Linux: opening ports that allow external network access
On Linux, the following iptables commands are used to open network ports for external access.
Viewing port status:
1. netstat -ntpl  (lists listening TCP ports together with the owning process)
2. iptables -F  flushes all rules from every chain of the preset table, filter
3. iptables -X  deletes the user-defined chains in the filter table (a chain is only deleted once it is empty)
4. iptables -L -n  lists the current iptables rules numerically (no reverse DNS lookups). Note that after -F the list is empty: nothing protects your remote session except the default policy of each chain.
The same view is given by: /etc/init.d/iptables status
5. /etc/rc.d/init.d/iptables save  writes the rules currently loaded in the kernel to /etc/sysconfig/iptables
6. /etc/rc.d/init.d/iptables restart  reloads the rules from /etc/sysconfig/iptables
7. Default policies: ACCEPT / DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
-P sets the default policy of a chain in the filter table. A packet that traverses the INPUT or FORWARD chain without matching any rule is then treated as DROP (discarded). This is the safe default: we want to control which packets are allowed in and through, and explicit ACCEPT rules are the only way in.
For the OUTPUT chain we do not need to restrict much, so take ACCEPT there (iptables -P OUTPUT ACCEPT): a packet that matches no rule simply passes.
So INPUT and FORWARD work as whitelists (only packets matched by an ACCEPT rule get through), while OUTPUT lets everything out.
This setting is quite reasonable. You can of course set all three chains to DROP, but I don't think it is necessary, and the number of rules you have to write grows, because every service then also needs a matching OUTPUT rule. If you only want a very limited rule set, for example a machine that is nothing but a web server, then setting all three chains to DROP is the recommendation.
Note: if you are logged in over SSH, your session is cut the moment you press Enter on the first command (iptables -P INPUT DROP), because you have not set any rules yet and the packets of your own connection no longer match anything. Add the ACCEPT rules of step 8 (at least port 22, or a rule for ESTABLISHED connections) before changing the policy, or set the policy last.
Repeat steps 5 and 6, then check the result with iptables -L -n.
8. Add rules
e.g. SSH port:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: the OUTPUT rule is only needed if you set OUTPUT to DROP. Many people write just the INPUT rule, can never SSH in from outside, and cannot see why: the server accepts the connection but is not allowed to send its replies.)
Other ports work the same way: if the web server is enabled and OUTPUT is set to DROP, you must also add the OUTPUT rule for that port.
Repeat steps 5 and 6, then check the result with iptables -L -n.
Web
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
MySQL
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT
SVN
iptables -A INPUT -p tcp --dport 3690 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3690 -j ACCEPT
Memcached
iptables -A INPUT -p tcp --dport 11211 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 11211 -j ACCEPT
MongoDB
iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 27017 -j ACCEPT
DNS (so that the server can still resolve hostnames)
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
(Note: the INPUT rule keyed on --sport 53 trusts a source port that any remote sender can choose; a state rule such as -m state --state ESTABLISHED lets DNS replies in without that.)
Ping (ICMP)
iptables -A OUTPUT -p icmp -j ACCEPT (needed if OUTPUT is DROP)
iptables -A INPUT -p icmp -j ACCEPT (needed if INPUT is DROP)
Loopback! (Otherwise local services that talk over 127.0.0.1, such as name resolution, stop working.)
iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)
Open DNS, ping and loopback, otherwise the database cannot be reached by hostname.
Ports opened per environment:
Production server: 80, 22, 3690
Staging (pre-production) server: 80, 22, 3690, 27017
Test server: 80, 22, 3690, 3306, 27017
9. Editing the configuration file directly
vi /etc/sysconfig/iptables
Many people here reach for the /etc/rc.d/init.d/iptables save command, but the moment you do, your edits are gone.
The specific method:
The only way to make changes to /etc/sysconfig/iptables take effect is to run service iptables restart first and call /etc/rc.d/init.d/iptables save only afterwards.
The reason: save does not read the file, it writes the rules currently loaded in the kernel into /etc/sysconfig/iptables. If you call save before restart, the file is overwritten with the rule set that was loaded at the last service start, and your edits are rolled back. This must be kept in mind.
A configuration that worked, kept as a backup:
# Generated by iptables-save v1.4.7 on Sun May 3 10:37:14 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3690 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3690 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 27017 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun May 3 10:37:14 2015
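The whole procedure of steps 7 to 9 (whitelist policies, per-port ACCEPT rules, loopback and state rules, persisting to /etc/sysconfig/iptables) can be done in one shot without the SSH lock-out of step 7 or the save/restart ordering trap of step 9. The script below is an added example and is not from the original post: it generates the ruleset in iptables-restore format and loads it atomically. The function names (build_rules, apply_rules) and the *_PORTS variables are this example's own; the port lists are the ones given above for the production, staging and test servers.

```shell
#!/bin/bash
# Added example, not code from the original post: build the whitelist of
# steps 7 to 9 as one iptables-restore ruleset instead of typing single
# iptables commands. iptables-restore replaces the filter table in one
# transaction, so an SSH session never sits behind INPUT DROP without its
# ACCEPT rules. Function names (build_rules, apply_rules) and the *_PORTS
# lists are this example's own.
set -eu

# Per-environment TCP ports, as listed in the post.
PROD_PORTS="22 80 3690"
STAGING_PORTS="22 80 3690 27017"
TEST_PORTS="22 80 3690 3306 27017"

# build_rules PORT... : print an iptables-restore ruleset for the filter
# table. INPUT and FORWARD default to DROP, OUTPUT to ACCEPT (as in the
# post's saved configuration). Loopback, conntrack state and ping come
# first. Replies to our own DNS queries and pings come back as ESTABLISHED,
# so no '--sport 53' rule is needed; a rule keyed on a remote source port
# would trust a value any sender can choose.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
EOF
    local port
    for port in "$@"; do
        # Refuse anything that is not a port number instead of emitting a
        # rule that iptables-restore would reject half way through the load.
        case "$port" in
            ''|*[!0-9]*) echo "build_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_rules: bad port '$port'" >&2
            return 1
        fi
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo COMMIT
}

# apply_rules PORT... : load the ruleset into the kernel and persist it.
# Must run as root on a host with iptables and CentOS 6 style init scripts.
apply_rules() {
    local tmp
    tmp=$(mktemp)
    build_rules "$@" > "$tmp"
    # One transaction: the old filter table is swapped for the new one whole.
    iptables-restore < "$tmp"
    # /etc/sysconfig/iptables is the file the init script loads at boot.
    # Installing the file we just loaded sidesteps the save/restart ordering
    # problem of step 9: nothing is written back from the kernel at all.
    install -m 0600 "$tmp" /etc/sysconfig/iptables
    rm -f "$tmp"
    iptables -L -n -v
}

# Usage: ./ports.sh            (print the production ruleset for review)
#        ./ports.sh --apply    (load and persist it, as root)
# $PROD_PORTS is left unquoted on purpose so it word-splits into arguments.
if [ "${1:-}" = "--apply" ]; then
    apply_rules $PROD_PORTS
else
    build_rules $PROD_PORTS
fi
```

Review the printed ruleset first; only then run it with --apply over an SSH session. Because the ESTABLISHED,RELATED rule and the port rules arrive together with the DROP policies, the session that applies the rules keeps working, which is exactly what the step-by-step iptables -P approach cannot guarantee. Swap $PROD_PORTS for $STAGING_PORTS or $TEST_PORTS to get the other two environments.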