In any case, iptables needs special care when you set it up. If the server is not next to you, you rush the setup, and you block your own SSH, all that is left is to wait for the boss to scold you, hehe ...
This post is written to stop that from happening. It is very elementary, but for a typical server it is enough:
1. First, the commands and the related configuration file
- Start command: service iptables start
- Restart command: service iptables restart
- Stop command: service iptables stop
- The configuration file is /etc/sysconfig/iptables. How do you edit it?
- vim /etc/sysconfig/iptables
- then change it in the editor. A lot of people at this point think of running /etc/rc.d/init.d/iptables save, but doing that straight away throws the edits you just made into the bin ...
- The correct order is:
- after editing /etc/sysconfig/iptables, run service iptables restart first so the edited file is loaded, and only then run /etc/rc.d/init.d/iptables save.
- The reason: the iptables service reads /etc/sysconfig/iptables when it starts, while `iptables save` writes the rules currently running in the kernel back into that file. If you call /etc/rc.d/init.d/iptables save before restarting,
- /etc/sysconfig/iptables is overwritten with the rules from the last service start and your edits are rolled back. Keep this in mind!!!
2. Some of the options used below (see man iptables for the details)
- -A: append a rule to the named chain
- -p: match the protocol type
- -d: match the destination address
- --dport: match the destination port
- --sport: match the source port
- -j: the action (target) to take when the rule matches
- Note that case matters: uppercase -P sets a chain's default policy and -D deletes a rule; both are used later in this post.
3. If you would rather not edit the file, running the commands directly is no problem either. The steps are as follows:
- For example, the statements that let SSH through (substitute your SSH port for the placeholder <ssh-port>):
- Add an INPUT rule: iptables -A INPUT -p tcp --dport <ssh-port> -j ACCEPT
- Add an OUTPUT rule: iptables -A OUTPUT -p tcp --sport <ssh-port> -j ACCEPT
- Finally, note that you must run /etc/init.d/iptables save so that the two rules are written into the /etc/sysconfig/iptables file mentioned above.
4. Now the steps in order. If the machine is not next to me and I can only ssh in to set up the iptables rules, I have to watch every single step, because one mistake and the SSH connection is gone!
- The first thing to do is to accept our own SSH connection, so that a lockout cannot happen:
- 1. If the SSH port is 22 (using the default port is not recommended; it is best to change the SSH port):
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
- Remember to run /etc/rc.d/init.d/iptables save. It is best to run it again after each of the following steps, so it is not repeated below.
- 2. Open /etc/sysconfig/iptables with vim and confirm the rules have been added, then run service iptables restart.
- 3. The next operation is very dangerous. If you did not do step 1 it will cut off your SSH immediately, so make sure step 1 is done before this step!!!
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
- iptables -P FORWARD DROP
- This sets the default policy so that every connection not matched by one of our own rules is dropped. If SSH is still alive after running it, thank goodness, we are safe; restart iptables and continue with the configuration below!
- 4. I will not go into the rest in detail: which ports the server should open and which it needs to reach out to depends on the specific server. Below is the configuration of my own machine:
- The /etc/sysconfig/iptables file is configured as follows:

```
# Generated by iptables-save v1.4.7 on Fri Mar 2 19:59:43 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [8:496]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# used by ping
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.2.200/32 -d 192.168.2.200/32 -j ACCEPT
# allow SSH to this server itself (the server is the target of external requests, so use --dport)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# port 80 needs no explanation: the server's web access port
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11212 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# port 53 is DNS; both TCP and UDP are configured
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# used by ping
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.2.200/32 -d 192.168.2.200/32 -j ACCEPT
# allow the server to SSH to other machines (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow SSH to this server itself (use --sport for output that originates here)
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
# access port 80 on external websites (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
# if the server needs to reach external websites, OUTPUT also needs port 53 (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# if external mailboxes are accessed, open the mail-related ports (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
# the server's own service ports (use --sport for output that originates here)
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11211 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11212 -j ACCEPT
COMMIT
# Completed on Fri Mar 2 19:59:43 2012
```
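The two things that bite you in the procedure above are the save/restart ordering from step 1 and the "did I really add the SSH rule before switching the policy to DROP" check from step 4. The script below is an added example, not part of the original post: it lints an /etc/sysconfig/iptables-style file for the SSH lockout hazard before loading it, loads it with a timed automatic rollback so a broken ruleset undoes itself if the SSH session dies, and only calls the init script's save once the rules have been verified. It assumes the CentOS 6 style init script path the post uses (/etc/rc.d/init.d/iptables save); the snapshot path /root/iptables.rollback, the function names and the two sample rulesets are our own.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check of an
# /etc/sysconfig/iptables-style ruleset for the SSH lockout hazard the post
# warns about, plus a "safe apply" with a timed rollback for remote sessions.
# Assumptions: CentOS 6 style init script (/etc/rc.d/init.d/iptables save, as
# in the post); the snapshot path /root/iptables.rollback is our own choice.

SSH_PORT="${SSH_PORT:-22}"

# check_ruleset FILE [PORT]
# Returns 0 when the ruleset can be loaded over SSH without locking you out:
#  - if the INPUT policy is DROP, there must be an INPUT ACCEPT for tcp --dport PORT
#  - if the OUTPUT policy is DROP, there must be an OUTPUT ACCEPT for tcp --sport PORT
#    or a RELATED,ESTABLISHED state rule on OUTPUT
check_ruleset() {
    file="$1"
    port="${2:-$SSH_PORT}"
    status=0
    if grep -q '^:INPUT DROP' "$file"; then
        grep -E "^-A INPUT .*-p tcp .*--dport ${port}( |\$).*-j ACCEPT" "$file" >/dev/null || {
            echo "INPUT policy is DROP but nothing accepts tcp dport ${port}" >&2
            status=1
        }
    fi
    if grep -q '^:OUTPUT DROP' "$file"; then
        grep -E "^-A OUTPUT .*(--sport ${port}( |\$).*-j ACCEPT|--state [A-Z,]*ESTABLISHED.*-j ACCEPT)" "$file" >/dev/null || {
            echo "OUTPUT policy is DROP but replies from tcp sport ${port} are not accepted" >&2
            status=1
        }
    fi
    return "$status"
}

# apply_safely FILE [SECONDS]
# Snapshot the running rules, schedule a rollback after SECONDS (default 120),
# then load FILE. If the SSH session survives, run cancel_rollback; if it does
# not, the snapshot is restored automatically and you can log back in.
apply_safely() {
    file="$1"
    delay="${2:-120}"
    check_ruleset "$file" || return 1
    iptables-save > /root/iptables.rollback || return 1
    # nohup so the timer keeps running even if the SSH session is killed
    nohup sh -c "sleep $delay; iptables-restore < /root/iptables.rollback" >/dev/null 2>&1 &
    echo "$!" > /root/iptables.rollback.pid
    iptables-restore < "$file"
}

# cancel_rollback: stop the timer and persist the verified rules in the order
# the post describes (rules loaded first, then save), so save cannot overwrite
# the file with stale rules.
cancel_rollback() {
    kill "$(cat /root/iptables.rollback.pid)" 2>/dev/null
    rm -f /root/iptables.rollback.pid
    /etc/rc.d/init.d/iptables save
}

# write_samples DIR: constructed sample rulesets (not the post's file) so the
# check can be exercised offline. safe.rules keeps SSH reachable; lockout.rules
# sets DROP policies without any SSH rule.
write_samples() {
    dir="$1"
    cat > "$dir/safe.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT
EOF
    cat > "$dir/lockout.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
EOF
}

# Usage as root: sh safe-apply.sh --apply /etc/sysconfig/iptables
if [ "${1:-}" = "--apply" ]; then apply_safely "$2"; fi
```

Run it as root with `--apply` on the edited file; if the prompt is still there two minutes later, call `cancel_rollback` to keep the rules and save them. Note that the post's OUTPUT chain has no RELATED,ESTABLISHED rule, which is why it needs an explicit `--sport 22` ACCEPT; the check accepts either form.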
5. Sometimes you need to delete rules. The simplest way is to edit /etc/sysconfig/iptables, then service iptables restart, and finally /etc/rc.d/init.d/iptables save.
Of course, you can also do it with commands:
- Found on the internet, the way to delete a rule:
- The syntax is: iptables -D chain rulenum [options]
- where chain is the chain name, i.e. INPUT, FORWARD and the like,
- and rulenum is the number of the rule, counting from 1. You can use --line-numbers to list the rules together with their numbers.
- So, for example, to delete a rule from the INPUT chain: iptables -D INPUT 3
- This deletes the 3rd rule.
- There is a second way. The second approach mirrors the -A command, replacing -A with -D. It is useful when the rules in your chain are complex and you do not want to count their positions. In other words, however you defined a rule with an iptables -A ... statement, you delete it with -D in place of -A and the rest of the statement unchanged.
- ======================
- About the --line-numbers option mentioned above, as in the following command:
- iptables -L INPUT --line-numbers lists all the rules of the INPUT chain:
- num  target  prot opt source    destination
- 1    REJECT  tcp  --  anywhere  anywhere     tcp dpt:microsoft-ds reject-with icmp-port-unreachable
- 2    REJECT  tcp  --  anywhere  anywhere     tcp dpt:135 reject-with icmp-port-unreachable
- 3    REJECT  tcp  --  anywhere  anywhere     tcp dpt:netbios-ssn reject-with icmp-port-unreachable
- ...
- ...
- To delete the rule on a given line:
- [root@<hostname> rc.d]# iptables -D INPUT 4
6. Finally, if you want to open a port for a single IP only, configure it as follows:
- For example, if I need to open the MySQL port for just one machine on the intranet:
- iptables -A INPUT -s 192.168.2.6 -p tcp -m tcp --dport 3306 -j ACCEPT
- iptables -A OUTPUT -d 192.168.2.6 -p tcp -m tcp --sport 3306 -j ACCEPT
- (On the OUTPUT chain the packets leave from this server, so the intranet machine is the destination and is matched with -d; a -s match on OUTPUT would never hit.)
7. Completely block an IP:
- # the command to block a single IP
- iptables -I INPUT -s 123.45.6.7 -j DROP
- # block an entire /8, i.e. 123.0.0.1 to 123.255.255.254
- iptables -I INPUT -s 123.0.0.0/8 -j DROP
- # block a /16, i.e. 123.45.0.1 to 123.45.255.254
- iptables -I INPUT -s 123.45.0.0/16 -j DROP
- # block a /24, i.e. 123.45.6.1 to 123.45.6.254
- iptables -I INPUT -s 123.45.6.0/24 -j DROP
- -I is the insert command: it places the rule at the top of the chain (position 1 by default), whereas -A appends it at the end, after the rules already there. Rules are evaluated top to bottom and the first match wins, so a DROP appended below an ACCEPT for the same traffic would never take effect. A blocking rule must therefore be loaded at the beginning of the chain with -I. Afterwards, remember to run /etc/rc.d/init.d/iptables save so the rule survives a restart of the service.
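To make the -I versus -A point concrete without touching a live firewall, here is an added example that is not part of the original post: a small first-match simulator of how a chain is walked. Rules are lines of the form "CHAIN SOURCE DPORT TARGET" with "any" as a wildcard; SOURCE may be an IP or an octet-aligned CIDR (/8, /16, /24), the only forms the post uses. The model, function names and sample packet are our own simplification of iptables chain traversal, not iptables itself.

```shell
#!/bin/sh
# Added example, not from the original post: a tiny first-match simulator that
# shows why a DROP must be inserted with -I (top of chain) rather than appended
# with -A (end of chain). Rule lines are "CHAIN SOURCE DPORT TARGET", with "any"
# as a wildcard; SOURCE may be an IP or an octet-aligned CIDR (/8, /16, /24),
# the only forms the post uses. This is our own simplified model of iptables
# chain traversal, not iptables itself.

# ip_in_net IP NET: NET is an IP or an octet-aligned CIDR; returns 0 if IP is inside NET.
ip_in_net() {
    net="${2%/*}"
    bits="${2#*/}"
    if [ "$bits" = "$2" ]; then bits=32; fi   # a plain IP means /32
    octets=$((bits / 8))
    [ "$octets" -gt 0 ] || return 0           # /0 matches everything
    [ "$(echo "$1" | cut -d. -f1-"$octets")" = "$(echo "$net" | cut -d. -f1-"$octets")" ]
}

# evaluate CHAIN SRC DPORT POLICY  (rules on stdin)
# Prints the target of the first matching rule; if none matches, the chain
# policy, exactly as iptables walks a chain top to bottom.
evaluate() {
    chain="$1"; src="$2"; dport="$3"; policy="$4"
    while read -r r_chain r_src r_dport r_target; do
        [ "$r_chain" = "$chain" ] || continue
        [ "$r_src" = any ] || ip_in_net "$src" "$r_src" || continue
        [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ] || continue
        echo "$r_target"
        return 0
    done
    echo "$policy"
}

# append_rule RULES RULE: what -A does (new rule at the end)
append_rule() { printf '%s\n%s\n' "$1" "$2"; }
# insert_rule RULES RULE: what -I does with no position given (new rule at the top)
insert_rule() { printf '%s\n%s\n' "$2" "$1"; }

# Starting chain: the post's web rule, ACCEPT anything to port 80.
BASE='INPUT any 80 ACCEPT'
# The block rule from section 7 (constructed sample network, as in the post).
BLOCK='INPUT 123.45.0.0/16 any DROP'

# Verdict for a packet from 123.45.6.7 to port 80 after the block rule is
# appended (-A): the ACCEPT is hit first and the DROP is never reached.
verdict_after_append() {
    append_rule "$BASE" "$BLOCK" | evaluate INPUT 123.45.6.7 80 DROP
}
# ... and after it is inserted (-I): the DROP is evaluated first.
verdict_after_insert() {
    insert_rule "$BASE" "$BLOCK" | evaluate INPUT 123.45.6.7 80 DROP
}

echo "after -A: $(verdict_after_append)"   # ACCEPT
echo "after -I: $(verdict_after_insert)"   # DROP
```

The same first-match logic is why the post puts the RELATED,ESTABLISHED rule at the top of INPUT and why `iptables -L INPUT --line-numbers` from section 5 matters: the line number is the evaluation order.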
Linux iptables settings in detail