CentOS Server Iptables configuration Simple tutorial _linux

Source: Internet
Author: User
Tags: ack, sort, centos, server, iptables

iptables is an important network security tool on Linux servers. Since most servers are hosted in a dedicated data centre, an administrator manages them almost entirely over SSH, so a safe configuration must still guarantee that legitimate SSH connections get through. The following rules do that.

# Temporarily accept everything so the flush below cannot cut off the SSH session
iptables -P INPUT ACCEPT
iptables -F
# Loopback traffic and replies to connections the server already has
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Now that the required rules exist, deny everything else that comes in
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Show the resulting rule set with packet counters
iptables -L -v

This keeps TCP port 22 (SSH) legitimately reachable. Setting the INPUT policy to ACCEPT before flushing means an administrator connected over SSH is not locked out half-way; the policy is switched to DROP only after the loopback, established-connection and SSH rules are in place. Finally, run service iptables save to persist the configuration you have just created.

You can view the saved iptables configuration with cat /etc/sysconfig/iptables; the file can also be edited directly to delete configuration entries.

To check whether iptables is loaded and which rules are active, use lsmod | grep ip_tables or iptables -L.

One more point from the editors: a simple anti-attack iptables policy.

#!/bin/sh
IPTABLES=/sbin/iptables

# Clear
$IPTABLES -F

# If pkg type is allow, then accept
# $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# If the number of connections to port 80 from one address is greater than 10, drop this IP
# (the awk field number was lost in the source text; this takes the remote address column of netstat -an)
netstat -an | grep :80 | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | awk '$1>10 && $2!="" {print $2}' >> /etc/fw.list
cat /etc/fw.list | sort | uniq -c | awk '$2!="" {print $2}' > /etc/fw.list2
cat /etc/fw.list2 > /etc/fw.list
while read -r t
do
    $IPTABLES -A INPUT -p tcp -s "$t" -j DROP
done < /etc/fw.list2

# IP forwarding
$IPTABLES -A INPUT -p tcp --dport 20002 -j ACCEPT
$IPTABLES -A INPUT -d 172.16.204.7 -p tcp -m tcp --dport 20002 -i eth0 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 211.100.39.44 -p tcp -m tcp --dport 20002 -j DNAT --to-destination 172.16.204.7:20002
$IPTABLES -t nat -A POSTROUTING -d 172.16.204.7 -p tcp -m tcp --dport 20002 -j SNAT --to-source 10.6.39.44

# If pkg visits port 80, 7710 then accept
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT

# $IPTABLES -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
# Rate-limit new TCP connections (SYN only) and fragments
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
$IPTABLES -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# If pkg from allowed IP then ACCEPT
$IPTABLES -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT

# If pkg matched none of the above then deny
$IPTABLES -A INPUT -p tcp --syn -j DROP

The following firewall has been tested and behaves more correctly; it provides some protection against attacks.

#!/bin/sh
IPTABLES="/sbin/iptables"
# Placeholder: the port number for the rate-limited rule below is missing from the source text
WEB_PORT=80

echo "1" > /proc/sys/net/ipv4/ip_forward

# Default to dropping everything, then start from an empty rule set
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F
$IPTABLES -X

# Replies to existing connections, and SSH
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# New connections to the web port are rate-limited
$IPTABLES -A INPUT -p tcp --dport "$WEB_PORT" --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT

# Outbound traffic only from the host's own addresses
$IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -s 192.168.1.102 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -s 192.168.1.102 -j ACCEPT

# Any other new TCP connection is dropped
$IPTABLES -A INPUT -p tcp --syn -j DROP
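The "more than N connections to port 80, then drop the source" step above is the fragile part of that script: grep :80 also matches :8080, and every state (including TIME_WAIT and LISTEN) is counted. The following is an added example, not code from the original post, that does the same counting on netstat -an output but matches the exact local port, counts ESTABLISHED connections only, and prints the iptables rules instead of applying them; the sample netstat lines and the function names busy_clients and drop_rules_for are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: count ESTABLISHED connections per remote address to one local
# port and list the addresses over a threshold. Reads netstat -an style lines
# on stdin. Usage: busy_clients PORT THRESHOLD
busy_clients() {
    awk -v port="$1" -v max="$2" '
        # netstat -an tcp lines: proto recv-q send-q local foreign state
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($4, lhs, ":")
            if (lhs[n] != port) next      # exact local port, so :80 != :8080
            ip = $5
            sub(/:[^:]*$/, "", ip)        # strip the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] > max) print ip
        }' | sort
}

# Constructed sample of netstat -an output (not captured from a real host).
SAMPLE='tcp        0      0 10.0.0.5:80     203.0.113.9:51000   ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51001   ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51002   ESTABLISHED
tcp        0      0 10.0.0.5:80     198.51.100.7:40000  ESTABLISHED
tcp        0      0 10.0.0.5:8080   203.0.113.9:51003   ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51004   TIME_WAIT
tcp        0      0 0.0.0.0:80      0.0.0.0:*           LISTEN'

# Print the DROP rules that the original script would add, without
# touching the firewall. Usage: drop_rules_for PORT THRESHOLD
drop_rules_for() {
    printf '%s\n' "$SAMPLE" | busy_clients "$1" "$2" |
        while read -r ip; do
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j DROP\n' "$ip" "$1"
        done
}

# With threshold 2 only 203.0.113.9 qualifies: three ESTABLISHED connections
# to :80; its :8080 and TIME_WAIT lines are not counted.
drop_rules_for 80 2
```

Review the printed rules before feeding them to iptables; an address blocked this way stays blocked until the rule is removed, so pair it with the state and loopback rules from the first script.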

That is the whole of this article. I hope it helps you learn, and I hope you will keep supporting the cloud habitat community.
