Common commands
service iptables [save | start | restart | stop]
iptables -L -n
Simple shell commands
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-port 80 -j ACCEPT
Redirect settings
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth2 -j SNAT --to A.B.C.D
iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -o eth2 -j SNAT --to A.B.C.D
iptables -t nat -A PREROUTING -s 192.168.100.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.168.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
service iptables save
Example (output of iptables-save):
# Generated by iptables-save v1.4.7 on Sun Aug  5 21:15:37 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j DROP
COMMIT
# Completed on Sun Aug  5 21:15:37 2012
# Generated by iptables-save v1.4.7 on Sun Aug  5 21:15:37 2012
*mangle
:PREROUTING ACCEPT [379:49473]
:INPUT ACCEPT [377:49409]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [360:147434]
:POSTROUTING ACCEPT [360:147434]
COMMIT
# Completed on Sun Aug  5 21:15:37 2012
# Generated by iptables-save v1.4.7 on Sun Aug  5 21:15:37 2012
*nat
:PREROUTING ACCEPT [23:1575]
:POSTROUTING ACCEPT [7:508]
:OUTPUT ACCEPT [7:508]
COMMIT
# Completed on Sun Aug  5 21:15:37 2012
The rule "-A INPUT -p icmp -j DROP" drops ICMP so the host does not answer pings, which makes it harder for scanners to detect.
The final rule "-A INPUT -j DROP" is the important one: every port not explicitly accepted above it is closed.
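The saved ruleset above can be generated and loaded in one step. This is an added example, not part of the original notes: it emits the same default-deny INPUT chain in iptables-save format and loads it with iptables-restore, so there is no window where "iptables -P INPUT DROP" is active before the ACCEPT rules exist (running the "Simple shell commands" one by one over SSH has that window). The port list is taken from the dump above; the loopback rule is an assumed addition.

```shell
#!/bin/sh
# Build the default-deny INPUT ruleset from the notes as an iptables-restore
# file. Added example; the port list mirrors the saved dump above.
ALLOWED_TCP_PORTS="22 8080 9000 10000 3306"

# Emit the filter table in iptables-save format on stdout.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to connections this host opened must be accepted first,
    # otherwise the catch-all DROP below also kills the SSH session
    # the script is being run from.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Loopback traffic (assumed addition, not in the original dump).
    echo '-A INPUT -i lo -j ACCEPT'
    for p in $ALLOWED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # No ping replies, as in the dump.
    echo '-A INPUT -p icmp -j DROP'
    # Catch-all: anything not accepted above is dropped.
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Sanity check: number of ACCEPT rules in the generated table.
count_accepts() {
    gen_ruleset | grep -c -- '-j ACCEPT'
}

# Parse the ruleset without loading it; drop --test to apply it for real
# (needs root), then "service iptables save" persists it as in the notes.
check_ruleset() {
    gen_ruleset | iptables-restore --test
}
```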
Reference examples:
Close a port completely, then open it only for some addresses (the second -I lands above the first, so the ACCEPT is checked before the DROP):
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT
If the host does NAT forwarding, the same has to be done in the FORWARD chain for it to take effect:
iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
Only let a MAC address send and receive mail (DNS, SMTP, POP3); everything else from it is dropped:
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT
IPsec NAT policy (forward web, PPTP and IKE/NAT-T traffic from the WAN address to 192.168.100.2):
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2
FTP NAT to 192.168.100.200:
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21
Only allow access to the listed sites:
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP
Open some ports for one address, close everything else:
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP
Multiple ports in one rule:
iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT
Continuous port ranges:
iptables -A Filter -p tcp -m multiport --source-port 80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT
Internet access only at specified times (the times of the first rule are missing from the source):
iptables -A Filter -s 10.10.10.253 -m time --timestart HH:MM --timestop HH:MM --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 08:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
Allow several ports with multiport:
iptables -A Filter -m multiport -p tcp --dport 80 -j ACCEPT
NAT the whole WAN address to one PC:
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1
NAT port 8000 of the WAN address to port 80 of 192.168.100.200, and ports 110 and 25 straight through:
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25
Only allow pinging 202.96.134.133, disable all other services:
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Disable BT:
iptables -A Filter -p tcp --dport 6000:20000 -j DROP
Disable QQ (drop all UDP except DNS, and the listed server networks):
iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP
MAC-based: only mail can be sent and received, everything else is dropped:
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
Disable MSN:
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Only allow pinging 202.96.134.133; no other ICMP:
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.127 -j ACCEPT
iptables -A Filter -p icmp -j DROP
Prohibit a MAC address from accessing the internet:
iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Disable ping from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Disable services of an IP address:
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Only some services are allowed, reject all others (2 rules):
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Disable a port service:
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
Disable a port service for a MAC address:
iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
Prohibit another MAC address from accessing the internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
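Several of the examples above end a chain with "-A Filter -j DROP" and then rely on -I to put later exceptions above it; a rule appended with -A after that catch-all is never evaluated. The following linter is an added example, not part of the original notes: it reads iptables-save text and reports any rule that follows an unconditional DROP or REJECT in the same chain. The sample ruleset is constructed here, using the notes' own chain name Filter.

```shell
#!/bin/sh
# Added example: find rules shadowed by an earlier catch-all DROP/REJECT.
# SAMPLE_RULES is constructed for this example; the last Filter rule was
# appended with -A after "-A Filter -j DROP", so it can never match.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:Filter - [0:0]
-A Filter -p udp --dport 53 -j ACCEPT
-A Filter -p tcp --dport 53 -j ACCEPT
-A Filter -j DROP
-A Filter -p tcp --dport 80 -s 192.168.100.200 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT
-A INPUT -p tcp --dport 9889 -j DROP
COMMIT'

# Read iptables-save text on stdin; print "UNREACHABLE: <rule>" for every
# rule that comes after an unconditional DROP/REJECT in its chain.
find_unreachable() {
    awk '
        /^-A / {
            chain = $2
            if (sealed[chain]) { print "UNREACHABLE: " $0; next }
            # "-A <chain> -j DROP" with no match options matches everything.
            if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
                sealed[chain] = 1
        }'
}

# Number of shadowed rules in the constructed sample (expected: 1).
count_unreachable() {
    printf '%s\n' "$SAMPLE_RULES" | find_unreachable | grep -c UNREACHABLE
}

# On a live host, run: iptables-save | find_unreachable
```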