iptables provides packet filtering, network address translation (NAT) and other packet handling. Its two most common uses are building firewalls and NAT. Configuring iptables by hand is challenging for beginners, but there are front-end wizards and other tools to help.
To view the configured rules, run the following command:
iptables -L
On a fresh system it will output the following:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
With the policy set to ACCEPT and no rules in any chain, this allows everything: anyone can connect to any port from anywhere.
First, create a file for the new rules:
nano /etc/iptables.test.rules
Enter the following rules (iptables-restore format; the COMMIT line at the end is required or the table is not applied):
*filter
# Allows all loopback (lo0) traffic and drops all traffic
# to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections for script kiddies
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound: default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
# Apply the filter table
COMMIT
This looks complicated, but taken piece by piece it simply closes every inbound port except the ones we allow: port 80 and port 443 (the standard web ports) and the SSH port defined above. Everything else is logged (rate-limited to 5 entries per minute) and then rejected.
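Reading a ruleset by eye is error-prone, so here is a small audit script, added as an example and not part of the tutorial, that parses the iptables-restore file above and reports which inbound ports are accepted, which of those have no source (-s) restriction, whether the spoofed-loopback rule is present, and whether the INPUT chain really ends in a catch-all deny. The RULES string is a constructed copy of the tutorial's rules.

```python
import shlex

# Constructed sample: the tutorial's filter table in the format iptables-restore reads.
RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""
DENY = {"DROP", "REJECT"}


def parse_rules(text):
    """(chain, tokens) for each -A line; *filter, COMMIT and comments are skipped."""
    lines = [shlex.split(ln) for ln in text.splitlines() if ln.strip().startswith("-A")]
    return [(t[1], t[2:]) for t in lines]


def target(tokens):
    """Jump target of a rule, or None if the rule has no -j."""
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def audit(text):
    """Summarise the INPUT chain: accepted ports, which lack a source restriction,
    whether spoofed-loopback traffic is rejected, and whether it ends in a deny."""
    inbound = [tokens for chain, tokens in parse_rules(text) if chain == "INPUT"]
    open_ports, unrestricted = [], []
    for t in inbound:
        if "--dport" in t and target(t) == "ACCEPT":
            entry = (t[t.index("-p") + 1], int(t[t.index("--dport") + 1]))
            open_ports.append(entry)
            if "-s" not in t:  # no -s match: reachable from any source address
                unrestricted.append(entry)
    loopback_guard = any(
        "!" in t and "lo" in t and "127.0.0.0/8" in t and target(t) in DENY for t in inbound)
    last = inbound[-1] if inbound else []  # a catch-all deny is just '-j DROP' or '-j REJECT'
    default_deny = len(last) == 2 and target(last) in DENY
    return {"open_ports": open_ports, "unrestricted": unrestricted,
            "loopback_guard": loopback_guard, "default_deny": default_deny}
```

Running audit(RULES) on the tutorial's rules lists ports 80, 443 and 30000 as open to any source, which is exactly the point the comments about restricting SSH to certain IPs are making.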
Activate these new rules:
iptables-restore < /etc/iptables.test.rules
Let's take a look at the difference:
iptables -L
You can see that only the ports defined above are open and everything else is closed. If this is what you want, save the rules to the file iptables will load from:
iptables-save > /etc/iptables.up.rules
To make sure the rules are restored when the machine reboots, create a new file:
nano /etc/network/if-pre-up.d/iptables
Enter the following content:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
Make it executable:
chmod +x /etc/network/if-pre-up.d/iptables