On Debian, rules added with the iptables command take effect immediately but are gone after a reboot. Save the running configuration with iptables-save, then have iptables-restore load the exported file at boot, as follows.
To stop iptables, iptables -F flushes all rules; with the default ACCEPT policies that is equivalent to stopping the firewall (if the INPUT policy is DROP, flushing alone leaves everything blocked, so reset the policies too). whereis iptables shows where the iptables binaries are installed.
1. Save the iptables configuration to /etc/iptables. The file name is up to you, but it must match the path used in the hook below.
iptables-save > /etc/iptables
2. Create the boot-time hook script and make it executable (ifupdown ignores files in this directory that are not executable):
touch /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
3. Edit the hook so it restores the iptables configuration before the network interface is brought up:
vi /etc/network/if-pre-up.d/iptables
The contents are:
#!/bin/sh
/sbin/iptables-restore </etc/iptables
Save and exit. From the next reboot on, iptables loads the rules automatically: ifupdown runs every executable file in /etc/network/if-pre-up.d/ before bringing an interface up.
# Note: re-export the configuration file every time you change the iptables rules, otherwise the change is lost at the next reboot.
# clear the existing configuration (rules, user-defined chains, counters)
iptables -F
iptables -X
iptables -Z
# policy: drop inbound by default, allow outbound, allow the loopback interface
# (run this from the console: once the INPUT policy is DROP, an SSH session is cut off until the port-22 rule below is added)
iptables -P INPUT DROP
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# allow ping
iptables -A INPUT -p icmp -j ACCEPT
# allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# allow the FTP passive port range; the range itself is set in the FTP server's configuration file
iptables -A INPUT -p tcp --dport 20000:30000 -j ACCEPT
# following felix: accept SMTP only from localhost and reject it from everywhere else
iptables -A INPUT -p tcp -m tcp --dport 25 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j REJECT
# allow DNS
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# allow http and https
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# allow packets that belong to established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# reject everything that was not explicitly allowed above
iptables -A INPUT -j REJECT    # Note: if port 22 was not added to the allow rules, the SSH session is cut off immediately
iptables -A FORWARD -j REJECT
# save the configuration
iptables-save > /etc/iptables
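The three persistence steps above and the rule set can be combined into one script. The following is an added example, not from the original page: it writes the same rules as an iptables-restore file (so policy and rules are committed together and there is no window with INPUT already at DROP but the port-22 rule not yet loaded), checks the file for the lockout the note above warns about, installs the if-pre-up.d hook, and only then loads the rules. The ESTABLISHED,RELATED rule is moved to the top because it matches most packets. PREFIX, the function names and the file name iptables-setup.sh are assumptions for this example; PREFIX is empty on a real host and a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example, not from the original page: build the page's rule set as an
# iptables-restore file, check it cannot lock out the SSH session that loads
# it, install the if-pre-up.d hook, and apply the file atomically.
# PREFIX is a hypothetical variable: empty on a real host, a scratch directory
# for a dry run.  The function names are assumptions for this example.
set -u

PREFIX="${PREFIX:-}"
RULES="${PREFIX}/etc/iptables"                     # same path the page uses
HOOK="${PREFIX}/etc/network/if-pre-up.d/iptables"

# Write the rule set in iptables-save format.  iptables-restore loads the
# policies and rules of a table in one commit, so there is no moment where
# INPUT is already DROP but the SSH and ESTABLISHED rules are not loaded yet.
write_ruleset() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 20000:30000 -j ACCEPT
-A INPUT -p tcp --dport 25 -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp --dport 25 -j REJECT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Refuse a file that would cut off the SSH session used to load it: the file
# must end in COMMIT (otherwise iptables-restore fails) and an ACCEPT for
# tcp/22 on INPUT must come before the first catch-all REJECT/DROP on INPUT.
check_ruleset() {
    f="$1"
    grep -q '^COMMIT$' "$f" || { echo "$f: missing COMMIT" >&2; return 1; }
    catchall=$(grep -n -E '^-A INPUT -j (REJECT|DROP)$' "$f" | head -n 1 | cut -d: -f1)
    sshline=$(grep -n -E '^-A INPUT .*--dport 22 .*-j ACCEPT$' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$sshline" ]; then
        echo "$f: no ACCEPT for tcp/22 on INPUT" >&2; return 1
    fi
    if [ -n "$catchall" ] && [ "$sshline" -gt "$catchall" ]; then
        echo "$f: tcp/22 ACCEPT comes after the catch-all rule on line $catchall" >&2; return 1
    fi
    return 0
}

# The boot hook from the page.  ifupdown only runs executable files in
# if-pre-up.d, so the chmod is part of the install, not an afterthought.
install_hook() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables
EOF
    chmod 0755 "$1"
}

# Load the file into the kernel.  --test parses the whole file without
# committing it, so a typo is reported before anything changes.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_ruleset: needs root and iptables-restore, skipping" >&2
        return 2
    fi
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

main() {
    write_ruleset "$RULES"
    check_ruleset "$RULES" || exit 1
    install_hook "$HOOK"
    apply_ruleset "$RULES"
    rc=$?
    [ "$rc" -eq 2 ] && echo "dry run: files written under ${PREFIX:-/}, nothing loaded" >&2
    return "$rc"
}

# Run main only when executed as iptables-setup.sh, not when sourced.
case "${0##*/}" in iptables-setup.sh) main ;; esac
```

PREFIX=/tmp/fw sh iptables-setup.sh writes the rules file and the hook under /tmp/fw and skips the apply step when not run as root; on the real host, run it as root with PREFIX unset. The check is deliberately narrow: it guards only against the specific mistake the note above describes (no port-22 ACCEPT, or one placed after the catch-all REJECT), not against every way of locking yourself out.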
Debian's iptables package does not install a service, so service iptables start reports "unrecognized service". To get one, add the script below to /etc/init.d/.
Save it as /etc/init.d/iptables, run chmod +x /etc/init.d/iptables to make it executable, and register it with update-rc.d iptables defaults so it runs at boot. Two things to watch: the script reads and writes /etc/iptables.conf, not the /etc/iptables used above, so pick one path and use it in both places; and its stop action saves the running rules before flushing them, so whatever is loaded at shutdown overwrites the saved file.
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start and stop iptables firewall
# Description:       start, stop and save iptables firewall
### END INIT INFO

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_CONFIG=/etc/iptables.conf

# Nothing to do if iptables is not installed
[ -x $IPTABLES ] || exit 0

. /lib/lsb/init-functions

case "$1" in
start)
    log_action_begin_msg "Starting firewall"
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
    if $IPTABLES_RESTORE < $IPTABLES_CONFIG; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
    ;;
stop)
    # Save the running rules first, then flush everything and open the policies
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE > $IPTABLES_CONFIG; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    log_action_begin_msg "Flushing all firewall rules from chains!"
    if $IPTABLES -F; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    log_action_begin_msg "Deleting all firewall chains [warning: accepting all PORT services!]"
    if $IPTABLES -X; then
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;
save)
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE > $IPTABLES_CONFIG; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;
force-reload|restart)
    # Rules are flushed before the restore, so the host is unfiltered until it completes
    log_action_begin_msg "Reloading firewall configuration [warning: potential NETWORK insecurity DURING RELOAD]"
    $IPTABLES -F
    $IPTABLES -X
    if $IPTABLES_RESTORE < $IPTABLES_CONFIG; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
    exit 1
    ;;
esac

exit 0
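Because the stop and save actions of the init script overwrite /etc/iptables.conf with whatever is currently loaded, it is worth knowing whether the running rules still match the saved file before that happens. The following is an added example, not part of the init script above: it compares two iptables-save dumps after stripping the parts that legitimately differ between runs (the "# Generated by" and "# Completed on" timestamp comments and the packet/byte counters), and a wrapper runs that comparison against the live tables when root. The function names, the normalisation rules and the sample dumps are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the page's init script: detect drift between the
# saved ruleset and the running one before "stop" or "save" overwrites the file.
# normalize_ruleset, ruleset_diff and live_drift are assumed names.
set -u

# Normalise an iptables-save dump: drop the comment lines (they carry
# timestamps that differ on every run), reduce any [pkts:bytes] counters to
# [0:0] (so dumps made with and without -c compare equal), and strip trailing
# whitespace.  Only policies, rules and COMMIT lines remain.
normalize_ruleset() {
    sed -e '/^#/d' \
        -e 's/\[[0-9]*:[0-9]*]/[0:0]/' \
        -e 's/[[:space:]]*$//' "$1"
}

# Exit 0 when the two dumps hold the same rules and policies, 1 when they
# differ (the unified diff is printed so the operator sees what changed).
ruleset_diff() {
    a=$(mktemp)
    b=$(mktemp)
    normalize_ruleset "$1" > "$a"
    normalize_ruleset "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}

# Compare the live tables against the saved file (default: the path the init
# script uses).  Needs root and iptables-save; returns 2 when it cannot run.
live_drift() {
    saved="${1:-/etc/iptables.conf}"
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-save >/dev/null 2>&1; then
        echo "live_drift: needs root and iptables-save" >&2
        return 2
    fi
    live=$(mktemp)
    iptables-save > "$live"
    if ruleset_diff "$saved" "$live"; then rc=0; else rc=1; fi
    rm -f "$live"
    return "$rc"
}
```

Typical use as root is live_drift /etc/iptables.conf && /etc/init.d/iptables save: the save only runs when nothing has drifted, and otherwise the printed diff shows which rule was added or removed by hand so the operator can decide which side is right.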
Configure firewall iptables under Debian