/etc/init.d/iptables restart
# Restart the firewall so the change takes effect. Of course, you can also restart the whole system (command: reboot) if you do not mind the trouble.
/etc/rc.d/init.d/iptables save
# Save the changes
In actual use, adding rules with -I is convenient, whereas -A is less so, because the two options put the rule in different positions: -I inserts the rule at the top of the chain (so it is matched first), while -A appends it to the end of the chain.
1. Install the iptables firewall
If iptables is not installed, install it first. On CentOS, run:
yum install iptables
On Debian/Ubuntu, run:
apt-get install iptables
2. Clear the existing iptables rules
iptables -F
iptables -X
iptables -Z
3. Open the specified ports
# Allow the local loopback interface (that is, the local machine accessing itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow this host to reach any external host (all outbound traffic)
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# For other ports the rule is similar; just change the port number in the statement above.
# Reject everything that is not permitted by the rules above
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
4. Blocking IP addresses
# If you only want to block IP addresses, you can skip step 3 (open the specified ports).
# To block a single IP address:
iptables -I INPUT -s 123.45.6.7 -j DROP
# To block the entire segment from 123.0.0.1 to 123.20.255.254:
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# To block the segment from 123.45.0.1 to 123.45.255.254:
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# To block the segment from 123.45.6.1 to 123.45.6.254:
iptables -I INPUT -s 123.45.6.0/24 -j DROP
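As an added example (not part of the original page), the following shell functions generate the policy from steps 3 and 4 as one iptables-restore file instead of running many separate iptables commands. Loading a file with iptables-restore applies the whole ruleset atomically, and writing the DROP rules first reproduces the ordering that -I gives on a live chain; the port list and blocked sources are constructed sample values.

```shell
# Constructed sample inputs: TCP ports to open and sources to block.
OPEN_TCP_PORTS="22 80 21 20"
BLOCKED_SOURCES="123.45.6.7 123.45.6.0/24"

# Print the ruleset in iptables-save format. Blocked sources are written
# before any ACCEPT rule, which is what 'iptables -I INPUT' achieves on a
# running system; the rest follows the order of step 3.
build_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for src in $BLOCKED_SOURCES; do
        echo "-A INPUT -s $src -j DROP"
    done
    echo '-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -j ACCEPT'
    for port in $OPEN_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo '-A INPUT -j REJECT'
    echo '-A FORWARD -j REJECT'
    echo 'COMMIT'
}

# Ordering check: a DROP that appears after an ACCEPT would never match a
# source that the ACCEPT already admitted. Returns 0 when every DROP rule
# precedes the first ACCEPT rule, 1 otherwise.
check_order() {
    build_ruleset | (
        seen_accept=0
        while read -r line; do
            case "$line" in
                *"-j ACCEPT"*) seen_accept=1 ;;
                *"-j DROP"*) [ "$seen_accept" -eq 0 ] || exit 1 ;;
            esac
        done
        exit 0
    )
}

# To apply as root: build_ruleset > /etc/iptables.rules
#                   iptables-restore < /etc/iptables.rules
```

Review the generated file before loading it; iptables-restore replaces the current filter table with exactly what the file contains.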
5. View the added iptables rules
iptables -L -n
-v: display details, including the number of matching packets and matching bytes for each rule.
-x: disable the automatic unit conversion (K, M) of the counters shown by -v.
-n: display only IP addresses and port numbers; do not resolve IP addresses to host names.
6. Delete an added iptables rule
To display all iptables rules with line numbers, run:
iptables -L -n --line-numbers
For example, to delete the rule with line number 8 in INPUT, run:
iptables -D INPUT 8
7. Start iptables and save the rules
After iptables is installed on CentOS, it does not start automatically at boot. Run the following command to add it to startup:
chkconfig --level 345 iptables on
On CentOS, save the rules with:
service iptables save
In addition, iptables on Debian/Ubuntu does not save its rules on its own.
To save the iptables rules when the network interface goes down and load them again when it comes up, do the following:
Create the file /etc/network/if-post-down.d/iptables with the following content:
#!/bin/bash
iptables-save > /etc/iptables.rules
Run chmod +x /etc/network/if-post-down.d/iptables to make it executable.
Create the file /etc/network/if-pre-up.d/iptables with the following content:
#!/bin/bash
iptables-restore < /etc/iptables.rules
Run chmod +x /etc/network/if-pre-up.d/iptables to make it executable.
For more iptables options, run iptables --help or search for the iptables parameters online.