My goal is to disable all external service ports and only allow port 22 of the SSH service to accept external requests.
First, get root on the test server, then use the following command to view the current iptables rules:

root@host2:~# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 105 packets, 10480 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
4        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
3        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
4        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 25 packets, 3380 bytes)
num   pkts bytes target     prot opt in     out     source               destination
-v prints verbose output (packet and byte counters, interfaces).
-n prints addresses and port numbers numerically instead of resolving names.
-L lists the rules in each chain.
--line-numbers prefixes each rule with its position in the chain; this is useful when deleting a rule by number.
From the output above we can see that the INPUT chain policy is ACCEPT, so all incoming connections are allowed.
Flush all existing rules first, so that leftover rules do not interfere with the new policy:
iptables -F
Then set the policy so that all incoming requests are dropped by default (chain and target names are case-sensitive):
iptables -P INPUT DROP
Add a rule that accepts connections to the SSH port:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Try connecting from another machine. SSH login works without problems, apart from a short wait before the prompt appears.
Note: with this setting, this machine can no longer connect out to the Internet: outgoing packets leave, but the replies are dropped by the INPUT policy. There are two solutions:
1. For absolute security, you can temporarily open the policy by hand and close it again when you are done:
iptables -P INPUT ACCEPT
# do something
iptables -P INPUT DROP
2. Add a rule that accepts packets belonging to connections that are already established:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Connections initiated from the local machine are not restricted by these rules (the OUTPUT policy is still ACCEPT); once such a connection is established, the reply data from the external network matches the ESTABLISHED,RELATED rule and is accepted.
Add other ports as needed.
If you want to allow only a limited set of machines to initiate requests to the server, use the -s parameter, for example:
iptables -A INPUT -p tcp -s 10.112.18.0/24 --dport 27017 -j ACCEPT
Now only machines in the 10.112.18.0/24 network segment can connect to port 27017 of the local machine. Be careful with the prefix length: a /0 mask matches every source address, which would make the rule accept connections from anywhere.
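The steps above (flush, default DROP, allow SSH, allow established connections, optionally allow a port for one source network) can be written as a single ruleset and loaded atomically with iptables-restore. The script below is an added example, not code from the original post; it generates the ruleset text so it can be reviewed before being applied, puts the ACCEPT rules before the DROP policy takes effect (so an existing SSH session is never cut off mid-way), rejects a /0 source mask, and arms a rollback timer in case the new rules lock you out. The loopback rule, the "proto:port@source" argument format, the function names and the 60-second rollback window are assumptions of this example.

```shell
#!/bin/sh
# Added example: build and safely apply the inbound firewall policy
# described above. Not part of the original post.

# Print an iptables-restore ruleset to stdout.
# Arguments: zero or more "proto:port[@source]" specs, e.g. "tcp:27017@10.112.18.0/24".
# SSH is always allowed on $SSH_PORT (default 22).
gen_ruleset() {
    ssh_port="${SSH_PORT:-22}"
    # Validate every spec before printing anything, so a bad argument
    # never produces a half-built ruleset.
    for spec in "$@"; do
        proto="${spec%%:*}"
        rest="${spec#*:}"
        case "$rest" in
            *@*) port="${rest%%@*}"; src="${rest#*@}" ;;
            *)   port="$rest";        src="" ;;
        esac
        case "$proto" in tcp|udp) ;; *) echo "bad protocol in '$spec'" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;; esac
        # A /0 prefix matches every address and silently opens the port to the world.
        case "$src" in */0) echo "refusing /0 source mask in '$spec'" >&2; return 1 ;; esac
    done

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default deny for inbound traffic
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # outbound stays open, as in the post
    # Loopback (assumption: the post does not mention it, but local services rely on it).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host initiated (solution 2 in the post).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for spec in "$@"; do
        proto="${spec%%:*}"
        rest="${spec#*:}"
        case "$rest" in
            *@*) port="${rest%%@*}"; src="${rest#*@}" ;;
            *)   port="$rest";        src="" ;;
        esac
        if [ -n "$src" ]; then
            printf '%s\n' "-A INPUT -p $proto -s $src --dport $port -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
        fi
    done
    printf '%s\n' 'COMMIT'
}

# Apply the generated ruleset atomically and arm a rollback timer.
# If the SSH session survives, run confirm_ruleset to cancel the rollback;
# if it does not, the previous rules come back after 60 seconds.
apply_ruleset() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    gen_ruleset "$@" | iptables-restore || { rm -f "$backup"; return 1; }
    ( sleep 60 && iptables-restore < "$backup" ) &
    echo $! > /tmp/iptables-rollback.pid
    echo "rules applied; run confirm_ruleset within 60 s to keep them" >&2
}

confirm_ruleset() {
    [ -f /tmp/iptables-rollback.pid ] || return 1
    kill "$(cat /tmp/iptables-rollback.pid)" 2>/dev/null
    rm -f /tmp/iptables-rollback.pid
}

# Usage (as root): apply_ruleset "tcp:27017@10.112.18.0/24"
# then, from the still-working SSH session: confirm_ruleset
```

Because gen_ruleset only writes text, `gen_ruleset tcp:27017@10.112.18.0/24 > /etc/iptables/rules.v4` also works as the "save" step for iptables-persistent, which reads that file at boot.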
For detailed iptables operations under Ubuntu, refer to:
https://help.ubuntu.com/community/IptablesHowTo
How do you save the rules so they survive a reboot? Two steps:
1. Install the package
apt-get install iptables-persistent
2. Save the rules to its rule file
service iptables-persistent save
(On newer Ubuntu releases the package provides the netfilter-persistent command instead: netfilter-persistent save.)
Then reboot and check with iptables -vnL that the rules are restored.
iptables-persistent is a boot script; you can look at it in the /etc/init.d/ directory if you are interested.