Recently, due to the problem of a centos website server, you have been constantly searching for centos security information. Below is a common iptables rule:
IPT = "/sbin/iptables"
$ Ipt-delete-chain
$ Ipt-flush
$ Ipp-input DROP #1
$ Ipt-p forward drop #1
$ Ipp-output DROP #1
$ Ipt-a INPUT-m state-state RELATED, ESTABLISHED-j ACCEPT #2
$ Ipt-a INPUT-p tcp-m tcp-dport 80-j ACCEPT #3
$ Ipt-a INPUT-p tcp-m tcp-dport 22-j ACCEPT #3
$ Ipt-a INPUT-p tcp-m tcp-dport 21-j ACCEPT #3
$ Ipt-a INPUT-p tcp-m tcp-dport 873-j ACCEPT #3
$ Ipt-a INPUT-I lo-j ACCEPT #4
$ Ipt-a INPUT-p icmp-m icmp-type 8-j ACCEPT #5
$ Ipt-a INPUT-p icmp-m icmp-type 11-j ACCEPT #5
$ Ipt-a OUTPUT-m state-state RELATED, ESTABLISHED-j ACCEPT #6
$ Ipt-a OUTPUT-p udp-m udp-dport 53-j ACCEPT #7
$ Ipt-a OUTPUT-o lo-j ACCEPT #4
$ Ipt-a OUTPUT-p tcp-m tcp-dport 80-j ACCEPT #8
$ Ipt-a OUTPUT-p tcp-m tcp-dport 25-j ACCEPT #9
$ Ipt-a OUTPUT-p icmp-m icmp-type 8-j ACCEPT #10
$ Ipt-a OUTPUT-p icmp-m icmp-type 11-j ACCEPT #10
Service iptables save
Service iptables restart
#1. Set INPUT, FORWARD, and OUTPUT chain to DROP by default, that is, external communication with the server is not allowed.
#2. set to allow data to enter the server when the connection status is RELATED and ESTABLISHED.
#3. Set ports 80, 22, and 21,873 for external clients to connect to the server.
#4. allow internal data to be recycled.
#5. allow external ping to the server.
#6. Data in the RELATED and ESTABLISHED statuses can be sent from the server to the outside.
#7. Allow the server to use external dns for domain name resolution.
#8. Set the server to connect to port 80 of the external server.
#9. Allow the server to send emails.
#10. allow external ping from the server
In this way, all ports except ssh, http, and ftp are disabled. Of course, we may use other ports for management. For example, we often use PureFTPd to manage FTP under lnmp, in this case, you must first edit/etc/proftpd. conf, configure the following content:
PassivePorts 25000 26000 # (port number, which can be selected by yourself)
Then add a line in the above Code:
$ IPT-A INPUT-p tcp-m tcp-dport 25000: 26000-syn-j ACCEPT # The port numbers 25000 and 26000 must be added for you
In addition, some may use VNC, so add another row:
$ IPT-A INPUT-p tcp-m tcp-dport 5901-syn-j ACCEPT #5901 for your vnc Port
After all ports are configured, store the script as iptables. sh, upload it to VPS, and execute sh iptables. sh to automatically configure the firewall.
In this way, I believe you have found a rule. You can open other ports as needed and execute the script again ~