Linux Firewall (iptables) settings

Source: Internet
Author: User
Tags: domain, server, iptables

You can also edit the iptables configuration file directly: vim /etc/sysconfig/iptables

1. Close all chains (INPUT, FORWARD, OUTPUT) and open only certain ports. The commands are:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Then run iptables -L -n to check that the policies are set; each chain should show DROP.
This setting works, but only temporarily: after a server restart it reverts to the original, unset state.
To keep it, save it with service iptables save.
The firewall rules are actually stored in /etc/sysconfig/iptables.
You can open that file to view them: vi /etc/sysconfig/iptables
2. Open port 22
I will only open port 22 to show how it is done, which takes the following two statements:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Then run iptables -L -n to check that they were added:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22

Now the Linux server has only port 22 open. Test with putty.exe to see whether it can connect.
It connects, which shows there is no problem.

Finally, don't forget to save the firewall settings
with the command: service iptables save
Restart iptables:
service iptables save && service iptables restart
Shut down the firewall:
chkconfig iptables off && service iptables stop


iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Some explanation of these two commands.
The -A parameter appends a rule to a chain, here INPUT.
-p specifies the protocol. We commonly use TCP, but of course there is also UDP, for example DNS on port 53.
When we configure DNS on port 53 later, you will see that it uses the UDP protocol.

--dport is the destination port: when data comes from outside into the server, the server's port is the destination port.
Conversely, for data leaving the server, that same port is the source port, --sport.

-j specifies the target: ACCEPT to accept the packet or DROP to discard it.
3. Prohibit access from an IP
Setup: one Linux server and two Windows XP machines that access it.
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8

First, check that both XP machines can access the server.

192.168.1.2 (XP1) can access it,
and 192.168.1.8 (XP2) can also access it normally.

Now I am going to ban access from 192.168.1.2 (XP1) while XP2 keeps normal access.
Here is the demo.

The command is: iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
The idea: -A adds a new rule. Because we access the site over TCP,
we use -p tcp (if it were UDP we would write udp); -s means source,
i.e. the IP the traffic comes from, 192.168.1.2; -j is how we handle it, which here should be DROP.

OK, look at the effect. It was added successfully. Check whether it takes effect.

The page stays in the waiting state and cannot be displayed: access from 192.168.1.2 (XP1) was denied.

Check whether the other XP can still access it: 192.168.1.8 accesses normally.
4. How to delete rules
First we need to know the number of the rule; each rule has a number.

The rules and their numbers can be displayed with iptables -L -n --line-numbers
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
There is one more column, num, so we can see that the rule we want corresponds to number 2.

Then we can delete it:
iptables -D INPUT 2
This deletes rule number 2 from the INPUT chain.

Then run iptables -L -n to check that it has been removed.
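As an added example that is not code from the original article, the following sh script parses a listing in the format above (the sample is constructed) and works out which rule numbers to delete for a given port, highest number first, because deleting a rule renumbers the ones below it; the function names rule_numbers_for_port and delete_commands are my own.

```shell
#!/bin/sh
# Added example, not from the original article: find the rule numbers that match a
# destination port in `iptables -L CHAIN -n --line-numbers` output and emit the
# matching delete commands, highest number first, because deleting a rule
# renumbers every rule below it.

# Constructed sample listing in the format shown above (not from a real host).
SAMPLE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21'

# rule_numbers_for_port LISTING PORT: numbers of rules carrying dpt:PORT, highest first
rule_numbers_for_port() {
    printf '%s\n' "$1" | awk -v want="dpt:$2" '
        $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == want) print $1 }
    ' | sort -rn
}

# delete_commands CHAIN LISTING PORT: one "iptables -D CHAIN N" line per match
delete_commands() {
    for n in $(rule_numbers_for_port "$2" "$3"); do
        printf 'iptables -D %s %s\n' "$1" "$n"
    done
}

# Preview for the sample; on a real host, pipe the result into sh to apply it.
delete_commands INPUT "$SAMPLE" 21
```

On a live host the same function runs against real output: delete_commands INPUT "$(iptables -L INPUT -n --line-numbers)" 21 | sh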
5. Filtering invalid packets
Suppose someone has broken into the server, or there is a virus or trojan; it can send data out through ports like 22 and 80.
That traffic is different from our normal access to ports 22 and 80: the data it sends out is not the response to our request for a web page.

Now we are going to block these packets that are not responses to a request, and drop them all.

iptables provides a state check; below we configure ports 22 and 80 to block invalid packets.

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Compared with what we used before:
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
there is one more state check.

Do the same for port 80, then delete the original two rules.
iptables -L -n --line-numbers shows the rules with their numbers. Once we see the numbers, we can
delete the corresponding rule.

iptables -D OUTPUT 1   Here 1 means the first rule.

When you delete the previous rule, the numbers of the remaining rules change as well. Check them again.

OK, we have removed the previous two rules, and port 22 works normally, which means there is no problem.

Save afterwards, don't forget, otherwise a reboot will revert to the original state.

service iptables save

Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
In fact, the rules just set are written to the /etc/sysconfig/iptables file.
6. DNS port 53 settings
Let's look at how to set up iptables to open the DNS port, which is 53.

In my current situation only ports 22 and 80 are open; let me see whether I can resolve a domain name.

host www.google.com   After entering this command it keeps waiting, which shows that DNS does not get through.

The following prompt appears:
;; connection timed out; no servers could be reached

Pinging the domain name does not work either:
[root@localhost ~]# ping www.google.com
ping: unknown host www.google.com

The reason is that iptables is blocking port 53.

Some servers, especially web servers, become slow, and that is actually DNS-related: they cannot send packets to the DNS server.

The following shows how to use iptables to open DNS port 53. If you do not know the port number of the domain name service, you
can use the command: grep domain /etc/services

[root@localhost ~]# grep domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                        # domaintime
domaintime      9909/udp                        # domaintime

As you can see, DNS generally uses the UDP protocol.

OK, start setting it up...

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When we ping a domain name, the data goes out from this machine, so we set OUTPUT first;
we follow the ping process to set it up.

Then the DNS server receives the packet we sent and sends back a response:
iptables -A INPUT -p udp --sport 53 -j ACCEPT

You also have to set
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

OK, let's test. You can use iptables -L -n to check the settings and make sure everything works.

[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0
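As an added example that is not part of the original article, here is the whole rule set the tutorial builds up (sections 1, 2, 3, 5 and 6) as one sh script, ordered so that the ACCEPT rules exist before the policies switch to DROP, which matters when you run it over SSH. The helper names allow_tcp_service, allow_dns_client, block_client and apply_firewall and the IPT override are my own, not the article's.

```shell
#!/bin/sh
# Added example, not from the original article. IPT can be overridden with
# IPT="echo iptables" to preview the commands instead of applying them.
IPT="${IPT:-iptables}"

# Allow one TCP service (sections 2 and 5). Replies are limited to ESTABLISHED
# packets, so a process on this host cannot start its own connections from the port.
allow_tcp_service() {
    $IPT -A INPUT  -p tcp --dport "$1" -j ACCEPT
    $IPT -A OUTPUT -p tcp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
}

# Let this host query DNS over UDP (section 6). The second pair of rules in the
# article (dport 53 inbound) is only needed if the host runs a DNS server itself.
allow_dns_client() {
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# Ban one client address (section 3). -I puts the DROP at the top of INPUT;
# with -A it would land after the ACCEPT rules, and iptables stops at the first match.
block_client() {
    $IPT -I INPUT -s "$1" -j DROP
}

apply_firewall() {
    # Open the policies before flushing, so a re-run on a host whose policies are
    # already DROP cannot strand the SSH session we are working from.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    allow_tcp_service 22
    allow_tcp_service 80
    allow_dns_client
    # Only now switch to deny-by-default (section 1); the ACCEPT rules are already in place.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Persist across reboots, as the article reminds: service iptables save
}

# Apply only when explicitly asked: sh firewall.sh apply (as root)
case "${1:-}" in
    apply) apply_firewall ;;
esac
```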
