Iptables in CentOS: scenario practice

Source: Internet
Author: User

This article demonstrates how to use iptables.

Firewall setting policy

Firewall configuration policies are generally divided into two types, "pass" and "block":

Under the "pass" policy, no packet is allowed through by default, and rules are written only for the packets that should be accepted (an allow-list).

Under the "block" policy, every packet is allowed through by default, and rules are written only for the packets that should be rejected (a deny-list).

Server firewalls generally use the first policy, which is the more secure of the two; the scenario in this article also uses the "pass" policy.

Scenario Definition

Assume the rules to be implemented in this article are defined by the following scenario:

1. open TCP ports 80 and 22 and the port range 10-21 of the local machine to all addresses;

2. allow ICMP packets from all addresses;

3. deny access to every other port.

Iptables rule implementation

To implement the scenario defined above, run the following commands:

Clear all existing rules first:

iptables -F

Open the ports:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Open ICMP:

iptables -I INPUT -p icmp -j ACCEPT

Reject everything else:

iptables -A INPUT -j REJECT

View the rules:

iptables -L -n

Operation result: the listing printed by iptables -L -n (screenshot not reproduced).

Key points of iptables rule definition

Note the following points about the operations above:

1. Be sure to allow port 22 before adding the final REJECT rule; otherwise the SSH session is cut off the moment iptables -A INPUT -j REJECT is executed and the machine can no longer be administered remotely. Note also that these rules accept nothing on the loopback interface and no reply traffic for connections the server itself opens (there is no ESTABLISHED,RELATED rule), so local services and outbound traffic such as DNS lookups and package updates will be rejected unless rules for them are added above the REJECT;

2. iptables -A INPUT -j REJECT must be appended to the end of the chain with -A and must not be inserted with -I: -I puts the rule at the top of the chain, where it would match every packet before any of the ACCEPT rules, so the REJECT only works as a catch-all when it is the last rule;

3. a continuous range of ports is written as start:end, so the scenario's ports 10-21 are opened with --dport 10:21 rather than one rule per port.
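The complete ruleset for the scenario, covering both the command sequence above and the three key points, written as an added example (this is not code from the article): a shell script builds the rules as an iptables-restore file so they can be checked before they are applied, instead of being typed one by one over the SSH session. The port-range rule for 10-21, the loopback rule and the ESTABLISHED,RELATED rule go beyond the article's commands, and the function names (valid_port_spec, build_ruleset, check_ruleset, apply_ruleset) are this example's own.

```shell
#!/bin/sh
# Added example: build the scenario's default-deny INPUT ruleset as an
# iptables-restore file, check it, and apply it in one step.
# Function names and the lo / ESTABLISHED,RELATED rules are this example's
# own additions, not commands from the article.

# Accept a single port or a start:end range, both within 1-65535, start <= end.
valid_port_spec() {
    spec="$1"
    case "$spec" in
        *:*:*) return 1 ;;                        # more than one colon
        *:*)   start="${spec%%:*}"; end="${spec##*:}" ;;
        *)     start="$spec"; end="$spec" ;;
    esac
    for n in "$start" "$end"; do
        case "$n" in ""|*[!0-9]*) return 1 ;; esac   # empty or non-numeric
    done
    if [ "$start" -ge 1 ] && [ "$end" -le 65535 ] && [ "$start" -le "$end" ]; then
        return 0
    fi
    return 1
}

# Print the ruleset in iptables-restore format. Arguments are the TCP port
# specs to open; ACCEPT rules come first and the catch-all REJECT is last,
# which is the ordering the article relies on.
build_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Without these two rules, local services and replies to the server's own
    # outbound connections (DNS, yum) would hit the REJECT below.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for spec in "$@"; do
        if ! valid_port_spec "$spec"; then
            echo "build_ruleset: invalid port spec '$spec'" >&2
            return 1
        fi
        echo "-A INPUT -p tcp --dport $spec -j ACCEPT"
    done
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -j REJECT'
    echo 'COMMIT'
}

# Refuse a ruleset that would lock out SSH: port 22 must be accepted and the
# REJECT must be the last INPUT rule.
check_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    last=$(printf '%s\n' "$rules" | grep -- '^-A INPUT' | tail -n 1)
    [ "$last" = '-A INPUT -j REJECT' ]
}

# Apply with iptables-restore (root only): the whole filter table is replaced
# in one step instead of being built command by command over the SSH session.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    check_ruleset "$@" || { echo "apply_ruleset: ruleset failed check, not applied" >&2; return 1; }
    build_ruleset "$@" | iptables-restore
}

# Usage: build_ruleset 22 80 10:21   (print the file for review)
#        apply_ruleset 22 80 10:21   (as root)
```

build_ruleset 22 80 10:21 prints the file for review; apply_ruleset runs check_ruleset first and then iptables-restore, which replaces the filter table atomically, so a typo in the middle of the sequence cannot leave the chain half built with the REJECT already in place. Whichever way the rules are loaded, they live only in kernel memory until saved: on CentOS the iptables service writes them to /etc/sysconfig/iptables with service iptables save (on CentOS 7 this requires the iptables-services package in place of firewalld), and iptables -F clears the rules but never changes a chain's default policy.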
