Linux firewall settings - DNS Server
Tested and working. If you have just set up a DNS server and need to enable the firewall but do not know how to configure it, you can refer to the following content or use the script provided below directly.
If the server is used as a DNS server, in most cases the firewall can be enabled while still providing the service normally with the following general settings:
[1] Step 1: Clear default firewall rules
iptables -F
iptables -X
iptables -Z
· Parameter description:
-F: flushes all rules
-X: deletes all user-defined chains
(Extension: the Linux iptables firewall has three default tables, filter, nat and mangle, plus any custom tables. filter is the default table; a chain is an ordered list of rules inside a table. For example, the filter table has three built-in chains: INPUT, OUTPUT and FORWARD.)
-Z: zeroes the packet and byte counters of all chains.
· Reason:
The default policy of the three chains in the filter table is ACCEPT. For INPUT this is obviously dangerous. You can view the current settings with the command iptables -L -n, or list the firewall configuration in more detail with the command iptables-save.
[2] Step 2: Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
· Reason:
DROP discards the packet. As step 1 shows, it is safer to set the INPUT policy to DROP.
[3] Step 3: Create rules for the required services
(1) Trust the local loopback interface
iptables -A INPUT -i lo -j ACCEPT
(2) Create the SSH remote connection rule
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
· Parameter description: -A appends the rule to the INPUT chain; -p tcp matches the TCP protocol; --dport 22 matches destination port 22; -j ACCEPT is the action, which accepts the matching packets.
(3) Create the DNS service rules
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
· Note:
Allows new DNS requests and nslookup queries to reach the server, and also accepts DNS traffic whose source port is 53.
(4) Create other rules
iptables -A INPUT -p icmp -j ACCEPT
· Note:
Not required, but added to make it easier to check the server's network connectivity (for example, with ping).
[4] Step 4: Save the firewall configuration file
/etc/init.d/iptables save
· Note:
Saves the configuration; otherwise it is lost after the server restarts.
The complete execution script is as follows:
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
/etc/init.d/iptables save
Save it as a .sh file and run it as root.
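The same DNS-server ruleset as an added example script (not the article's own script), written the way a practitioner would deploy it: the rules are generated by a function so they can be reviewed before being applied, reply traffic is accepted with a conntrack state rule instead of the article's blanket --sport 53 rules (which accept any inbound packet whose source port is 53), the INPUT policy is switched to DROP only as the last step to avoid the remote lock-out warned about below, and a check function verifies the resulting "iptables -S INPUT" dump. The SSH port (22) and the "iptables -S" output format are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script. It applies the same ruleset but:
#  - generates the rules in a function so they can be reviewed before use,
#  - accepts reply traffic with conntrack instead of the article's blanket
#    "--sport 53" rules (those accept any packet whose source port is 53),
#  - keeps INPUT at ACCEPT while flushing and switches it to DROP last, so a
#    remote admin is not locked out if the script is re-run over SSH.

SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH on port 22, as in the article

# Print the rules, one command per line, in the order they must be applied.
dns_fw_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Verify a ruleset dump (the text printed by "iptables -S INPUT"): print the
# first required rule that is missing and return 1, or return 0 if all exist.
check_ruleset() {
    dump="$1"
    for needle in "-A INPUT -i lo -j ACCEPT" "--dport $SSH_PORT -j ACCEPT" \
                  "--dport 53 -j ACCEPT" "-P INPUT DROP"; do
        case "$dump" in
            *"$needle"*) ;;
            *) printf 'missing: %s\n' "$needle"; return 1 ;;
        esac
    done
    return 0
}

case "${1:-}" in
    print) dns_fw_rules ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
           dns_fw_rules | sh -e
           check_ruleset "$(iptables -S INPUT)" ;;   # then persist as in step 4
esac
```

Run "sh fw-dns.sh print" to review the commands and "sh fw-dns.sh apply" as root to apply and verify them; saving the result is still done as in step 4.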
Other common commands:
View a summary of the firewall configuration
iptables -L -n
View detailed firewall configurations
iptables-save
Important:
Be especially careful when configuring the firewall, particularly when configuring it remotely: if the defined rules are not correct and the default INPUT policy is set to DROP, you will no longer be able to connect remotely.