iptables is the IP packet filtering system integrated with the Linux kernel, and it provides the firewall function. After configuring a server role, we usually need to adjust the iptables configuration.
iptables must be configured on CentOS, Ubuntu, and other Linux servers. The following are some common iptables configuration methods.
1. View all current iptables configurations
The code is as follows:
iptables -L -n
2. Add rules to allow INPUT access. Below are the port settings commonly seen for services. To deny access instead, change ACCEPT to DROP.
The code is as follows:
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# HTTPS
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# POP3
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# SMTP
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# FTP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
3. Add an INPUT access rule restricted by source IP address. Here we use SSH as an example; 192.168.0.100 is the allowed IP address. First delete the unrestricted rule, then add the restricted one.
The code is as follows:
# DELETE
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
# ADD
iptables -A INPUT -s 192.168.0.100 -p tcp --dport 22 -j ACCEPT
4. Save the settings of iptables. After modifying the rules, remember to save them.
The code is as follows:
/etc/rc.d/init.d/iptables save
5. Restart iptables.
The code is as follows:
service iptables restart
6. Enable/disable iptables at system startup
The code is as follows:
chkconfig iptables on
chkconfig iptables off
7. Open the iptables configuration file:
The code is as follows:
vi /etc/sysconfig/iptables
Run the /etc/init.d/iptables status command to check whether port 80 is open. If port 80 is not open, you can use either of the following methods:
8. Edit /etc/sysconfig/iptables with vi and add a rule that opens port 80 in the firewall.
The code is as follows:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
9. Disable/enable/restart the firewall
The code is as follows:
/etc/init.d/iptables stop     # Stop
/etc/init.d/iptables start    # Start
/etc/init.d/iptables restart  # Restart
10. Permanently disable the firewall
The code is as follows:
chkconfig --level 35 iptables off
/etc/init.d/iptables stop
iptables -P INPUT DROP
11. Open port 21 (FTP active mode)
The code is as follows:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
12. Open the FTP passive-mode port range 49152 to 65534, and also allow loopback traffic and established connections
The code is as follows:
iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Note:
Be sure to leave yourself a way in: keep a VNC management port and an SSH management port open.
You must adapt the file to your own server.
After all the modifications, restart iptables:
The code is as follows:
service iptables restart
You can verify whether all rules have taken effect:
The code is as follows:
iptables -L
With this introduction, we now have a clear picture of the process of configuring the iptables firewall on CentOS.
Example
After a web server is set up on a virtual machine, the host cannot access it. The details are as follows:
1. The host can ping the virtual machine.
2. The virtual machine can also ping the host.
3. The virtual machine can access its own web server.
4. The host cannot access the virtual machine's web server.
The cause should be the firewall. Many of the firewall configuration examples on the Internet are rather complicated, and I will not go into them here. This article only addresses how to allow the host to access the virtual machine's web server by IP address.
The code is as follows:
[root@CentOS ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Pay attention to the port 80 line above (highlighted in red in the original). Port 80 is the default web port; 22 is the SSH port (you can connect to the virtual machine through SSH).
Restart the firewall to make the modification take effect.
The code is as follows:
[root@CentOS ~]# /etc/init.d/iptables restart
The host can now access the virtual machine's web server by IP address.
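Two things in this article are easy to get wrong by hand: forgetting the management path mentioned in the Note, and appending a new ACCEPT rule (such as the port 80 rule from step 8) after the catch-all REJECT line, where it is never reached. The following added example, which is not part of the original article, generates a /etc/sysconfig/iptables file in the same format as the one above and checks it for both mistakes before you load it; it assumes the management host 192.168.0.100 from step 3 and runs without root or iptables installed.

```shell
#!/bin/sh
# rule: print one iptables-save line (avoids printf formats that start with '-')
rule() { printf '%s\n' "$*"; }

# gen_ruleset MGMT_IP PORT...: write a ruleset like the article's file to stdout.
# Policy stays ACCEPT with a final REJECT, exactly as in the article's example.
gen_ruleset() {
    mgmt_ip=$1; shift
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -p icmp -j ACCEPT
    # Management path first: SSH only from the management host (assumed address).
    rule -A INPUT -s "$mgmt_ip" -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    for port in "$@"; do
        rule -A INPUT -m state --state NEW -m tcp -p tcp --dport "$port" -j ACCEPT
    done
    rule -A INPUT -j REJECT --reject-with icmp-host-prohibited
    rule -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    printf 'COMMIT\n'
}

# check_ruleset FILE: 0 if an SSH rule exists and no INPUT rule sits after the
# catch-all REJECT; 1 for a missing SSH rule, 2 for an unreachable rule.
check_ruleset() {
    f=$1
    if ! grep -q -- '^-A INPUT .*--dport 22 -j ACCEPT' "$f"; then
        echo "no SSH ACCEPT rule: you would lock yourself out" >&2
        return 1
    fi
    # Rules are evaluated top-down, so anything after the REJECT is dead.
    if ! awk '/^-A INPUT .*-j REJECT/ {seen=1; next}
              seen && /^-A INPUT/ {bad=1}
              END {exit bad}' "$f"; then
        echo "INPUT rule placed after the catch-all REJECT is unreachable" >&2
        return 2
    fi
    return 0
}
```

Write the output of gen_ruleset to /etc/sysconfig/iptables only after check_ruleset passes, then load it with the restart command from the article.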