When a new Linux server is set up and iptables needs to be configured, the following commands are typically used:
First, install and start the firewall
[root@linux ~]# /etc/init.d/iptables start
When we add rules with iptables and then save them, the rules are written to a file on disk. Taking CentOS as an example, that file is /etc/sysconfig/iptables. Rules can be added, modified and deleted with the iptables command, or /etc/sysconfig/iptables can simply be edited directly.
1. Load the module
/sbin/modprobe ip_tables
2. View the rules
iptables -L -n -v
3. Set the rules
# Clear the existing rules
iptables -F
iptables -X
iptables -Z
# Default deny policy (try not to set it this way: although this is a high-security configuration, it also rejects traffic on every interface, including the lo loopback, which causes other problems. It is recommended to apply the appropriate configuration on the external interface only.)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ssh rules
iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
# Local loopback and TCP handshake handling
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# www and dns rules
iptables -I INPUT -p tcp --sport 53 -j ACCEPT
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
# ICMP rules
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
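The rule set above, written as one script that can be reviewed before it is applied. This is an added example, not code from the original post. It follows the post's own recommendation of restricting the default-deny policy to the external interface rather than every interface: the loopback interface is accepted explicitly by interface name (-i lo) instead of by 127.0.0.1 address match, the RELATED,ESTABLISHED rule replaces the --sport 53 rules (any remote host can choose source port 53, so a --sport match is not a useful filter, and connection tracking already admits the replies to the server's own DNS queries), and the DROP policies are set last so that a flush never locks out the session that is loading the rules. The interface name in EXT_IF and the DRY_RUN switch (which prints the commands instead of running them) are assumptions of this example; the OUTPUT policy is left at ACCEPT, as the post itself does later on.

```shell
#!/bin/sh
# Added example: base filter rule set from the post, as a reviewable script.
# Assumptions (not from the post): EXT_IF names the external interface and
# DRY_RUN=1 prints each iptables command instead of executing it.
EXT_IF="${EXT_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: print in dry-run mode, otherwise execute (root required).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

base_ruleset() {
    # Start from a clean slate, as the post does. The policies are still the
    # pre-existing ones here, so flushing cannot lock out a remote session.
    ipt -F
    ipt -X
    ipt -Z

    # Loopback by interface name: matching 127.0.0.1 alone misses other
    # addresses bound to lo, and local services need this before any DROP.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host initiated (covers DNS answers too).
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Services offered on the external interface: ssh and www, new flows only.
    for port in 22 80; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # ICMP echo in both directions, as in the post.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Default policies last: inbound and forwarded traffic is dropped unless a
    # rule above accepts it; outbound stays open, as the post uses later.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Print the rule set (DRY_RUN=1, the default) or apply it (DRY_RUN=0).
base_ruleset
```

Run it once with the default DRY_RUN=1 and read the printed commands, then apply with DRY_RUN=0 as root and persist with /etc/init.d/iptables save as the post describes. If a DROP policy on OUTPUT is really wanted, outbound DNS (--dport 53) and the OUTPUT side of the NEW state must be allowed explicitly before the policy is changed.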
Second, add firewall rules
1. Add to the filter table
[root@linux ~]# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT    // open port 21
I have the OUTPUT policy set to ACCEPT (iptables -P OUTPUT ACCEPT), so there is no need to open the port in the outbound direction.
2. Add to the NAT table
[root@linux ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Masquerades (source-NATs) packets whose source address is in 192.168.10.0/24
3. -A appends to the end of the chain by default; -I inserts at a specified position
[root@linux ~]# iptables -I INPUT 3 -p tcp -m tcp --dport 20 -j ACCEPT
[root@linux ~]# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20    // -I inserted at the specified position
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
7    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21    // -A appends to the end by default
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Third, check the iptables rules
1. View the filter table
[root@linux ~]# iptables -L -n --line-numbers | grep <pattern>    // --line-numbers shows the rule number, which makes deleting easier
5    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:21
If -t is not given, the filter table is used by default; this applies to viewing, adding and deleting alike.
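Deleting by rule number is convenient but has one trap: as soon as one rule is deleted, every rule after it moves up by one, so a list of numbers taken from a single listing must be deleted from the highest number down. The following added example (not code from the original post) parses an "iptables -L INPUT -n --line-numbers" listing, constructed here to match the INPUT chain shown above, finds the rules for a given destination port, and emits the matching -D commands in descending order. The function names and the sample listing are this example's own.

```shell
#!/bin/sh
# Added example: locate rules by destination port in a --line-numbers listing
# and produce delete commands that stay valid as rules are removed.

# Constructed sample: the INPUT chain from the post, as "iptables -L INPUT -n
# --line-numbers" prints it. On a live host you would capture it with
#   listing=$(iptables -L INPUT -n --line-numbers)
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
7    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21'

# rule_numbers_for_dport LISTING PORT
# Prints the rule numbers whose match column contains "tcp dpt:PORT",
# highest number first. Only lines that start with a number are rules; the
# "Chain" and "num" header lines are skipped. The trailing boundary in the
# regex keeps port 2 from matching dpt:20, dpt:21 or dpt:22.
rule_numbers_for_dport() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("tcp dpt:" port "($|[^0-9])") { print $1 }
    ' | sort -rn
}

# delete_commands_for_dport LISTING CHAIN PORT
# Prints one "iptables -D CHAIN N" per matching rule, in descending order,
# because deleting rule N renumbers every rule after it.
delete_commands_for_dport() {
    for n in $(rule_numbers_for_dport "$1" "$3"); do
        echo "iptables -D $2 $n"
    done
}

# Demonstration on the constructed listing: prints "iptables -D INPUT 8".
delete_commands_for_dport "$SAMPLE_LISTING" INPUT 21
```

Pipe the printed commands through sh only after reading them; the same descending-order rule applies when deleting from the NAT table's chains.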
2. View the NAT table
[root@linux ~]# iptables -t nat -vnL POSTROUTING --line-numbers
Chain POSTROUTING (policy ACCEPT packets, 2297 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      *       192.168.10.0/24      0.0.0.0/0
Fourth, modify the rules
[root@linux ~]# iptables -R INPUT 3 -j DROP    // replace rule 3 with a DROP rule (-R replaces the whole rule, so any match conditions must be given again)
Fifth, delete iptables rules
[root@linux ~]# iptables -D INPUT 3    // delete the 3rd rule of INPUT
[root@linux ~]# iptables -t nat -D POSTROUTING 1    // delete the first rule of POSTROUTING in the NAT table
[root@linux ~]# iptables -F INPUT    // empty all rules of the filter table's INPUT chain
[root@linux ~]# iptables -F    // clear all rules
[root@linux ~]# iptables -t nat -F POSTROUTING    // empty all rules of the NAT table's POSTROUTING chain
Set the default rule
[root@linux ~]# iptables -P INPUT DROP    // set the default policy of the filter table's INPUT chain to DROP
All additions, deletions and modifications must be saved with /etc/init.d/iptables save. The above covers only the most basic operations; using them flexibly also takes a certain amount of hands-on practice.
Iptables configuration: general port mapping and soft routing
Scenario: the virtualization cloud platform server segment 192.168.1.0/24 reaches the 10.0.0.5 network through a Linux server (eth0: 192.168.1.1, eth1: 10.0.0.5) acting as a soft router, and provides services through iptables NAT mapping.
NAT port mapping:
Effect: 10.0.0.5:2222 -> 192.168.1.2:22
Command: iptables -t nat -A PREROUTING -d 10.0.0.5 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22
service iptables save
service iptables restart
Notes: 1. In the network configuration of 192.168.1.2, the NAT host's intranet IP, 192.168.1.1, must be set as the default gateway; if 10.0.0.5 has public network access, set DNS to the DNS server corresponding to the public network.
2. IP forwarding must be turned on on the NAT host for this to take effect: echo 1 > /proc/sys/net/ipv4/ip_forward
Soft routing: 192.168.1.0/24 accesses the external network via 10.0.0.5:
Command: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.0.0.5
service iptables save
service iptables restart
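The two NAT commands above only rewrite addresses; the packets still have to pass the filter table's FORWARD chain, which the first section of this post sets to a DROP policy. With that policy in place the DNAT mapping and the soft routing both silently fail until matching FORWARD rules exist. The following added example (not code from the original post) brings together the forwarding switch, the DNAT port mapping, the SNAT soft routing and the FORWARD rules they need, restricted to the interfaces the scenario describes. The interface names in NAT_IF_EXT and NAT_IF_INT, the DRY_RUN switch and the use of sysctl in place of echo to /proc are assumptions of this example.

```shell
#!/bin/sh
# Added example: DNAT port mapping plus SNAT soft routing from the post, with
# the FORWARD rules required when the FORWARD policy is DROP.
# Assumptions (not from the post): eth1 carries 10.0.0.5, eth0 carries
# 192.168.1.1; DRY_RUN=1 prints the commands instead of executing them.
NAT_IF_EXT="${NAT_IF_EXT:-eth1}"   # 10.0.0.5 side
NAT_IF_INT="${NAT_IF_INT:-eth0}"   # 192.168.1.1 side
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: print in dry-run mode, otherwise execute (root required).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

nat_ruleset() {
    # Forwarding must be on or neither mapping works (note 2 in the post).
    # sysctl -w is the same switch as echo 1 > /proc/sys/net/ipv4/ip_forward.
    run sysctl -w net.ipv4.ip_forward=1

    # Port mapping: 10.0.0.5:2222 -> 192.168.1.2:22, only for packets arriving
    # on the external interface, so internal hosts cannot trigger the mapping.
    run iptables -t nat -A PREROUTING -i "$NAT_IF_EXT" -d 10.0.0.5 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22
    # Let the mapped flow through FORWARD; after DNAT the destination is
    # already 192.168.1.2:22, so that is what the filter rule must match.
    run iptables -A FORWARD -i "$NAT_IF_EXT" -o "$NAT_IF_INT" -d 192.168.1.2 -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Soft routing: 192.168.1.0/24 leaves through 10.0.0.5. Binding the SNAT
    # rule to the outgoing interface keeps it from rewriting internal traffic.
    run iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o "$NAT_IF_EXT" -j SNAT --to-source 10.0.0.5
    run iptables -A FORWARD -i "$NAT_IF_INT" -o "$NAT_IF_EXT" -s 192.168.1.0/24 -j ACCEPT

    # Return traffic for both directions, tracked by conntrack.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Persist across restarts (CentOS init script, as the post uses).
    run service iptables save
}

# Print the rule set (DRY_RUN=1, the default) or apply it (DRY_RUN=0).
nat_ruleset
```

Note that sysctl -w does not survive a reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well. Conversely, the SNAT rule alone makes the whole 192.168.1.0/24 segment able to reach everything beyond 10.0.0.5, so tighten the -s 192.168.1.0/24 FORWARD rule to the destinations and ports the segment actually needs once the mapping is confirmed to work.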