Iptables firewall settings in Linux

Source: Internet
Author: User
Tags: ssh, port


Before starting this tutorial, make sure you have a way to reach the Linux host. If you are working over SSH and cannot operate the machine locally, add the cron entry below first. In the worst case a mistaken rule makes every port unreachable, including SSH, but after at most five minutes the cron job stops the iptables firewall for you.

[root@localhost ~]# crontab -u root -e

*/5 * * * * /etc/init.d/iptables stop # stop the firewall every five minutes so that a setup error cannot lock you out of SSH for long; remove this entry once the rules are verified

First, we will introduce several simple commands:

/etc/init.d/iptables save # save the firewall rules; if you do not save them, they are lost when iptables restarts

iptables -L -n # view the current firewall rules

PS: before adding a rule, run iptables -L -n to check the current rules. If nothing is listed, the iptables service may not be running. If you add rules in that state and save them, the saved file overwrites the previous rule set. If you want to keep the previous rules, start the iptables service first, confirm that the previous rules are listed, and then add your new rules on top of them.

Add two rules first.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT # INPUT rule: accept packets arriving at port 22

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # OUTPUT rule: accept packets leaving from port 22
 

After adding these two rules you no longer need to worry about losing the SSH login. For the full option list, run iptables --help.

Here we focus on the difference between dport and sport in iptables:

dport: destination port

sport: source port

Two INPUT examples show how dport and sport differ in the INPUT chain.

Example 1:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 

This INPUT rule can be described as follows:

1. This is a packet coming from outside into the local server.

2. The destination port (dport) of the packet is 22, that is, it is addressed to port 22 on the local machine.

3. Allow this traffic to pass.

Example 2:

iptables -A INPUT -p tcp --sport 22 -j ACCEPT
 

This INPUT rule can be described as follows:

1. This is a packet coming from outside into the local server.

2. The source port (sport) of the packet is 22, that is, the remote side sent it from its port 22.

3. Allow this traffic to pass.

Two OUTPUT examples show how dport and sport differ in the OUTPUT chain.

Example 1:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
 

This OUTPUT rule can be described as follows:

1. This is a packet leaving the local machine.

2. The destination port (dport) of the packet is 22 on the remote side.

3. Allow this traffic to pass.

Example 2:

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

This OUTPUT rule can be described as follows:

1. This is a packet leaving the local machine.

2. The source port (sport) of the packet is 22, that is, the server sends it from its own port 22.

3. Allow this traffic to pass.

By default, the policies of the INPUT, OUTPUT, and FORWARD chains are all ACCEPT.

If no rule is added, traffic on every port is allowed.

iptables -P INPUT DROP # do not run this until the ACCEPT rule for port 22 has been added

After this command, every INPUT packet that matches none of the ACCEPT rules you added is dropped.

Likewise, these commands:

iptables -P OUTPUT DROP
iptables -P FORWARD DROP

With the INPUT policy set to DROP, we need to add some ACCEPT rules for INPUT:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT # open the ssh port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # open the web service port
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # open the ftp service port

iptables -A INPUT -p icmp -j ACCEPT # allow icmp packets, that is, allow ping
iptables -A INPUT -i lo -p all -j ACCEPT # allow the loopback interface

##### If the server runs other services, open their ports in the same way.

Usually OUTPUT is left at ACCEPT, and a few DROP rules are added to OUTPUT to close specific ports:

# close some ports
iptables -A OUTPUT -p tcp --sport 27444 -j DROP
iptables -A OUTPUT -p tcp --sport 27665 -j DROP
iptables -A OUTPUT -p tcp --sport 31337 -j DROP
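The dport/sport discussion and the INPUT DROP procedure above, as an added example (not code from the original article): it emits the article's policy as one iptables-restore ruleset, so the DROP policy and the port 22 ACCEPT rule are loaded atomically, and it refuses to load the set unless the SSH port is accepted. It goes beyond the article by adding a conntrack ESTABLISHED,RELATED rule (without it the INPUT DROP policy also drops replies to the server's own outbound connections) and omits the article's OUTPUT --sport 22 rule, which is redundant while the OUTPUT policy is ACCEPT. Assumed: the allowed TCP ports are passed as arguments, and iptables-restore is installed.

```shell
# Added example, not the article's code. Builds the article's INPUT-DROP policy
# as an iptables-restore ruleset instead of running iptables commands one by one.

# Emit the ruleset text for the given TCP ports (e.g. 22 80 21).
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # loopback, as in the article
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # not in the article: accept replies to connections the server itself opened
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # icmp (ping), as in the article
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # one dport ACCEPT per service port: traffic addressed TO these local ports
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Return 0 if the ruleset on stdin accepts new TCP connections to port $1.
# This is the check the article warns about: never load INPUT DROP unless
# the SSH port is explicitly accepted.
ruleset_allows_tcp_port() {
    grep -q -- "^-A INPUT -p tcp --dport $1 -j ACCEPT\$"
}

# Load the ruleset only when the SSH port check passes. Needs root and
# iptables-restore; the test below does not call it.
apply_ruleset() {
    ssh_port=$1
    shift
    rules=$(build_ruleset "$@")
    if ! printf '%s\n' "$rules" | ruleset_allows_tcp_port "$ssh_port"; then
        echo "refusing to apply: port $ssh_port is not accepted, SSH would be cut off" >&2
        return 1
    fi
    printf '%s\n' "$rules" | iptables-restore
    # persist as the article does, otherwise the rules vanish on restart:
    # /etc/init.d/iptables save
}
```

Run as root with, for example, apply_ruleset 22 22 80 21 (first argument is the SSH port, the rest are the ports to open); keep the article's cron fail-safe in place until you have confirmed a fresh SSH login still works.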
