Iptables is an IP information package filtering system integrated with Linux kernel. It comes with a firewall function. After configuring the server role function, we need to modify the iptables configuration.
You must configure iptables for CentOS, Ubuntu, and other Linux servers. The following are some common iptables configuration methods.
1. View all current iptables configurations
| The code is as follows: | Copy code |
Iptables-L-n |
|
2. Add rules to allow INPUT access. For the following, we often see the port settings of the service. To deny access, change ACCEPT to DROP.
| The code is as follows: | Copy code |
# SSH |
|
3. Add an IP address restriction INPUT access rule. Here we use SSH as an example. 192.168.0.100 is the allowed IP address.
| The code is as follows: | Copy code |
# DELETE |
|
4. Save the settings of iptables. After modifying the rules, remember to save them.
| The code is as follows: | Copy code |
/Etc/rc. d/init. d/iptables save |
|
5. Restart iptables.
| The code is as follows: | Copy code |
Service iptables restart |
|
6. Enable/disable startup
| The code is as follows: | Copy code |
Chkconfig iptables on |
|
7. Open the iptables configuration file:
| The code is as follows: | Copy code |
Vi/etc/sysconfig/iptables |
|
Run the/etc/init. d/iptables status command to check whether port 80 is enabled. If port 80 is not enabled, you can use either of the following methods:
8. Modify the vi/etc/sysconfig/iptables command to add the firewall to open port 80.
| The code is as follows: | Copy code |
-A RH-Firewall-1-INPUT-m state -- state NEW-m tcp-p tcp -- dport 80-j ACCEPT |
|
9. Disable/enable/restart the firewall
| The code is as follows: | Copy code |
/Etc/init. d/iptables stop # Restart |
|
10. Permanently disable the firewall
| The code is as follows: | Copy code |
Chkconfig -- level 35 iptables off /Etc/init. d/iptables stop |
|
11. Open port 21 in active mode
| The code is as follows: | Copy code |
| Iptables-a input-p tcp -- dport 21-j ACCEPT | |
12. Enable passive mode 49152 ~ Port 65534
| The code is as follows: | Copy code |
Iptables-a input-I lo-j ACCEPT
Iptables-a input-m state -- state ESTABLISHED-j ACCEPT |
|
Note:
Be sure to leave a path for yourself and leave a VNC management port and an SSh management port.
You must modify the file based on your server.
After all the modifications, restart iptables:
| The code is as follows: | Copy code |
Service iptables restart |
|
You can verify whether all rules have taken effect:
| The code is as follows: | Copy code |
Iptables-L |
|
Through the introduction of this article, we have clearly understood the process of configuring iptables firewall in CentOS.
Example
After a web server is built on a virtual machine, the host cannot be accessed. The details are as follows:
1. The local machine can ping the virtual machine
2. The VM can also ping the host.
3. Virtual machines can access their own web
4. The local machine cannot access its web
The reason should be the firewall. Many examples of firewall settings on the Internet are also a bit complicated. I will not introduce them here. This article only addresses how to allow hosts to access the web of virtual machines through ip addresses.
| The code is as follows: | Copy code |
| [Root @ CentOS ~] # Vi/etc/sysconfig/iptables # Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. * Filter : Input accept [0: 0] : Forward accept [0: 0] : Output accept [0: 0] -A input-m state -- state ESTABLISHED, RELATED-j ACCEPT -A input-p icmp-j ACCEPT -A input-I lo-j ACCEPT -A input-m state -- state NEW-m tcp-p tcp -- dport 22-j ACCEPT -A input-m state -- state NEW-m tcp-p tcp -- dport 80-j ACCEPT -A input-j REJECT -- reject-with icmp-host-prohibited -A forward-j REJECT -- reject-with icmp-host-prohibited COMMIT |
|
Pay attention to the red line above. Port 80 is the default web port. 22 is the ssh port (you can connect to the virtual machine through ssh ).
Restart the firewall to make the modification take effect.
| The code is as follows: | Copy code |
| [Root @ CentOS ~] #/Etc/init. d/iptables restart | |
In this case, you can access the web of a virtual machine through an ip address on the host.
Recommended article: linux/iptables.htm "> iptables firewall configuration guide
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
