Configure iptables firewall in Centos

Source: Internet
Author: User

The system is CentOS 6, on which iptables is installed by default. Basic operations of the iptables service:

    service iptables start
    service iptables stop
    service iptables restart
    service iptables status   # if the service is not started, the system says so; otherwise it lists the filter rules that have been added
    service iptables save     # saves the added rules

Remember to clear the existing iptables rules whenever you change the ruleset:

    iptables -F
    iptables -X
    iptables -Z

To view the added rules, run iptables -L -n. To list them with their serial numbers, run iptables -L -n --line-numbers. For example, to delete the rule with serial number 8 in INPUT, run iptables -D INPUT 8.

Before adding the various filter rules, first run service iptables status. The following table lists the filter rules that have been added (this is the final ruleset the rest of the article builds up to):

    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target  prot  opt  source     destination
    1    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:21
    2    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:20
    3    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
    4    ACCEPT  icmp  --   0.0.0.0/0  0.0.0.0/0
    5    ACCEPT  all   --   127.0.0.1  127.0.0.1
    6    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:80
    7    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    tcp dpt:22
    8    REJECT  all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    num  target  prot  opt  source     destination
    1    REJECT  all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    num  target  prot  opt  source     destination
    1    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0

The server mainly runs apache and ftp: apache uses port 80 and vsftpd needs ports 20 and 21. You also need to log on via ssh (port 22). Now let's look at how to add these rules step by step. First, allow SSH logon to the system, because all of these operations are performed on the server remotely over ssh.
If port 22 gets filtered out, you are locked out of the session. Shell code:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This adds a rule to the INPUT chain (-A appends to the end, -I inserts at the beginning) that accepts all tcp traffic to destination port 22. Likewise, in the OUTPUT chain run:

    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Next, open all outbound data; otherwise programs using other, unknown ports on the server will not work properly:

    iptables -A OUTPUT -j ACCEPT

There is no special situation on the FORWARD chain, so reject everything there:

    iptables -A FORWARD -j REJECT

Because the order in which rules are added is very important, all INPUT data is also rejected by default, and the specific ports are added afterwards. Since the rule opening port 22 has already been added, the default reject rule is appended to the end of INPUT:

    iptables -A INPUT -j REJECT

Then add apache's port 80 to allow requests to the server:

    iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Allow the local loopback interface (that is, the local machine accessing itself):

    iptables -I INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Allow ping, so that other machines can ping this server (since all OUTPUT is accepted, it can certainly ping other machines). ping uses the icmp protocol, which has no port number, so the rule is added like this:

    iptables -I INPUT -p icmp -j ACCEPT

Allow all established or related connections:

    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Finally, add ports 20 and 21 required by ftp:

    iptables -I INPUT -p tcp --dport 20 -j ACCEPT
    iptables -I INPUT -p tcp --dport 21 -j ACCEPT

All the rules have now been added; you can see the filter list shown at the beginning via service iptables status. Next, let's test it. SSH logon and WEB access to apache work without problems, but ftp cannot even connect. Strange: weren't ports 20 and 21 both added?
Searching the internet turned up that iptables also needs a kernel module loaded to handle ftp, mainly ip_nat_ftp:

    # lsmod | grep ftp        (check whether the ftp module is loaded)
    # modprobe ip_nat_ftp     (load the ftp module)
    # lsmod | grep ftp        (check again that the module is now loaded)

After modprobe ip_nat_ftp is executed, ftp can indeed be accessed normally. (The helper tracks the ftp control connection on port 21 and marks the data connection it negotiates as RELATED, so the ESTABLISHED,RELATED rule admits it.) However, it was annoying to find that after each service iptables save, lsmod | grep ftp no longer found the module. Solution: open /etc/sysconfig/iptables-config in vim. This is the configuration file of the iptables service; its content includes the following:

    # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
    # are loaded after the firewall rules are applied. Options for the helpers are
    # stored in /etc/modprobe.conf.
    IPTABLES_MODULES=""

    # Unload modules on restart and stop
    #   Value: yes|no,  default: yes
    # This option has to be 'yes' to get to a sane state for a firewall
    # restart or stop. Only set to 'no' if there are problems unloading netfilter
    # modules.
    IPTABLES_MODULES_UNLOAD="yes"

Of course the file contains further parameters; these are the two that matter here. The comment on the second one, IPTABLES_MODULES_UNLOAD="yes", makes clear that each time iptables is stopped or restarted it unloads the modules. Now look at the first parameter, IPTABLES_MODULES="": its comment says these are the modules loaded after the firewall rules are applied. Change it to IPTABLES_MODULES="ip_nat_ftp" and the problem is solved.
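The whole procedure as one script, as an added example that is not part of the original post: apply_rules issues the article's iptables commands in the order that keeps the ssh rule above the INPUT reject, and set_nat_helper (a hypothetical helper) persists the ftp module in an iptables-config file. It assumes CentOS 6 with the iptables service and root privileges; the DRY_RUN switch is this script's own addition for previewing the commands.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the INPUT/FORWARD/OUTPUT
# rules in the article's order and persists the ftp NAT helper.
# With DRY_RUN=1 the commands are only printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Start from a clean slate: flush rules, delete user chains, zero counters.
    run iptables -F
    run iptables -X
    run iptables -Z
    # Keep the remote ssh session alive before anything gets rejected.
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    run iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    # Everything outbound is allowed; nothing is forwarded.
    run iptables -A OUTPUT -j ACCEPT
    run iptables -A FORWARD -j REJECT
    # Default reject at the END of INPUT; later rules are inserted above it with -I.
    run iptables -A INPUT -j REJECT
    run iptables -I INPUT -p tcp --dport 80 -j ACCEPT
    run iptables -I INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    run iptables -I INPUT -p icmp -j ACCEPT
    run iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I INPUT -p tcp --dport 20 -j ACCEPT
    run iptables -I INPUT -p tcp --dport 21 -j ACCEPT
    run service iptables save
}

# Set IPTABLES_MODULES="<helper>" in an iptables-config file so the helper is
# reloaded after every restart. $1 = path to the file, $2 = module name.
# Returns non-zero if the line was not rewritten.
set_nat_helper() {
    sed -i "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$2\"/" "$1"
    grep -q "^IPTABLES_MODULES=\"$2\"\$" "$1"
}

# Usage on the real server (as root):
#   apply_rules && set_nat_helper /etc/sysconfig/iptables-config ip_nat_ftp
```

Preview the exact command sequence first with DRY_RUN=1 apply_rules before running it for real over ssh.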
