forward, output, and postrouting chains.
If you do not specify -o, all interfaces on the system can be used as output interfaces.
If ! -o eth0 is given, interfaces other than eth0 are used for output.
If -o eth+ appears, then only interfaces whose names start with eth are used for output.
You can also use the --out-interface parameter.
3. Description of the extended parameters of the rule
After the basic description of the rule, we sometimes want to specify the port, TCP flag, ICMP type, and so on.
--sport
Because there is no /etc/init.d/iptables file in Ubuntu, you cannot use commands such as service to start iptables; you need to use the modprobe command.
Start iptables:
modprobe ip_tables
Close iptables (the close sequence is more involved than the start):
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
modprobe -r ip_tables
Execute the above commands in turn to turn off iptables; otherwise modprobe -r will fail with "FATAL: Module ip_tables is in use".
Linux iptables firewall: forbidding and opening ports
Source: http://hi.baidu.com/zplllm/item/f910cb26b621db57c38d5983
Evaluation:
1. Close all of INPUT, FORWARD and OUTPUT and open only certain ports.
Here is the command implementation:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Then use the command iptables -L -n to check whether it is set up; all three default policies should now show DROP.
Such a setup is only temporary: restarting the server restores the original, unconfigured state, so save it with service iptables save. The firewall rules are actually saved in /etc/sysconfig/iptables.
Note: when the iptables service starts, if you call /etc/rc.d/init.d/iptables save directly before restarting, your /etc/sysconfig/iptables configuration is rolled back to the configuration the service had at its last boot. This must be noted!!!
2. Here are some instructions to use (mainly see man iptables for the relevant information):
-A: specify the chain name
-p: specify the protocol type
-d: specify the destination address
--dport: specify the destination port
--sport: specify the source port
-j: specify an action
and then add rules on the basis of the previous ones.
Add two rules first:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # add an INPUT rule that opens port 22
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT   # add an OUTPUT rule that opens port 22
After adding the above two rules, you no longer have to worry about logging in over SSH. To learn more about the command, use iptables --help.
Here we will focus on the differences between dport and
iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X
First, flush the three tables and delete the user-defined chains.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
Set the default policy of INPUT and OUTPUT to DROP and FORWARD to ACCEPT.
iptables
OUTPUT -o eth+ -p icmp --icmp-type 0 -j ACCEPT
Enable the ping function on all NICs for easy maintenance and detection.
iptables -A INPUT -i eth0 -s 192.168.100.250 -d 192.168.100.1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.100.250 -s 192.168.100.1 -p tcp --sport 22 -j ACCEPT
Open port 22 to allow remote management. (Many additional conditions are set: the IP address of the management machine must be .250, and the traffic must enter through the eth0 NIC.)
# time netstat -ant | grep EST | wc -l
3100

real    0m12.960s
user    0m0.334s
sys     0m12.561s
# time ss -o state established | wc -l
3204

real    0m0.030s
user    0m0.005s
sys     0m0.026s
The result is obvious: when counting established connections, netstat is soundly beaten by ss. If ss can handle this job, will you still choose netstat? Still hesitating? Refer to the following examples, or go to the help page.
Common ss commands:
ss -l    show all locally open p
# Delete existing rules in iptables
iptables -F
iptables -X
# Discard all packets that do not match the rules of the three chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 --