Basic use of iptables firewall

Source: Internet
Author: User
Tags vps ssh port
iptables is a good firewall for Linux. This article describes how to install iptables, add and clear rules, open specified ports, and block specified IP addresses and IP ranges, covering the basic use of iptables on CentOS.

1. Install iptables
yum install iptables
If iptables is not installed by default in CentOS, run the preceding command. How do I know if the system has iptables? Run the following command:
service iptables status
If "iptables: unrecognized service" is displayed, iptables is not installed on the system.

2. Directory and configuration file of iptables (IPv4)
After iptables is installed, the configuration file is /etc/sysconfig/iptables by default.
The figure shows the default iptables configuration.

3. Clear existing rules
First, run the following commands over SSH (the text after "#" is a comment and does not need to be typed):
iptables -F    # flush the selected chain: all of its rules are deleted one by one
iptables -X    # delete the specified user-defined chain
iptables -Z    # zero the packet and byte counters of all chains

4. Open the specified ports
This is generally needed on servers, for example for the common ports 80 (HTTP), 20 and 21 (FTP), 22 (SSH), 3306 (MySQL), and so on.

1. Edit the /etc/sysconfig/iptables file. We recommend that you use WinSCP.
2. Clear the default rules and add the following lines.


# Allow established or related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the local loopback interface
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow outbound access from the local machine
-A OUTPUT -j ACCEPT
# Allow access to the SSH port. If the port has been changed, use the corresponding port number.
-A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80 (HTTP)
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow access to the FTP ports: 21 and 20
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
# Allow access to port 161 (SNMP)
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject any access not permitted by the rules above
-A INPUT -j REJECT
-A FORWARD -j REJECT
# Note for VPS users on Xen and OpenVZ: if the last rule, "reject any access not permitted
# by the rules above", is added to the file, you must also add the first rule, "allow established or related connections".
# If the first rule is not added, you cannot connect to the VPS through the specified port (such as SSH).

3. Save the file and run the following command to restart iptables.
service iptables restart

5. Block specified IP addresses and IP ranges
1. Block a single IP address
Add the following rule to /etc/sysconfig/iptables to permanently ban the IP 123.45.67.89.
-A INPUT -s 123.45.67.89 -j DROP
Adding more IP addresses is easy: start a new line for each address and modify the rule accordingly.

2. Block IP ranges
You can use the following methods to block IP addresses in a region, country, or CIDR block:
# To block the entire range (Class A address) from 192.0.0.1 to 192.20.255.254, add the following rule.
-I INPUT -s 192.0.0.0/8 -j DROP
# To block an IP range (Class B address) from 192.168.0.1 to 192.168.255.254, add the following rule.
-I INPUT -s 192.168.0.0/16 -j DROP
# To block an IP range (Class C address) from 192.168.200.1 to 192.168.200.254, add the following rule.
-I INPUT -s 192.168.200.0/24 -j DROP
After saving the preceding changes, restart iptables.
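
Because iptables stops at the first rule that matches, both the note in section 4 and the placement of the block rules in this section come down to rule order, which can be checked before restarting. The following is an added example, not part of the original article: lint_rules is a hypothetical helper that reads rules in the "-A INPUT ..." form used above, and the sample rules are constructed.

```shell
#!/bin/sh
# Added example: lint the INPUT rules of an iptables rules file for ordering
# problems. iptables stops at the first matching rule, so order decides effect.
# lint_rules is a hypothetical helper name; it prints one finding per line.
lint_rules() {
    awk '
    $1 != "-A" || $2 != "INPUT" { next }      # only rules appended to INPUT
    {
        n++; target = ""; src = 0; port = ""; est = 0; match_opts = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-s") src = 1
            if ($i == "--dport") port = $(i + 1)
            if (($i == "--state" || $i == "--ctstate") && $(i + 1) ~ /ESTABLISHED/) est = 1
            if ($i ~ /^-[sdpim]$/) match_opts = 1
        }
        if (catchall) {                        # nothing after a catch-all is evaluated
            printf "UNREACHABLE rule %d (after catch-all rule %d): %s\n", n, catchall, $0
            next
        }
        if (target == "ACCEPT" && est) have_est = 1
        if (target == "DROP" && src)           # block rule placed after an open port
            for (p in accepted)
                printf "SHADOWED rule %d (port %s already accepted by rule %d): %s\n", n, p, accepted[p], $0
        if (target == "ACCEPT" && port != "" && !src) accepted[port] = n
        if (!match_opts && (target == "REJECT" || target == "DROP")) {
            catchall = n
            if (!have_est)
                printf "NO-ESTABLISHED rule %d rejects all, no ESTABLISHED accept before it\n", n
        }
    }' "$1"
}

# Constructed sample: the block rule and the port 80 rule are in the wrong place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 123.45.67.89 -j DROP
-A INPUT -j REJECT
-A INPUT -p tcp --dport 80 -j ACCEPT
EOF
lint_rules "$sample"
```

An empty result means none of these three ordering problems was found. The check reads only "-A INPUT" lines, so rules inserted with -I are not evaluated.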

6. List the added iptables rules
iptables -L -n
Run the preceding command over SSH. The parameters are used as follows:
-v: displays details, including the number of matching packets and the number of matching bytes for each rule.
-x: disables automatic unit conversion (K, M); used together with -v.
-n: displays only numeric IP addresses and port numbers; IP addresses are not resolved to domain names.

7. Delete an added iptables rule
You can quickly delete a rule from the command line over SSH. First, run the following command to display the iptables rules with line numbers.
iptables -L -n --line-numbers

To delete the 5th rule, run the following command.
iptables -D INPUT 5

8. Set iptables to start automatically at boot
By default, iptables does not start at boot. If necessary, set it to start automatically at boot by running the following command over SSH.
To do the opposite, change "on" to "off".
chkconfig iptables on
