When run as web servers, Linux systems offer high efficiency and operational stability. On Windows, access from external machines to server ports is restricted through the system firewall; on Linux, iptables is used to allow or restrict access to ports.
The scenario discussed in this article is an LNMP or LNMPA stack (Linux + Nginx + MySQL + PHP, optionally with Apache behind Nginx).
To make the example concrete, I have taken a section of the iptables rules running on one of my existing servers.
Note: the parenthesised comments after the rules are explanations added for this article; they are not part of the file.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # (SSH port)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # (web port)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT # (FTP control port)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:30000 -j ACCEPT # (FTP passive-mode port range)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT # (MySQL port)
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
After modifying the iptables rules file, restart the iptables service so the new rules are loaded (a reboot is not needed):
/etc/init.d/iptables restart
or
service iptables restart
Note: the iptables configuration file is /etc/sysconfig/iptables (CentOS/RHEL layout).
To write the rules currently loaded in the kernel back to that file: service iptables save
Mind the direction of these two commands: restart loads the file into the kernel, save overwrites the file with whatever is loaded. If you edit the file by hand and run save before restart, your edits are overwritten.
To view the currently loaded rules, and therefore which ports are open: iptables -L -n (add -v to see per-rule packet and byte counters).
To start the iptables service automatically at boot:
chkconfig iptables on
Check the service's runlevel settings:
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
The ports opened above are annotated in the comments. One point deserves attention: the FTP port. FTP's default control port 21 must be open, but most FTP clients first try passive (PASV) mode, usually a few times, and fall back to an active-mode port connection only when the passive connection fails.
If only port 21 is open, this is where problems arise. In PASV mode the server picks a free port for each data connection from the passive port range configured in the FTP server; on this server that range is 20000-30000. So that range must also be opened in the firewall:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:30000 -j ACCEPT
Keep the range no larger than the FTP server is actually configured to use, since every port in it is reachable from the outside. An alternative is to load the FTP connection-tracking helper (modprobe nf_conntrack_ftp, or ip_conntrack_ftp on older kernels): it reads the PASV reply on the control channel and marks the data connection as RELATED, so the existing ESTABLISHED,RELATED rule accepts it without opening the range. This only works when the control channel is unencrypted, because the helper cannot read FTPS commands.
The MySQL rule also deserves a second look. On an LNMP host where PHP connects to MySQL over localhost, port 3306 does not need to be reachable from outside at all; if a remote client really needs it, restrict that rule to the client's address with the -s option rather than opening 3306 to everyone.
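As an added example (this is my script, not code from the original article), the following POSIX shell script builds the same ruleset from a few variables, syntax-checks it with iptables-restore --test before loading it, and reverts to the previous rules after 60 seconds unless you confirm, so a mistake made over SSH cannot lock you out. Assumptions not taken from the page: the CentOS/RHEL file layout used above, that MySQL only needs to be reachable from the single address in MYSQL_FROM (left empty here, so 3306 stays closed), the confirmation file /var/run/fw.ok, and an iptables-restore that supports --test.

```shell
#!/bin/sh
# Added example, not from the original article: build the LNMP ruleset from
# variables, check it, and load it with a timed rollback.
# Assumptions (not from the page): CentOS/RHEL layout (/etc/sysconfig/iptables),
# MYSQL_FROM as the only host that may reach 3306, the confirm file path, and
# an iptables-restore that supports --test.

SSH_PORT=22
WEB_PORTS="80"            # add 443 here if the site serves HTTPS
FTP_PORT=21
PASV_RANGE="20000:30000"  # must match the passive range configured in the FTP server
MYSQL_PORT=3306
MYSQL_FROM=""             # e.g. "203.0.113.10"; empty keeps 3306 closed (PHP uses localhost)
RULES_FILE=/etc/sysconfig/iptables
CONFIRM_FILE=/var/run/fw.ok

# tcp_rule PORT [SOURCE]: one INPUT rule accepting new TCP connections
tcp_rule() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp -s $2 --dport $1 -j ACCEPT"
    else
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $1 -j ACCEPT"
    fi
}

# gen_rules: the complete filter table in iptables-save format, on stdout
gen_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    tcp_rule "$SSH_PORT"
    for p in $WEB_PORTS; do tcp_rule "$p"; done
    tcp_rule "$FTP_PORT"
    tcp_rule "$PASV_RANGE"          # passive-mode data connections
    if [ -n "$MYSQL_FROM" ]; then
        tcp_rule "$MYSQL_PORT" "$MYSQL_FROM"
    fi
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# count_open_tcp: how many --dport ACCEPT rules the ruleset contains
count_open_tcp() { gen_rules | grep -c -e '--dport'; }

# port_allowed PORT: exit 0 if PORT is covered by some --dport value or range
port_allowed() {
    gen_rules | awk -v port="$1" '
        /--dport/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") spec = $(i + 1)
            n = split(spec, r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# apply_with_rollback: syntax-check, back up the live rules, load the new ones,
# and restore the backup after 60 s unless CONFIRM_FILE has been created.
apply_with_rollback() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    if ! iptables-restore --test "$tmp"; then
        echo "ruleset rejected by iptables-restore --test, nothing changed" >&2
        rm -f "$tmp"; return 1
    fi
    iptables-save > "$RULES_FILE.bak" || return 1
    rm -f "$CONFIRM_FILE"
    iptables-restore "$tmp" && rm -f "$tmp"
    # ignore HUP so the watchdog survives if the SSH session drops
    (trap '' HUP; sleep 60; [ -e "$CONFIRM_FILE" ] || iptables-restore "$RULES_FILE.bak") &
    echo "new rules loaded; within 60 s run: touch $CONFIRM_FILE && service iptables save"
}

case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_with_rollback ;;
esac
```

Run it as `sh fw.sh show` to print the generated file and `sh fw.sh apply` (as root) to load it; once you have confirmed you can still reach the box, create the confirm file and run `service iptables save` so the rules survive the next restart. The port_allowed helper is a quick offline sanity check that a port (or a port inside the passive range) is actually covered before you touch the live firewall.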