Step 1: first confirm that iptables is installed on your system. Open an SSH terminal and enter
whereis iptables
If you see output similar to the following, iptables is installed:
iptables: /sbin/iptables /usr/share/man/man8/iptables.8.gz
If the output is different, or there is no output at all, iptables may not be installed on your Debian system. Run the following command to install it:
sudo apt-get install iptables
Note: all the commands in this document are run from an ordinary user account that is allowed to obtain root permissions through sudo. We do not recommend using the root user directly.
Step 2: view the current iptables configuration
You can view it with the following command:
sudo iptables -L
If this is the first time you install and configure iptables, you will probably see the following result:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This result means the firewall accepts all traffic, exactly as if no firewall were configured.
Step 3: configure iptables
To configure iptables, we first save a basic rules file, which is used for testing:
sudo vim /etc/iptables.test.rules
Enter the following rules in this file. This is the basic configuration provided officially by Debian.
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections for script kiddies
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Save this file and load the rules so that they take effect. Note that iptables does not need to be restarted; the rules apply as soon as they are loaded:
sudo iptables-restore < /etc/iptables.test.rules
Then check the current configuration again. All the rules you entered should now be in effect:
sudo iptables -L
Step 4: save the working configuration so that it is loaded automatically when the system restarts.
iptables lets you save the currently running rules:
iptables-save > /etc/iptables.up.rules
Note: if the current user is not root, this command fails with a permission error even when run with sudo, because the output redirection (>) is performed by your own shell, not by sudo. To run it you must become root; sudo -i switches to the root account quickly, and su username switches back to the ordinary account afterwards.
To load the rules automatically after the server restarts, create the following file:
sudo vim /etc/network/if-pre-up.d/iptables
with the following content:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
Finally, make this file executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Step 5: others
If you want to allow an IP range to access all services, add -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.199 -j ACCEPT to the rules file (above the final -A INPUT -j REJECT line, since rules are evaluated in order) and load it again as in step 3. Note that iptables.test.rules is not mandatory; it only lets you test your changes before saving them as the permanent configuration.
Here are some port configuration rules I have collected for the iptables firewall on Linux.
iptables rules are applied from top to bottom: the first rule that matches a packet decides its fate, and later rules, even conflicting ones, are ignored.
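To see why rule order matters, here is an added example in Python (not part of the original tutorial): a small first-match simulator for the INPUT chain of an iptables-restore file. It parses a constructed copy of the Step 3 rules with the Step 5 iprange rule appended after the final REJECT, treats ACCEPT, DROP and REJECT as terminating and LOG as non-terminating, and shows that the appended rule is unreachable until it is moved above the REJECT; only the match options used in this tutorial are modelled.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: the Step 3 INPUT rules, plus the Step 5 iprange rule appended after REJECT.
RULES = """*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A INPUT -m iprange --src-range 192.168.1.1-192.168.1.199 -j ACCEPT
COMMIT"""

def parse_chain(text, chain):
    """Rules appended to `chain`, each as {option: (negated, value)}."""
    rules = []
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok[:2] != ["-A", chain]:
            continue
        opts = []
        for t in tok[2:]:                      # fold "!" into the option it negates: "! -i" -> "!-i"
            opts.append(opts.pop() + t if opts and opts[-1] == "!" else t)
        rules.append({k.lstrip("!"): (k.startswith("!"), v) for k, v in zip(opts[::2], opts[1::2])})
    return rules

def matches(rule, pkt):
    # Only the match options this tutorial uses are modelled; -m, -j, --limit etc. are ignored.
    checks = {
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "-d": lambda v: ip_address(pkt["dst"]) in ip_network(v),
        "--dport": lambda v: pkt["dport"] == int(v),
        "--state": lambda v: pkt["state"] in v.split(","),
        "--src-range": lambda v: ip_address(v.split("-")[0]) <= ip_address(pkt["src"]) <= ip_address(v.split("-")[1]),
    }
    for key in rule.keys() & checks.keys():
        neg, val = rule[key]
        if checks[key](val) == neg:            # plain match failed, or negated match hit
            return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; LOG is not terminal, so evaluation continues past it."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt) and rule["-j"][1] in ("ACCEPT", "DROP", "REJECT"):
            return rule["-j"][1], n            # (deciding target, 1-based rule number)
    return policy, None                        # fell off the end: the chain policy applies
```

Moving the iprange rule above the REJECT (as Step 5 intends) is what makes the intranet range match; appended after it, the rule is dead.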
eth0: network interface connected to the internal network
eth1: network interface connected to the external network
lo: local loopback interface
1. Discard all ftp packets from the Internet, but allow them from the intranet
iptables -A INPUT -i lo -j ACCEPT    (allow all traffic within the local machine; required)
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT    (open port 21 on the local machine, the ftp control port)
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT    (open port 20 on the local machine, the ftp data port)
iptables -A INPUT -i eth1 -j DROP    (drop every packet arriving on eth1, which blocks ftp from outside)
2. Allow ssh and disable telnet
iptables -A INPUT -i lo -j ACCEPT    (allow all traffic within the local machine; required)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
(open port 22 on the local machine, the ssh service port)
iptables -A INPUT -i eth1 -p tcp --dport 23 -j DROP    (close port 23 on the local machine, the telnet service port), or iptables -A INPUT -i eth0 -j DROP
3. Prevent other hosts from pinging the local machine
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP    (0/0 means all networks)
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 192.168.29.1 -j DROP    (192.168.29.1 is the local ip)
iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.29.1 -j ACCEPT
With this configuration you can ping other hosts, but other hosts cannot ping yours.
4. Block access to port 21 (ftp) and port 80 (web)
iptables -A INPUT -i eth1 -p tcp --dport 21 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP
5. Block all udp ports
iptables -A INPUT -i eth0 -p udp -j DROP
iptables -A INPUT -i eth1 -p udp -j DROP
6. Block external email traffic but allow internal email (pop3 on port 110, smtp on port 25)
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 25 -j DROP    (-o selects the outgoing interface; -i is not valid in the OUTPUT chain)
iptables -A OUTPUT -o eth1 -p tcp --sport 110 -j DROP
7. Block two specific networks from accessing the local machine
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/16 -j DROP
8. Allow inbound access to a specific port, but block outbound access to that port
iptables -A INPUT -i eth1 -p tcp --dport [port number] -j ACCEPT    (--dport requires -p tcp or -p udp)
iptables -A OUTPUT -o eth1 -p tcp --dport [port number] -j DROP
Configure a static iptables firewall
Initialize the firewall
iptables -F    # --flush [chain]: delete all rules in the chain, or in all chains
iptables -X    # --delete-chain [chain]: delete a user-defined chain
iptables -Z    # --zero [chain]: zero the packet and byte counters in the chain, or in all chains
Before using iptables to configure your own firewall, you must first clear any previously configured rules.
Configuration rules:
Configure the default policy
iptables -P INPUT DROP
This command sets the default policy of the INPUT chain to DROP, so every packet entering the computer that matches no rule is discarded. If you now run ping 127.0.0.1, ping appears to hang, because it never receives any reply packets.
Create custom chains
iptables -N MYINPUT
iptables -N MYDROPLOG
Add rules
iptables -A INPUT -j MYINPUT
This rule sends every packet entering the computer to the custom chain for filtering.
iptables -A MYINPUT -p icmp -j ACCEPT
Now run ping 127.0.0.1 again. Is the result the same as before?
If you want to access web services:
iptables -A MYINPUT -p tcp --sport 80 -j ACCEPT
iptables -A MYINPUT -p udp --sport 53 -j ACCEPT
These two rules match only on the remote source port, so they also admit unsolicited packets that any host sends from port 80 or 53; the ESTABLISHED,RELATED state match used in step 3 is the stricter way to allow replies.
iptables -A MYINPUT -j MYDROPLOG
iptables -A MYDROPLOG -j DROP
Record logs
iptables -I MYDROPLOG 1 -j LOG --log-prefix '[IPTABLES DROP LOGS]: ' --log-level debug
In this way every discarded packet is recorded, and the log provides detailed information about network access attempts. At this point a basic static personal firewall has been built, which can be refined further to meet other requirements.
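As an added example (not from the original tutorial), the following Python parses the lines that the LOG rule above writes to the kernel log, as shown by dmesg, and summarises the dropped packets per source address; the dmesg lines are constructed samples in the kernel's LOG-target format, and the scan_threshold value is an assumption chosen for illustration.

```python
from collections import Counter, defaultdict

LOG_PREFIX = "[IPTABLES DROP LOGS]: "     # must match the --log-prefix given to the LOG rule

# Constructed dmesg excerpt in the kernel LOG-target format (not a real capture; MAC= field omitted).
SAMPLE_DMESG = """\
[  812.101] [IPTABLES DROP LOGS]: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.29.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=101 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
[  812.204] [IPTABLES DROP LOGS]: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.29.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=102 DF PROTO=TCP SPT=51001 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
[  812.305] [IPTABLES DROP LOGS]: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.29.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=103 DF PROTO=TCP SPT=51002 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
[  813.011] [IPTABLES DROP LOGS]: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.29.1 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=77 PROTO=ICMP TYPE=8 CODE=0 ID=4660 SEQ=1
[  813.900] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

def parse_drop_log(line):
    """Return the KEY=VALUE fields of one LOG-target line, or None if the line is not one."""
    if LOG_PREFIX not in line:
        return None
    fields = {"flags": []}
    for tok in line.split(LOG_PREFIX, 1)[1].split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            fields["flags"].append(tok)         # bare words such as DF or SYN
    return fields

def summarize(dmesg_text, scan_threshold=3):
    """Count dropped packets per source address and flag sources that probed
    at least `scan_threshold` distinct TCP/UDP ports (the threshold is an assumption)."""
    drops = Counter()
    ports = defaultdict(set)
    for line in dmesg_text.splitlines():
        f = parse_drop_log(line)
        if f is None:
            continue
        drops[f["SRC"]] += 1
        if "DPT" in f:                          # ICMP lines carry TYPE/CODE instead of DPT
            ports[f["SRC"]].add(int(f["DPT"]))
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return {"drops": dict(drops), "scanners": scanners}
```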
View the firewall
iptables -L --line-numbers