Linux firewall Settings-dns Server Chapter

Source: Internet
Author: User

Tested and working. If you have just built a DNS server and need to open the firewall for it but do not know how to set it up, you can follow the steps below, or directly use the script I give at the end.

If the server is used as a DNS server, then in the vast majority of cases the firewall can stay enabled while the service is still provided, with settings along these lines:


"1" Step one: Clear the default firewall rules

iptables -F
iptables -X
iptables -Z

• Parameter description:

-F: Flushes (clears) all existing rules

-X: Deletes all user-defined chains (see the note on tables and chains below)

(Extension: tables: the Linux iptables firewall has three tables by default, filter, nat and mangle, and custom ones can exist as well; filter is the default table. Chains: each table is made up of chains, for example filter has the three chains INPUT, OUTPUT and FORWARD.)

-Z: Zeroes the packet and byte counters of all chains

• Reason for this setting:

Of the three chains in filter, the default policy is ACCEPT, which for INPUT is obviously very dangerous. You can view the current settings with the command iptables -L -n, or use iptables-save (which lists the firewall configuration in more detail).


"2" Step two: Set the default policies

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

• Reason for this setting:

DROP discards the packet. As noted in step 1, the INPUT policy is more secure when it is set to DROP.



"3" Step three: Write the rules for the required services


(1) Treat the local loopback interface as trusted

iptables -A INPUT -i lo -j ACCEPT

(2) Rule for SSH remote connections

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

(-A: append a rule; INPUT: to this chain; -p tcp: match the TCP protocol; --dport 22: match destination port 22; -j ACCEPT: the action to take is ACCEPT)

(3) Rules for the DNS service

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

Description

Allows new DNS requests to reach the server, and also lets tools such as nslookup on this machine query DNS information from other servers, since those replies arrive with 53 as the source port number.

(4) Other rules

iptables -A INPUT -p icmp -j ACCEPT

Description

Not strictly required, but it is added so that the server's network connectivity can be checked conveniently.


"4" Step four: Write the rules to the firewall configuration file

/etc/init.d/iptables save

Description

Without saving, the configuration above will be lost after the server restarts.


The complete execution script is as follows:

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
/etc/init.d/iptables save

Save this as a .sh file and execute it with administrator (root) privileges.
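As an added example (not part of the original post), the script below builds the same ruleset as step (3) and the complete script above in iptables-restore format, but admits DNS replies by connection state instead of the two "--sport 53" rules; those source-port rules accept any packet whose sender chose source port 53, on any destination port, so they open a hole through the INPUT DROP policy. It also includes an audit function that flags such rules in an iptables-save dump; the SAMPLE_SAVE text is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example, not from the original post: the article's DNS-server ruleset
# with stateful reply handling, plus an audit for source-port-only accepts.

# Print the filter table: INPUT policy DROP, loopback, SSH, DNS (tcp+udp 53)
# and ICMP accepted, as in the article. Replies to queries this server sends
# (e.g. nslookup to an upstream resolver) come in as ESTABLISHED traffic.
gen_dns_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print each INPUT rule that accepts
# solely because the source port is 53. Any remote host can choose source
# port 53, so such a rule bypasses the DROP policy for every port it reaches.
# Exit status 1 when at least one such rule is found, 0 otherwise.
audit_sport_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*"--sport 53 "*"-j ACCEPT"*)
                case "$line" in
                    *--ctstate*|*--state*) ;;           # stateful: not a blanket hole
                    *) printf 'weak rule: %s\n' "$line"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Constructed sample of what iptables-save prints after the article's script.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT'
```

Apply with `gen_dns_ruleset | iptables-restore` as root from a console rather than over SSH, and check a running box with `iptables-save | audit_sport_rules`.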


Other common commands:

To view a brief summary of the firewall configuration:

iptables -L -n

To view the detailed firewall configuration:

iptables-save


Important note:

Firewall configuration must be done very carefully, especially when configuring remotely: if you accidentally clear the defined rules while the default INPUT policy is set to DROP, there will be no way to connect remotely. Pay particular attention to this.

This article is from the "fragrant fluttering leaves" blog, please make sure to keep this source http://xpleaf.blog.51cto.com/9315560/1707025
