How to open specific ports in the Linux firewall (iptables)
iptables is the firewall under Linux, and iptables is also the name of its service.
service iptables status     # view firewall state
service iptables start      # turn on the firewall
service iptables stop       # shut down the firewall
service iptables restart    # restart the firewall
Opening a specific port in the firewall:
① Edit the file /etc/sysconfig/iptables
② Add:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
(8080 here means port 8080 is opened; change it to whatever port you need)
③ Restart the firewall
================================================================
Save the firewall settings
service iptables save
View the iptables rules with their line numbers
iptables -nL --line-numbers
Drop everything by default on INPUT, FORWARD (forwarding) and OUTPUT, for all ports
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Open only port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Parameter explanation:
-A appends a rule to a chain (uppercase -P, used above, sets a chain's default policy instead)
-p specifies the protocol; tcp is the one we use most, but there is also udp, for example DNS on port 53
--dport is the destination port, used when data comes from outside to the server (the server is the destination)
--sport is the source port, used when data leaves the server (the server is the source)
-j specifies the target: ACCEPT to receive the traffic, or DROP to refuse it
Block access from one IP
iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
The -s parameter is the source (here 192.168.1.2)
The target at the end, DROP, rejects the traffic.
Delete a rule
iptables -D INPUT 2
Deletes rule number 2 in the INPUT chain (the numbers come from iptables -nL --line-numbers)
1. Allow one port through
vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT    (allow port 80 through the firewall)
/etc/init.d/iptables restart
# finally restart the firewall so the configuration takes effect
Allow only specific IPs to access a port? The following commands allow only 46.166.150.22 to reach port 80 on this host; change the IP or port as needed.
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 46.166.150.22 -p tcp --dport 80 -j ACCEPT
Run the two lines above as root, in this order (-I inserts at the top of the chain, so the ACCEPT inserted second ends up above the DROP and is matched first), then restart iptables: service iptables restart
To see whether iptables has taken effect:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  46.166.150.22        anywhere             tcp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The commands above block port 80 for the whole server (all of its IPs). What if you only need to block port 80 on one of the server's IP addresses?
The following commands allow only 174.140.3.190 to reach port 80 on the server address 216.99.1.216
iptables -A FORWARD -s 174.140.3.190 -d 216.99.1.216 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 216.99.1.216 -p tcp -m tcp --dport 80 -j DROP
If you are not comfortable with the Linux command line over SSH, you can achieve the same effect in the Webmin/Virtualmin panel. Reference: Webmin panel, how to allow specific IPs to access port 80 and block port 80 for everyone else
More iptables reference commands:
1. Back up iptables first
# cp /etc/sysconfig/iptables /var/tmp
Port 80 is needed, but only for a specified IP range and the LAN
The following three lines mean:
First close port 80 for everyone.
Then open port 80 for the 192.168.1.0/24 IP segment
Then open port 80 for the 211.123.16.123/24 IP segment
# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT
These settings are temporary until saved.
2. Then save iptables
# service iptables save
3. Restart the firewall
# service iptables restart
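The "close a port, then open it for trusted sources" pattern used in the two procedures above, as an added example that is not part of the original post: it issues the rules in the order that makes -I safe and checks the live ruleset to confirm ACCEPT really sits above DROP. The IPT variable is an assumed hook for dry runs (IPT=echo prints the commands instead of applying them).

```shell
#!/bin/sh
# Added example, not from the original post. IPT is an assumed hook for dry
# runs: IPT=echo prints the iptables commands instead of applying them.
IPT="${IPT:-iptables}"

# restrict_port PORT SRC [SRC...]
# -I inserts at the head of the chain, so the DROP must go in FIRST; each
# ACCEPT inserted afterwards lands above it and wins on first match.
restrict_port() {
    port="$1"; shift
    [ -n "$port" ] && [ "$#" -ge 1 ] || {
        echo "usage: restrict_port PORT SRC [SRC...]" >&2; return 1; }
    "$IPT" -I INPUT -p tcp --dport "$port" -j DROP
    for src in "$@"; do
        "$IPT" -I INPUT -s "$src" -p tcp --dport "$port" -j ACCEPT
    done
}

# check_order PORT   (reads the output of `iptables -S INPUT` on stdin)
# Returns 0 only if, for PORT, at least one ACCEPT rule exists, the DROP rule
# exists, and every ACCEPT is listed before the DROP. Anything else returns 1,
# which is what you get when the two commands were run in the wrong order.
check_order() {
    awk -v port="$1" '
        index($0, "--dport " port " ") == 0 { next }
        / -j ACCEPT$/ { accepts++; if (drop_seen) bad = 1 }
        / -j DROP$/   { drop_seen = 1 }
        END { exit (bad || !drop_seen || !accepts) ? 1 : 0 }'
}
```

Apply with `restrict_port 80 192.168.1.0/24 46.166.150.22`, then `iptables -S INPUT | check_order 80 && service iptables save` so that only a correctly ordered ruleset is persisted.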
=============== The following is reproduced from elsewhere ================================================
Close a port for everyone first, then open it for some IPs
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT
If you use NAT forwarding, remember to add the matching FORWARD rules, otherwise it will not take effect
iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
Common iptables rules are as follows. Note that Filter in these rules is a user-defined chain name carried over from the source; the built-in chains of the filter table are INPUT, FORWARD and OUTPUT, so either create it first (iptables -N Filter) and jump to it, or substitute the built-in chain that applies.
Allow this MAC address only to send and receive mail; block everything else
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 110 -j ACCEPT
IPSEC NAT policy ($INTERNET_ADDR is a shell variable holding the Internet-facing address; pfwanpriv is a user-defined chain)
iptables -I pfwanpriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500
NAT for an FTP server
iptables -I pfwanpriv -p tcp --dport 21 -d 192.168.1.22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:21
Allow access to the specified sites only (a hostname given to -d is resolved once, when the rule is added)
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.ctohome.com -j ACCEPT
iptables -A Filter -d www.guowaivps.com -j ACCEPT
iptables -A Filter -j DROP
Open some ports for one IP, close everything else
iptables -A Filter -p tcp --dport 80 -s 192.168.1.22 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.1.22 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.1.22 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.1.22 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP
Multiple ports
iptables -A Filter -p tcp -m multiport --dports 22,53,80,110 -s 192.168.20.3 -j REJECT
Multiple source ports, and a contiguous port range
iptables -A Filter -p tcp -m multiport --sports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT
Internet access only at designated times (old ipt_time syntax as given in the source; current xt_time takes 24-hour --timestart/--timestop and --weekdays Mon,Tue,...)
iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00pm --timestop 11:00am --days mon,tue,wed,thu,fri,sat,sun -j DROP
iptables -A Filter -m time --timestart --timestop 13:00 --days mon,tue,wed,thu,fri,sat,sun -j ACCEPT    (the --timestart value is missing in the source)
iptables -A Filter -m time --timestart 17:30 --timestop 8:30am --days mon,tue,wed,thu,fri,sat,sun -j ACCEPT
Several port services in one rule (the rule as given accepts them)
iptables -A Filter -m multiport -p tcp --dports 21,23,80 -j ACCEPT
NAT the whole WAN address to a PC ($INTERNET_IF is a shell variable holding the Internet-facing interface)
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1
WAN port 8000 is NATed to port 80 of 192.168.100.200 (the rule as given targets 192.168.1.22)
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:80
Forward the mail server ports
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:25
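The DNAT rules above (IPSEC, FTP, web and mail forwarding) are only half of a port forward; the earlier note about NAT forwarding points out that the FORWARD chain must let the rewritten packet through as well. As an added example that is not part of the original post, the function below emits both rules together; the IPT variable is an assumed dry-run hook (IPT=echo prints instead of applying), and the arguments mirror the post's $INTERNET_IF / $INTERNET_ADDR variables.

```shell
#!/bin/sh
# Added example, not from the original post. IPT is an assumed hook for dry
# runs: IPT=echo prints the iptables commands instead of applying them.
IPT="${IPT:-iptables}"

# dnat_service WAN_IF WAN_ADDR PROTO WAN_PORT LAN_HOST LAN_PORT
#   1. nat/PREROUTING rewrites packets arriving on WAN_IF for WAN_ADDR:WAN_PORT
#      so that their destination becomes LAN_HOST:LAN_PORT.
#   2. filter/FORWARD must then accept the rewritten packet; -I puts the rule
#      ahead of any blanket "FORWARD ... -j DROP" that is already in place,
#      and -m state --state NEW limits it to connection openers.
dnat_service() {
    wan_if="$1"; wan_addr="$2"; proto="$3"; wan_port="$4"; lan_host="$5"; lan_port="$6"
    [ "$#" -eq 6 ] || { echo "usage: dnat_service WAN_IF WAN_ADDR PROTO WAN_PORT LAN_HOST LAN_PORT" >&2; return 1; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    "$IPT" -t nat -A PREROUTING -i "$wan_if" -p "$proto" -d "$wan_addr" \
        --dport "$wan_port" -j DNAT --to-destination "$lan_host:$lan_port"
    "$IPT" -I FORWARD -i "$wan_if" -p "$proto" -d "$lan_host" --dport "$lan_port" \
        -m state --state NEW -j ACCEPT
}

# Reply direction: with a FORWARD DROP policy, established flows need this
# once (not per service) or the LAN host's answers never get back out.
allow_established_forward() {
    "$IPT" -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

For the post's "WAN port 8000 to port 80" case the call is `dnat_service "$INTERNET_IF" "$INTERNET_ADDR" tcp 8000 192.168.1.22 80`, followed by `allow_established_forward` if it has not been run yet.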
Only pinging 202.96.134.133 is allowed; all other services are blocked
iptables -A Filter -p icmp -s 192.168.1.22 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Blocking BitTorrent
iptables -A Filter -p tcp --dport 6000:20000 -j DROP
Blocking QQ
iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP
Based on MAC address: can only send and receive mail, everything else is rejected
iptables -I Filter -m mac --mac-source 00:0a:eb:97:79:a1 -j DROP
iptables -I Filter -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 110 -j ACCEPT
Blocking MSN
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Only pinging 202.96.134.133 is allowed; no other public IP may be pinged
iptables -A Filter -p icmp -s 192.168.1.22 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
Block a MAC address from accessing the Internet:
iptables -I Filter -m mac --mac-source 00:20:18:8f:72:f8 -j DROP
Block ping from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Block services for an IP address:
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Allow only some services, reject the rest (2 rules)
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Block one port service for an IP address (as given, the ACCEPT line is matched first and makes the DROP unreachable)
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
Block one port service for a MAC address
iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8f:72:f8 --dport 80 -j DROP
Block a MAC address from accessing the Internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
Block ping from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Start iptables
service iptables start
iptables --list    (view the iptables rule set)
This is what iptables looks like when no rules are defined:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
How to open/close a specified port
For example:
Open port 81:
iptables -I INPUT -i eth0 -p tcp --dport 81 -j ACCEPT
iptables -I OUTPUT -o eth0 -p tcp --sport 81 -j ACCEPT
Close port 81:
iptables -I INPUT -i eth0 -p tcp --dport 81 -j DROP
iptables -I OUTPUT -o eth0 -p tcp --sport 81 -j DROP
and then save
/etc/rc.d/init.d/iptables save
eth0 is the network interface name; run ifconfig to see the interface details, and make sure you enter the correct interface name.
You can use the lsof command to check whether a port is open (whether something is listening on it).
Taking port 81 as an example:
lsof -i:81
If something is listed, the port is open; no output means it is not.