Linux iptables settings in detail

Source: Internet
Author: User
Tags ssh port

Your own example:

-A input-s 192.168.28.68-p tcp--dport 1000-j ACCEPT

172.168.XX.XX in the Internal network open 1000 this port

In any case, iptables is a need for special care to set up something, in the event that the server is not around you, and you rushed to set up to prevent SSH, then wait for the boss scold it, hehe ...

The content is written to prevent this from happening, of course, it is very elementary, but the general server is enough:

1. First introduce the instructions and related configuration files

    1. Start command: Service iptables start
    2. Restart command: Service iptables restart
    3. Shutdown command: Service iptables stop
    4. Then the related configuration:/etc/sysconfig/iptables
    5. How do I operate the configuration?
    6. Vim/etc/sysconfig/iptables
    7. And then go in and modify it, how to do? A lot of people here will think of/etc/rc.d/init.d/iptables save instructions, but once you do this you have just made the changes in white ...
    8. The specific methods are:
    9. The only way to modify/etc/sysconfig/iptables to take effect is to modify the service iptables restart before calling/etc/rc.d/init.d/iptables save.
    10. Because/etc/rc.d/init.d/iptables save will reload when the Iptables service starts, if you call/etc/rc.d/init.d/iptables save directly before restarting, you
    11. /etc/sysconfig/iptables configuration is rolled back to the last boot service configuration, this must be noted!!!

2. Here are some instructions to use (mainly or man iptables to see the relevant information)

    1. -A: Specify the chain name
    2. -P: Specify protocol type
    3. -D: Specify the destination address
    4. --dport: Specify the destination port (destination port destination)
    5. --sport: Specifies the source port (source port)
    6. -j: Specifying an action type

3. If I do not like to change the file Direct command can, of course, no problem, the steps are as follows:

    1. For example, I gave the SSH release statement:
    2. Add INPUT Record: iptables-a input-p tcp--dport -j ACCEPT
    3. Add OUTPUT Record: iptables-a output-p tcp--sport -j ACCEPT
    4. Finally, note that you need to execute/etc/init.d/iptables save so that the two statements are saved to the/etc/sysconfig/iptables file just now.

4. Next explain the steps, if the machine is not around me, I can only ssh in to do iptables rules, then I must pay attention to every step, do not make a mistake, or SSH link is not possible!

  1. The first thing to do is to give our SSH to accept the configuration, so as not to directly connect the situation occurs:
  2. 1. If the SSH port is 22 (it is not recommended to use the default port, it is best to change the SSH port)
  3. Iptables-a input-p TCP--dport 22-j ACCEPT
  4. Iptables-a output-p TCP--sport 22-j ACCEPT
  5. Note that to/etc/rc.d/init.d/iptables save, it is best to execute this statement again at each of the following steps, which is no longer described below.
  6. 2.vim/etc/sysconfig/iptables determines if the configuration has been added and can be executed after service iptables restart restart
  7. 3. The following is a very dangerous operation, if you did not do the first step will directly lead to you can not connect to SSH, this step before you remember to perform the first step!!!
  8. Iptables-p INPUT DROP
  9. Iptables-p OUTPUT DROP
  10. Iptables-p FORWARD DROP
  11. This step is to all the rules that do not conform to their own configuration of the connection all drop off, after the execution if we have not lost ssh, then thank goodness, security, restart the next iptables after the following configuration!
  12. 4. I will not elaborate on the following, specifically to see the server to open which ports or to access which ports to do the specific configuration, the following is the configuration of my own machine:
  13. The/etc/sysconfig/iptables file is configured as follows:
  14. # Generated by Iptables-save v1.4.7 on Fri Mar 2 19:59:43 2012
  15. *filter
  16. : INPUT DROP [0:0]
  17. : FORWARD DROP [0:0]
  18. : OUTPUT DROP [8:496]
  19. -A input-m state--state related,established-j ACCEPT
  20. #ping使用的端口
  21. -A input-p icmp-j ACCEPT
  22. -A input-i lo-j ACCEPT
  23. -A input-s 127.0.0.1/32-d 127.0.0.1/32-j ACCEPT
  24. -A input-s 192.168.2.200/32-d 192.168.2.200/32-j ACCEPT
  25. #允许服务器自己的SSH (the server is the target for external requests, so use--dport)
  26. -A input-p tcp-m tcp--dport 22-j ACCEPT
  27. #80端口不用说了吧, server Web Access port
  28. -A input-p tcp-m tcp--dport 80-j ACCEPT
  29. -A input-p tcp-m tcp--dport 3306-j ACCEPT
  30. -A input-p tcp-m tcp--dport 11211-j ACCEPT
  31. -A input-p tcp-m tcp--dport 11212-j ACCEPT
  32. -A forward-j REJECT--reject-with icmp-host-prohibited
  33. #53端口是DNS相关, both TCP and UDP are configured
  34. -A input-p tcp-m tcp--dport 53-j ACCEPT
  35. -A input-p udp-m UDP--dport 53-j ACCEPT
  36. #ping使用的端口
  37. -A output-p icmp-j ACCEPT
  38. -A output-s 127.0.0.1/32-d 127.0.0.1/32-j ACCEPT
  39. -A output-s 192.168.2.200/32-d 192.168.2.200/32-j ACCEPT
  40. #允许服务器SSH到其他机器 (use--dport with external ports)
  41. -A output-p tcp-m tcp--dport 22-j ACCEPT
  42. #允许服务器自己的SSH (use--sport for self-source output)
  43. -A output-p tcp-m tcp--sport 22-j ACCEPT
  44. #访问外部网站80端口 (use--dport with external ports)
  45. -A output-p tcp-m tcp--dport 80-j ACCEPT
  46. #如果服务器需要访问外部网站, the output also needs to be configured with Port 53 (use--dport with external ports)
  47. -A output-p tcp-m tcp--dport 53-j ACCEPT
  48. -A output-p udp-m UDP--dport 53-j ACCEPT
  49. #如果有访问外部邮箱, open the mailbox-related ports (use--dport with external ports)
  50. -A output-p tcp-m tcp--dport 465-j ACCEPT
  51. -A output-p tcp-m tcp--dport 25-j ACCEPT
  52. -A output-p tcp-m tcp--dport 110-j ACCEPT
  53. #服务器网站访问端口 (use--sport for self-source output)
  54. -A output-p tcp-m tcp--sport 80-j ACCEPT
  55. -A output-p tcp-m tcp--sport 3306-j ACCEPT
  56. -A output-p tcp-m tcp--sport 11211-j ACCEPT
  57. -A output-p tcp-m tcp--sport 11212-j ACCEPT
  58. COMMIT
  59. # completed on Fri Mar 2 19:59:43 2012

5. May sometimes need to delete the rules, the simplest is to modify the/etc/sysconfig/iptables and then service iptables restart, and finally/etc/rc.d/init.d/iptables save.

Of course, you can also use instructions to complete:

  1. On the internet to find a bit, delete the rule method:
  2. The syntax is: iptables-d chain rulenum [Options]
  3. Where: Chain is the meaning of the chain, that is, input FORWARD and the like
  4. Rulenum is the number of the rule. Starting from 1. You can use--line-numbers to list the number of rules
  5. So, for example, if you want to delete a rule from the input chain, you can do this: iptables-d input 3
  6. This means deleting the 3rd rule.
  7. There's a second way. The second approach is a mapping of the-a command, but replaces-A with-D. This is useful when the rules in your chain are complex and you don't want to count their numbers. In other words, how do you use iptables-a .... Statement defines a rule, the rule is deleted by using-D instead of-the rest of it is the same.
  8. ======================
  9. Say the--line-numbers option above, as in the following command:
  10. Iptables-l input--line-numbers lists all the rules of the input chain
  11. Num Target prot opt source destination
  12. 1 REJECT TCP-anywhere anywhere TCP Dpt:microsoft-ds Reject-with icmp-port-unreachable
  13. 2 REJECT TCP-Anywhere anywhere TCP dpt:135 Reject-with icmp-port-unreachable
  14. 3 REJECT TCP-Anywhere anywhere TCP DPT:NETBIOS-SSN Reject-with icmp-port-unreachable
  15. ...
  16. ...
  17. To delete a specified row rule:
  18. [[email protected] rc.d]# iptables-d INPUT 4

6. Finally, if you want a separate open port for an IP, you can configure it as follows:

    1. If I need to open a MySQL port on a single machine in the intranet, it should be configured as follows:
    2. Iptables-a input-s 192.168.2.6-p tcp-m tcp--dport 3306-j ACCEPT
    3. Iptables-a output-s 192.168.2.6-p tcp-m tcp--sport 3306-j ACCEPT

7. Completely prohibit an IP access:

    1. #屏蔽单个IP的命令是
    2. Iptables-i input-s 123.45.6.7-j DROP
    3. #封整个段即从123.0.0.1 to 123.255.255.254 command
    4. Iptables-i input-s 123.0.0.0/8-j DROP
    5. #封IP段即从123.45.0.1 to 123.45.255.254 command
    6. Iptables-i input-s 124.45.0.0/16-j DROP
    7. #封IP段即从123.45.6.1 to 123.45.6.254 command is
    8. Iptables-i input-s 123.45.6.0/24-j DROP
    9. The command i is an insert instruction but the directive inserts in the correct position and does not look at your own sort position like the a directive, so use the mask because you must load the shielded IP at the beginning, so you must use the I command to load, and then pay attention to the execution of/etc/rc.d/init.d/iptables Save to restart the service after saving

Linux iptables settings in detail

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.