Iptables usage and instances in centos

View ip connection count:

Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n

1. Install iptables firewall

If iptables is not installed, install it first, and run CentOS:

Yum install iptables

Run Debian/Ubuntu:

Apt-get install iptables

2. Clear existing iptables rules

Iptables-F
Iptables-X
Iptables-Z

3. Open the specified port

# Allow the local loopback interface (that is, running the local machine to access the local machine)
Iptables-a input-s 127.0.0.1-d 127.0.0.1-j ACCEPT
# Allow established or related connections
Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
# Allow external access from all hosts
Iptables-a output-j ACCEPT
# Allow access to port 22
Iptables-a input-p tcp -- dport 22-j ACCEPT
# Allow access to port 80
Iptables-a input-p tcp -- dport 80-j ACCEPT
# Allow port 21 and Port 20 of the FTP service
Iptables-a input-p tcp -- dport 21-j ACCEPT
Iptables-a input-p tcp -- dport 20-j ACCEPT
# If there are other ports, the rule is similar. Just modify the preceding statement slightly.
# Prohibit access by other unpermitted rules
Iptables-a input-j REJECT (note: If port 22 is not added with the permit rule, the SSH link will be disconnected directly .)
Iptables-a forward-j REJECT

4. Shielding IP addresses

# The command to shield a single IP address is
Iptables-I INPUT-s 123.45.6.7-j DROP
# The Command for sealing the entire segment from 123.0.0.1 to 123.20.255.254
Iptables-I INPUT-s 123.0.0.0/8-j DROP
# An IP address segment is a command from 123.45.0.1 to 123.45.255.254.
Iptables-I INPUT-s 124.45.0.0/16-j DROP
# The Command from 123.45.6.1 to 123.45.6.254 is
Iptables-I INPUT-s 123.45.6.0/24-j DROP
4. View the added iptables rules
Iptables-L-n
V: displays details, including the number of matching packages and the number of matching bytes for each rule.
X: disable automatic unit conversion (K, M) based on v)
N: only the ip address and port number are displayed, and the ip address is not resolved as a domain name.

5. Delete the added iptables rule

Display all iptables with serial numbers. Run the following command:

Iptables-L-n -- line-numbers
For example, to delete the rule with serial number 8 in INPUT, execute:

Iptables-d input 8

6. Start iptables and save the rules

After iptables is installed on CentOS, iptables does not start automatically after it is started. You can execute the following command:

Chkconfig -- level 345 iptables on
Add it to startup.

On CentOS, you can run the: service iptables save rule.

In addition, iptables on Debian/Ubuntu does not save rules.

To disable the NIC, follow these steps: save iptables rules and load iptables rules at startup:

Create the/etc/network/if-post-down.d/iptables file and add the following:

#! /Bin/bash
Iptables-save>/etc/iptables. rules
Run: chmod + x/etc/network/if-post-down.d/iptables to add execution permissions.

Create the/etc/network/if-pre-up.d/iptables file and add the following:

#! /Bin/bash
Iptables-restore </etc/iptables. rules
Run: chmod + x/etc/network/if-pre-up.d/iptables to add execution permissions.

Save and save. Write to the/etc/sysconfig/iptables file

Iptables-save>/etc/sysconfig/iptables

/Etc/rc. d/init. d/iptables save

Service iptables save

 

Iptables-L-n

Iptables-t nat-L: displays the settings in the nat table.

 

Iptables-F: clear rules of all rule chains in the filter of the preset table

 

Iptables-X clear the rules in the user-defined chain in the filter of the preset table

 

-D. Delete a rule in the chain:

Iptables-L

Iptables-d input 3 deletes the 3rd rules on the INPUT chain.

 

Insert rule iptables-I into the first row to become the first rule

 

Iptables-save>/etc/sysconfig/iptables

 

Set chain rules

Iptables-p INPUT DROP

 

Iptables-p OUTPUT ACCEPT

 

Iptables-p FORWARD DROP