CentOS 3 Linux server environment configuration optimization explanation
Content Overview
This article walks through the steps a freshly installed Linux server needs: from the initial system adjustments, through installing the LAMP environment, to server optimization and security policies. By following it you can easily and quickly complete the environment configuration of a CentOS 3 server!
1) This article includes the following main content:
- Adjustments and settings after centos3 Installation
- Upgrade OpenSSL and OpenSSH to enhance security
- Install the Apache + PHP + MySQL + Zend optimizer environment
- Configure Apache and create a VM
- Server Optimization
- Server iptables firewall security policy customization reference
2) Conventions in this article
- Location of the downloaded RPM packages and source code packages: /usr/local/src
- MySQL database location: /var/lib/mysql
- Apache website root directory: /home/www/wwwroot
- Apache running account: www
Adjustments and settings after centos3 Installation
1. Check whether the system is normal
# more /var/log/messages    (check for kernel-level errors)
# dmesg                     (check for hardware errors)
# ifconfig                  (check whether the NIC settings are correct)
# ping www.discuz.net       (check whether the network is working)
2. disable unnecessary services
ntsysv
Only the services that need to start are listed below; any service not listed can be turned off:
- crond
- irqbalance (enable only when the server CPU supports the SMP symmetric multi-processor architecture, for example two or more CPUs; otherwise turn it off)
- microcode_ctl
- network
- random
- sendmail
- sshd
- syslog
3. Adjust TCP/IP network parameters to enhance the anti-syn_flood capability
# echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf
# sysctl -p
4. Configure yum
1) rpm --import /usr/share/doc/centos-release-3/RPM-GPG-KEY-CentOS-3
2) yum list | tee /etc/yum.list
Explanation: yum is a powerful tool for conveniently managing the RPM packages on the system. With yum you can upgrade and install RPM packages over the network for free, and dependencies are resolved automatically during upgrade and installation; you can also uninstall and remove RPM packages. For details, see the detailed description of yum in the Linux section of the Discuz! knowledge base (http://kb.discuz.com/index.php?title=%E4%BD%BF%E7%94%A8yum%E7%AE%A1%E7%90%86centos_rpm).
5. Install the required rpm
Before installing, use rpm -qa | grep name to check whether each of the following packages is already installed (replace name in the command with the package name). If a package is already installed, there is no need to install it again with yum:
gcc gcc-c++ ntp flex bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel perl-CGI perl-DBI zlib-devel
# yum install name    (replace name with a package name from the list above to start automatic network installation)
6. Check the system time and set the regular time synchronization.
1) date (confirm whether the system time is correct)
2) ntpdate 210.72.145.44 (correct the time against the China National Time Service Center)
3) run crontab -e and add a task that synchronizes the time every 30 minutes:
*/30 * * * * ntpdate 210.72.145.44 > /dev/null 2>&1
7. restart the system
init 6
8. software required for the source code compilation and installation environment
1) libxml2
# cd /usr/local/src
# wget http://download.discuz.net/env/libxml2-2.6.24.tar.bz2
# tar xjvf libxml2-2.6.24.tar.bz2
# cd libxml2-2.6.24
# ./configure --prefix=/usr/local/libxml2
# make
# make install
2) GD2
# cd /usr/local/src
# wget http://download.discuz.net/env/gd-2.0.33.tar.gz
# tar xzvf gd-2.0.33.tar.gz
# cd gd-2.0.33
# ./configure --prefix=/usr/local/gd2 --mandir=/usr/share/man
# make
# make install
Upgrade OpenSSL and OpenSSH to enhance security
1) Upgrade OpenSSL
# cd /usr/local/src
# wget http://download.discuz.net/env/openssl-0.9.7j.tar.gz
# wget http://download.discuz.net/env/openssh-4.2p1.tar.gz
# tar xzvf openssl-0.9.7j.tar.gz
# cd openssl-0.9.7j
# ./config --prefix=/usr/local/openssl
# make
# make test
# make install
# cd ..
2) Upgrade OpenSSH
# tar xzvf openssh-4.2p1.tar.gz
# cd openssh-4.2p1
# ./configure --prefix=/usr --with-pam --with-zlib --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man
# make
# make install
3) prohibit direct root login. Create a common system user here:
# useradd username
# passwd username
# vi /etc/passwd                (change the login shell of username in the passwd file to /bin/sh)
# vi /etc/ssh/sshd_config       (change "#Protocol 2,1" to "Protocol 2")
# vi /etc/ssh/sshd_config       (change "#PermitRootLogin yes" to "PermitRootLogin no")
# vi /usr/etc/sshd_config       (change "#Protocol 2,1" to "Protocol 2"; this is the config file of the OpenSSH just installed with --prefix=/usr)
# vi /usr/etc/sshd_config       (change "#PermitRootLogin yes" to "PermitRootLogin no")
# /etc/rc.d/init.d/sshd restart
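The two sshd_config edits above are easy to get wrong by hand (a leftover commented line, a duplicate directive, or the wrong file). The following script is an added example, not part of the original article: it applies the same two changes (Protocol 2, PermitRootLogin no) to whatever config path is passed in, is safe to run twice, and verifies the result the way sshd reads it. Function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): apply the sshd_config changes from the
# step above idempotently and verify them. Try it on a copy of the file first.

# Replace every line carrying the directive, commented out or not, with the
# wanted value; append the directive if the file does not mention it at all.
# Keywords are matched in the canonical spelling used by the stock file.
harden_sshd_config() {
    cfg="$1"
    for pair in "Protocol 2" "PermitRootLogin no"; do
        key="${pair%% *}"
        if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg"; then
            sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$pair/" "$cfg" > "$cfg.tmp" \
                && mv "$cfg.tmp" "$cfg"
        else
            printf '%s\n' "$pair" >> "$cfg"
        fi
    done
}

# sshd honours the FIRST uncommented occurrence of a directive, so a later
# duplicate is ignored: report that first effective value (case-insensitive key).
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == k && !seen { print $2; seen = 1 }' "$1"
}

# sshd_directive_is <file> <directive> <value>: true when the effective value matches
sshd_directive_is() {
    [ "$(sshd_effective "$1" "$2")" = "$3" ]
}

# Run the hardening twice on a constructed sample resembling the commented
# defaults of a stock sshd_config and confirm the outcome.
demo_sshd() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# sshd_config (constructed sample)
#Port 22
#Protocol 2,1
#PermitRootLogin yes
UsePAM yes
EOF
    harden_sshd_config "$tmp"
    harden_sshd_config "$tmp"      # second run must be a no-op
    ok=0
    if sshd_directive_is "$tmp" Protocol 2 \
       && sshd_directive_is "$tmp" PermitRootLogin no \
       && [ "$(grep -c '^Protocol ' "$tmp")" = 1 ]; then
        ok=1
    fi
    rm -f "$tmp"
    [ "$ok" = 1 ]
}

demo_sshd && echo "sshd_config hardened and verified"
```

Because sshd uses the first match for a directive, the verification function deliberately reports the first uncommented value rather than the last; a hardening line appended at the end of a file that already sets PermitRootLogin yes earlier would otherwise look correct while having no effect.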
Install and configure Apache + PHP + MySQL + Zend Optimizer
1) Download Software
# cd /usr/local/src
# wget http://download.discuz.net/env/httpd-2.0.58.tar.bz2
# wget http://download.discuz.net/env/mysql-standard-5.0.22-linux-i686.tar.gz
# wget http://download.discuz.net/env/php-5.1.4.tar.bz2
# wget http://download.discuz.net/env/ZendOptimizer-3.0.1-linux-glibc21-i386.tar.gz
2) install MySQL
# tar xzvf mysql-standard-5.0.22-linux-i686.tar.gz
# useradd mysql
# mv mysql-standard-5.0.22-linux-i686 /usr/local/mysql
# cd /usr/local/mysql
# scripts/mysql_install_db --user=mysql
# chown -R root .
# chown -R mysql data
# chgrp -R mysql .
# mv data /var/lib/mysql
# ln -s /var/lib/mysql ./data
# cp support-files/my-large.cnf /etc/my.cnf
# bin/mysqld_safe --user=mysql &
# bin/mysqladmin -u root password newpassword_for_root
# bin/mysqladmin -u root -p shutdown
# cp support-files/mysql.server /etc/init.d/mysqld
# chkconfig --add mysqld
# /etc/rc.d/init.d/mysqld start
3) Compile and install Apache
# cd /usr/local/src
# tar xjvf httpd-2.0.58.tar.bz2
# cd httpd-2.0.58
# ./configure --prefix=/usr/local/apache2 --mandir=/usr/share/man \
    --enable-so --enable-deflate=shared --enable-expires=shared --enable-rewrite=shared \
    --enable-gzip --enable-cache --enable-file-cache --enable-mem-cache --enable-disk-cache
# make
# make install
4) Compile and install PHP
# cd /usr/local/src
# tar xjvf php-5.1.4.tar.bz2
# cd php-5.1.4
# ./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache2/bin/apxs \
    --with-zlib --with-bz2 --with-tiff-dir --with-libxml-dir=/usr/local/libxml2 \
    --with-gd=/usr/local/gd2 --with-freetype-dir --with-jpeg-dir --with-png-dir \
    --with-ttf --enable-mbstring --with-mysql=/usr/local/mysql \
    --with-config-file-path=/etc --disable-ipv6 --enable-gd-native-ttf
# make
# make install
# cp php.ini-dist /etc/php.ini
5) install Zend Optimizer
# cd /usr/local/src
# tar xzvf ZendOptimizer-3.0.1-linux-glibc21-i386.tar.gz
# ./ZendOptimizer-3.0.1-linux-glibc21-i386/install.sh
6) Integrate Apache and PHP
# vi /usr/local/apache2/conf/httpd.conf
Search:
DirectoryIndex index.html index.html.var
Change it:
DirectoryIndex index.html index.htm index.php
Search:
AddType application/x-gzip .gz .tgz
Add a row below:
AddType application/x-httpd-php .php
After saving and exiting, restart Apache:
# /usr/local/apache2/bin/apachectl restart
Change the Apache running account and create a VM
1. Change the Apache running account. By default, Apache runs on Linux as the nobody account; we change the running account to improve Apache's security and permission control.
# useradd www
# su www
$ mkdir -p /home/www/wwwroot/discuz
$ exit
# vi /usr/local/apache2/conf/httpd.conf
Find:
User nobody
Group #-1
Changed:
User www
Group www
2. Create a VM. Here we create a VM for Apache.
# vi /usr/local/apache2/conf/httpd.conf
Find:
#NameVirtualHost *
Remove the leading "#" to uncomment this line so that Apache runs in name-based virtual host mode. Then add a virtual host at the end of the configuration file; its log files are stored in /home/www/logs.
<VirtualHost *>
    ServerName www.your-domain.com
    DocumentRoot /home/www/wwwroot/discuz
    ErrorLog /home/www/logs/discuz-error_log
    CustomLog /home/www/logs/discuz-access_log combined
    # Rewrite rules required by the Discuz! forum
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^(.*)/archiver/([a-z0-9\-]+\.html)$ $1/archiver/index.php?$2
        RewriteRule ^(.*)/forum-([0-9]+)-([0-9]+)\.html$ $1/forumdisplay.php?fid=$2&page=$3
        RewriteRule ^(.*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/viewthread.php?tid=$2&extra=page\%3D$4&page=$3
        RewriteRule ^(.*)/profile-(username|uid)-(.+)\.html$ $1/viewpro.php?$2=$3
    </IfModule>
</VirtualHost>
Save and exit file editing. The log storage directory is created below:
# mkdir /home/www/logs
Restart Apache:
# /usr/local/apache2/bin/apachectl restart
So far, a virtual host has been created!
Server Optimization
1. Apache Optimization
After the preceding operations, Apache runs properly. For sites with higher traffic, however, Apache's default configuration is not enough, and some Apache parameters still need adjusting so that it performs well under heavy load. The following describes the parameters in the Apache configuration file httpd.conf that have the greatest impact on performance.
(1) Timeout: this parameter specifies the maximum time (in seconds) Apache waits to receive a request or to send the requested content; if the request is not completed within that time, Apache stops processing it and releases the connection. The default is 120. We recommend 60, and for high-traffic websites 30.
(2) KeepAlive: this parameter controls whether Apache allows multiple requests on one connection. It is enabled by default, but for most forum sites it is usually set to Off.
(3) MPM prefork.c: by default Apache uses the prefork (process) working mode, and this group of parameters is the core of Apache performance tuning. You can find the following section in the configuration file:
<IfModule prefork.c>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxClients 15
    MaxRequestsPerChild 0
</IfModule>
This is the section that controls how Apache's processes work. To understand these parameters, first consider how Apache manages its processes. On Unix systems a daemon creates a process at startup, and that process listens on the service port, ready for connection requests. When a client request arrives at the listening port, the service process handles it, and it does so exclusively: any other requests arriving in the meantime must queue until the current request finishes and the process is released. As more and more requests wait in the queue, the observed service capacity becomes very low. Apache uses the prefork mode to solve this problem; let's look at how it works efficiently.
When Apache starts, it launches StartServers processes in advance, ready to receive and handle requests. As requests arrive, the number of idle processes shrinks. When the idle processes fall to MinSpareServers, Apache forks additional processes so that there are always spare processes to handle requests. This greatly reduces the chance of requests waiting in the queue and improves service efficiency, and it is also why the mode is called pre-fork. Let's keep following Apache's work and assume it has started 200 processes to handle requests, so that in theory it has 205 processes in total. After a while, assume 100 requests have been answered and processed: those 100 processes are released as idle processes, so Apache now has 105 idle processes. Too many idle processes are useless to the service and reduce the overall performance of the server. Does Apache really keep 105 idle processes? Of course not! Apache checks itself continually, and when it finds more than MaxSpareServers idle processes it automatically stops and closes some of them, making sure there are not too many idle processes. By now you should have a basic understanding of how Apache works; for more details, see the Apache manual.
Two parameters remain: MaxClients and MaxRequestsPerChild. MaxClients specifies the maximum number of clients allowed to connect to Apache at the same time; beyond that, clients get a "server busy" error page. As we saw, MaxClients is 15 by default, which is far from enough for medium and large sites! You may need to allow 512 simultaneous client connections. So let's change MaxClients to 512, save httpd.conf, exit and restart Apache. Sorry: the restart prints error messages and fails, telling you that MaxClients can be at most 256. You may be disappointed, but don't be frustrated; Apache, a world-class web server, is not that limited. By default MaxClients can only be set to an integer no larger than 256, but the ServerLimit parameter lets you customize that. In short, ServerLimit is like a bucket and MaxClients is like the water in it: use a larger bucket (set ServerLimit higher) to hold more water (MaxClients). Note that MaxClients can never be greater than ServerLimit!
Next, the MaxRequestsPerChild parameter, which specifies how many threads can work in a connection process at the same time. That explanation may sound too technical, so think of the "multi-point simultaneous download" of NetAnts or FlashGet: this parameter limits the maximum number of "points". The default is 0, meaning no limit. Setting it too small causes access problems; if there is no special need or the traffic pressure is not great, keep the default. If traffic is heavy, 2048 is recommended.
That's a lot of explanation. Here is the recommended prefork.c configuration section after modification:
<IfModule prefork.c>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    ServerLimit 1024
    MaxClients 768
    MaxRequestsPerChild 0
</IfModule>
After completing the above adjustments to Apache, Apache has achieved great performance improvement. Remember, after modifying any parameters, you must restart Apache to take effect. There are far more optimizations related to Apache. If you are interested, you can read the Apache manual documents or find some documents to learn.
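The MaxClients/ServerLimit relationship above is exactly the kind of mistake that only shows up as a failed restart. The script below is an added example, not from the article: check_prefork() reads an httpd.conf-style text and fails when MaxClients exceeds ServerLimit (256 when ServerLimit is absent) or MinSpareServers exceeds MaxSpareServers, so the check can run before apachectl restart. suggest_maxclients() is an added sizing rule of thumb (RAM left after MySQL and the OS, divided by the memory of one child) and is not part of the article's recommendations.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an <IfModule prefork.c>
# section before restarting Apache.

# check_prefork [file]: reads httpd.conf text (stdin if no file); exit 0 when consistent.
check_prefork() {
    awk '
    # Directive names are case-insensitive; only the prefork block is inspected.
    tolower($1) == "<ifmodule" && tolower($2) ~ /prefork/ { inblk = 1; next }
    tolower($1) == "</ifmodule>"                          { inblk = 0; next }
    inblk && $1 !~ /^#/ && NF >= 2                        { v[tolower($1)] = $2 + 0 }
    END {
        rc = 0
        # Without an explicit ServerLimit the compiled-in ceiling of 256 applies.
        lim = ("serverlimit" in v) ? v["serverlimit"] : 256
        if (("maxclients" in v) && v["maxclients"] > lim) {
            printf "MaxClients %d exceeds ServerLimit %d; raise ServerLimit first\n", v["maxclients"], lim
            rc = 1
        }
        if (("minspareservers" in v) && ("maxspareservers" in v) \
            && v["minspareservers"] > v["maxspareservers"]) {
            printf "MinSpareServers %d exceeds MaxSpareServers %d\n", v["minspareservers"], v["maxspareservers"]
            rc = 1
        }
        if (rc == 0) print "prefork section OK"
        exit rc
    }' "$@"
}

# Rule of thumb (this example's assumption, not the article's):
#   suggest_maxclients <total RAM MB> <MB reserved for MySQL and the OS> <RSS per child MB>
suggest_maxclients() {
    echo $(( ($1 - $2) / $3 ))
}

# Constructed sample: the article's recommended section.
prefork_sample() {
    cat <<'EOF'
<IfModule prefork.c>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    ServerLimit 1024
    MaxClients 768
    MaxRequestsPerChild 0
</IfModule>
EOF
}

prefork_sample | check_prefork
echo "children that fit in 4 GB with 1 GB reserved and 12 MB per child: $(suggest_maxclients 4096 1024 12)"
```

Run it as `check_prefork /usr/local/apache2/conf/httpd.conf` before each restart; a non-zero exit means the restart would fail or silently cap MaxClients. The sizing helper is the reason a large ServerLimit is not free: each prefork child is a full process, so 768 children at 12 MB each already need 9 GB of RAM.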
2. PHP optimization. PHP optimization mainly consists of adjusting the main parameters in php.ini properly. Let's look at the php.ini parameters that have the greatest impact on performance.
# vi /etc/php.ini
(1) Find the setting for disabled PHP functions:
disable_functions =
This option sets which PHP functions are not allowed to be used. Some PHP functions are highly risky: they can directly execute system-level commands, and if they are allowed, the damage is very serious when a PHP program has a vulnerability! The recommended setting is:
disable_functions = phpinfo,passthru,exec,system,popen,chroot,escapeshellcmd,escapeshellarg,shell_exec,proc_open,proc_get_status
NOTE: If your server contains PHP programs for system status detection, do not disable shell_exec, proc_open, proc_get_status, and other functions.
(2) Find the PHP script execution time:
max_execution_time = 30
This option sets the maximum execution time of a PHP script. If a requested script cannot finish within max_execution_time, PHP stops running it and returns a timeout error to the client. The default is 30 seconds; if your PHP script needs to run for a long time, increase the setting accordingly.
(3) Find the memory occupied by PHP script processing:
memory_limit = 8M
This option specifies the maximum memory a PHP script may use. The default is 8 MB. If your server has more than 1 GB of memory, set it to 12 MB for faster PHP script processing.
(4) PHP global function declaration:
register_globals = Off
Many articles on PHP settings on the network recommend that you set this option to on. In fact, this is an extremely dangerous setting method, which may cause serious security problems. If you do not have special requirements, we strongly recommend that you keep the default settings!
(5) limit on the size of PHP files to be uploaded:
upload_max_filesize = 2M
This option sets the maximum file size that PHP can upload. The default value is 2 MB. You can increase the setting as needed.
(6) Find the session storage medium:
session.save_path
If your PHP program uses sessions, you can set the session storage location to /dev/shm. /dev/shm is a tmpfs file system specific to Linux; it lives mainly in memory and is better than a ramdisk because swap can supplement it and it is a built-in part of the system that needs no extra configuration. Think of the speed gain from moving disk I/O to memory operations. Note that everything stored in /dev/shm is lost when the server restarts, but for session data this is insignificant.
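The php.ini settings in this section are worth checking mechanically after every PHP upgrade, since php.ini-dist ships with register_globals handled differently across versions and an empty disable_functions. The following is an added example, not from the article: php_ini_get() returns the effective value of a directive (PHP keeps the last definition in the file), php_missing_disabled() lists which of the article's recommended functions are still callable, and php_register_globals_off() fails when register_globals is not Off. Function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit a php.ini against the settings above.

# The disable_functions list recommended in the article
PHP_DISABLE_RECOMMENDED="phpinfo passthru exec system popen chroot escapeshellcmd escapeshellarg shell_exec proc_open proc_get_status"

# php_ini_get <file> <directive>: print the effective value, empty if unset.
php_ini_get() {
    awk -v k="$2" '
        /^[[:space:]]*[;#]/ { next }                    # comment lines
        index($0, "=") == 0 { next }                    # section headers, blank lines
        {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (name == k) {                            # last definition wins, as in PHP
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                gsub(/^"|"$/, "", v)                    # strip surrounding quotes
            }
        }
        END { print v }' "$1"
}

# php_missing_disabled <file>: recommended functions absent from disable_functions
php_missing_disabled() {
    current=$(php_ini_get "$1" disable_functions | tr ',' ' ')
    missing=""
    for f in $PHP_DISABLE_RECOMMENDED; do
        found=0
        for c in $current; do
            if [ "$c" = "$f" ]; then found=1; fi
        done
        if [ "$found" = 0 ]; then missing="$missing $f"; fi
    done
    printf '%s\n' "${missing# }"
}

# php_register_globals_off <file>: true when register_globals is Off.
# An unset directive counts as Off, PHP's built-in default since 4.2.
php_register_globals_off() {
    v=$(php_ini_get "$1" register_globals | tr 'A-Z' 'a-z')
    [ -z "$v" ] || [ "$v" = off ] || [ "$v" = 0 ]
}

# Constructed sample of a weak configuration
php_ini_sample() {
    printf '[PHP]\n; constructed sample\nregister_globals = On\n'
    printf 'disable_functions = phpinfo, exec\nmemory_limit = 8M\n'
}

tmp=$(mktemp); php_ini_sample > "$tmp"
echo "still callable: $(php_missing_disabled "$tmp")"
php_register_globals_off "$tmp" || echo "register_globals is On: fix it"
rm -f "$tmp"
```

Point the functions at /etc/php.ini (the path chosen with --with-config-file-path above); an empty line from php_missing_disabled and a zero exit from php_register_globals_off mean the file matches the recommendations in this section.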
3. MySQL Optimization
In the Apache, PHP and MySQL architecture, MySQL has the greatest impact on performance and is the key core component. The same is true for the Discuz! forum program: whether MySQL is reasonably optimized directly affects the speed and capacity of the forum! At the same time, MySQL is the hardest part to optimize. It requires some professional MySQL knowledge as well as a long period of observation, statistics and experience-based judgement before reasonable parameters can be set.
Next, some basics of MySQL optimization. It has two parts: optimizing the server's physical hardware, and optimizing MySQL itself (my.cnf).
(1) Impact of server hardware on MySQL Performance
A) Disk seek capability (disk I/O). Taking today's high-speed SCSI hard disk (7200 RPM) as an example, such a disk can theoretically seek 7200 times per second; this is determined by its physical characteristics and cannot be changed. MySQL performs a large number of complex queries every second, so you can imagine the read/write volume on disk, and disk I/O is usually considered one of the biggest factors limiting MySQL performance. For a Discuz! forum with an average daily volume of more than 1 million PVs, MySQL performance will be very poor because of the disk I/O constraint! Consider the following solutions:
- Use a raid-0 + 1 disk array. Do not try raid-5. The efficiency of MySQL on a raid-5 disk array is not as fast as you expected;
- Abandon traditional hard disks and use faster flash storage devices. Tests by Discuz!'s engineering staff show that flash storage is about 6-10 times faster than traditional hard disks.
B) CPU. For MySQL applications we recommend multiple CPUs in an SMP (symmetric multi-processing) architecture, for example two Intel Xeon CPUs.
C) For a database server using MySQL, we recommend that the server memory be no less than 2 GB. We recommend that you use more than 4 GB physical memory.
(2) MySQL's own factors. Once the server hardware constraints above are addressed, let's see how to optimize MySQL itself. This is mainly a matter of adjusting the parameters in its configuration file my.cnf; the parameters with the greatest impact on performance are described below.
Since the optimization settings in my.cnf are closely related to the server hardware, we assume the following server hardware environment:
- CPU: 2 Intel Xeon 2.4 GHz
- Memory: 4 GB DDR
- Hard Disk: SCSI 73 GB
Next, we describe the optimized my.cnf for the hardware configuration above:
# vi /etc/my.cnf
Only the [mysqld] section of my.cnf is listed below. The other sections have little impact on MySQL's running performance and are ignored.
[mysqld]
port = 3306
server-id = 1
socket = /tmp/mysql.sock
skip-locking
# Avoid external locking in MySQL, reducing the chance of errors and improving stability.
skip-name-resolve
# Forbid MySQL from performing DNS resolution on external connections, which eliminates the
# time spent on lookups. With this option enabled, every remote host must be granted access
# by IP address; otherwise MySQL cannot process its connection requests!
back_log = 384
# The number of outstanding connection requests MySQL can hold. It matters when the main
# thread receives many connection requests in a short time: the main thread needs a little
# time to check each connection and start a new thread, and back_log is how many requests
# can be queued in that interval before MySQL temporarily stops answering new ones. Raise it
# if the system sees many connections in a short period. The value is the size of the
# TCP/IP listen queue, and each operating system caps it; setting back_log above the OS
# limit has no effect. The default is 50; on Linux an integer below 512 is recommended.
key_buffer_size = 256M
# Size of the buffer used for indexes. Increasing it improves index handling; for a server
# with around 4 GB of memory, 384 MB is suitable.
# Note: setting this value too large lowers the overall efficiency of the server!
max_allowed_packet = 4M
thread_stack = 256K
sort_buffer_size = 6M
# Buffer size available for sorting.
# Note: the memory for this parameter is allocated per connection! With 100 connections the
# total sort buffer actually allocated is 100 x 6 = 600 MB, so for a server with around
# 4 GB of memory 6-8 MB is recommended.
read_buffer_size = 4M
# Buffer size for read (query) operations. As with sort_buffer_size, allocated per connection!
join_buffer_size = 8M
# Buffer size for join operations. As with sort_buffer_size, allocated per connection!
myisam_sort_buffer_size = 64M
table_cache = 512
thread_cache_size = 64
query_cache_size = 64M
# Size of the MySQL query cache. Check how it is used from the MySQL console with:
#   > show variables like '%query_cache%';
#   > show status like 'Qcache%';
# If Qcache_lowmem_prunes is very large, the cache frequently runs out of memory.
# If Qcache_hits is very large, the query cache is used heavily; if it is small, the cache
# hurts efficiency and you may consider not using it.
# If Qcache_free_blocks is very large, the cache is heavily fragmented.
tmp_table_size = 256M
max_connections = 768
# Maximum number of connections MySQL allows. Increase it if "Too many connections" errors
# are reported frequently while accessing the forum.
max_connect_errors = 10000000
wait_timeout = 10
# Maximum time a request's connection is kept. For servers with around 4 GB of memory, 5-10.
thread_concurrency = 8
# Set to the number of logical CPUs on the server x 2. In this example the server has two
# physical CPUs, each supporting Hyper-Threading, so the value is 4 x 2 = 8.
skip-networking
# Enabling this option completely disables MySQL's TCP/IP connections. Do NOT enable it on a
# MySQL server that the web server accesses remotely, or the connection will fail!
The above is a brief description of my.cnf. MySQL optimization requires long-term observation, experience and testing; if you are interested, consult documents and materials and experiment to gain more experience in practical applications.
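The comments on query_cache_size above say which Qcache counters to look at but not how to read them together. The script below is an added example, not from the article: it parses the tab-separated output of `mysql -B -e "show status like 'Qcache%'"`, derives a hit ratio, a prune ratio and a fragmentation ratio, and prints the corresponding advice. The sample counters are constructed, and the thresholds (10% prunes relative to inserts, 10% free blocks, 20% hit ratio) are this example's assumptions rather than anything MySQL defines.

```shell
#!/bin/sh
# Added example (not from the article): interpret the Qcache status counters.

# Constructed sample of "show status like 'Qcache%'" output (mysql -B format)
qcache_sample() {
    printf 'Variable_name\tValue\n'
    printf 'Qcache_free_blocks\t3600\n'
    printf 'Qcache_free_memory\t1200000\n'
    printf 'Qcache_hits\t5000000\n'
    printf 'Qcache_inserts\t1000000\n'
    printf 'Qcache_lowmem_prunes\t800000\n'
    printf 'Qcache_not_cached\t50000\n'
    printf 'Qcache_queries_in_cache\t12000\n'
    printf 'Qcache_total_blocks\t30000\n'
}

# qcache_report: read status output on stdin; print key=value metrics and advice lines.
qcache_report() {
    awk '
    $1 ~ /^Qcache_/ { s[$1] = $2 + 0 }
    END {
        # Hit ratio against every SELECT that reached the cache (hits + inserts + not_cached).
        # Com_select would be exact but is not in the Qcache% set, so this is an approximation.
        lookups = s["Qcache_hits"] + s["Qcache_inserts"] + s["Qcache_not_cached"]
        hit   = lookups ? int(100 * s["Qcache_hits"] / lookups) : 0
        # Prunes per insert: how often the cache had to evict entries for lack of memory.
        prune = s["Qcache_inserts"] ? int(100 * s["Qcache_lowmem_prunes"] / s["Qcache_inserts"]) : 0
        # Free blocks per total block: the fragmentation indicator named in the article.
        frag  = s["Qcache_total_blocks"] ? int(100 * s["Qcache_free_blocks"] / s["Qcache_total_blocks"]) : 0
        printf "hit_ratio_pct=%d\nlowmem_prune_pct=%d\nfragmentation_pct=%d\n", hit, prune, frag
        if (hit < 20)    print "advice=low hit ratio: consider query_cache_size = 0 (disable the cache)"
        if (prune >= 10) print "advice=frequent low-memory prunes: increase query_cache_size"
        if (frag >= 10)  print "advice=many free blocks: run FLUSH QUERY CACHE to defragment"
        if (hit >= 20 && prune < 10 && frag < 10) print "advice=query cache looks healthy"
    }'
}

qcache_sample | qcache_report
```

On a live server replace the sample with `mysql -B -e "show status like 'Qcache%'" | qcache_report` and run it after the server has been up for a day, since the counters are cumulative since startup and mean little in the first minutes. The constructed sample shows the two problems the article warns about at once: prunes are 80% of inserts (the 64M cache is too small for that workload) and 12% of blocks are free (fragmentation), while the 82% hit ratio says the cache itself is still worth keeping.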
The optimization section is basically finished now. After all the optimization operations are completed, you need to restart Apache and MySQL services:
# /usr/local/apache2/bin/apachectl restart
# /etc/rc.d/init.d/mysqld restart
Server iptables firewall security policy customization reference
For Linux servers, using iptables for access control and packet filtering is a good choice. This section does not explain how to use iptables, which is very powerful; if you are interested, you can find a lot of Netfilter/iptables material at http://www.netfilter.org. The following uses a LAMP server with dual NICs as an example and describes an iptables script that meets the security access requirements.
Use of the server's two NICs:
- eth0: connected to the Internet (WAN)
- eth1: connected to the intranet (LAN)
Services the server provides to the public WAN:
- FTP on TCP port 21
- SSH on TCP port 22
- SMTP on TCP port 25
- HTTP on TCP port 80
- POP3 on TCP port 110
# vi /usr/local/sbin/fw.sh
Paste the following script into fw.sh:
#!/bin/bash
# This Net-Filter script was created by Discuz! - Nanu.
# Support: nanu@discuz.com

# Set FTP passive transfer mode
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Initialize
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# Enable private network lo & eth1 access
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT

#################################
#### Server Security Settings ###
#################################

# ICMP control
/sbin/iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# FTP service
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# SSH service
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Mail service
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# WWW service
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Deny other connections: replies to established connections are accepted,
# everything else falls through to the INPUT DROP policy
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
After saving, run the following command:
# chmod 755 /usr/local/sbin/fw.sh
# echo '/usr/local/sbin/fw.sh' >> /etc/rc.local
# /usr/local/sbin/fw.sh
View the current iptables access control policy:
# iptables -L
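The script above hard-codes each port and appends the ESTABLISHED,RELATED rule last, so every packet of an existing connection is matched against all the port rules first. The following is an added example, not the article's script: it builds the same default-deny INPUT policy from a list of services, places the stateful rule before the port rules, accepts only NEW connections on the listed ports, and with DRY_RUN=1 prints the iptables commands instead of running them so the rule set can be reviewed (or tested) on a machine without iptables. Interface and service defaults mirror the article; the variable and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): default-deny INPUT policy generated
# from a service list, with a dry-run mode for review.

IPT=${IPT:-/sbin/iptables}
WAN_IF=${WAN_IF:-eth0}        # public interface
LAN_IF=${LAN_IF:-eth1}        # trusted internal interface
# Services exposed on the WAN interface, "name:proto:port", as in the article
SERVICES=${SERVICES:-"ftp:tcp:21 ssh:tcp:22 smtp:tcp:25 http:tcp:80 pop3:tcp:110"}

# run <cmd...>: execute, or print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
ipt() { run "$IPT" "$@"; }

fw_apply() {
    # FTP passive mode needs the connection-tracking helpers, as in the article
    run /sbin/modprobe ip_conntrack_ftp
    run /sbin/modprobe ip_nat_ftp
    ipt -F -t filter
    ipt -F -t nat
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
    # Stateful rule first: packets of established flows are accepted before any
    # per-port rule, so the port rules below only have to cover new connections.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$WAN_IF" -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    for svc in $SERVICES; do
        proto=${svc#*:}; proto=${proto%%:*}
        port=${svc##*:}
        ipt -A INPUT -i "$WAN_IF" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# fw_rule_count: number of per-service rules the generated policy contains
fw_rule_count() {
    ( DRY_RUN=1; fw_apply ) | grep -c -- '--state NEW'
}

# Print the generated rule set for review
( DRY_RUN=1; fw_apply )
```

To install it, run the script without DRY_RUN as root and add it to /etc/rc.local as the article does with fw.sh. Dropping a service is now a matter of removing it from SERVICES rather than editing rules, and because the port rules are restricted to the WAN interface and to NEW state, a listed port stays closed on any other interface the host may acquire later.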
That concludes all the content of this article. If you have questions about it or points worth exploring, visit the Discuz! forum for discussion: http://www.discuz.net
From "http://kb.discuz.net/index.php?title=centos3_linux_%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%8E%AF%E5%A2%83%E9%85%8D%E7%BD%AE%E4%BC%98%E5%8C%96%E8%AF%A6%E8%A7%A3"