1. Install the software
The VPS we purchased generally comes with iptables pre-installed. You can check the iptables service status to confirm that it is installed:
service iptables status
If the output is "iptables: unrecognized service", iptables is not installed and you need to install it:
yum install iptables # CentOS system
apt-get install iptables # Debian system
2. Configure rules
Take CentOS as an example.
After installation, the iptables configuration file is /etc/sysconfig/iptables. You can ignore the default rules and clear them with the following commands:
iptables -F
iptables -X
iptables -Z
Next, add our own iptables rules: open the ports we need and block all other ports. The following is a simple rule set:
# Allow the local loopback interface (that is, the local machine accessing itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# For other ports the rule is the same; just change the port number in the statement above.
# Reject everything that is not explicitly permitted by the rules above
iptables -A INPUT -j REJECT
(Note: if the rule permitting port 22 is not added before this one, the SSH connection will be dropped immediately.)
iptables -A FORWARD -j REJECT
To open an additional port, add its rule, save the rules, and restart the service:
service iptables save # save
or /etc/rc.d/init.d/iptables save
service iptables restart # restart
When writing iptables rules, other rules may also be involved; for example, to block a single IP address:
iptables -A INPUT -s 1.2.3.4 -j DROP
Because rules are evaluated in order, this DROP must come before the ACCEPT rules (and before the final REJECT) to take effect; a rule appended after the catch-all REJECT is never reached.
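As an added example (not part of the original post), the following POSIX shell script assembles the rule set above into the iptables-restore format used by /etc/sysconfig/iptables, placing the per-host DROP rules and the port ACCEPT rules before the final REJECT, and checks that the SSH rule precedes the catch-all before the file is loaded. The function names build_ruleset and ruleset_check and the sample inputs are my own.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset (the format of /etc/sysconfig/iptables)
# from a space-separated list of allowed TCP ports and a list of hosts to
# block, in the order the tutorial relies on: loopback, established/related,
# blocked hosts, allowed ports, then the catch-all REJECT last.
# Usage: build_ruleset "22 80 21 20" "1.2.3.4"   (sample values, constructed)
build_ruleset() {
    ports=$1
    blocked=$2
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Blocked hosts go before any ACCEPT so the DROP is actually reached.
    for ip in $blocked; do
        echo "-A INPUT -s $ip -j DROP"
    done
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "-A INPUT -j REJECT"
    echo "-A FORWARD -j REJECT"
    echo "-A OUTPUT -j ACCEPT"
    echo "COMMIT"
}

# Sanity check before loading: the SSH ACCEPT must precede the INPUT catch-all
# REJECT, otherwise loading the rules cuts off the session (the note above).
# Returns 0 when the ruleset is safe to load, 1 otherwise.
ruleset_check() {
    ssh_line=$(printf '%s\n' "$1" | grep -n -- '--dport 22 -j ACCEPT' | head -n 1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$1" | grep -n -- '^-A INPUT -j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$reject_line" ] && [ "$ssh_line" -lt "$reject_line" ]
}

# Typical use (run as root; not executed here):
#   build_ruleset "22 80 21 20" "1.2.3.4" > /tmp/rules.v4
#   ruleset_check "$(cat /tmp/rules.v4)" && iptables-restore < /tmp/rules.v4
```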
3. Query, modify, and delete
iptables -L -n # query the rules
iptables -L -n --line-numbers # show the rules with numbers, which makes deletion easier
iptables -D INPUT 4 # delete the fourth rule
4. Enable at startup
chkconfig iptables on
5. Other rules
You can also refer to the following rules.
# Enable SYN cookies (lightweight protection against SYN-flood DoS)
sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null
# Set the default timeout for established TCP connections to 3800 seconds (this option can greatly reduce the number of tracked connections)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
# Set the maximum number of tracked connections to 300,000 (depends on memory and the iptables version; each connection requires more than 300 bytes)
sysctl -w net.ipv4.ip_conntrack_max=300000 &>/dev/null
# Lightweight anti-SYN-flood chain
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Rate-limit IP fragments from any source to 100 per second
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Rate-limit ICMP packets to mitigate ICMP flood attacks
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Discard bad TCP packets (new connections that do not begin with SYN)
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP