tutorial on the use of iptables firewalls in Debian VPS systems

Source: Internet
Author: User
Tags: chmod, centos, vps, iptables, linux


iptables is a packet-filtering management tool built on the Netfilter framework; its most important uses are as a firewall or a transparent proxy. iptables descends from ipchains and is more powerful. It provides three capabilities: packet filtering, NAT (network address translation), and general pre-routing packet mangling.

In the previous article I introduced the concepts and principles of iptables (iptables introduction and commands). In practice, many of the same commands are used again and again, so they are summarized here for easy reference.

Install iptables Firewall

If iptables is not installed yet, install it first. On CentOS run:

yum install iptables

On Debian/Ubuntu run:

apt-get install iptables

Note: most Linux distributions used on a VPS ship with iptables already installed.

Viewing and deleting of iptables rules

View Iptables Rules

The --line-numbers option at the end of the command prints a line number in front of each rule it outputs, which makes deleting a rule (shown below) convenient.

iptables -L -n --line-numbers

Clear existing Iptables rule

iptables -F    # flush all rules in all chains of the filter table
iptables -X    # delete all user-defined (empty) chains
iptables -Z    # zero the packet and byte counters

Delete an iptables rule

For example, to delete the rule on line 12 of the INPUT chain (the line number comes from the previous command):

iptables -D INPUT 12

Common rules for iptables

Open the specified port

# Allow the local host to talk to itself
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow traffic belonging to established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# For other ports the rules are the same; just adjust the port in the statements above
# Reject everything that has not been explicitly allowed (these two rules must stay last,
# because -A appends and iptables evaluates rules in order)
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Blocking IPs

If there are IPs you do not want to be able to reach the VPS (for many possible reasons, such as search-engine spiders or DoS attackers), you can use iptables to block them:

# If you only want to block IPs, the "Open the specified port" section above can be skipped.
# -I inserts the rule at the top of the chain, so the DROP is evaluated before any ACCEPT rule.
# Block a single IP:
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block a whole /8, i.e. 123.0.0.1 to 123.255.255.254:
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block a /16, i.e. 123.45.0.1 to 123.45.255.254:
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block a /24, i.e. 123.45.6.1 to 123.45.6.254:
iptables -I INPUT -s 123.45.6.0/24 -j DROP

Save Iptables Rule

On CentOS run:

service iptables save

Normally, once iptables is installed, starting it at boot is set up automatically, but on some CentOS systems this apparently does not happen; you can enable it manually with:

chkconfig --level 345 iptables on

Also note that on Debian/Ubuntu iptables does not save its rules by itself. Use the following steps to save the rules when the network interface goes down and load them again when it comes up.
Create the file /etc/network/if-post-down.d/iptables with the following content:

#!/bin/bash
# dump the running ruleset when the interface goes down
iptables-save > /etc/iptables.rules

Make it executable:

chmod +x /etc/network/if-post-down.d/iptables

Create the file /etc/network/if-pre-up.d/iptables with the following content:

#!/bin/bash
# load the saved ruleset before the interface comes up
iptables-restore < /etc/iptables.rules

Make it executable:

chmod +x /etc/network/if-pre-up.d/iptables
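As an added example (not part of the original article), the following script builds the "Common rules" ruleset from above directly in the iptables-save format that /etc/iptables.rules uses, so it can be generated on a workstation, sanity-checked, and then loaded by the if-pre-up.d script with iptables-restore. The port list, the blocked CIDR and the helper names gen_rules and check_rules are constructed for this example.

```shell
#!/bin/bash
# Added example: emit the article's ruleset in iptables-save format so it can be
# written to /etc/iptables.rules and loaded with iptables-restore. No iptables
# binary is needed to produce or check the file. Sample values are constructed.
ALLOW_PORTS="22 80"
BLOCK_CIDRS="123.45.6.0/24"
# gen_rules PORTS CIDRS
#   PORTS: space-separated TCP ports to accept; CIDRS: sources to DROP (may be empty).
# Order matters: DROPs first (the article inserts them with -I for the same reason),
# then loopback and established traffic, open ports, and the catch-all REJECT last.
gen_rules() {
    local ports="$1" cidrs="$2" p cidr
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for cidr in $cidrs; do
        echo "-A INPUT -s $cidr -j DROP"
    done
    echo '-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo '-A INPUT -j REJECT'
    echo '-A FORWARD -j REJECT'
    echo '-A OUTPUT -j ACCEPT'
    echo 'COMMIT'
}
# check_rules < FILE: structural check before handing the file to iptables-restore,
# which would reject a malformed file and leave the host with no rules at boot.
# Returns 0 for a single *filter table of chain policies and -A rules ending in COMMIT.
check_rules() {
    local body; body="$(cat)"
    [ "$(printf '%s\n' "$body" | head -n1)" = '*filter' ] || return 1
    [ "$(printf '%s\n' "$body" | tail -n1)" = 'COMMIT' ] || return 1
    printf '%s\n' "$body" | sed '1d;$d' \
        | grep -Evq '^(:(INPUT|FORWARD|OUTPUT) (ACCEPT|DROP) \[0:0\]|-A (INPUT|FORWARD|OUTPUT) .*-j (ACCEPT|DROP|REJECT))$' \
        && return 1
    return 0
}
# Usage: bash gen-rules.sh --emit > /etc/iptables.rules
if [ "${1:-}" = "--emit" ]; then
    gen_rules "$ALLOW_PORTS" "$BLOCK_CIDRS" | check_rules || { echo 'bad ruleset' >&2; exit 1; }
    gen_rules "$ALLOW_PORTS" "$BLOCK_CIDRS"
fi
```

After writing the file, iptables-restore < /etc/iptables.rules applies it atomically, and iptables -L -n --line-numbers from above shows the resulting order.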
