Hands-on Linux firewall: iptables settings

Source: Internet
Author: User

Before following this tutorial, make sure you can operate the Linux machine locally. If you are working over SSH and cannot reach the machine directly, add the following cron job first. The worst case is that every port becomes unreachable and you cannot even log in over SSH, but after five minutes the timer stops the firewall for you.

# crontab -u root -e
*/5 * * * * /etc/init.d/iptables stop   # stop the firewall every 5 minutes, so that a mistaken rule cannot lock you out of SSH

Let's talk about a few simple commands:

/etc/init.d/iptables save   # save the firewall rules; unsaved rules are lost when iptables restarts
iptables -L -n              # list the current firewall rules

PS: before adding a rule, use iptables -L -n to view the current rules. If none are shown, your iptables service may not be running; if you add rules in that state and save, the previously saved rules are overwritten. To keep building on the earlier rules, start the iptables service first so that they are loaded, then add to them.

Let's add two rules first.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # allow inbound traffic to port 22
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT   # allow outbound traffic from port 22

After adding these two rules you no longer have to worry about logging in over SSH. For the details of each option, see iptables --help.

Now the key point: the difference between --dport and --sport in iptables:

--dport: destination port

--sport: source port

Two INPUT examples show how dport and sport differ in the INPUT chain.

Example 1:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This input rule can be described like this:

1. This is data entering from outside to the local server.

2. The destination port (dport) of the packet is 22, i.e. it is accessing port 22 on this host.

3. Allow this traffic through.

Example 2:

iptables -A INPUT -p tcp --sport 22 -j ACCEPT

This input rule can be described like this:

1. This is data entering from outside to the local server.

2. The source port (sport) of the packet is 22, i.e. the remote side sent it from its port 22.

3. Allow this traffic through.

Two OUTPUT examples show how dport and sport differ in the OUTPUT chain.

Example 1:

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

This output rule can be described like this:

1. This is data leaving the server for the outside.

2. The destination port (dport) of the outgoing packet is 22.

3. Allow this traffic through.

Example 2:

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

This output rule can be described like this:

1. This is data leaving the server for the outside.

2. The source port (sport) of the packet is 22, i.e. the data is sent from port 22 of this server.

3. Allow this traffic through.

The default policy of INPUT, OUTPUT and FORWARD is ACCEPT:

with no rules added, traffic on every port is allowed through.

iptables -P INPUT DROP   # do not run this until the ACCEPT rule for port 22 has been added

Once you run this command, every incoming packet is dropped except those matched by the rules you added.

In the same vein, there are these commands:

iptables -P OUTPUT DROP
iptables -P FORWARD DROP

INPUT is generally set to DROP, so we then need to add ACCEPT rules for the traffic we want to let in:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # open the ssh port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # open the web service port
iptables -A INPUT -p tcp --dport 21 -j ACCEPT    # open the ftp service port
iptables -A INPUT -p icmp -j ACCEPT              # allow icmp packets, i.e. allow ping
iptables -A INPUT -i lo -p all -j ACCEPT         # allow loopback
# if this host runs other services, open whichever ports they need in the same way

OUTPUT is generally set to ACCEPT, so we then need to add DROP rules for the traffic we want to block:

# close some ports
iptables -A OUTPUT -p tcp --sport 27444 -j DROP
iptables -A OUTPUT -p tcp --sport 27665 -j DROP
iptables -A OUTPUT -p tcp --sport 31337 -j DROP
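The steps above (open the ports you need, only then switch INPUT to DROP, and keep a timer that reopens the firewall if you lock yourself out) can be put into one script. The following is an added example, not code from the original post: it generates the whole ruleset in iptables-restore format so it is applied atomically, refuses to load a ruleset that does not admit the SSH port, and arms a fallback timer like the post's cron job. It assumes the conntrack match is available and uses a constructed default port list (22, 80, 21) that you override via the environment; the SAMPLE_LIVE_RULES text is a constructed stand-in for `iptables -S INPUT` output, there to show the pre-flight check on a host whose current rules do not yet admit SSH.

```shell
#!/bin/sh
# Added example (not from the original post). Build a default-deny INPUT
# ruleset, check it before loading, and arm a fallback timer.
# Assumptions: iptables with the conntrack match; the defaults below are
# constructed and can be overridden from the environment.
set -u

SSH_PORT="${SSH_PORT:-22}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 21}"   # ssh, web, ftp control, as on the page
SAFETY_MINUTES="${SAFETY_MINUTES:-5}"

# Print an iptables-restore(8) ruleset. INPUT and FORWARD default to DROP and
# OUTPUT to ACCEPT, as in the post; loopback, replies to established
# connections, the listed TCP ports and ICMP are admitted on INPUT.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in $OPEN_TCP_PORTS; do
        printf '%s %s %s\n' '-A INPUT -p tcp --dport' "$port" \
            '-m conntrack --ctstate NEW -j ACCEPT'
    done
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Read rules on stdin (iptables-restore format or `iptables -S INPUT` output)
# and succeed only if some INPUT rule accepts TCP traffic to port $1.
rules_allow_tcp_port() {
    grep -q -- "-A INPUT .*-p tcp .*--dport $1 .*-j ACCEPT"
}

# Constructed sample of `iptables -S INPUT` from a host that only opened http.
# Piping it into rules_allow_tcp_port 22 fails, which is exactly the situation
# in which `iptables -P INPUT DROP` must not be run.
SAMPLE_LIVE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Refuse to load a ruleset that would cut off the SSH session applying it.
preflight() {
    if ! build_ruleset | rules_allow_tcp_port "$SSH_PORT"; then
        echo "refusing: ruleset does not admit TCP/$SSH_PORT" >&2
        return 1
    fi
}

# After SAFETY_MINUTES, fall back to ACCEPT and flush INPUT so an operator who
# lost the session can get back in. Kill the reported pid once a fresh SSH
# login has been confirmed to work.
arm_safety_timer() {
    nohup sh -c "sleep $((SAFETY_MINUTES * 60)); iptables -P INPUT ACCEPT; iptables -F INPUT" \
        >/dev/null 2>&1 &
    echo "safety timer pid $!"
}

apply() {
    preflight || return 1
    arm_safety_timer
    build_ruleset | iptables-restore
}

case "${1:-}" in
    show)  build_ruleset ;;
    apply) apply ;;
    *)     : ;;   # no argument: only define the functions, touch nothing
esac
```

Run `sh firewall.sh show` to inspect the generated ruleset and `sh firewall.sh apply` (as root) to load it. Loading through iptables-restore replaces the table in one step, so the window in which INPUT is DROP but the ACCEPT rules are not yet present, which the post warns about, does not occur; the ESTABLISHED,RELATED rule is what lets replies to the server's own outbound connections back in once INPUT defaults to DROP.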
