This article demonstrates how to use iptables.
Firewall setting policy
Firewall configuration policies generally fall into two types, one called "pass" and the other called "block":
Pass policy: by default no packet is allowed through, and rules are defined for the packets that are permitted.
Block policy: by default every packet is allowed through, and rules are defined for the packets that are to be rejected.
Server firewalls generally adopt the first policy, which is more secure; the scenario described in this article also uses the "pass" policy.
Scenario Definition
Assume that this article implements the rules defined by the following scenario:
1. Open ports 80, 22 and 10-21 on the local machine to all addresses;
2. Allow ICMP packets from all addresses;
3. Deny access to any other port.
Iptables rule implementation
The commands that implement the rules defined above:
Clear all existing rules first:
iptables -F
Open the ports:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Open ICMP:
iptables -I INPUT -p icmp -j ACCEPT
Reject all other ports:
iptables -A INPUT -j REJECT
View the rules:
iptables -L -n
Operation result:
Key points of iptables rule definition
Note the following points about the operations above:
1. Be sure to allow access on port 22; otherwise SSH is disconnected the moment iptables -A INPUT -j REJECT takes effect, and the machine can no longer be administered remotely;
2. iptables -A INPUT -j REJECT must be appended to the end of the chain with -A and must not be inserted with -I, so that the reject rule is evaluated last;
3. A continuous range of ports can be specified as start_port:end_port.
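The same "pass" ruleset, written as an added example (not from the article) that emits it in iptables-restore format so the whole INPUT chain is replaced atomically and the SSH/REJECT ordering from key points 1 and 2 is checked before anything is applied. The function names are my own, the port range 10:21 comes from the scenario above, and the loopback and conntrack rules go beyond the article (they keep replies to the server's own outbound connections from being rejected).

```shell
#!/bin/sh
# Added example, not the article's code. Generates the article's default-deny
# INPUT policy as an iptables-restore ruleset. Assumptions: allowed TCP ports
# are 22, 80 and the range 10:21 (from the scenario); the lo and conntrack
# rules are an addition beyond the article.

ALLOWED_TCP="22 80 10:21"   # SSH (22) listed first so it is never forgotten

# Print the ruleset in iptables-restore format.
build_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Beyond the article: keep loopback and replies to our own connections.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ALLOWED_TCP; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo '-A INPUT -p icmp -j ACCEPT'
    # Appended last, exactly like the article's "iptables -A INPUT -j REJECT".
    echo '-A INPUT -j REJECT'
    echo 'COMMIT'
}

# Key points 1 and 2: the port 22 ACCEPT must exist and must precede the
# final REJECT, otherwise applying the set over SSH locks you out.
ssh_allowed_before_reject() {
    rules=$(build_ruleset)
    ssh=$(printf '%s\n' "$rules" | grep -n -- '--dport 22 ' | head -n 1 | cut -d: -f1)
    rej=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT$' | head -n 1 | cut -d: -f1)
    [ -n "$ssh" ] && [ -n "$rej" ] && [ "$ssh" -lt "$rej" ]
}

# Apply the ruleset atomically (needs root); refuses if the check fails.
apply_ruleset() {
    ssh_allowed_before_reject || {
        echo "refusing to apply: port 22 ACCEPT missing or after REJECT" >&2
        return 1
    }
    build_ruleset | iptables-restore
}

# When run directly, only show the generated ruleset; call apply_ruleset to load it.
build_ruleset
```

After loading, iptables -L -n shows the ACCEPT rules followed by the single REJECT, matching the order the article's -I/-A sequence produces.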