Configure Linux with Iptables to prohibit all ports from landing and opening designated ports

Source: Internet
Author: User

From:http://www.myhack58.com/article/sort099/sort0102/2011/31781.htm

1. Close all INPUT FORWARD OUTPUT only for certain ports.
Here is the command implementation:

Iptables-p INPUT DROP
Iptables-p FORWARD DROP
Iptables-p OUTPUT DROP

Then use the command iptables-l-N to see if it's set up, good-looking to all DROP
Such a setup, we are only temporary, restart the server or will restore the original not set the state
and save with service Iptables save
See information firewall rules Firewall rule is actually saved in/etc/sysconfig/iptables
can open File View Vi/etc/sysconfig/iptables
2.
Below I only open 22 port, see how I operate, is the following 2 statements

Iptables-a input-p tcp–dport 22-j ACCEPT
Iptables-a output-p tcp–sport 22-j ACCEPT

To see if the next Iptables-l-N is added, see added

Chain INPUT (Policy DROP)
Target Prot opt source destination
ACCEPT tcp–0.0.0.0/0 0.0.0.0/0 TCP dpt:22

Chain FORWARD (Policy DROP)
Target Prot opt source destination

Chain OUTPUT (Policy DROP)
Target Prot opt source destination
ACCEPT tcp–0.0.0.0/0 0.0.0.0/0 TCP spt:22

Now the Linux server only opened 22 ports, with Putty.exe test whether you can link up.
Can be linked up, stating that there is no problem.

Finally, don't forget to save your firewall settings
Save by Command: Service iptables save

Iptables-a input-p tcp–dport 22-j ACCEPT
Iptables-a output-p tcp–sport 22-j ACCEPT
Do some explaining to these 2 commands.
The-a parameter is considered a rule to add an INPUT
-p Specifies what protocol we commonly use for the TCP protocol, and of course there are UDP such as 53-port DNS
By the time we're going to configure DNS for Port 53, you'll find that using the UDP protocol

And –dport is the target port when the data goes from outside to the server as the destination port
Conversely, data from the server is used for the data source port –sport

-J is designated as accept or DROP not receive
3. Prohibit an IP access
1 Linux servers, 2 Windows XP operating systems access
Linux Server IP 192.168.1.99
XP1 ip:192.168.1.2
XP2 ip:192.168.1.8

Let's take a look at the 2 XP I can access.

192.168.1.2 This is what XP1 can access,
192.168.1.8 XP2 is also available for normal access.

So now I'm going to ban 192.168.1.2 xp1 access, XP2 normal access,
Here's a look at the demo

by command iptables-a input-p tcp-s 192.168.1.2-j DROP
This means that the-A is the addition of new rules, what are the rules? As we visit the website using TCP,
We use-p TCP, if it is UDP to write UDP, here with TCP,-S is the source of meaning,
IP comes from 192.168.1.2,-j How do we reject it here should be DROP

Well, look at the effect. Good to add success. Verify that the following is in effect

The wait state has been present for the last time the page cannot be displayed, this is 192.168.1.2 XP1 's access was denied.

Then see if another XP can be accessed, is the normal access to the 192.168.1.8 is able to access the normal
4. How to delete a rule
First of all we need to know the number of this rule, each rule has a number

-n–line-number can show rules and relative numbers by iptables-l
num  target     prot opt source                Destination
1    DROP        tcp –  0.0.0.0/0             0.0.0.0/0           TCP dpt:3306
2     drop       tcp –  0.0.0.0/0             0.0.0.0/0           TCP dpt:21
3    drop       tcp –  0.0.0.0/0             0.0.0.0/0            TCP dpt:80
has more num This column, so we can see that the rule just corresponds to the number 2

Then we can delete it.
Iptables-d INPUT 2
Delete the input chain number 2 rule.

Again Iptables-l-n view has been cleared.
5. Filter Invalid Packets
If someone enters the server, or has a virus trojan, it can transfer data out of the 22,80 port like a server

Configure Linux with Iptables to prohibit all ports from landing and opening designated ports

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.