First, install the software
VPS we buy usually come with iptables preinstalled; check the service status to confirm whether it is installed:
service iptables status
If this prints "iptables: unrecognized service", iptables needs to be installed:
yum install iptables        # CentOS
apt-get install iptables    # Debian
Second, configure rules
The following commands use CentOS as the example; please note the difference on other distributions. The iptables configuration file is /etc/sysconfig/iptables. The default rule set can be ignored; clear it with the following commands:
iptables -F
iptables -X
iptables -Z
Next, add our own iptables rules: open the required ports, close dangerous ports, and so on. Here is a simple rule set:
# Allow the local loopback interface (i.e. this machine accessing itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow traffic belonging to established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound access from this machine
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# If there are other ports, the rules are similar; modify the statements above slightly
# Reject any other access that is not explicitly allowed
iptables -A INPUT -j REJECT
# (Note: if port 22 is not added to the allow rules, the SSH connection will be dropped immediately.)
iptables -A FORWARD -j REJECT
If there are other ports you need to open, add them, then save the rules and restart the service:
service iptables save    # save
or /etc/rc.d/init.d/iptables save
service iptables restart    # restart
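Before saving, the lockout warning above can be checked mechanically. The following script is an added example (not part of the original article): it parses the `iptables -S INPUT` listing format and confirms that an ACCEPT for a given TCP port is reached before the catch-all REJECT/DROP. The rule listings below are constructed samples, and the function name `port_reachable` is my own.

```bash
#!/bin/sh
# Check that an ACCEPT for a TCP port is reached before the catch-all
# REJECT/DROP in the INPUT chain, using the `iptables -S INPUT` listing format.

# Constructed sample listing (the rules from this article); not from a live host.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample where the port 22 rule was appended after the catch-all
# REJECT, so it is never reached and SSH would be cut off.
LOCKOUT_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# port_reachable RULES PORT
# Exit 0 if an ACCEPT rule for TCP PORT appears in INPUT before the first
# unconditional REJECT/DROP (a rule with no match options), exit 1 otherwise.
port_reachable() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "-A" && $2 == "INPUT" {
      dport = 0; cond = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport" && $(i + 1) == port) dport = 1
        if ($i == "-j") target = $(i + 1)
        # any match option makes the rule conditional, so it is not the catch-all
        if ($i ~ /^-(p|s|d|m|i|o)$/ || $i ~ /^--(dport|sport|state)$/) cond = 1
      }
      if (dport && target == "ACCEPT") { found = 1; exit }
      if (!cond && (target == "REJECT" || target == "DROP")) exit
    }
    END { exit found ? 0 : 1 }'
}

# Usage against the sample data; on a real host run:
#   port_reachable "$(iptables -S INPUT)" 22 || echo "port 22 not reachable"
port_reachable "$GOOD_RULES" 22    && echo "sample 1: port 22 reachable"
port_reachable "$LOCKOUT_RULES" 22 || echo "sample 2: port 22 blocked by catch-all REJECT"
```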
When writing iptables rules, other rules may also be involved, such as blocking a single IP address:
iptables -A INPUT -s 1.2.3.4 -j DROP
Third, query, modify and delete
iptables -L -n                    # list the rules
iptables -L -n --line-numbers     # list the rules with line numbers, which makes deletion easier
iptables -D INPUT 4               # delete rule number 4 of the INPUT chain
Fourth, start at boot
chkconfig iptables on
Fifth, other rules
The following rules can serve as a reference.
# Enable SYN cookies (lightweight protection against DoS attacks)
sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null
# Set the timeout of established TCP connections to 3,800 seconds (this option can significantly reduce the number of tracked connections)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
# Set the maximum number of tracked connections to 300,000 (depends on memory and iptables version; each connection takes more than 300 bytes)
sysctl -w net.ipv4.ip_conntrack_max=300000 &>/dev/null
# Lightweight protection against SYN floods
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Limit IP fragments to 100 per second, regardless of where they come from
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Rate-limit ICMP packets passing through, to mitigate ICMP-based attacks
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j
# Discard bad TCP packets (new connections that do not start with SYN)
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW not syn:"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
A more detailed Linux iptables configuration tutorial is recommended here: http://www.111cn.net/sys/linux/iptables.htm