Basic Application Tutorial of Iptables firewall on Linux
1. Install iptables firewall
If iptables is not installed yet, install it first. On CentOS run:
yum install iptables
On Debian/Ubuntu run:
apt-get install iptables
2. Clear existing iptables rules
iptables -F
iptables -X
iptables -Z
# -F flushes all rules, -X deletes user-defined chains, -Z resets the packet and byte counters.
3. Open the specified ports
The -A and -I options append a rule to the end of a chain and insert it at the front of a chain, respectively. Rules are matched from top to bottom, so the order matters.
# Allow the local loopback interface (that is, this machine accessing itself)
iptables -A INPUT -i lo -j ACCEPT
# Allow packets belonging to established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound access from this machine
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow access to port 443
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow the ports of the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# For other ports the rules are the same; just change the port number in the statements above.
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Reject everything that is not explicitly allowed above
iptables -A INPUT -j REJECT
# (Note: if the SSH port was not added to the allow rules above, the SSH session will be disconnected immediately.)
iptables -A FORWARD -j REJECT
4. Block IPs
# If you only want to block IPs, "3. Open the specified ports" can be skipped entirely.
# -I inserts these rules at the top of the INPUT chain, so they are matched before any ACCEPT rule.
# The command to block a single IP is:
iptables -I INPUT -s 123.45.6.7 -j DROP
# The command to block the whole range from 123.0.0.1 to 123.255.255.254 is:
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# The command to block the range from 123.45.0.1 to 123.45.255.254 is:
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# The command to block the range from 123.45.6.1 to 123.45.6.254 is:
iptables -I INPUT -s 123.45.6.0/24 -j DROP
5. View the iptables rules that have been added
iptables -L -n
-v: show details, including the number of packets and bytes matched by each rule
-x: on top of -v, disable the automatic unit conversion (K, M) of the counters
-n: show only IP addresses and port numbers; do not resolve IPs to host names
6. Delete iptables rules that have been added
To display all iptables rules with their sequence numbers, run:
iptables -L -n --line-numbers
For example, to delete rule number 8 in the INPUT chain, run:
iptables -D INPUT 8
7. Starting iptables at boot and saving the rules
On CentOS, iptables may not start at boot after it has been installed; run:
chkconfig --level 345 iptables on
to add it to the boot sequence.
On CentOS, the rules can be saved with:
service iptables save
It is also important to note that on Debian/Ubuntu the iptables rules are not saved automatically.
Follow the steps below so that the rules are saved when the network interface goes down and loaded again when it comes up at startup:
Create the file /etc/network/if-post-down.d/iptables with the following content:
#!/bin/bash
iptables-save > /etc/iptables.rules
Run chmod +x /etc/network/if-post-down.d/iptables to make it executable.
Create the file /etc/network/if-pre-up.d/iptables with the following content:
#!/bin/bash
iptables-restore < /etc/iptables.rules
Run chmod +x /etc/network/if-pre-up.d/iptables to make it executable.
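As an added example that is not part of the original post, the script below turns the rules of sections 3 and 4 into an iptables-restore file that the section 7 hooks can load in one step, and refuses to emit a rule set that omits port 22 (the lock-out caveat above). The argument layout, the file name and the ssh_port_allowed/gen_ruleset function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original post: build the rule set of sections 3
# and 4 as an iptables-restore file so it can be loaded in one step (section 7)
# instead of typed rule by rule. The page's layout is kept: ACCEPT policies,
# a terminal REJECT, and DROP rules for blocked sources placed first.
# Arguments are assumptions: "$1" = allowed TCP ports, "$2" = blocked sources.

# Return 0 if the SSH port is in the allow list (the page's lock-out caveat:
# without it, the terminal REJECT cuts the session that loads the rules).
ssh_port_allowed() {
  local p
  for p in $1; do
    [ "$p" = "22" ] && return 0
  done
  return 1
}

# Print an iptables-restore ruleset for the filter table; fail if SSH is missing.
gen_ruleset() {
  local ports="$1" blocked="$2" p src
  ssh_port_allowed "$ports" || { echo "refusing: port 22 is not allowed" >&2; return 1; }
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  # Blocked sources go first, as the page's -I does, so they win over the ACCEPTs
  for src in $blocked; do
    printf '%s\n' "-A INPUT -s $src -j DROP"
  done
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for p in $ports; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
  printf '%s\n' '-A INPUT -j REJECT' '-A FORWARD -j REJECT' 'COMMIT'
}

# Usage: ./gen-rules.sh "22 80 443" "123.45.6.7 123.45.6.0/24" > /etc/iptables.rules
# Then load it with: iptables-restore < /etc/iptables.rules
if [ "$#" -eq 2 ]; then
  gen_ruleset "$1" "$2"
fi
```

Because iptables-restore replaces the whole table at once, the generated file is what the if-pre-up.d hook above would load at boot.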
This article is from the "one small step per day" blog, so be sure to keep this source http://fenyuer.blog.51cto.com/11265169/1889348