From:http://www.myhack58.com/article/sort099/sort0102/2011/31781.htm
1. Close all INPUT, FORWARD and OUTPUT traffic, and only open certain ports.
Here are the commands that implement this:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Then use the command iptables -L -n to check whether it took effect; you can see that all three chains are set to DROP.
Such a setup is only temporary: after the server restarts it will return to the original, unconfigured state,
so save it with service iptables save.
The firewall rules are actually saved in /etc/sysconfig/iptables.
You can open the file to view them with vi /etc/sysconfig/iptables.
2.
Below I only open port 22. Here is how I do it, with the following 2 statements:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Check with iptables -L -n whether they have been added. You can see that they were added:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
Now the Linux server has only port 22 open. Use putty.exe to test whether you can connect.
If you can connect, there is no problem.
Finally, don't forget to save your firewall settings.
Save with the command: service iptables save
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Some explanation of these 2 commands.
The -A parameter appends a rule to the chain named after it, here INPUT (and OUTPUT in the second command).
-p specifies the protocol. We commonly use TCP, but of course there is also UDP, for example DNS on port 53;
when we come to configure DNS on port 53, you will find that it uses the UDP protocol.
--dport is the destination port, used when data comes from outside to the server, with the server as the destination.
Conversely, data leaving the server is matched on its source port, --sport.
-j specifies the action: ACCEPT to accept, or DROP to refuse.
3. Prohibit access from a single IP
Setup: 1 Linux server, and 2 Windows XP machines accessing it.
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8
Let's take a look at whether the 2 XP machines can access the server.
192.168.1.2, XP1, can access it,
and 192.168.1.8, XP2, can also access it normally.
So now I am going to ban XP1 (192.168.1.2) from accessing, while XP2 keeps normal access.
Here is the demo.
Use the command: iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
This means: -A appends a new rule. What rule? Since we visit the website using TCP,
we use -p tcp (if it were UDP we would write udp; here it is tcp). -s means source:
the IP comes from 192.168.1.2. -j is how we handle it; here we want to reject, so DROP.
Now look at the effect. It was added successfully. Verify that it is in effect:
the page keeps waiting and finally cannot be displayed, which means access from 192.168.1.2 (XP1) was denied.
Then check whether the other XP can still access: 192.168.1.8 is still able to access normally.
4. How to delete a rule
First of all we need to know the number of the rule; each rule has a number.
iptables -L -n --line-numbers shows the rules together with their numbers:
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
There is one more column, num, so we can see that the rule we just added corresponds to number 2.
Then we can delete it:
iptables -D INPUT 2
This deletes rule number 2 in the INPUT chain.
Run iptables -L -n again and you can see that it has been removed.
5. Filter Invalid Packets
If someone gets into the server, or it has a virus or trojan, it can transfer data out through ports such as 22 and 80 just like the server itself does.
Configure Linux with iptables to deny all ports and open only the designated ones.
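The whole procedure from sections 1 to 5 gathered into one script, as an added example that is not code from the original article. It assumes the article's own values (port 22, blocked host 192.168.1.2) and a RHEL/CentOS style "service iptables save"; the DRY_RUN variable, the ipt and lockdown functions and the "run" argument are this example's own, and the stateful conntrack rules are used in place of the article's "--sport 22" OUTPUT rule.

```shell
#!/bin/sh
# Added example, not code from the original article. It applies the article's
# whole lockdown (sections 1-5) as one reviewable script. With DRY_RUN=1 the
# iptables commands are printed instead of executed, so the rule set can be
# checked before it is applied over the very SSH session it will restrict.
SSH_PORT=22                # the only port the article opens
BLOCKED_IP=192.168.1.2     # the article's XP1; assumed value, change for your LAN

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

lockdown() {
    # Section 1: default-deny on all three built-in chains.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Section 5: drop packets conntrack cannot classify (bad TCP flags, replies
    # to connections it never saw), then allow traffic that belongs to a
    # connection already accepted. This replaces the article's stateless
    # "-A OUTPUT -p tcp --sport 22 -j ACCEPT": outbound traffic is allowed only
    # as a reply, so a process cannot talk out merely by using source port 22.
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Section 3: the blocked host goes BEFORE the port-22 ACCEPT. iptables stops
    # at the first matching rule, so appending this DROP after the ACCEPT (the
    # order the article uses) would still let 192.168.1.2 reach SSH.
    ipt -A INPUT -s "$BLOCKED_IP" -j DROP
    # Section 2: accept new connections only to the SSH port.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Section 1: rules live in memory only until "service iptables save".
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "service iptables save"
    else
        service iptables save
    fi
}

# Usage: DRY_RUN=1 sh lockdown.sh run  (review), then  sh lockdown.sh run  (apply)
case "${1:-}" in
    run) lockdown ;;
esac
```

Review the dry-run output with the iptables -L -n --line-numbers listing from section 4 in mind: the order printed is the order the rules are matched.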