Linux iptables firewall basic application tutorial
iptables is the standard firewall tool on Linux. This tutorial covers the basics: installing iptables, clearing the existing rules, opening only the ports you need, blocking a single IP address or a whole address range, unblocking it again, deleting rules you have added, and saving the rules so they survive a reboot.
1. Install the iptables firewall
If iptables is not installed, install it first. On CentOS run:
yum install iptables
On Debian/Ubuntu run:
apt-get install iptables

2. Clear the existing iptables rules
iptables -F    # flush all rules from the built-in chains
iptables -X    # delete any (now empty) user-defined chains
iptables -Z    # zero the packet and byte counters
(Note: -F removes the rules but leaves the chain policies untouched. On a host whose INPUT policy has been set to DROP, flushing over SSH cuts the session off, because nothing is left to accept the SSH packets; set the INPUT policy back to ACCEPT before flushing in that case. With the default ACCEPT policies, which this tutorial keeps, flushing is harmless.)

3. Open the specified ports
# Allow the local loopback interface (that is, the local machine talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# (The more usual form matches the interface instead, -i lo, which covers the whole 127.0.0.0/8 range rather than the single address.)
# Allow packets that belong to established or related connections (replies to this host's own outbound traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# (Port 20 is only the active-mode data port. Passive-mode FTP opens data connections on random high ports, which the ESTABLISHED,RELATED rule above accepts only if the nf_conntrack_ftp kernel module is loaded; without it, passive transfers fail.)
# For other ports the rule is the same; just change the port number in the statements above.
# Reject everything that no rule above has permitted
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
(Note: if the permit rule for port 22 has not been added before this point, the SSH session is cut off immediately. Because these rules are appended with -A, their order is the order shown: every ACCEPT must precede the final REJECT.)

4. Block an IP address
# If you only want to block IP addresses, you can skip "3. Open the specified ports".
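The rules of section 3, as a worked example that is not part of the original tutorial: instead of typing the commands one at a time (with a lock-out window if the REJECT goes in before the port 22 ACCEPT), the script below writes the whole ruleset as an iptables-restore file that can be reviewed and then loaded atomically, and it refuses to emit a ruleset that does not include the SSH port. The second function loads a ruleset and reverts to the previous one unless the change is confirmed within a grace period. Assumptions of mine, not from the page: SSH is on port 22 unless SSH_PORT is set, the loopback rule uses the interface match (-i lo) instead of the 127.0.0.1 source/destination match, and the function names and the /run/fw-apply state directory are invented for this example.

```shell
#!/bin/bash
# Added example (not from the original tutorial): build the section-3
# ruleset as one iptables-restore file. iptables-restore replaces the whole
# table atomically, so there is no moment between "flush" and "allow 22" in
# which an SSH session can be cut off, and the file can be reviewed first.
# Assumptions: SSH_PORT defaults to 22; -i lo is used for loopback; helper
# names are made up for this example.

# gen_ruleset PORT...  -> prints an iptables-restore file for the filter table.
# Returns 1 without printing if a port is not numeric or if the SSH port is
# missing, because the final catch-all REJECT would then lock you out.
gen_ruleset() {
    ssh_port="${SSH_PORT:-22}"
    ssh_ok=0
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_ruleset: '$p' is not a port number" >&2; return 1 ;;
        esac
        if [ "$p" -eq "$ssh_port" ]; then ssh_ok=1; fi
    done
    if [ "$ssh_ok" -ne 1 ]; then
        echo "gen_ruleset: port $ssh_port not in the list; refusing to build a ruleset that would drop SSH" >&2
        return 1
    fi
    echo '*filter'
    # Chain policies stay ACCEPT, as in the tutorial; the explicit REJECT
    # rules at the end of INPUT and FORWARD do the blocking.
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Order matters: every ACCEPT above, the catch-all REJECT last.
    echo '-A INPUT -j REJECT'
    echo '-A FORWARD -j REJECT'
    echo 'COMMIT'
}

# apply_with_rollback FILE [SECONDS]  -> load FILE with iptables-restore and
# put the previous rules back automatically unless the operator confirms
# (by creating the marker file) within the grace period. Needs root and a
# real netfilter; this part is not exercised by the checks below.
apply_with_rollback() {
    rules="$1"; grace="${2:-60}"
    state="${FW_STATE_DIR:-/run/fw-apply}"     # root-owned directory, not /tmp
    mkdir -p "$state" || return 1
    iptables-save > "$state/backup" || return 1
    rm -f "$state/confirmed"
    iptables-restore < "$rules" || return 1
    ( sleep "$grace"
      if [ ! -e "$state/confirmed" ]; then iptables-restore < "$state/backup"; fi ) &
    echo "Applied $rules. Run 'touch $state/confirmed' within ${grace}s from a NEW ssh session to keep it."
}

# Typical use (as root):
#   gen_ruleset 22 80 21 20 > /etc/iptables.rules && apply_with_rollback /etc/iptables.rules 60
```

Confirm from a fresh SSH session, not the one you already had open: an existing session stays alive through the ESTABLISHED rule even when new connections to port 22 are rejected, so it proves nothing about the new rules.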
# Block a single IP address:
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block the whole 123.0.0.0/8 range (123.0.0.0 to 123.255.255.255):
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block the 123.45.0.0/16 range (123.45.0.0 to 123.45.255.255):
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block the 123.45.6.0/24 range (123.45.6.0 to 123.45.6.255):
iptables -I INPUT -s 123.45.6.0/24 -j DROP
# (-I inserts the rule at the top of the chain. With -A it would be appended after the ACCEPT rules of section 3 and would never match for the opened ports. To unblock an address again, delete the rule with the same match; see the section on deleting rules below.)

5. View the added iptables rules
iptables -L -n
Useful options:
-v: verbose; shows the packet and byte counters of each rule and the interfaces it applies to.
-x: exact counter values, without the K/M abbreviations that -v uses.
-n: numeric output; IP addresses are not resolved to host names and ports are not resolved to service names (much faster when DNS is slow or unreachable).
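Before inserting one of the DROP rules from section 4, it is worth checking what the CIDR block actually covers, since the ranges are easy to get wrong by hand. The script below is an added example, not part of the original tutorial: cidr_range computes the first and last address of a block, and block_rule / unblock_rule produce the matching insert and delete commands. The function names are invented for this example; the addresses are the ones used in the text.

```shell
#!/bin/bash
# Added example (not from the original tutorial): check what a CIDR block in
# a DROP rule covers before inserting it, and produce the block and unblock
# commands. Function names are made up for this example.

# cidr_range ADDR[/PREFIX]  -> prints "first - last" address of the block.
# A bare address is treated as a /32. Returns 1 on malformed input.
cidr_range() {
    spec="$1"
    ip="${spec%/*}"
    prefix="${spec#*/}"
    if [ "$prefix" = "$spec" ]; then prefix=32; fi      # no "/" given
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$prefix" -gt 32 ]; then return 1; fi
    oifs="$IFS"; IFS=.; set -- $ip; IFS="$oifs"         # split into octets
    if [ "$#" -ne 4 ]; then return 1; fi
    for o in "$@"; do
        # reject empty, non-numeric and leading-zero (octal-looking) octets
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        if [ "$o" -gt 255 ]; then return 1; fi
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Network mask as a 32-bit value (shell arithmetic is 64-bit, hence the AND).
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    first=$(( n & mask ))
    last=$(( first | (~mask & 4294967295) ))
    printf '%d.%d.%d.%d - %d.%d.%d.%d\n' \
        $(( (first >> 24) & 255 )) $(( (first >> 16) & 255 )) $(( (first >> 8) & 255 )) $(( first & 255 )) \
        $(( (last >> 24) & 255 ))  $(( (last >> 16) & 255 ))  $(( (last >> 8) & 255 ))  $(( last & 255 ))
}

# block_rule SPEC  -> the command that inserts the DROP at the top of INPUT
# (so it is matched before the ACCEPT rules that open ports).
block_rule() {
    cidr_range "$1" >/dev/null || return 1
    echo "iptables -I INPUT -s $1 -j DROP"
}

# unblock_rule SPEC  -> deletes that same rule by repeating its match, which
# does not depend on a line number that shifts as other rules are deleted.
unblock_rule() {
    cidr_range "$1" >/dev/null || return 1
    echo "iptables -D INPUT -s $1 -j DROP"
}

# show_block SPEC  -> range plus both commands, for review before running them.
show_block() {
    range=$(cidr_range "$1") || { echo "show_block: bad address or prefix '$1'" >&2; return 1; }
    echo "# $1 covers $range"
    block_rule "$1"
    unblock_rule "$1"
}

# Example: show_block 123.45.0.0/16
```

Running show_block on the /8 from section 4 makes the point: a single /8 DROP covers every address from 123.0.0.0 to 123.255.255.255, sixteen million hosts, which is rarely what a "block this attacker" request means.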
6. Delete an added iptables rule
Display all rules with their line numbers:
iptables -L -n --line-numbers
For example, to delete rule number 8 in the INPUT chain, run:
iptables -D INPUT 8
(The numbers shift after every deletion, so list the chain again before deleting the next rule. A rule can also be deleted by repeating its exact specification after -D instead of giving a number; that is how a block rule from section 4 is removed again.)

7. Starting iptables at boot and saving the rules
On CentOS, iptables is not started automatically after installation. Run:
chkconfig --level 345 iptables on
to add it to the services started in runlevels 3, 4 and 5.
On CentOS the current rules are saved with service iptables save, which writes them to /etc/sysconfig/iptables; the iptables service loads that file again at boot. (On CentOS 7 and later the default firewall is firewalld; the iptables service and the save command come from the iptables-services package.)
On Debian/Ubuntu, iptables does not save its rules by itself either. One way is to save the rules whenever a network interface goes down and load them again before an interface comes up:
Create the file /etc/network/if-post-down.d/iptables with the following content:
#!/bin/bash
iptables-save > /etc/iptables.rules
Run chmod +x /etc/network/if-post-down.d/iptables to make it executable.
Create the file /etc/network/if-pre-up.d/iptables with the following content:
#!/bin/bash
iptables-restore < /etc/iptables.rules
Run chmod +x /etc/network/if-pre-up.d/iptables to make it executable.
(These hooks are run by ifupdown for every interface it manages. Whatever rule set is loaded at the moment an interface goes down is what gets persisted, mistakes included, so check iptables -L -n before a reboot. The saved file shows which ports the host exposes; keep it readable by root only. The iptables-persistent package does the same job with a single netfilter-persistent save.)
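The if-post-down.d hook above saves whatever is loaded, so a broken rule set gets persisted and comes back at the next boot. The following is an added example, not part of the original tutorial, of a safer hook body: check_dump reads an iptables-save dump and rejects it when the INPUT chain has no ACCEPT for the SSH port, has it only after the catch-all REJECT/DROP, or runs a DROP policy without it; save_rules persists the dump only when that check passes. SSH_PORT defaults to 22, the function names are invented, and the sample dumps are constructed for this example rather than captured from a host.

```shell
#!/bin/bash
# Added example (not from the original tutorial): persist the rules only if
# they do not lock SSH out. Assumptions: SSH_PORT defaults to 22; the dumps
# below are constructed samples; function names are made up.

# check_dump < DUMP  -> 0 if SSH stays reachable, 1 otherwise (reason on stderr).
# Only the unconditional catch-all forms used in this tutorial
# ("-A INPUT -j REJECT", "-A INPUT -j DROP", an INPUT DROP policy) are recognised.
check_dump() {
    ssh_port="${SSH_PORT:-22}"
    accept_at=0; reject_at=0; policy_drop=0; n=0
    # iptables-save writes e.g. "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            "-A INPUT "*"--dport $ssh_port "*"-j ACCEPT"*)
                if [ "$accept_at" -eq 0 ]; then accept_at=$n; fi ;;
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
                if [ "$reject_at" -eq 0 ]; then reject_at=$n; fi ;;
            ":INPUT DROP "*)
                policy_drop=1 ;;
        esac
    done
    if [ "$accept_at" -eq 0 ] && { [ "$reject_at" -ne 0 ] || [ "$policy_drop" -eq 1 ]; }; then
        echo "check_dump: no ACCEPT for tcp port $ssh_port in INPUT" >&2; return 1
    fi
    if [ "$reject_at" -ne 0 ] && [ "$accept_at" -gt "$reject_at" ]; then
        echo "check_dump: ACCEPT for port $ssh_port (line $accept_at) comes after the catch-all on line $reject_at" >&2
        return 1
    fi
    return 0
}

# save_rules [FILE]  -> body for the if-post-down.d script: write the dump to
# a temporary file and keep it only if check_dump accepts it. Needs root and a
# real netfilter; not exercised by the checks below.
save_rules() {
    target="${1:-/etc/iptables.rules}"
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if iptables-save > "$tmp" && check_dump < "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$target"
    else
        echo "save_rules: keeping the previous $target" >&2
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample dumps in iptables-save format (not captured from a host).
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Same host, but the port 22 ACCEPT was added after the catch-all REJECT.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# DROP policy on INPUT with no SSH ACCEPT at all: locks out at next boot.
LOCKED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

check_good_sample()   { printf '%s\n' "$GOOD_DUMP"   | check_dump; }
check_bad_sample()    { printf '%s\n' "$BAD_DUMP"    | check_dump; }
check_locked_sample() { printf '%s\n' "$LOCKED_DUMP" | check_dump; }
```

The check is deliberately narrow: it only knows the catch-all forms this tutorial produces, so a ruleset that rejects SSH through some other rule (a source-address DROP inserted with -I, say) still passes. Treat it as a guard against the common mistake, not as a substitute for reviewing the saved file.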
For more options, run iptables --help or read the iptables man page.