Home > Developer > Linux

Linux iptables settings in detail

Source: Internet
Author: User
Tags ssh port
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Your own example:

-A input-s 192.168.28.68-p tcp--dport 1000-j ACCEPT

172.168.XX.XX in the Internal network open 1000 this port

In any case, iptables is a need for special care to set up something, in the event that the server is not around you, and you rushed to set up to prevent SSH, then wait for the boss scold it, hehe ...

The content is written to prevent this from happening, of course, it is very elementary, but the general server is enough:

1. First introduce the instructions and related configuration files

    1. Start command: Service iptables start
    2. Restart command: Service iptables restart
    3. Shutdown command: Service iptables stop
    5. Then the related configuration:/etc/sysconfig/iptables
    6. How do I operate the configuration?
    7. Vim/etc/sysconfig/iptables
    8. And then go in and modify it, how to do? A lot of people here will think of/etc/rc.d/init.d/iptables save instructions, but once you do this you have just made the changes in white ...
    9. The specific methods are:
    10. The only way to modify/etc/sysconfig/iptables to take effect is to modify the service iptables restart before calling/etc/rc.d/init.d/iptables save.
    11. Because/etc/rc.d/init.d/iptables save will reload when the Iptables service starts, if you call/etc/rc.d/init.d/iptables save directly before restarting, you
    12. /etc/sysconfig/iptables configuration is rolled back to the last boot service configuration, this must be noted!!!

2. Here are some instructions to use (mainly or man iptables to see the relevant information)

    1. -A: Specify the chain name
    2. -P: Specify protocol type
    3. -D: Specify the destination address
    4. --dport: Specify the destination port (destination port destination)
    5. --sport: Specifies the source port (source port)
    6. -j: Specifying an action type

3. If I do not like to change the file Direct command can, of course, no problem, the steps are as follows:

    1. For example, I gave the SSH release statement:
    2. Add INPUT Record: iptables-a input-p tcp--dport -j ACCEPT
    3. Add OUTPUT Record: iptables-a output-p tcp--sport -j ACCEPT
    4. Finally, note that you need to execute/etc/init.d/iptables save so that the two statements are saved to the/etc/sysconfig/iptables file just now.

4. Next explain the steps, if the machine is not around me, I can only ssh in to do iptables rules, then I must pay attention to every step, do not make a mistake, or SSH link is not possible!

  2. The first thing to do is to give our SSH to accept the configuration, so as not to directly connect the situation occurs:
  4. 1. If the SSH port is 22 (it is not recommended to use the default port, it is best to change the SSH port)
  6. Iptables-a input-p TCP--dport 22-j ACCEPT
  8. Iptables-a output-p TCP--sport 22-j ACCEPT
  10. Note that to/etc/rc.d/init.d/iptables save, it is best to execute this statement again at each of the following steps, which is no longer described below.
  14. 2.vim/etc/sysconfig/iptables determines if the configuration has been added and can be executed after service iptables restart restart
  18. 3. The following is a very dangerous operation, if you did not do the first step will directly lead to you can not connect to SSH, this step before you remember to perform the first step!!!
  20. Iptables-p INPUT DROP
  22. Iptables-p OUTPUT DROP
  24. Iptables-p FORWARD DROP
  26. This step is to all the rules that do not conform to their own configuration of the connection all drop off, after the execution if we have not lost ssh, then thank goodness, security, restart the next iptables after the following configuration!
  30. 4. I will not elaborate on the following, specifically to see the server to open which ports or to access which ports to do the specific configuration, the following is the configuration of my own machine:
  34. The/etc/sysconfig/iptables file is configured as follows:
  36. # Generated by Iptables-save v1.4.7 on Fri Mar 2 19:59:43 2012
  38. *filter
  40. : INPUT DROP [0:0]
  42. : FORWARD DROP [0:0]
  44. : OUTPUT DROP [8:496]
  46. -A input-m state--state related,established-j ACCEPT
  48. #ping使用的端口
  50. -A input-p icmp-j ACCEPT
  52. -A input-i lo-j ACCEPT
  54. -A input-s 127.0.0.1/32-d 127.0.0.1/32-j ACCEPT
  56. -A input-s 192.168.2.200/32-d 192.168.2.200/32-j ACCEPT
  58. #允许服务器自己的SSH (the server is the target for external requests, so use--dport)
  60. -A input-p tcp-m tcp--dport 22-j ACCEPT
  62. #80端口不用说了吧, server Web Access port
  64. -A input-p tcp-m tcp--dport 80-j ACCEPT
  66. -A input-p tcp-m tcp--dport 3306-j ACCEPT
  68. -A input-p tcp-m tcp--dport 11211-j ACCEPT
  70. -A input-p tcp-m tcp--dport 11212-j ACCEPT
  72. -A forward-j REJECT--reject-with icmp-host-prohibited
  74. #53端口是DNS相关, both TCP and UDP are configured
  76. -A input-p tcp-m tcp--dport 53-j ACCEPT
  78. -A input-p udp-m UDP--dport 53-j ACCEPT
  80. #ping使用的端口
  82. -A output-p icmp-j ACCEPT
  84. -A output-s 127.0.0.1/32-d 127.0.0.1/32-j ACCEPT
  86. -A output-s 192.168.2.200/32-d 192.168.2.200/32-j ACCEPT
  88. #允许服务器SSH到其他机器 (use--dport with external ports)
  90. -A output-p tcp-m tcp--dport 22-j ACCEPT
  92. #允许服务器自己的SSH (use--sport for self-source output)
  94. -A output-p tcp-m tcp--sport 22-j ACCEPT
  96. #访问外部网站80端口 (use--dport with external ports)
  98. -A output-p tcp-m tcp--dport 80-j ACCEPT
  100. #如果服务器需要访问外部网站, the output also needs to be configured with Port 53 (use--dport with external ports)
  102. -A output-p tcp-m tcp--dport 53-j ACCEPT
  104. -A output-p udp-m UDP--dport 53-j ACCEPT
  106. #如果有访问外部邮箱, open the mailbox-related ports (use--dport with external ports)
  108. -A output-p tcp-m tcp--dport 465-j ACCEPT
  110. -A output-p tcp-m tcp--dport 25-j ACCEPT
  112. -A output-p tcp-m tcp--dport 110-j ACCEPT
  114. #服务器网站访问端口 (use--sport for self-source output)
  116. -A output-p tcp-m tcp--sport 80-j ACCEPT
  118. -A output-p tcp-m tcp--sport 3306-j ACCEPT
  120. -A output-p tcp-m tcp--sport 11211-j ACCEPT
  122. -A output-p tcp-m tcp--sport 11212-j ACCEPT
  124. COMMIT
  126. # completed on Fri Mar 2 19:59:43 2012

5. May sometimes need to delete the rules, the simplest is to modify the/etc/sysconfig/iptables and then service iptables restart, and finally/etc/rc.d/init.d/iptables save.

Of course, you can also use instructions to complete:

  2. On the internet to find a bit, delete the rule method:
  4. The syntax is: iptables-d chain rulenum [Options]
  6. Where: Chain is the meaning of the chain, that is, input FORWARD and the like
  8. Rulenum is the number of the rule. Starting from 1. You can use--line-numbers to list the number of rules
  12. So, for example, if you want to delete a rule from the input chain, you can do this: iptables-d input 3
  14. This means deleting the 3rd rule.
  16. There's a second way. The second approach is a mapping of the-a command, but replaces-A with-D. This is useful when the rules in your chain are complex and you don't want to count their numbers. In other words, how do you use iptables-a .... Statement defines a rule, the rule is deleted by using-D instead of-the rest of it is the same.
  18. ======================
  20. Say the--line-numbers option above, as in the following command:
  22. Iptables-l input--line-numbers lists all the rules of the input chain
  24. Num Target prot opt source destination
  26. 1 REJECT TCP-anywhere anywhere TCP Dpt:microsoft-ds Reject-with icmp-port-unreachable
  28. 2 REJECT TCP-Anywhere anywhere TCP dpt:135 Reject-with icmp-port-unreachable
  30. 3 REJECT TCP-Anywhere anywhere TCP DPT:NETBIOS-SSN Reject-with icmp-port-unreachable
  34. ...
  36. ...
  38. To delete a specified row rule:
  40. [[email protected] rc.d]# iptables-d INPUT 4

6. Finally, if you want a separate open port for an IP, you can configure it as follows:

    1. If I need to open a MySQL port on a single machine in the intranet, it should be configured as follows:
    2. Iptables-a input-s 192.168.2.6-p tcp-m tcp--dport 3306-j ACCEPT
    3. Iptables-a output-s 192.168.2.6-p tcp-m tcp--sport 3306-j ACCEPT

7. Completely prohibit an IP access:

    1. #屏蔽单个IP的命令是
    2. Iptables-i input-s 123.45.6.7-j DROP
    3. #封整个段即从123.0.0.1 to 123.255.255.254 command
    4. Iptables-i input-s 123.0.0.0/8-j DROP
    5. #封IP段即从123.45.0.1 to 123.45.255.254 command
    6. Iptables-i input-s 124.45.0.0/16-j DROP
    7. #封IP段即从123.45.6.1 to 123.45.6.254 command is
    8. Iptables-i input-s 123.45.6.0/24-j DROP
    9. The command i is an insert instruction but the directive inserts in the correct position and does not look at your own sort position like the a directive, so use the mask because you must load the shielded IP at the beginning, so you must use the I command to load, and then pay attention to the execution of/etc/rc.d/init.d/iptables Save to restart the service after saving

Linux iptables settings in detail

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
iptables in linux commands iptables rules in linux iptables command in linux open port in linux iptables architecture in detail ii explain html in detail how to check iptables in linux
Related Article
Linux Kernel Coding Style
Linux error--->export ' = ' not a valid identifier for gen...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More