Basic settings of iptables firewall

Source: Internet
Author: User
1. Install the iptables firewall
If iptables is not installed, install it first.
On CentOS run:
yum install iptables
On Debian/Ubuntu run:
apt-get install iptables
2. Clear the existing iptables rules
Flush all rules, delete the user-defined chains and zero the counters. Check first that the default policies are still ACCEPT: flushing the rules while a chain has a DROP policy cuts off the SSH session you are working from.
iptables -F
iptables -X
iptables -Z
3. Open the specified ports
# Allow the loopback interface (the machine talking to itself)
iptables -A INPUT -i lo -j ACCEPT
# Allow established or related connections (-m conntrack --ctstate is the modern equivalent of -m state)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow this host to reach anything outside
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
# (this covers active-mode FTP only; passive mode needs the nf_conntrack_ftp helper so that the data connection matches RELATED)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Other ports follow the same pattern; just change the port number in the line above.
# Deny everything that has not been explicitly allowed. These rules are appended with -A, so they must come after the allow rules above. Note: if your SSH port is not in the allow list, the SSH session is cut off immediately.
1). Using DROP
iptables -A INPUT -p tcp -j DROP
# Note: this only drops TCP; UDP and ICMP that no earlier rule matched still fall through to the chain's default policy, which is ACCEPT unless you change it.
2). Using REJECT
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
4. Blocking IP addresses
# If all you want is to block addresses, "3. Open the specified ports" can be skipped.
# -I inserts the rule at the top of the chain, so the block takes precedence over any allow rule that follows it.
# Block a single IP address:
iptables -I INPUT -s <address> -j DROP
# Block a whole network, given in CIDR notation (for example a /8, /16 or /24):
iptables -I INPUT -s <network>/<prefix> -j DROP
# A range that does not fall on a CIDR boundary can be matched with the iprange module instead:
iptables -I INPUT -m iprange --src-range <first-address>-<last-address> -j DROP
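Sections 3 and 4 type the rules in one at a time with -A and -I, which makes the final order of the allow rules, the blocklist and the catch-all depend on the order you typed them in. The following added example (written for this edit, not code from the original article) builds the same ruleset as a single file in iptables-save format, which iptables-restore then applies in one atomic step. It also fixes two weaknesses of the rules above: the catch-all is a DROP policy on the chain rather than a "-p tcp -j DROP" rule, so UDP and ICMP are not left open, and blocked sources are emitted before the allow rules so they take precedence. The port numbers, addresses and the file path /etc/iptables.rules in the usage comment are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# build_rules "PORTS" "BLOCKED"
#   PORTS   space-separated TCP ports to allow, e.g. "22 80 443"
#   BLOCKED space-separated source addresses or CIDR networks to drop
# Writes a complete ruleset in iptables-save format to stdout.
build_rules() {
    ports=$1
    blocked=$2
    printf '%s\n' '*filter'
    # DROP policy on INPUT and FORWARD: anything not matched below is
    # dropped whatever the protocol (a trailing "-p tcp -j DROP" rule
    # would leave UDP and ICMP open).
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Blocked sources come first (the same effect as "iptables -I"),
    # so they match before any allow rule.
    for src in $blocked; do
        printf '%s\n' "-A INPUT -s $src -j DROP"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # conntrack is the current form of "-m state --state".
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Keep ping working so the host stays reachable for diagnostics.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Only the first packet of a new connection needs a port rule; the
    # rest of the flow is accepted by the ESTABLISHED rule above.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit final REJECT: the sender gets an error instead of a timeout.
    printf '%s\n' '-A INPUT -j REJECT'
    printf '%s\n' 'COMMIT'
}

# Usage (as root; paths and values are example assumptions):
#   build_rules "22 80 443" "203.0.113.0/24" > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
```

iptables-restore parses the whole file before committing any of it, so a typo in one line leaves the running table untouched instead of half-replaced. Make sure the SSH port is in the PORTS list before loading the output on a remote host.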
5. View the rules that have been added
iptables -L -n -v -x
-v: show details, including the packet and byte counters of each rule.
-x: on top of -v, show exact counters instead of values rounded to K or M.
-n: print addresses and ports numerically and do not resolve addresses to host names (this avoids slow or misleading DNS lookups).
6. Delete an added iptables rule
Show all rules with their line numbers:
iptables -L -n --line-numbers
For example, to delete the rule with number 8 in INPUT:
iptables -D INPUT 8
Check the numbers again after each deletion, because the rules below the deleted one move up by one.
7. Start iptables and save the rules
After iptables is installed on CentOS it does not start at boot by default; run
chkconfig --level 345 iptables on
to add it to the startup services. On CentOS the running rules are saved with:
service iptables save
On Debian/Ubuntu iptables does not save its rules on its own, so the rules must be saved to a file and loaded again at boot, as follows.
Save the current rules:
iptables-save > /etc/iptables.rules
If the current user is not root this fails with a permission error even when sudo is used, because the redirection to /etc/iptables.rules is performed by your unprivileged shell, not by the command sudo runs. Run it as root: sudo -i switches to a root shell quickly, and su <username> switches back to the normal account when you are done.
To have the rules loaded automatically after a reboot, create the following file:
sudo vim /etc/network/if-pre-up.d/iptables
#!/bin/bash
iptables-restore < /etc/iptables.rules
Make it executable:
chmod +x /etc/network/if-pre-up.d/iptables
Attached: a basic ruleset in iptables-save format
*filter
:INPUT ACCEPT [106:85568]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:168166]
:RH-Firewall-1-INPUT - [0:0]
# Allow the loopback interface (the machine talking to itself)
-A INPUT -i lo -j ACCEPT
# Allow established or related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow this host to reach anything outside
-A OUTPUT -j ACCEPT
# Allow PPTP VPN dial-in (PPTP also needs GRE, IP protocol 47, which gets through here only because the catch-all below drops TCP alone)
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
# Allow the rsync data synchronisation service only from a specific host
-A INPUT -s <host> -p tcp -m tcp --dport 873 -j ACCEPT
# Allow the WDCP management panel only from a specific host
-A INPUT -s <host> -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow SSH (listening on 1622 here rather than 22)
-A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
# Allow FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# Allow the web service
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Drop every TCP connection not allowed above
-A INPUT -p tcp -j DROP
# Note: if the port SSH listens on has no permit rule above this line, the SSH session is cut off immediately.
#-A INPUT -j REJECT
#-A FORWARD -j REJECT
COMMIT
The file can be loaded directly as follows:
1. Copy the rules above into a file and save it:
sudo vim /etc/iptables.test.rules
2. Load the rules so they take effect. iptables does not need to be restarted; the rules apply as soon as they are loaded:
sudo iptables-restore < /etc/iptables.test.rules
3. Check the live configuration; every rule should now be in place:
sudo iptables -L -n
4. Save the working configuration so that it is loaded automatically when the system restarts (iptables-save dumps the rules that are currently running); as root:
iptables-save > /etc/iptables.rules
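The load step above is where the lockout the article keeps warning about actually happens: iptables-restore applies a file that rejects all INPUT traffic before allowing the SSH port without complaint, and the session dies at step 2. The following added example (written for this edit, not code from the original article) is a pre-flight check for a file in iptables-save format: check_lockout reads the ruleset from stdin and fails if the INPUT chain would cut SSH off, and safe_restore only loads a file that passes this check and that iptables-restore can parse in --test mode. The catch-all detection is a heuristic on the rule text (a DROP or REJECT rule with no --dport, -s, -m or -i match), not a full parser. The SSH port, the file names and the save path /etc/iptables.rules are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# check_lockout SSHPORT < rules.file
# Exits 0 when an ACCEPT for --dport SSHPORT appears in the INPUT chain
# before any catch-all DROP/REJECT, or when there is neither a catch-all
# nor a DROP policy on INPUT. Exits 1 when SSH would be locked out.
check_lockout() {
    awk -v port="$1" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            # Allow rule for the SSH port that is still reachable.
            if (!catchall && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) {
                allowed = 1
            # Catch-all: a DROP/REJECT rule with no source, port or
            # interface match (the article uses "-A INPUT -p tcp -j DROP").
            } else if (!allowed && $0 ~ /-j (DROP|REJECT)/ &&
                       $0 !~ /(--dport|-s |-m |-i )/) {
                catchall = 1
            }
        }
        END {
            if (allowed) exit 0
            if (catchall || policy == "DROP") exit 1
            exit 0
        }'
}

# safe_restore FILE SSHPORT: refuse a ruleset that would lock SSH out,
# let iptables-restore parse it without committing (--test), then load
# it and save it as the boot-time ruleset (assumed path, see the text).
safe_restore() {
    file=$1
    sshport=$2
    check_lockout "$sshport" < "$file" || {
        echo "refusing to load $file: no SSH allow rule before the catch-all" >&2
        return 1
    }
    iptables-restore --test < "$file" || {
        echo "refusing to load $file: iptables-restore rejected it" >&2
        return 1
    }
    iptables-restore < "$file" && iptables-save > /etc/iptables.rules
}

# Usage (as root): safe_restore /etc/iptables.test.rules 1622
```

The check is deliberately pessimistic: a catch-all that precedes the SSH allow rule fails even when a later rule would allow the port, because iptables stops at the first matching rule.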