FORWARD keep their default ACCEPT policy.
I. Check the iptables service status
[root@woxplife ~]# service iptables status
iptables: Firewall is not running.
This means the iptables service is installed but not started.
If it is not installed, install it directly with yum:
yum install -y iptables
Start iptables:
[root@woxplife ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
Take a look at the current iptables configuration (-n skips DNS lookups so the listing is fast and shows raw addresses):
[root@woxplife ~]# iptables -L -n
II. Clear the default firewall rules
# Before flushing, set the INPUT policy to ACCEPT so that all requests are accepted.
# Do this first: if the policy were DROP when the rules are flushed, you would lock yourself out of your own SSH session.
iptables -P INPUT ACCEPT
# Flush all rules in the built-in chains (of the filter table, which is the default)
iptables -F
# Delete all user-defined chains
iptables -X
# Reset the packet and byte counters to zero
iptables -Z
III. Configure rules
# Allow packets arriving on the lo interface
# Without this rule you cannot reach local services via 127.0.0.1, e.g. ping 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
# SSH, port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# FTP, port 21
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Web service, port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Tomcat
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
# MySQL
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
# Allow ICMP echo requests through, i.e. allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow the reply packets of all outbound requests
# A request made by this host leaves through OUTPUT; its replies come back through INPUT and must be accepted there
# (RELATED is commonly added alongside ESTABLISHED, e.g. for FTP data connections when the nf_conntrack_ftp module is loaded)
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# To trust an internal IP (accept all of its TCP requests):
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop every request not matched by the rules above
iptables -P INPUT DROP
# To block an IP, use the following command (-I inserts at the top of the chain, so it takes precedence over the ACCEPT rules):
iptables -I INPUT -s ***.***.***.*** -j DROP
# To unblock that IP again, delete the same rule:
iptables -D INPUT -s ***.***.***.*** -j DROP
IV. Save
First run iptables -L -n to check that the configuration is correct.
Even if it looks fine, do not save right away: unsaved rules are active now but do not survive a reboot, so if something goes wrong you can force a reboot of the server from the console to recover the old settings.
Open a new SSH connection and make sure you can still log in.
Only save once that works:
# Save
[root@woxplife ~]# service iptables save
# Enable the service at boot with chkconfig
[root@woxplife ~]# chkconfig iptables on
To change firewall ports later, edit the /etc/sysconfig/iptables file and restart the iptables service.
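The steps in sections II to IV, written as one script that produces the same INPUT policy in the iptables-restore format that /etc/sysconfig/iptables uses, refuses to apply a ruleset with no SSH ACCEPT rule, and schedules the recovery step (reopening INPUT) automatically instead of relying on a console reboot. This is an added example, not code from the original post: the port list and trusted address are caller-supplied, the trusted IP 10.0.0.5 in the usage below is a constructed value, and the state rule accepts RELATED as well as ESTABLISHED, which goes slightly beyond the rule shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: a CentOS 6 style
# host with iptables-restore; the caller supplies the TCP port list and an
# optional trusted source address.

# gen_iptables_rules "PORTS" [TRUSTED_IP]
# Prints an iptables-restore ruleset equivalent to section III:
# INPUT defaults to DROP; loopback, ICMP echo, reply traffic and the listed
# TCP ports are accepted. The output is what /etc/sysconfig/iptables holds.
gen_iptables_rules() {
    gen_ports="$1"
    gen_trusted="${2:-}"
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # same effect as: iptables -P INPUT DROP
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Reply traffic matches most packets, so it goes first for efficiency.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    for gen_p in $gen_ports; do
        echo "-A INPUT -p tcp --dport $gen_p -j ACCEPT"
    done
    if [ -n "$gen_trusted" ]; then
        echo "-A INPUT -p tcp -s $gen_trusted -j ACCEPT"
    fi
    echo 'COMMIT'
}

# check_ssh_allowed "RULESET" SSH_PORT
# Succeeds only if the ruleset contains an explicit ACCEPT for the SSH port,
# the one rule whose absence locks you out under a DROP policy.
check_ssh_allowed() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT -p tcp --dport $2 -j ACCEPT\$"
}

# apply_with_rollback "RULESET" SSH_PORT [SECONDS]
# Validates the ruleset, starts a background job that reopens INPUT after
# SECONDS (default 300), then loads the rules. Kill the printed PID once a
# fresh SSH login works; if you cannot log in, the job undoes the lockout.
# Must run as root.
apply_with_rollback() {
    awr_rules="$1"
    awr_ssh="$2"
    awr_delay="${3:-300}"
    check_ssh_allowed "$awr_rules" "$awr_ssh" || {
        echo "refusing to apply: no ACCEPT rule for ssh port $awr_ssh" >&2
        return 1
    }
    # --test parses and loads nothing; catches typos before they bite
    printf '%s\n' "$awr_rules" | iptables-restore --test || return 1
    ( sleep "$awr_delay" && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    echo "rollback scheduled as pid $!; kill it after a new ssh login succeeds"
    printf '%s\n' "$awr_rules" | iptables-restore
}
```

Usage as root: `rules=$(gen_iptables_rules "22 21 80" 10.0.0.5); apply_with_rollback "$rules" 22 300`, then open a second SSH session, `kill` the printed PID before the delay expires, and only then run `service iptables save` so the ruleset lands in /etc/sysconfig/iptables.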