Basic use of iptables firewall in CentOS Linux

Source: Internet
Author: User

/etc/init.d/iptables restart

# Restart the firewall so that the change takes effect. Of course, you can also reboot the whole system (command: reboot) if that is no trouble.

/etc/rc.d/init.d/iptables save

# Save the changes

In practice, adding a rule with -I is convenient while -A often is not, because the two place the rule at different positions: -I inserts it at the top of the chain (or at the given position), whereas -A appends it to the end of the chain. Since iptables evaluates a chain from top to bottom and stops at the first matching rule, the position decides whether the new rule takes effect before or after the existing ones.

1. Install the iptables firewall
If iptables is not installed, install it first. On CentOS, run:

yum install iptables

On Debian/Ubuntu, run:

apt-get install iptables

2. Clear the existing iptables rules
iptables -F   # flush all rules in every chain
iptables -X   # delete all user-defined chains
iptables -Z   # reset the packet and byte counters

3. Open the specified ports
# Allow the local loopback interface (that is, the local machine accessing itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow this host to access any external host (all outbound traffic)
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 of the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Passive-mode FTP negotiates extra data ports; with the nf_conntrack_ftp module (ip_conntrack_ftp on older kernels) loaded, the ESTABLISHED,RELATED rule above accepts them.
# For other ports the rule is similar; just change the port number in the statement above.
# Reject everything that no rule above has permitted. Because rules are appended with -A, these two must come last: any ACCEPT appended after them is never reached.
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

4. Block IP addresses
# If you only want to block IP addresses, you can skip "3. Open the specified ports".
# The command to block a single IP address is
iptables -I INPUT -s 123.45.6.7 -j DROP
# The command to block the whole segment from 123.0.0.1 to 123.255.255.254 (the /8 block) is
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# The command to block the segment from 123.45.0.1 to 123.45.255.254 (the /16 block) is
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# The command to block the segment from 123.45.6.1 to 123.45.6.254 (the /24 block) is
iptables -I INPUT -s 123.45.6.0/24 -j DROP
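Sections 2 to 4 above, combined into one script as an added example (not part of the original article). It validates every blocklist entry before it reaches iptables and keeps the -A/-I ordering the article relies on; DRY_RUN, APPLY, ipt, valid_cidr and apply_rules are names chosen for this example.

```shell
#!/bin/bash
# Added example, not from the original article: sections 2-4 as one script.
# DRY_RUN=1 prints the iptables commands instead of running them; without it
# the script assumes it runs as root on a host with iptables installed.
set -eu

ipt() {
    # Run an iptables command, or only print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'iptables %s\n' "$*"
    else iptables "$@"; fi
}

valid_cidr() {
    # Accept only a dotted-quad IPv4 address, optionally with /0-32, so a
    # malformed blocklist entry is rejected instead of being passed to iptables.
    case "$1" in
        ''|*[!0-9./]*|*/*/*|/*|*/|.*|*.|*..*|*./*|*/.*) return 1 ;;
    esac
    local ip=${1%%/*} mask=${1#*/} n=0 o
    if [ "$mask" = "$1" ]; then mask=32; fi   # no prefix given: single host
    [ "$mask" -le 32 ] 2>/dev/null || return 1
    local IFS=.
    for o in $ip; do
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

apply_rules() {
    # $1: space-separated TCP ports to open; $2: space-separated CIDRs to drop.
    local p c
    ipt -F; ipt -X; ipt -Z                       # section 2: start from empty
    ipt -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -j ACCEPT
    for p in $1; do ipt -A INPUT -p tcp --dport "$p" -j ACCEPT; done
    ipt -A INPUT -j REJECT                       # -A: these stay last in the chain
    ipt -A FORWARD -j REJECT
    # Section 4: -I puts each DROP at the top, above every ACCEPT, so it wins.
    for c in $2; do
        valid_cidr "$c" || { echo "bad address or CIDR: $c" >&2; return 1; }
        ipt -I INPUT -s "$c" -j DROP
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "22 80 21 20" "123.45.6.7 123.45.6.0/24"
fi
```

Run with DRY_RUN=1 APPLY=1 first to review the generated commands, then with APPLY=1 as root to apply them.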

5. View the added iptables rules
iptables -L -n

-v: show details, including the number of packets and bytes matched by each rule.
-x: do not abbreviate the counters into K/M units; used together with -v.
-n: show IP addresses and port numbers as numbers only, without resolving addresses to host names.

6. Delete an added iptables rule
To display all iptables rules with line numbers, run:

iptables -L -n --line-numbers

For example, to delete the rule with number 8 in INPUT, run:

iptables -D INPUT 8

7. Start iptables and save the rules
After iptables is installed on CentOS, it does not start automatically at boot. To add it to the startup services, run:

chkconfig --level 345 iptables on

To save the rules on CentOS, run:

service iptables save

In addition, iptables on Debian/Ubuntu does not save rules by itself.

To save the iptables rules when the network interface goes down and load them again when it comes up, follow these steps:

Create the file /etc/network/if-post-down.d/iptables with the following content:

#!/bin/bash
iptables-save > /etc/iptables.rules

Run chmod +x /etc/network/if-post-down.d/iptables to make it executable.

Create the file /etc/network/if-pre-up.d/iptables with the following content:

#!/bin/bash
iptables-restore < /etc/iptables.rules

Run chmod +x /etc/network/if-pre-up.d/iptables to make it executable.

For more options, run iptables --help or look up the iptables parameters online.
