Our company's products have been running on cloud servers for a while: we have been lucky enough to use AWS EC2 and GrandCloud, and recently we started preparing to use Aliyun ECS (Elastic Compute Service). The first two are better on the security-policy side, offering a simple and clear configuration interface plus a sensible default security policy. On an Aliyun server you must configure the security policy yourself, and the CentOS images do not even come with iptables pre-installed (at least not on the instances we applied for). It can be installed with yum; the installation command is as follows:
Once iptables is installed, the rules can be configured. Because the machine is used as a web server, port 80 must be open to the outside, and since the server is administered over SSH, port 22 must be open as well. Of course, it is best to move the SSH service off its default port: on the public Internet plenty of people will try to brute-force the password. If you do change the port, remember to open the new port to the outside, otherwise you will lock yourself out. The configuration rules are described in detail below:
Step one: empty all rules. If the INPUT chain's policy is DROP when you run /sbin/iptables -F, you will be disconnected from the server, so before emptying the rules the INPUT policy must be set to ACCEPT to prevent a tragedy. Be careful, and careful again.
Set the INPUT policy to ACCEPT:
/sbin/iptables -P INPUT ACCEPT
Empty all the rules:
/sbin/iptables -F
/sbin/iptables -X
Set the counters to 0:
/sbin/iptables -Z
Step two: set the rules. Allow packets from the lo interface; without this rule you cannot reach local services via 127.0.0.1, for example ping 127.0.0.1:
/sbin/iptables -A INPUT -i lo -j ACCEPT
Open TCP port 22 so that you can SSH in; if you connect from a fixed IP, you can use -s to restrict the client IP:
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Open TCP port 80 for the web service:
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
10.241.121.15 is the intranet IP of another server; because the two servers communicate with each other, accept all TCP requests from 10.241.121.15:
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT
Accept ping:
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
For this rule see http://www.netingcn.com/iptables-localhost-not-access-internet.html:
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Drop all requests not accepted by the rules above; without this the firewall does no filtering at all:
/sbin/iptables -P INPUT DROP
You can use iptables -L -n to check whether the rules have taken effect.
At this point the firewall is configured, but only temporarily: when iptables is restarted or the machine is rebooted, the configuration above is emptied. To make it permanent, run the following:
/etc/init.d/iptables save
or
service iptables save
After running the command above, you can see the configuration in the file /etc/sysconfig/iptables.
The following is a clean configuration script:
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
Before finally running service iptables save, first make sure the SSH connection still works. This guards against a rule error making the server unreachable: as long as nothing has been saved, a reboot discards the rules, otherwise the only fix is a trip to the machine room to change the rules. You can also refer to: writing an Ubuntu iptables configuration script.
Finally, once more: before emptying the rules, be careful to make sure the INPUT chain is at "Chain INPUT (policy ACCEPT)".
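The post's two recurring worries are the ordering trap (flushing with a DROP policy in place) and the lockout trap (setting policy DROP without an ACCEPT for the SSH port, especially after moving SSH off port 22). The following is an added example, not code from the original post: it builds the same INPUT ruleset in iptables-restore syntax, refuses any ruleset that would lock the admin out, and applies it atomically with a timed rollback instead of flushing and re-adding rule by rule. SSH_PORT, WEB_PORTS and TRUSTED_HOST are assumed placeholders (defaults taken from the post); the apply step needs root and iptables and is not exercised by the test.

```shell
#!/bin/sh
# Added example (not from the original post). Builds, checks and applies an
# INPUT ruleset equivalent to the post's, without the flush-then-append window.
# Assumed placeholders: SSH_PORT, WEB_PORTS (space-separated), TRUSTED_HOST.

SSH_PORT=${SSH_PORT:-22}
WEB_PORTS=${WEB_PORTS:-80}
TRUSTED_HOST=${TRUSTED_HOST:-10.241.121.15}   # intranet peer from the post

# build_rules SSH_PORT "WEB_PORTS" TRUSTED_HOST
# Prints a complete *filter table in iptables-restore format (the same format
# `service iptables save` writes to /etc/sysconfig/iptables). The DROP is the
# chain policy, as in the post; ESTABLISHED,RELATED is placed first so replies
# to the server's own outbound connections match before the per-port rules.
build_rules() {
    ssh_port=$1; web_ports=$2; trusted=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in $web_ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    if [ -n "$trusted" ]; then
        echo "-A INPUT -p tcp -s $trusted -j ACCEPT"
    fi
    echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    echo 'COMMIT'
}

# check_rules SSH_PORT < ruleset
# Lockout guard: if the INPUT policy is DROP, there must be an ACCEPT for the
# SSH port, otherwise the ruleset is rejected (exit status 1).
check_rules() {
    ssh_port=$1
    rules=$(cat)
    if echo "$rules" | grep -q '^:INPUT DROP'; then
        if ! echo "$rules" | grep -q -- "--dport $ssh_port -j ACCEPT"; then
            echo "refusing: INPUT policy is DROP but port $ssh_port is not opened" >&2
            return 1
        fi
    fi
    return 0
}

# apply_rules SSH_PORT RULES_FILE
# Saves the current ruleset, loads the new one atomically, and schedules a
# rollback; once the SSH session is confirmed to still work, kill the
# printed PID to keep the new rules, then persist with `service iptables save`.
apply_rules() {
    ssh_port=$1; rules_file=$2
    check_rules "$ssh_port" < "$rules_file" || return 1
    iptables-save > /tmp/iptables.rollback
    iptables-restore < "$rules_file"
    ( sleep 120; iptables-restore < /tmp/iptables.rollback ) &
    echo "rules applied; rolling back in 120s unless you run: kill $!"
}

# Usage: SSH_PORT=2222 sh thisscript.sh apply
if [ "$1" = "apply" ]; then
    build_rules "$SSH_PORT" "$WEB_PORTS" "$TRUSTED_HOST" > /tmp/iptables.new
    apply_rules "$SSH_PORT" /tmp/iptables.new
fi
```

The rollback timer is the cheap substitute for the "trip to the machine room" the post warns about: if the new rules cut the SSH session, the old ruleset returns by itself two minutes later. Running check_rules with the new SSH port also catches the exact mistake the post describes, moving SSH off 22 but forgetting to open the new port.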
Yunqi Community (Alibaba Cloud) supplement: Aliyun linux_drop_port.sh
#!/bin/bash
#########################################
#Function:    linux drop port
#Usage:       bash linux_drop_port.sh
#Author:      Customer service department
#Company:     Alibaba Cloud Computing
#Version:     2.0
#########################################

# Detect the distribution and print a short tag (redhat5, centos6, ubuntu1204, ...);
# prints an empty string when the OS is not recognised.
check_os_release()
{
  while true
  do
    os_release=$(grep "Red Hat Enterprise Linux Server release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Red Hat Enterprise Linux Server release" /etc/redhat-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=redhat5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=redhat6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=aliyun5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=aliyun6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "CentOS release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "CentOS release" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "release 5" >/dev/null 2>&1
      then
        os_release=centos5
        echo "$os_release"
      elif echo "$os_release" | grep "release 6" >/dev/null 2>&1
      then
        os_release=centos6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep -i "ubuntu" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "ubuntu" /etc/lsb-release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "Ubuntu 10" >/dev/null 2>&1
      then
        os_release=ubuntu10
        echo "$os_release"
      elif echo "$os_release" | grep "Ubuntu 12.04" >/dev/null 2>&1
      then
        os_release=ubuntu1204
        echo "$os_release"
      elif echo "$os_release" | grep "Ubuntu 12.10" >/dev/null 2>&1
      then
        os_release=ubuntu1210
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep -i "debian" /etc/issue 2>/dev/null)
    os_release_2=$(grep -i "debian" /proc/version 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "Linux 6" >/dev/null 2>&1
      then
        os_release=debian6
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    os_release=$(grep "openSUSE" /etc/issue 2>/dev/null)
    os_release_2=$(grep "openSUSE" /etc/*release 2>/dev/null)
    if [ "$os_release" ] && [ "$os_release_2" ]
    then
      if echo "$os_release" | grep "13.1" >/dev/null 2>&1
      then
        os_release=opensuse131
        echo "$os_release"
      else
        os_release=""
        echo "$os_release"
      fi
      break
    fi
    break
  done
}

# Print an error, remove the lock file and exit with failure.
exit_script()
{
  echo -e "\033[1;40;31mInstall $1 error, will exit.\n\033[0m"
  rm -f $LOCKfile
  exit 1
}

# Block outbound traffic to the listed TCP ports and all outbound UDP (iptables hosts).
config_iptables()
{
  iptables -I OUTPUT 1 -p tcp -m multiport --dport 21,22,23,25,53,80,135,139,443,445 -j DROP
  iptables -I OUTPUT 2 -p tcp -m multiport --dport 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186 -j DROP
  iptables -I OUTPUT 3 -p udp -j DROP
  iptables -nvL
}

# The same outbound blocks expressed for ufw (Ubuntu hosts).
ubuntu_config_ufw()
{
  ufw deny out proto tcp to any port 21,22,23,25,53,80,135,139,443,445
  ufw deny out proto tcp to any port 1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  ufw deny out proto udp to any
  ufw status
}

###################
#Start
###################
#check lock file: only let the script run one time
LOCKfile=/tmp/.$(basename $0)
if [ -f "$LOCKfile" ]
then
  echo -e "\033[1;40;31mThe lock file already exists, please run this script next time.\n\033[0m"
  exit
else
  echo -e "\033[40;32mStep 1. No lock file, begin to create lock file and continue.\n\033[40;37m"
  touch $LOCKfile
fi

#check user
if [ $(id -u) != "0" ]
then
  echo -e "\033[1;40;31mError: you must be root to run this script, please use root to execute this script.\n\033[0m"
  rm -f $LOCKfile
  exit 1
fi

echo -e "\033[40;32mStep 2. Begin to check the OS issue.\n\033[40;37m"
os_release=$(check_os_release)
if [ "X$os_release" = "X" ]
then
  echo -e "\033[1;40;31mThe OS is not identified, so this script is not executed.\n\033[0m"
  rm -f $LOCKfile
  exit 0
else
  echo -e "\033[40;32mThis OS is $os_release.\n\033[40;37m"
fi

echo -e "\033[40;32mStep 3. Begin to config firewall.\n\033[40;37m"
case "$os_release" in
  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
    service iptables start
    config_iptables
    ;;
  debian6)
    config_iptables
    ;;
  ubuntu10|ubuntu1204|ubuntu1210)
    ufw enable <<EOF
y
EOF
    ubuntu_config_ufw
    ;;
  opensuse131)
    config_iptables
    ;;
esac
echo -e "\033[40;32mConfig firewall success, this script now exits!\n\033[40;37m"
rm -f $LOCKfile
Download the file above to the machine and execute it directly. Note that it blocks outbound traffic only: TCP to the listed ports and all outbound UDP, so once it has run the server can no longer resolve DNS (UDP, and TCP port 53 is in the list) or reach other hosts on port 22, 80 or 443; use it only when that is the intended effect.