Open /etc/sysconfig/iptables with Vim and look at the finished setup. The lines that open port 80 for Apache are these:
The code is as follows:

:RH-Firewall-1-INPUT - [0:0]

This can be understood as defining a user chain named RH-Firewall-1-INPUT (the [0:0] is its packet and byte counters, starting at zero).
The code is as follows:

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

Here every packet arriving on the INPUT and FORWARD chains is handed to RH-Firewall-1-INPUT. This is the key point: as long as RH-Firewall-1-INPUT is defined properly, the INPUT and FORWARD chains are effectively defined as well.
The code is as follows:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

This accepts new TCP connections to port 80: -m state --state NEW matches connection-opening packets and -p tcp --dport 80 matches the destination port. The options are simple; look them up if anything is unclear.
OK, that simple: a firewall setup for port 80 is ready ~ ~
So how do you block IPs from a particular country?
It's easy: go to IPDeny and download the list of IP addresses for the country code you want, for example cn.zone:

# wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone

With all the IP addresses of the country in hand, blocking them is easy: write a script that reads cn.zone line by line and adds each network to iptables:
The code is as follows:

#!/bin/bash
# block traffic from a specific country
# written by vpsee.com

COUNTRY="cn"                 # one or more country codes, e.g. "cn ru"
IPTABLES=/sbin/iptables
EGREP=/bin/egrep

# iptables needs root
if [ "$(id -u)" != "0" ]; then
    echo "You must be root" 1>&2
    exit 1
fi

# flush all rules in every table and delete user chains;
# note that this also removes the port 80 rule set up above
resetrules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
}

resetrules

for c in $COUNTRY
do
    country_file=$c.zone

    # skip comment lines and blank lines in the zone file
    IPS=$($EGREP -v "^#|^$" "$country_file")
    for ip in $IPS
    do
        echo "blocking $ip"
        $IPTABLES -A INPUT -s "$ip" -j DROP
    done
done

exit 0
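As an added example (not code from the original page or from vpsee.com), here is a variant of the same idea that validates every zone-file entry and writes an iptables-restore fragment for a dedicated chain, so the rest of the ruleset (including the port 80 rule above) is not flushed. The chain name COUNTRY_BLOCK and the sample zone contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page or vpsee.com: convert an ipdeny
# *.zone file into iptables-restore input for a dedicated chain, validating
# every entry instead of flushing all tables and appending one DROP per line
# to INPUT. The chain name COUNTRY_BLOCK and the sample zone are constructed.

# True only for a plausible IPv4 address or CIDR (a.b.c.d[/0-32], octets <= 255),
# so a damaged or tampered zone file never reaches iptables as a bad -s value.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for o in $(echo "$1" | cut -d/ -f1 | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Read zone file $1 and print an iptables-restore fragment for chain $2.
# Comments and blank lines are skipped; malformed entries are reported on
# stderr and their count is the return value (0 means a clean file).
zone_to_rules() {
    chain=$2 bad=0
    echo "*filter"
    echo ":$chain - [0:0]"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_cidr "$line"; then
            echo "-A $chain -s $line -j DROP"
        else
            echo "skipping malformed entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    echo "-A $chain -j RETURN"
    echo "COMMIT"
    return "$bad"
}

# Constructed sample zone: a comment, a blank line, two valid networks and
# one corrupt entry, standing in for a downloaded cn.zone.
SAMPLE_ZONE=$(mktemp)
printf '# constructed sample\n203.0.113.0/24\n\n198.51.100.0/25\n999.1.1.1/8\n' > "$SAMPLE_ZONE"

# Print the fragment; the return value tells how many lines were rejected.
zone_to_rules "$SAMPLE_ZONE" COUNTRY_BLOCK || echo "skipped $? entries" >&2
```

Load the output with iptables-restore --noflush so existing rules survive, then hook the chain from INPUT (for example with -I INPUT 1 -j COUNTRY_BLOCK).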