Summary of the basic settings of the iptables firewall

1. Install the iptables firewall

If iptables is not installed yet, install it first.

CentOS:

    yum install iptables

Debian/Ubuntu:

    apt-get install iptables

2. Clear the existing iptables rules

    iptables -F
    iptables -X
    iptables -Z

3. Open the specified ports

    # Allow the local loopback interface (i.e. the machine accessing itself)
    iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # Allow established or related connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow all outbound access from this machine
    iptables -A OUTPUT -j ACCEPT
    # Allow access to port 22 (SSH)
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Allow access to port 80 (web)
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # Allow the FTP service on ports 21 and 20
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT
    # For other ports the rules are similar: change the port number in the statements above.

Finally, forbid everything that is not explicitly allowed. (Note: if port 22 is not among the allowed rules, the SSH connection will be cut off immediately.)

1). Using DROP:

    iptables -A INPUT -p tcp -j DROP

2). Using REJECT:

    iptables -A INPUT -j REJECT
    iptables -A FORWARD -j REJECT

4. Block IP addresses

If you only want to block IP addresses, section 3 ("Open the specified ports") can be skipped.

    # Block a single IP
    iptables -I INPUT -s 123.45.6.7 -j DROP
    # Block the whole range 123.0.0.1 to 123.255.255.254
    iptables -I INPUT -s 123.0.0.0/8 -j DROP
    # Block the range 123.45.0.1 to 123.45.255.254
    iptables -I INPUT -s 123.45.0.0/16 -j DROP
    # Block the range 123.45.6.1 to 123.45.6.254
    iptables -I INPUT -s 123.45.6.0/24 -j DROP

5. View the added iptables rules

    iptables -L -n

Options:

-v: verbose output, including the number of packets and bytes matched by each rule
-x: together with -v, disable the automatic unit conversion (K, M) and show exact counter values
-n: show IP addresses and port numbers numerically, without resolving IPs to domain names

6. Delete an added iptables rule

Display all rules with their line numbers:

    iptables -L -n --line-numbers

For example, to delete rule number 8 in the INPUT chain:

    iptables -D INPUT 8

7. Starting iptables at boot and saving the rules

On CentOS, iptables may not start at boot after installation. To add it to the boot sequence, run:

    chkconfig --level 345 iptables on

On CentOS the rules are saved with:

    service iptables save

On Debian/Ubuntu, iptables does not save the rules by itself. Follow the steps below so that the rules are saved when the network interface goes down and loaded again when it comes up. If the current user is not root, you will be told that you lack permission and the rules cannot be saved, even with sudo, so these commands must be run as root. You can use sudo -i to become root quickly; once you are done, switch back to your normal account promptly with su username.

So that the rules are loaded automatically when the server restarts, create the following file:

    sudo vim /etc/network/if-pre-up.d/iptables

with this content (the hook runs before the interface comes up, so it must restore the saved rules, not overwrite the saved file with the empty boot-time ruleset; the file is written with iptables-save in step 4 below):

    #!/bin/bash
    iptables-restore < /etc/iptables.rules

Add execute permission:

    chmod +x /etc/network/if-pre-up.d/iptables

Attached: the basic rules

    *filter
    :INPUT ACCEPT [106:85568]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [188:168166]
    :RH-Firewall-1-INPUT - [0:0]
    # Allow the local loopback interface (i.e. the machine accessing itself)
    -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # Allow established or related connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow all outbound access from this machine
    -A OUTPUT -j ACCEPT
    # Allow PPTP dial-in through the firewall
    -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
    # Allow only a specific host to access the rsync data synchronisation service
    -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 873 -j ACCEPT
    # Allow only a specific host to access the WDCP management system
    -A INPUT -s 6.6.6.6/32 -p tcp -m tcp --dport 8080 -j ACCEPT
    # Allow access to SSH
    -A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
    # Allow access to FTP
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    # Allow access to the web service
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # Forbid all connections not allowed above
    -A INPUT -p tcp -j DROP
    # Note: if port 22 (the SSH port) is not allowed by a rule above this line, the SSH connection is cut off immediately.
    #-A INPUT -j REJECT
    #-A FORWARD -j REJECT
    COMMIT

The rules above can be loaded directly as follows:

1. Copy the rules above into a file and save it:

    sudo vim /etc/iptables.test.rules

2. Load the rules so that they take effect. Note that iptables does not need to be restarted; the rules are active as soon as they are loaded:

    sudo iptables-restore < /etc/iptables.test.rules

3. Check the current configuration; all settings should now be in effect:

    sudo iptables -L -n

4. Save the active configuration so that it is loaded automatically when the system restarts (iptables provides a function to save the currently running rules):

    iptables-save > /etc/iptables.rules
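The first-match walk through the INPUT chain that sections 3 and 4 and the attached rules file depend on, as an added example that is not part of this article: a small Python dry-run evaluator for a filter-table ruleset in iptables-save format (it also accepts the plain `iptables -A`/`-I` command lines from sections 3 and 4). It lets you check a ruleset for the lockout the article warns about (no ACCEPT for the SSH port before the final DROP) without touching the live firewall. The ruleset, the client and server addresses 203.0.113.10 and 198.51.100.1, and the function names are constructed for the example; only the match options the article uses (-s, -d, -p, --dport, --state, -j and the chain policy line) are understood, and anything else is rejected rather than silently ignored.

```python
"""Dry-run evaluator for an iptables filter ruleset (added example, not
part of the original article). Parses iptables-save format or plain
"iptables -A/-I ..." lines and walks a chain with first-match semantics."""
import ipaddress
import shlex

# Constructed ruleset in iptables-save format; comment lines are ignored,
# as iptables-restore ignores them too.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT
"""


def parse_rules(text):
    """Return (policies, chains): the policy per chain and, per chain, the
    rules in evaluation order. -A appends, -I inserts at the head, exactly
    as the iptables commands in the article do."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = None if policy == "-" else policy
            continue
        argv = shlex.split(line)
        if argv and argv[0] == "iptables":
            argv = argv[1:]
        rule = {"src": None, "dst": None, "proto": None, "dport": None, "states": None}
        insert = False
        for i in range(0, len(argv), 2):
            if i + 1 >= len(argv):
                raise ValueError(f"option without value in: {line}")
            opt, val = argv[i], argv[i + 1]
            if opt in ("-A", "-I"):
                rule["chain"], insert = val, opt == "-I"
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            elif opt != "-m":  # "-m tcp" / "-m state" only load a match module
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        lst = chains.setdefault(rule["chain"], [])
        lst.insert(0, rule) if insert else lst.append(rule)
    return policies, chains


def matches(rule, pkt):
    """True if every match the rule specifies fits the packet."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return ((rule["src"] is None or src in rule["src"])
            and (rule["dst"] is None or dst in rule["dst"])
            and (rule["proto"] is None or rule["proto"] == pkt.get("proto"))
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport"))
            and (rule["states"] is None or pkt.get("state") in rule["states"]))


def verdict(text, chain, pkt):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (target, 1-based rule number), or (policy, None) when no rule
    matched and the chain policy applies."""
    policies, chains = parse_rules(text)
    for number, rule in enumerate(chains.get(chain, []), start=1):
        if matches(rule, pkt):
            return rule["target"], number
    return policies.get(chain), None


def ssh_lockout(text, ssh_port, client="203.0.113.10", server="198.51.100.1"):
    """True if a NEW SSH connection from an arbitrary client would not be
    accepted: the failure mode the article warns about when the final DROP
    is added without an ACCEPT for the SSH port above it."""
    pkt = {"src": client, "dst": server, "proto": "tcp", "dport": ssh_port, "state": "NEW"}
    return verdict(text, "INPUT", pkt)[0] != "ACCEPT"


if __name__ == "__main__":
    new_ssh = {"src": "203.0.113.10", "dst": "198.51.100.1",
               "proto": "tcp", "dport": 1622, "state": "NEW"}
    print(verdict(RULES, "INPUT", new_ssh))  # -> ('ACCEPT', 4)
    print(ssh_lockout(RULES, 22))            # -> True: port 22 is never opened
```

Two things the dry run makes visible that the command listing alone does not: a `-I` rule lands at the top of the chain and therefore wins over every ACCEPT below it (which is why the block rules in section 4 use `-I`), and `-A INPUT -p tcp -j DROP` only covers TCP, so with the `:INPUT ACCEPT` policy from the attached file a UDP packet falls through to the policy and is accepted.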
