IPT="/sbin/iptables"
$IPT --flush                  # remove every rule from the built-in chains
$IPT --delete-chain           # remove user-defined chains (they must be empty, hence flush first)
$IPT -P INPUT DROP            #1
$IPT -P FORWARD DROP          #1
$IPT -P OUTPUT DROP           #1
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   #2
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT               #3
$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT               #3
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT               #3
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT              #3
$IPT -A INPUT -i lo -j ACCEPT                                  #4
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT          #5
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT         #5
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  #6
$IPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT              #7
$IPT -A OUTPUT -o lo -j ACCEPT                                 #4
$IPT -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT              #8
$IPT -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT              #9
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT         #10
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT        #10
service iptables save
service iptables restart
Save this as the script iptables.sh and run sh iptables.sh to configure the firewall automatically.
Explanation:
#1. Set the default policy of the INPUT, FORWARD and OUTPUT chains to DROP: any traffic not explicitly accepted by a later rule is discarded, so by default the server neither accepts nor initiates external communication.
#2. Allow packets belonging to connections in the RELATED or ESTABLISHED state to enter the server.
#3. Allow external clients to connect to the server on TCP ports 80, 22, 21 and 873.
#4. Allow traffic on the loopback interface (lo), so local processes can communicate with each other.
#5. Allow external hosts to ping the server (ICMP types 8 and 11).
#6. Allow packets belonging to RELATED or ESTABLISHED connections to leave the server.
#7. Allow the server to query external DNS servers (UDP port 53) for name resolution.
#8. Allow the server to connect to TCP port 80 on external servers.
#9. Allow the server to send email (TCP port 25).
#10. Allow the server to ping external hosts (ICMP types 8 and 11).
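A check a practitioner would want after loading rules like these is confirmation that the running ruleset still matches the intended policy: all three default policies DROP, and inbound and outbound TCP accepts limited to the ports listed above. The following audit script is an added example written for this edit, not code from the original article. It assumes the filter table is given in iptables-save format (as printed by `iptables-save`); the port allowlists are taken from rules #3, #8 and #9 above; both sample dumps are constructed, and port 3306 in the "drifted" sample is an arbitrary illustration of an unexpected opening.

```shell
#!/bin/sh
# Added example (not from the original article): audit an iptables ruleset
# against the policy the script above is meant to enforce.
# Assumptions: input is in iptables-save format, the three built-in chains
# must have policy DROP, and TCP accepts are limited to the lists below
# (taken from the article's rules #3, #8 and #9).

ALLOWED_INPUT_TCP="80 22 21 873"
ALLOWED_OUTPUT_TCP="80 25"

# audit_ruleset: read iptables-save text on stdin, print one finding per line.
# Prints nothing when the ruleset matches the intended policy.
audit_ruleset() {
    awk -v allow_in="$ALLOWED_INPUT_TCP" -v allow_out="$ALLOWED_OUTPUT_TCP" '
    BEGIN {
        n = split(allow_in, a, " ");  for (i = 1; i <= n; i++) ok_in[a[i]] = 1
        n = split(allow_out, b, " "); for (i = 1; i <= n; i++) ok_out[b[i]] = 1
    }
    # Policy lines look like ":INPUT DROP [0:0]"; anything other than DROP
    # means the default-deny stance (rule #1) has been lost.
    /^:(INPUT|FORWARD|OUTPUT) / {
        chain = substr($1, 2)
        if ($2 != "DROP") printf "policy %s is %s, expected DROP\n", chain, $2
        next
    }
    # TCP accept rules look like "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT".
    # A destination port outside the allowlist is an unexpected opening.
    /^-A (INPUT|OUTPUT) / && / -p tcp / && / -j ACCEPT/ {
        chain = $2; port = ""
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        if (port == "") next
        if (chain == "INPUT" && !(port in ok_in))
            printf "INPUT accepts tcp/%s, not in the allowlist\n", port
        if (chain == "OUTPUT" && !(port in ok_out))
            printf "OUTPUT accepts tcp/%s, not in the allowlist\n", port
    }'
}

# finding_count: number of findings for a ruleset passed as a string.
finding_count() {
    printf '%s\n' "$1" | audit_ruleset | awk 'END { print NR }'
}

# Constructed sample: what iptables-save prints after the article's script ran.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# Constructed sample of configuration drift: INPUT policy flipped to ACCEPT
# and an extra inbound port opened (3306 is an arbitrary example value).
DRIFTED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

echo "good ruleset findings: $(finding_count "$GOOD_RULES")"
echo "drifted ruleset findings:"
printf '%s\n' "$DRIFTED_RULES" | audit_ruleset
```

On a live host the same function runs as `iptables-save | audit_ruleset`, which is cheap enough to schedule after every rule change or on a timer. One caveat on the script itself: it sets all three policies to DROP before the RELATED,ESTABLISHED rule exists, so an SSH session used to run it has a brief window in which its packets are dropped; TCP normally recovers through retransmission, but running the script from a console avoids depending on that.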