Simple iptables configuration

Source: Internet
Author: User
1. install the software we purchased. generally, iptables is pre-installed. you can check the status of iptables and check whether it is installed. Serviceiptablesstatus if the prompt is iptables: unrecognizedservice, you need to install it. Yuminstalliptables # CentOS system apt-getinstallipta

1. install software

The VPS we purchased is generally pre-installed.IptablesYou can checkIptablesStatus to check whether the installation is successful.

Service iptables status
Install iptables: unrecognized service.
Yum install iptables # CentOS system
Apt-get install iptables # Debian system
II. configure rules
Take CentOS as an example.
The installed iptables configuration file is in /Etc/sysconfig/iptablesWe can ignore the default iptables and use the following command to clear the default rules. Welcome and despise collection!
Iptables? F
Iptables? X
Iptables? Z Welcome, despise collection!
Next, add our own iptalbes rules, open the specified port, and disable dangerous ports ., The following is a simple rule:

# Allow the local loopback interface (that is, running the local machine to access the local machine)

Iptables-a input-s 127.0.0.1-d 127.0.0.1-j ACCEPT

# Allow established or related connections

Iptables-a input-m state? State ESTABLISHED, RELATED-j
ACCEPT

# Allow external access from all hosts

Iptables-a output-j ACCEPT

# Allow access to port 22

Iptables-a input-p tcp? Dport 22-j ACCEPT

# Allow access to port 80

Iptables-a input-p tcp? Dport 80-j ACCEPT

# Allow port 21 and Port 20 of the FTP service

Iptables-a input-p tcp? Dport 21-j ACCEPT

Iptables-a input-p tcp? Dport 20-j ACCEPT

# If there are other ports, the rule is similar. just modify the preceding statement slightly.

# Prohibit access by other unpermitted rules

Iptables-a input-j REJECT
(Note: If port 22 is not added with the permit rules, the SSH link will be directly disconnected .)

Iptables-a forward-j REJECT

If you want to enable the port, add it, save the rule, and restart it.

Service iptables save # save

OR/etc/rc. d/init. d/iptables save

Service iptables restart # restart
Welcome and despise collection!

When writing to iptalbes rules, I will list other rules that may be involved here, such as disabling a single IP address:

-A input-s 1.2.3.4-j DROP
III. query, modify, and delete
Iptables-L? N # Query rules
Iptables-L-n -- line-numbers # display the rule by number to facilitate deletion
Iptables-d input 4 # Delete The fourth rule
4. set startup
Chkconfig iptables on
5. other rules
You can refer to the following rules.

# Enable syncookie (lightweight DOS attack prevention)

Sysctl-w net. ipv4.tcp _ syncookies = 1 &>/dev/null welcome, despise collection!

# Set the default TCP connection dementia duration to 3800 seconds (this option can greatly reduce the number of connections)

Sysctl-wnet. ipv4.netfilter. ip_conntrack_tcp_timeout_established = 3800 &>/dev/null

# The maximum number of connection trees supported by the settings is 30 W (based on the memory and iptables versions, each connection requires more than 300 bytes)

Sysctl-w net. ipv4.ip _ conntrack_max = 300000 &>/dev/null

# Lightweight anti-SYN attack

Iptables-N syn-flood

Iptables-a input-p tcp? Syn-j syn-flood

Iptables-A syn-flood-p tcp-m limit? Limit 3/s? Limit-burst 6-j RETURN

Iptables-A syn-flood-j REJECT

# Control ip fragmentation wherever it comes from, and allow 100 fragments per second

Iptables-a forward-f-m limit? Is limit 100/s? Limit-burst 100-jACCEPT

# Icmp packet control to prevent icmp hacker attacks

Iptables-a forward-p icmp-m limit? Limit 1/s? Limit-burst 10-j ACCEPT welcome to visit, despise collection!

# Discard bad TCP packets

Iptables-a forward-p TCP! ? Syn-m state? State NEW-j LOG? Log-prefix "New not syn :"

Iptables-a forward-p TCP! ? Syn-m state? State NEW-jDROP

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.