[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
If you run an FTP server, open port 21 (and port 20 for the data connection):
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
If you run a DNS server, open port 53:
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
If you run other servers that need ports opened, add a rule in the same form for each port.
All of the above are written for the INPUT chain; its default policy is DROP, so anything not matched by these rules is dropped.
Allow ICMP packets through, so that ping works:
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT   (needed if the OUTPUT policy is DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT   (needed if the INPUT policy is DROP)
Allow the loopback interface! (Otherwise you get problems such as DNS lookups failing and services not shutting down cleanly.)
[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT   (if the INPUT policy is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT   (if the OUTPUT policy is DROP)
Next the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so here we need to write DROP rules.
Block unsafe ports:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some trojans scan ports 31337-31340 (called the "elite" ports in hacker slang) for their service. Since no legitimate service communicates on these non-standard ports, blocking them effectively cuts off the independent communication between possibly infected machines on your network and their remote master servers.
There are other ports too, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked. I will not list them all here; interested readers can look up the relevant information.
Of course, for more security you can also set the OUTPUT chain policy to DROP; you then have to add a few more rules, written in the same form as above.
Allowing SSH logins is the same: just write the rule in the same form.
Now some more detailed rules, restricting access to a single machine.
For example: we only allow the machine 192.168.0.3 to connect over SSH:
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a range of IP addresses, 192.168.0.0/24 represents all of the addresses 192.168.0.1-255.
The 24 is the subnet mask length. Remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
because it allows every address to log in.
Or, using the command line:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save. As I said, rules entered on the command line only take effect for the current session; if you want them to survive a restart you have to save them, which writes them to the /etc/sysconfig/iptables file:
[root@tp ~]# /etc/rc.d/init.d/iptables save
Done! This adds the rule for the IP address 192.168.0.3.
Other rules restricting connections are set up in the same way.
Next the FORWARD chain. Its default policy is DROP, so we need to write ACCEPT (pass) rules; this chain controls forwarded traffic.
Enable forwarding (when doing NAT the FORWARD default policy is DROP, so this must be done):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets:
[root@tp ~]# iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
Handle IP fragments, to guard against fragment attacks: allow 100 per second:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set up ICMP packet filtering: allow 1 packet per second, with a burst of 10 packets before the limit triggers:
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
So ICMP packets were allowed through unconditionally in the earlier rules, while here in the FORWARD chain they are rate-limited.
Second, configuring the firewall's NAT table
1. Check the current NAT settings:
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have already configured NAT (only the simplest proxy for Internet access, with no firewall rules added yet). For how to configure NAT, see my other article.
Of course, if you have not configured NAT there is nothing to clear, because the NAT table is empty by default.
If you do want to clear it, the commands are:
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
2. Add rules
Add the basic NAT address translation (see my other article on how to configure NAT).
When adding rules we only add DROP rules, because the default policy of every NAT chain is ACCEPT.
Prevent spoofing of private network addresses from the external network:
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
If we want, for example, to block MSN, QQ, BT and the like, we need to find the ports or IP addresses they use (personally I don't think there is much need).
Example:
Block all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Disable FTP (port 21):
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
That is too broad; we can define it more precisely:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This disables only FTP connections to the address 211.101.46.253; other connections to it, such as web (port 80), are still possible.
As I said, once you find the IP addresses and ports that QQ, MSN and other software use, and which protocol they use, just write the rule in the same way.
Third, and finally
Drop invalid connections:
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections (this must be configured, otherwise httpd cannot be connected to):
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# /etc/rc.d/init.d/iptables save
This writes the rules to the /etc/sysconfig/iptables file. Remember to restart the firewall afterwards for them to take effect:
[root@tp ~]# service iptables restart
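An added check, written for this page and not part of the original article: it audits a saved rules file in the format "service iptables save" writes to /etc/sysconfig/iptables for the points made above, namely the too-broad SSH rule that should be deleted, the INVALID drops on all three chains, the ESTABLISHED,RELATED accept on INPUT, and the loopback rule when the INPUT policy is DROP. It goes slightly beyond the article by also recognising the newer "-m conntrack --ctstate" spelling; the sample file it writes is constructed, not taken from any host.

```shell
#!/bin/sh
# Audit a saved iptables rules file (/etc/sysconfig/iptables format) for:
#   - an INPUT ACCEPT for tcp/22 with no "-s" source (every address may log in)
#   - INVALID state dropped on INPUT, OUTPUT and FORWARD
#   - ESTABLISHED,RELATED accepted on INPUT (otherwise httpd replies break)
#   - loopback accepted whenever the INPUT policy is DROP
# Prints one finding per line; prints nothing when the file passes.
audit_rules() {
  # Keep only the *filter table; nat/mangle rules are not what we check here.
  filter=$(awk '/^\*filter/{f=1;next} /^\*/{f=0} f' "$1")
  printf '%s\n' "$filter" | grep -E '^-A INPUT .*--dport 22 .*-j ACCEPT' \
    | grep -qv -- ' -s ' && echo "ssh-open-to-all"
  for chain in INPUT OUTPUT FORWARD; do
    printf '%s\n' "$filter" | grep -qE "^-A $chain .*--(state|ctstate) INVALID -j DROP" \
      || echo "no-invalid-drop:$chain"
  done
  # Both orders of the state list, and the newer conntrack match, are accepted.
  printf '%s\n' "$filter" \
    | grep -qE '^-A INPUT .*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' \
    || echo "no-established-accept:INPUT"
  if printf '%s\n' "$filter" | grep -q '^:INPUT DROP'; then
    printf '%s\n' "$filter" | grep -qE '^-A INPUT -i lo .*-j ACCEPT' \
      || echo "no-loopback-accept"
  fi
  return 0
}
write_sample_rules() {
  # Constructed sample (not from any real host): the article's rules mixed
  # with the mistakes the audit is meant to catch. Prints the temp file path.
  f=$(mktemp) && cat >"$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
  echo "$f"
}
# With a path argument audit that file; with none, audit the constructed sample.
if [ $# -gt 0 ]; then audit_rules "$1"; else s=$(write_sample_rules); audit_rules "$s"; rm -f "$s"; fi
```

Run it as "sh audit.sh /etc/sysconfig/iptables" on the saved file; the constructed sample yields three findings (open SSH, missing FORWARD INVALID drop, missing loopback rule).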