Basic usage of the Linux firewall iptables

iptables is a common firewall software on Linux and is usually integrated by default in VPS systems.

1. Install iptables

If iptables is not installed, run:

    CentOS:        yum install iptables
    Debian/Ubuntu: apt-get install iptables

2. Clear the existing iptables rules

    iptables -F
    iptables -X
    iptables -Z

3. Open the specified ports

    # Allow the local loopback interface (that is, allow the local machine to access itself)
    iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # Allow traffic that belongs to ESTABLISHED or RELATED connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow all outbound traffic from the local machine
    iptables -A OUTPUT -j ACCEPT
    # Allow access to port 22
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Allow access to port 80
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # Allow ports 21 and 20 of the FTP service
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    # For other ports the rules are similar; modify the statements above slightly.

    # Prohibit everything that the rules above do not allow.
    # (Note: if port 22 has not been added to the allow rules, the SSH connection is disconnected immediately.)
    # 1) Using DROP
    iptables -A INPUT -p tcp -j DROP
    # 2) Using REJECT
    iptables -A INPUT -j REJECT
    iptables -A FORWARD -j REJECT

4. Block IP addresses

If you only want to block IP addresses, you can skip "3. Open the specified ports". Note that -I inserts the rule at the head of the chain, so it is matched before any ACCEPT rules appended with -A.

    # Block a single IP address:
    iptables -I INPUT -s 123.45.6.7 -j DROP
    # Block the range 123.0.0.1 to 123.255.255.254:
    iptables -I INPUT -s 123.0.0.0/8 -j DROP
    # Block a whole /16, for example 124.45.0.1 to 124.45.255.254:
    iptables -I INPUT -s 124.45.0.0/16 -j DROP
    # Block the range 123.45.6.1 to 123.45.6.254:
    iptables -I INPUT -s 123.45.6.0/24 -j DROP
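The block rules above each match a CIDR prefix, and the ranges the section lists are the usable host addresses inside that prefix. The following is an added example, not code from the article: a POSIX shell script that computes the address range a "-s a.b.c.d/N" rule covers and tests whether a given address falls inside it, so the scope of a DROP rule can be confirmed before it is inserted. The function names and the sample addresses are constructed for the example; no iptables is needed to run it.

```shell
#!/bin/sh
# Added example, not from the article: work out which source addresses an
# "iptables -I INPUT -s a.b.c.d/N -j DROP" rule will match, so the scope of
# a block rule can be checked before it is inserted. Plain POSIX sh
# arithmetic; no iptables needed to run it.

ALL_ONES=4294967295   # 0xFFFFFFFF, a full 32-bit mask

# ip_to_int 1.2.3.4  ->  16909060
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 16909060  ->  1.2.3.4
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of N  ->  integer mask for a /N prefix
netmask_of() {
    echo $(( (ALL_ONES << (32 - $1)) & ALL_ONES ))
}

# cidr_range a.b.c.d/N  ->  "first last", the usable host addresses matched
# by the prefix, in the same form as the article's ranges. /31 and /32 have
# no network/broadcast addresses, so every address in them is reported.
cidr_range() {
    ip=${1%/*}
    bits=${1#*/}
    mask=$(netmask_of "$bits")
    net=$(( $(ip_to_int "$ip") & mask ))
    bcast=$(( net | (~mask & ALL_ONES) ))
    if [ "$bits" -ge 31 ]; then
        echo "$(int_to_ip "$net") $(int_to_ip "$bcast")"
    else
        echo "$(int_to_ip $(( net + 1 ))) $(int_to_ip $(( bcast - 1 )))"
    fi
}

# ip_in_cidr a.b.c.d x.y.z.w/N  ->  exit 0 if the address falls inside the
# prefix (i.e. the DROP rule would match it), 1 otherwise
ip_in_cidr() {
    prefix=${2%/*}
    bits=${2#*/}
    mask=$(netmask_of "$bits")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$prefix") & mask )) ]
}

# Usage:
#   cidr_range 123.45.6.0/24             # prints: 123.45.6.1 123.45.6.254
#   ip_in_cidr 123.45.6.7 123.45.6.0/24 && echo "would be dropped"
```

Run ip_in_cidr with your own management address before inserting a broad block such as the /8 above; if it returns 0, the rule would drop your own session as well.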
5. View the added iptables rules

    iptables -L -n -v

    -v: display detailed information, including the number of matching packets and bytes for each rule
    -x: together with -v, disable automatic unit conversion (K, M)
    -n: display only IP addresses and port numbers; do not resolve IP addresses to domain names

6. Delete an added iptables rule

List all rules with serial numbers:

    iptables -L -n --line-numbers

For example, to delete the rule with serial number 8 in INPUT, run:

    iptables -D INPUT 8

7. Saving and loading rules

On CentOS, iptables may not start automatically after it is installed. Enable it with:

    chkconfig --level 345 iptables on

On CentOS you can save the rules with:

    service iptables save

On Debian/Ubuntu, iptables does not save rules by itself, so you have to arrange it: save the iptables rules (for example when the network interface goes down) and load them at startup.

If the current user is not root, you will be told that you do not have permission to save even when using sudo, because the shell performing the > redirection runs as the unprivileged user. Therefore this command must be executed as root: use sudo -i to switch to the root account quickly, and su username to switch back to the normal account when you are done.

So that the rules are loaded automatically when the server restarts, create the following file:

    sudo vim /etc/network/if-pre-up.d/iptables

with this content (the script runs before the interface comes up, so it must restore the rule file written by iptables-save):

    #!/bin/bash
    iptables-restore < /etc/iptables.rules

Then add execute permission:
    chmod +x /etc/network/if-pre-up.d/iptables

Attached: a basic rule set (in iptables-save format)

    *filter
    :INPUT ACCEPT [106:85568]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [188:168166]
    :RH-Firewall-1-INPUT - [0:0]
    # Allow the local loopback interface (that is, allow the local machine to access itself)
    -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # Allow traffic that belongs to ESTABLISHED or RELATED connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow all outbound access from the local machine
    -A OUTPUT -j ACCEPT
    # Allow PPTP dial-out to the Internet
    -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
    # Allow the rsync data synchronisation service only from a specific host
    -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 873 -j ACCEPT
    # Allow access to the WDCP management system only from a specific host
    -A INPUT -s 6.6.6.6/32 -p tcp -m tcp --dport 8080 -j ACCEPT
    # Allow access to SSH
    -A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
    # Allow access to FTP
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    # Allow access to the web site service
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # Disable all connections that are not permitted
    -A INPUT -p tcp -j DROP
    # Note: the SSH connection is disconnected directly
    #-A INPUT -j REJECT
    #-A FORWARD -j REJECT
    COMMIT

The rules above can be loaded directly as follows:

1. Copy and paste the rules above into a file and save it:

    sudo vim /etc/iptables.test.rules

2. Load the rules so that they take effect. Note that iptables does not need to be restarted; the rules are active as soon as they are loaded:

    sudo iptables-restore < /etc/iptables.test.rules

3. Check the latest configuration; all settings should be in effect:

    sudo iptables -L -n

4. Save the effective configuration so that it is loaded automatically when the system restarts (iptables provides a function for saving the currently running rules):

    iptables-save > /etc/iptables.rules
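Both the "prohibit everything else" step in section 3 and the load procedure above hinge on rule order: iptables walks INPUT top to bottom and the first matching rule wins, so the SSH ACCEPT must sit before the catch-all DROP/REJECT or the session is cut. The following is an added example, not the article's code: a POSIX shell script that checks an iptables-save file for that ordering before it is loaded, then loads it with a timed rollback so a mistake on a remote VPS undoes itself. The sample ruleset, the function names and the flag path /run/iptables-confirm are constructed for the example; iptables-save and iptables-restore are the real tools used above. Only check_ruleset runs without root; load_with_rollback needs root and a real iptables.

```shell
#!/bin/sh
# Added example (not from the article): check an iptables-save ruleset for
# the "SSH gets locked out" mistake before loading it, then load it with a
# timed rollback so a bad ruleset on a remote VPS undoes itself.

# Constructed sample ruleset in iptables-save format, modelled on the basic
# rules above; SSH listens on 1622 as in the article's example.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT'

# check_ruleset FILE SSH_PORT
# Walks the INPUT rules in order (first match wins) and fails when the ACCEPT
# for tcp/SSH_PORT is missing or sits after the first catch-all DROP/REJECT
# (a rule with neither --dport nor -s), or when the ESTABLISHED,RELATED
# ACCEPT is missing or sits after that catch-all. This is a text heuristic
# on the rule lines, not a full iptables parser.
check_ruleset() {
    file=$1 port=$2
    n=0 acc=0 est=0 drop=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-A INPUT "*) n=$((n + 1)) ;;
            *) continue ;;
        esac
        case "$line" in
            *"-j ACCEPT"*)
                case "$line" in
                    *"--dport $port "*|*"--dport $port")
                        if [ "$acc" -eq 0 ]; then acc=$n; fi ;;
                esac
                case "$line" in
                    *ESTABLISHED*) if [ "$est" -eq 0 ]; then est=$n; fi ;;
                esac ;;
            *"-j DROP"*|*"-j REJECT"*)
                case "$line" in
                    *--dport*|*"-s "*) ;;   # restricted rule, not a catch-all
                    *) if [ "$drop" -eq 0 ]; then drop=$n; fi ;;
                esac ;;
        esac
    done < "$file"
    if [ "$acc" -eq 0 ]; then
        echo "no ACCEPT for tcp/$port in INPUT: loading this would cut SSH" >&2
        return 1
    fi
    if [ "$drop" -ne 0 ] && [ "$acc" -gt "$drop" ]; then
        echo "ACCEPT for tcp/$port comes after catch-all rule $drop: unreachable" >&2
        return 1
    fi
    if [ "$drop" -ne 0 ] && { [ "$est" -eq 0 ] || [ "$est" -gt "$drop" ]; }; then
        echo "ESTABLISHED,RELATED ACCEPT missing or after catch-all rule $drop" >&2
        return 1
    fi
    return 0
}

# load_with_rollback FILE SSH_PORT [SECONDS]
# Loads FILE with iptables-restore once check_ruleset passes, and schedules a
# restore of the previous ruleset after SECONDS (default 60) unless the
# operator confirms by creating the flag file. Needs root and a real iptables.
load_with_rollback() {
    file=$1 port=$2 secs=${3:-60}
    flag=/run/iptables-confirm    # assumed path for the example; any writable location works
    check_ruleset "$file" "$port" || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$file" || return 1
    rm -f "$flag"
    ( sleep "$secs"
      if [ ! -e "$flag" ]; then iptables-restore < "$backup"; fi
      rm -f "$flag" "$backup" ) &
    echo "rules loaded; run 'touch $flag' within $secs s to keep them, otherwise they roll back"
}

# Usage (as root on the target host):
#   printf '%s\n' "$SAMPLE_RULES" > /etc/iptables.test.rules
#   load_with_rollback /etc/iptables.test.rules 1622 60
```

Confirm from a second SSH session opened after the load; if that new session cannot connect, simply wait and the background job restores the previous rules.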