Linux firewall: allowing a specified port through iptables

Source: Internet
Author: User
Tags: iptables


1. Allow a single port through the firewall

vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT    (allow port 80 through the firewall)

/etc/init.d/iptables restart

# finally, restart the firewall so the configuration takes effect

Allow only a specific IP to access a port? The following commands allow only 46.166.150.22 to reach port 80 on this machine; change the IP or port as needed.

iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 46.166.150.22 -p tcp --dport 80 -j ACCEPT

Run the two commands above as root, then restart iptables: service iptables restart

Check whether the rules are in effect:

[root@www.ctohome.com]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  46.166.150.22        anywhere             tcp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The commands above block port 80 for the entire server (every IP address on it). What if you only need to block port 80 on one of the server's IP addresses?

The following commands allow only 174.140.3.190 to reach port 80 on 216.99.1.216:

iptables -A FORWARD -s 174.140.3.190 -d 216.99.1.216 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 216.99.1.216 -p tcp -m tcp --dport 80 -j DROP

(The target of the first line was lost in the source; ACCEPT is the target its description calls for. Because these rules are appended with -A, the ACCEPT has to be added before the DROP.)
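How the two-rule pattern above behaves, as an added example that is not code from the page or its author: a small shell model of one iptables chain with first-match evaluation, using the page's 46.166.150.22 case. It shows why inserting the DROP first and the ACCEPT second with -I gives the right order, and what goes wrong when the same two lines are appended with -A instead. Everything here is a simulation in plain sh (only source address and TCP destination port are modelled); no iptables binary or root privileges are needed.

```shell
#!/bin/sh
# Toy model of one iptables chain: rules are evaluated top to bottom and the
# first match decides. Added example; the real kernel matches many more fields.
set -eu

CHAIN=""   # one rule per line: "<source|any> <dport|any> <target>"

chain_flush() { CHAIN=""; }                       # like: iptables -F INPUT

chain_insert() {                                  # like: iptables -I INPUT ... (goes on top)
    if [ -z "$CHAIN" ]; then
        CHAIN="$1 $2 $3"
    else
        CHAIN="$1 $2 $3
$CHAIN"
    fi
}

chain_append() {                                  # like: iptables -A INPUT ... (goes to the bottom)
    if [ -z "$CHAIN" ]; then
        CHAIN="$1 $2 $3"
    else
        CHAIN="$CHAIN
$1 $2 $3"
    fi
}

# chain_eval SRC DPORT: print the target of the first matching rule; with no
# match the chain policy applies (ACCEPT, as in the page's "iptables -L" listing)
chain_eval() {
    verdict=$(printf '%s\n' "$CHAIN" | while read -r r_src r_dport r_target; do
        [ -n "$r_target" ] || continue
        if { [ "$r_src" = any ] || [ "$r_src" = "$1" ]; } &&
           { [ "$r_dport" = any ] || [ "$r_dport" = "$2" ]; }; then
            echo "$r_target"
            break                                 # first match wins
        fi
    done)
    echo "${verdict:-ACCEPT(policy)}"
}

# The page's sequence: both rules inserted with -I, so the ACCEPT ends up above the DROP
page_order() {
    chain_flush
    chain_insert any 80 DROP                      # iptables -I INPUT -p tcp --dport 80 -j DROP
    chain_insert 46.166.150.22 80 ACCEPT          # iptables -I INPUT -s 46.166.150.22 -p tcp --dport 80 -j ACCEPT
}

# The same two lines with -A: the DROP stays on top and the ACCEPT is never reached
appended_order() {
    chain_flush
    chain_append any 80 DROP
    chain_append 46.166.150.22 80 ACCEPT
}

page_order
echo "with -I: allowed host -> $(chain_eval 46.166.150.22 80), other host -> $(chain_eval 10.0.0.9 80), port 22 -> $(chain_eval 10.0.0.9 22)"
appended_order
echo "with -A: allowed host -> $(chain_eval 46.166.150.22 80)"
```

The same first-match logic applies to the FORWARD pair above, which is appended with -A, so there the ACCEPT must be issued before the DROP. FORWARD only sees traffic the host routes on behalf of other machines; for an address that is local to the server itself, INPUT is the chain to use.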

If you are not comfortable with SSH commands, the same effect can be achieved in the Webmin/Virtualmin panel. Reference: Webmin panel: how to allow specific IPs to access port 80 and block port 80 for everyone else


More iptables reference commands:

1. Back up the iptables rules first

# cp /etc/sysconfig/iptables /var/tmp

Open port 80 for a specified IP range (the LAN)

The following three lines mean:

First close port 80 for everyone.

Open port 80 for the 192.168.1.0/24 segment.

Open port 80 for the 211.123.16.123/24 segment.

# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT

These settings are temporary until saved.

2. Then save the iptables rules

# service iptables save

3. Restart the firewall

# service iptables restart
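The three steps above (back up, restrict the port, save) as one script, added here as an example and not part of the page. IPT selects the iptables binary; with IPT=dry_run the commands are printed rather than executed, which is how the script can be exercised without root. The backup layout, the dry_run helper and the function names are this example's own.

```shell
#!/bin/sh
# Added example: the page's back-up / restrict / save sequence as a script.
# Set IPT=dry_run to print the iptables commands instead of running them.
set -eu
dry_run() { echo "iptables $*"; }
IPT=${IPT:-iptables}

# backup_rules RULES_FILE BACKUP_DIR: copy the saved rule set to a timestamped
# file and print its path, so a bad change can be undone with iptables-restore
backup_rules() {
    mkdir -p "$2"
    dest="$2/iptables.$(date +%Y%m%d-%H%M%S)"
    cp "$1" "$dest"
    echo "$dest"
}

# restrict_port PORT SRC...: drop tcp PORT for everyone, then allow the listed
# sources. Every rule is inserted with -I, so the DROP goes in first and each
# ACCEPT lands above it; issuing the same lines with -A would bury the ACCEPTs
# below the DROP and nothing would get through.
restrict_port() {
    port=$1; shift
    "$IPT" -I INPUT -p tcp --dport "$port" -j DROP
    for src in "$@"; do
        "$IPT" -I INPUT -s "$src" -p tcp --dport "$port" -j ACCEPT
    done
}

# Usage on an RHEL/CentOS-style host (constructed invocation, run as root):
#   backup_rules /etc/sysconfig/iptables /var/tmp
#   restrict_port 80 192.168.1.0/24 211.123.16.123/24
#   service iptables save        # writes /etc/sysconfig/iptables
#   service iptables restart     # reloads the saved file
#
# Dry run, printing the rules this would install:
( IPT=dry_run; restrict_port 80 192.168.1.0/24 211.123.16.123/24 )
```

"service iptables restart" reloads /etc/sysconfig/iptables, so rules inserted at runtime but not yet saved disappear on restart; saving first is what makes step 3 safe. iptables zeroes the host bits of 211.123.16.123/24 and stores that rule as 211.123.16.0/24.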

=============== The following is reproduced ===============

The following first closes the port, then opens it for certain IP addresses

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If you use NAT forwarding, the matching FORWARD rules below are needed as well for this to take effect

iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

Common iptables rules (FILTER and pfwanpriv below are user-defined chain names used by the source; -I and -A take a chain name):
Allow only sending and receiving mail; everything else is blocked
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -j DROP
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -p udp --dport 53 -j ACCEPT    # target missing in the source; ACCEPT per the description
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 110 -j ACCEPT


IPSEC NAT policy
iptables -I pfwanpriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500


NAT for an FTP server
iptables -I pfwanpriv -p tcp --dport 21 -d 192.168.1.22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:21


Only allow access to the specified hosts (iptables resolves each hostname to its addresses when the rule is inserted, so this matches destination IP addresses, not URLs)
iptables -A FILTER -p udp --dport 53 -j ACCEPT
iptables -A FILTER -p tcp --dport 53 -j ACCEPT
iptables -A FILTER -d www.ctohome.com -j ACCEPT
iptables -A FILTER -d www.guowaivps.com -j ACCEPT
iptables -A FILTER -j DROP


Open some ports for one IP; everything else is closed
iptables -A FILTER -p tcp --dport 80 -s 192.168.1.22 -d www.pconline.com.cn -j ACCEPT    # target missing in the source; ACCEPT per the description
iptables -A FILTER -p tcp --dport 25 -s 192.168.1.22 -j ACCEPT
iptables -A FILTER -p tcp --dport 109 -s 192.168.1.22 -j ACCEPT
iptables -A FILTER -p tcp --dport 110 -s 192.168.1.22 -j ACCEPT
iptables -A FILTER -p tcp --dport 53 -j ACCEPT
iptables -A FILTER -p udp --dport 53 -j ACCEPT
iptables -A FILTER -j DROP


Multiple ports
iptables -A FILTER -p tcp -m multiport --dports 22,53,80,110 -s 192.168.20.3 -j REJECT


Port ranges
iptables -A FILTER -p tcp -m multiport --sports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A FILTER -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT


Restrict internet access to specified times
iptables -A FILTER -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A FILTER -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A FILTER -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

Prohibit multiple port services
iptables -A FILTER -p tcp -m multiport --dports 21,23,80 -j ACCEPT


NAT a WAN address to a PC
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1


NAT WAN port 8000 to port 80 on 192.168.100.200
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:80


Forward the mail server's ports
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.1.22:25
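A DNAT rule is only half of a port forward: the translated packet still has to pass the FORWARD chain (that is what the pfwanpriv ACCEPT lines above supply), and IPv4 forwarding has to be enabled in the kernel. The script below is an added example, not code from the page: it emits the DNAT rule together with a FORWARD rule scoped with -m conntrack --ctstate DNAT, so that only packets the NAT table actually rewrote are accepted, which is tighter than the page's plain destination match. The dry_run helper, the function names and the eth0 / 203.0.113.10 values are constructed for this example.

```shell
#!/bin/sh
# Added example: a port forward as DNAT plus its FORWARD counterpart.
# Set IPT=dry_run to print the iptables commands instead of running them.
set -eu
dry_run() { echo "iptables $*"; }
IPT=${IPT:-iptables}

# forward_port WAN_IF WAN_ADDR PROTO EXT_PORT INT_ADDR INT_PORT
forward_port() {
    wan_if=$1; wan_addr=$2; proto=$3; ext_port=$4; int_addr=$5; int_port=$6
    # 1. rewrite the destination of packets arriving on the WAN interface
    "$IPT" -t nat -A PREROUTING -i "$wan_if" -d "$wan_addr" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_addr:$int_port"
    # 2. let only the translated packets through FORWARD; the ctstate DNAT check
    #    keeps this from opening INT_PORT on INT_ADDR to arbitrary routed traffic
    "$IPT" -A FORWARD -i "$wan_if" -d "$int_addr" -p "$proto" --dport "$int_port" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# allow_return_traffic: one rule for the reply direction of all forwarded flows
allow_return_traffic() {
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forwarding_enabled [SYSCTL_FILE]: true if the kernel will route between
# interfaces at all; without this no FORWARD rule is ever consulted
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Dry run with constructed values: WAN port 8000 on eth0/203.0.113.10 to 192.168.1.22:80
(
    IPT=dry_run
    forward_port eth0 203.0.113.10 tcp 8000 192.168.1.22 80
    allow_return_traffic
)
if forwarding_enabled; then echo "ip_forward is on"; else echo "ip_forward is off (sysctl -w net.ipv4.ip_forward=1)"; fi
```

The page's pfwanpriv rule accepts everything addressed to the internal host on that port; the ctstate DNAT match limits the ACCEPT to connections that came in through the forward, and the ESTABLISHED,RELATED rule covers replies once, instead of per forward.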


Allow only pings to 202.96.134.133; all other services are blocked
iptables -A FILTER -p icmp -s 192.168.1.22 -d 202.96.134.133 -j ACCEPT
iptables -A FILTER -j DROP

Block BitTorrent
iptables -A FILTER -p tcp --dport 6000:20000 -j DROP

Block QQ
iptables -A FILTER -p udp ! --dport 53 -j DROP
iptables -A FILTER -d 218.17.209.0/24 -j DROP
iptables -A FILTER -d 218.18.95.0/24 -j DROP
iptables -A FILTER -d 219.133.40.177 -j DROP

Based on MAC address: allow only sending and receiving mail, reject everything else
iptables -I FILTER -m mac --mac-source 00:0a:eb:97:79:a1 -j DROP
iptables -I FILTER -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 25 -j ACCEPT
iptables -I FILTER -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 110 -j ACCEPT

Block MSN
iptables -A FILTER -p udp --dport 9 -j DROP
iptables -A FILTER -p tcp --dport 1863 -j DROP
iptables -A FILTER -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A FILTER -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

Allow pings only to 202.96.134.133; pings to other public IPs are not allowed
iptables -A FILTER -p icmp -s 192.168.1.22 -d 202.96.134.133 -j ACCEPT
iptables -A FILTER -p icmp -j DROP

Block a MAC address from accessing the internet:
iptables -I FILTER -m mac --mac-source 00:20:18:8f:72:f8 -j DROP

Block pings from an IP address:
iptables -A FILTER -p icmp -s 192.168.0.1 -j DROP

Block a service for an IP address:
iptables -A FILTER -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A FILTER -p udp -s 192.168.0.1 --dport 53 -j DROP

Allow only certain services; reject everything else (2 rules)
iptables -A FILTER -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT    # target missing in the source; ACCEPT per the description
iptables -A FILTER -j DROP

Block a port service for an IP address
iptables -A FILTER -p tcp -s 10.10.10.253 --dport 80 -j    # the source repeats this line without a target
iptables -A FILTER -p tcp -s 10.10.10.253 --dport 80 -j DROP

Block a port service for a MAC address

iptables -I FILTER -p tcp -m mac --mac-source 00:20:18:8f:72:f8 --dport <PORT> -j DROP    # <PORT> stands for the port number, which is missing in the source

Block a MAC address from accessing the internet:
iptables -I FILTER -m mac --mac-source 00:11:22:33:44:55 -j DROP


Next excerpt


Start iptables
service iptables start
iptables --list    # view the iptables rule set
This is what iptables looks like when no rules are defined:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

How to open or close a specified port
For example:
Open port 81:
iptables -I INPUT -i eth0 -p tcp --dport 81 -j ACCEPT
iptables -I OUTPUT -o eth0 -p tcp --sport 81 -j ACCEPT
Close port 81:
iptables -I INPUT -i eth0 -p tcp --dport 81 -j DROP
iptables -I OUTPUT -o eth0 -p tcp --sport 81 -j DROP
Then save:
/etc/rc.d/init.d/iptables save

eth0 is the network interface name; run ifconfig to view the interface details, and take care to enter the correct interface name.

You can use the lsof command to see whether a port is open. Taking port 81 as an example:
lsof -i:81
If output appears, the port is open; if nothing is shown, it is not open.
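The lsof check above answers "is a process listening on the port?", which is a different question from "does the firewall let traffic to it through?" (iptables -L -n answers the second). The following script, an added example and not part of the page, performs the first check by reading /proc/net/tcp and /proc/net/tcp6 directly, so it also works on hosts where lsof is not installed. The function names and the sample /proc/net/tcp content are constructed for this example.

```shell
#!/bin/sh
# Added example: find listening TCP ports without lsof by parsing the
# /proc/net/tcp socket table (local port is hex, state 0A means LISTEN).
set -eu

# listening_ports FILE: decimal ports of sockets in state 0A in a
# /proc/net/tcp-style file, sorted and unique
listening_ports() {
    awk 'function hex2dec(h,   i, n) {
             n = 0
             for (i = 1; i <= length(h); i++)
                 n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
             return n
         }
         NR > 1 && $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }' "$1" | sort -un
}

# port_is_listening PORT [FILE...]: exit 0 if PORT is in LISTEN state in any of
# the files (default: the live /proc/net/tcp and /proc/net/tcp6)
port_is_listening() {
    port=$1; shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for f in "$@"; do
        [ -r "$f" ] || continue
        if listening_ports "$f" | grep -qx "$port"; then return 0; fi
    done
    return 1
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# 0x0051 = 81 listening, 0x1F90 = 8080 listening, 0x0050 = 80 only ESTABLISHED (state 01)
SAMPLE_TCP=$(mktemp)
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000002:0050 0A000001:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
EOF

echo "listening ports in sample: $(listening_ports "$SAMPLE_TCP" | tr '\n' ' ')"
if port_is_listening 81 "$SAMPLE_TCP"; then echo "81: listening"; else echo "81: not listening"; fi
# On a real host, omit the file argument: port_is_listening 81
```

Port 80 appears in the sample only as an established connection, so it is correctly not reported as listening; a connected socket on a port does not mean a service is accepting connections there.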
