Linux Firewall iptables Concise tutorial

Source: Internet
Author: User

A few days ago the Micro-Demon Tribe blog once again came under attack from someone with ulterior motives. Taking the opportunity to recharge, I reviewed the common Linux firewall, iptables. Many of the tutorials online are rather long-winded, so in the interest of concise learning I have cut out the redundant material and kept the essentials. This article covers the following:

Linux Firewall iptables Concise tutorial
1. Installing iptables
2. View existing iptables rules
3. Delete a iptables rule
4. Clear existing iptables rules
5. Create a rule
6. Start at boot
7. Save iptables rules
8. Simple application of iptables against a manual CC attack

1. Installing iptables

Most Linux distributions ship iptables by default; use the listing command in the next section to check whether it is installed.
On CentOS/RedHat run:

yum install iptables

On Debian/Ubuntu run:

apt-get install iptables

2. View existing iptables rules

Adding --line-numbers to the listing command prints a number in front of each rule (optional, but handy for the delete command later); -n skips reverse DNS lookups so the listing does not hang.
iptables -L -n --line-numbers

3. Delete an iptables rule

For example, to delete rule 12 of the INPUT chain (rule numbers come from the previous command):
iptables -D INPUT 12
The numbers shift after every deletion, so list the chain again before deleting another rule.

4. Clear existing iptables rules

iptables -F
iptables -X
iptables -Z

-F flushes all rules, -X deletes every user-defined chain, and -Z zeroes the packet and byte counters. These act on the filter table only; add -t nat (or -t mangle) to clear the others. Flushing does not reset the chain policies: if you have set the INPUT policy to DROP, flushing over SSH locks you out, so run iptables -P INPUT ACCEPT first.

5. Create a rule
a). Opening ports

The final command, iptables -A INPUT -j REJECT, blocks every port not explicitly allowed above it, so make sure the rule for port 22 is in place before it, or the current SSH session is cut off and the next one refused.

The code is as follows:
# allow the machine to talk to itself over loopback
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# allow established or related connections through
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all outbound traffic from this machine
iptables -A OUTPUT -j ACCEPT
# allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# other ports follow the same pattern; adjust the statements above as needed
# reject everything that is not explicitly allowed
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Two things to watch: the first rule matches only the address 127.0.0.1, whereas iptables -A INPUT -i lo -j ACCEPT covers the whole loopback interface; and passive FTP uses random high ports that the two FTP rules do not open, so the ESTABLISHED,RELATED rule only lets those data connections through if the nf_conntrack_ftp (ip_conntrack_ftp on older kernels) helper module is loaded.


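Because rules are appended in order and the catch-all REJECT ends the chain, the one thing worth checking before you close your terminal is that the port-22 ACCEPT really sits above it. The following bash script is an added example, not code from the original article: it reads the INPUT chain in the format iptables -S INPUT prints and reports whether the SSH accept precedes the first catch-all. The function name, the SSH_PORT variable and the two sample rulesets are this example's own constructions.

```bash
#!/bin/bash
# lockout_check.sh - added example for section 5; not code from the article.
# Reads the INPUT chain as `iptables -S INPUT` prints it (rules in evaluation
# order) and reports whether the SSH ACCEPT comes before the first catch-all
# REJECT/DROP, i.e. whether applying this ruleset over SSH would lock you out.
# Assumptions (not from the article): the function name, SSH_PORT and the two
# sample rulesets below are this example's own.

SSH_PORT=${SSH_PORT:-22}

# Constructed sample in `iptables -S INPUT` format, with the article's ordering:
# loopback and ESTABLISHED first, then the service ports, REJECT last.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample of the mistake the article warns about: the catch-all was
# added before the port-22 rule, so rule 3 is never reached.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# lockout_check RULES -> 0 when an ACCEPT for tcp/$SSH_PORT precedes any
# catch-all "-j REJECT"/"-j DROP" in INPUT, 1 otherwise. Rule numbers in the
# messages match `iptables -L INPUT -n --line-numbers` (the -P policy line is
# not counted). Warns if nothing accepts ESTABLISHED traffic, because then the
# current SSH session dies the moment the catch-all rule lands.
lockout_check() {
    local rules=$1 line n=0 ssh=0 catchall=0 established=0
    while IFS= read -r line; do
        case $line in
            "-A INPUT "*) n=$((n + 1)) ;;
            *) continue ;;                       # policy line or other chain
        esac
        case $line in
            *"--dport $SSH_PORT "*"-j ACCEPT"*)
                [ "$ssh" -ne 0 ] || ssh=$n ;;
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
                [ "$catchall" -ne 0 ] || catchall=$n ;;
            *"--state "*ESTABLISHED*"-j ACCEPT"*)
                established=1 ;;
        esac
    done <<<"$rules"
    [ "$established" -eq 1 ] || echo "warning: no ESTABLISHED,RELATED accept rule in INPUT" >&2
    if [ "$ssh" -eq 0 ]; then
        echo "LOCKOUT: no ACCEPT for tcp/$SSH_PORT in INPUT" >&2
        return 1
    fi
    if [ "$catchall" -ne 0 ] && [ "$catchall" -lt "$ssh" ]; then
        echo "LOCKOUT: catch-all at rule $catchall precedes the SSH accept at rule $ssh" >&2
        return 1
    fi
    echo "ok: SSH accept is rule $ssh; first catch-all is rule $catchall (0 = none)"
}

# On a live host:  lockout_check "$(iptables -S INPUT)"
lockout_check "$GOOD_RULES"
lockout_check "$BAD_RULES" || true
```

Run it against the live chain before adding the REJECT rule, and again after, with SSH_PORT set if sshd listens elsewhere; a non-zero exit means fix the order before you log out.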

b). Blocking an IP

iptables -I INPUT -s 123.123.123.123 -j DROP

-I inserts the rule at the top of the chain, so it is matched before the ACCEPT rules from a) and blocks the address on every port. To block a range instead, replace the address with a CIDR network:

To block the whole range 123.0.0.0 to 123.255.255.255, use 123.0.0.0/8
To block 123.123.0.0 to 123.123.255.255, use 123.123.0.0/16
To block 123.123.123.0 to 123.123.123.255, use 123.123.123.0/24

6. Start at boot

Normally the iptables service is enabled at boot as part of the installation, but on some CentOS systems this seems to fail; enable it manually with
chkconfig --level 345 iptables on

7. Save iptables rules

service iptables save

Rules added with iptables live only in the kernel and are gone after a reboot. This command writes the running ruleset to /etc/sysconfig/iptables (CentOS/RHEL 6 and earlier, SysV init), from where the service restores it at boot. Debian/Ubuntu has no iptables service: dump the rules with iptables-save > /etc/iptables.rules and load them at boot with iptables-restore (the iptables-persistent package does this for you).

8. Simple application of iptables against a manual CC attack

A CC attack (Challenge Collapsar) is an HTTP request flood. There are many ways to find the attacking IPs, for example by reading the web server log; that is not covered here.
a). Create a file listing the IPs/IP ranges to block, named ip.txt

# blocked IP
123.4.5.6
# blocked IP range (same notation as above; iptables also accepts 123.4.5.6/24 and masks it to the same network)
123.4.5.0/24

b). Create the script file block_ip.sh

The code is as follows:
#!/bin/sh
# Filename: block_ip.sh
# Purpose: block every IP address/network listed in a text file.
# The text file must have one IP address or network per line.
#################################################################
# Change the following path/filename to match yours
IP_LIST_FILE=/path/to/ip.txt
#################################################################
# Don't change anything below unless you are a smarty pants!
#################################################################
IPTABLES_BIN=/sbin/iptables
# Get the IP addresses/networks from the file, ignoring any line starting with # (comments)
BAD_IP_ADDR_LIST=$(grep -v "^#" "$IP_LIST_FILE")
# Now loop through the list and ban each entry with iptables.
# -I (insert at the top) rather than -A (append): with the ruleset from
# section 5 the INPUT chain ends in "-j REJECT" and OUTPUT starts with
# "-j ACCEPT", so an appended DROP would never be reached.
for i in $BAD_IP_ADDR_LIST
do
    printf 'Blocking %s ... ' "$i"
    $IPTABLES_BIN -I INPUT -s "$i" -j DROP
    $IPTABLES_BIN -I OUTPUT -d "$i" -j DROP
    echo "done."
done
##################################################################
# END of script - nothing to see here - that's all folks!
##################################################################


c). Run the script (as root, since iptables requires it)

sh /path/to/block_ip.sh

d). Check that the rules are in place and correct with the command from section 2, iptables -L -n --line-numbers: the DROP rules should appear at the top of the INPUT and OUTPUT chains, above the ACCEPT rules.
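The script above hands every non-comment line of ip.txt straight to iptables, so a stray hostname, an IPv6 address or a typo either aborts the loop half-way or, worse, silently fails to block. As an added example, not the article's own block_ip.sh, the following bash script reads the same ip.txt format but validates each entry as an IPv4 address or CIDR before anything is executed, refuses the whole list if any line is bad, and inserts the DROP rules at position 1 so they precede the ACCEPT rules from section 5. The function names, the DRY_RUN variable and the sample list are this example's own assumptions.

```bash
#!/bin/bash
# block_ip_checked.sh - added example for section 8; this is not the
# article's own block_ip.sh. It reads the same ip.txt format (one IPv4 address
# or CIDR per line, '#' comments allowed), validates every entry before it is
# handed to iptables, and inserts the DROP rules at the top of the chain.
# Assumptions (not from the article): the function names, the DRY_RUN
# variable and the sample list below are this example's own.

IPTABLES_BIN=${IPTABLES_BIN:-/sbin/iptables}

# valid_ipv4_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/N with octets 0-255
# and N 0-32. Hostnames, IPv6 and stray shell text are rejected, so nothing
# unexpected from the list ever reaches the iptables command line.
valid_ipv4_cidr() {
    local addr=$1 ip prefix o
    case $addr in
        */*) ip=${addr%%/*}; prefix=${addr#*/} ;;
        *)   ip=$addr; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (no glob chars)
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# parse_ip_list FILE -> prints the valid entries one per line. Blank lines,
# '#' comment lines and trailing comments are ignored. Invalid entries are
# reported on stderr and make the function return 1, so the caller can
# refuse to apply a half-checked list (fail closed).
parse_ip_list() {
    local file=$1 line entry bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                 # drop a trailing comment
        entry=${entry//[[:space:]]/}      # drop whitespace
        [ -z "$entry" ] && continue       # blank or comment-only line
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'invalid entry skipped: %s\n' "$line" >&2
            bad=1
        fi
    done <"$file"
    return "$bad"
}

# run CMD... -> prints the command, then executes it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

# block_rules ADDR... -> one DROP rule per direction for each address,
# inserted at position 1 so it precedes every ACCEPT the article's ruleset
# adds (an appended rule would sit behind "-A INPUT -j REJECT" and
# "-A OUTPUT -j ACCEPT" and never match).
block_rules() {
    local ip
    for ip in "$@"; do
        run "$IPTABLES_BIN" -I INPUT 1 -s "$ip" -j DROP
        run "$IPTABLES_BIN" -I OUTPUT 1 -d "$ip" -j DROP
    done
}

# sample_list_file -> writes a constructed ip.txt to a temp file and prints
# its path (sample data for illustration, not a real blocklist).
sample_list_file() {
    local f
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# blocked addresses
123.4.5.6
198.51.100.23        # trailing comments are fine

# blocked ranges (same notation as the article)
203.0.113.0/24
EOF
    printf '%s\n' "$f"
}

# Usage: DRY_RUN=1 ./block_ip_checked.sh /path/to/ip.txt   # print the rules only
#        ./block_ip_checked.sh /path/to/ip.txt             # as root: apply them
main() {
    local list
    list=$(parse_ip_list "$1") || { echo "refusing to run: fix the list first" >&2; return 1; }
    # shellcheck disable=SC2086  # entries are validated; word splitting is intended
    block_rules $list
}
[ $# -eq 0 ] || main "$1"
```

Run it once with DRY_RUN=1 to see the exact iptables commands, then as root without it; if the list contains a bad line nothing is applied, which beats discovering a half-applied blocklist in the middle of an attack.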
