Detailed explanation of iptables settings in Linux

In any case, iptables must be configured with special care: if the server is not physically next to you, one wrong rule can leave you unable to connect over SSH, which is a real headache. The following is written to prevent exactly that. SSH is assumed to be on its default port 22 (this post uses the default, and it is best not to change the SSH port), so allow it before anything else:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Note: after each of the following steps, run /etc/rc.d/init.d/iptables save (this is not repeated below); otherwise the rules you just added are lost as soon as you run service iptables restart.

1. Service commands and the configuration file

Start: service iptables start
Restart: service iptables restart
Stop: service iptables stop

The rules live in the configuration file /etc/sysconfig/iptables

To edit this configuration:
vim /etc/sysconfig/iptables
2. Commonly used options

-A: append a rule to the named chain
-p: protocol
-d: destination address
--dport: destination port
--sport: source port
-j: target, i.e. what to do with a matching packet (ACCEPT, DROP, ...)

3. Global DROP policies

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

This step DROPs every connection that does not match one of the ACCEPT rules you configured yourself (run it only after the SSH rules from the top of this post are in place). If your SSH session is still alive after running it, good, you are safe. Restart iptables and continue with the configuration below.

4. Sometimes you need to delete rules. To delete a rule by number, the
syntax is: iptables -D chain rulenum [options]

Here chain is the chain name, such as INPUT or FORWARD, and rulenum is the
number of the rule within that chain, counting from 1. Use --line-numbers to list the rules with their numbers.

So, to delete the third rule of the INPUT chain from the example above: iptables -D INPUT 3


5. Finally, opening a port to a single IP address only is configured like this:

If I need to open the mysql port only to one machine on the intranet, I configure it as follows:
iptables -A INPUT -s 192.168.2.6 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -d 192.168.2.6 -p tcp -m tcp --sport 3306 -j ACCEPT
(on the OUTPUT chain the replies travel from the server to the client, so the client is matched with -d, not -s)


I won't go into more detail below; which ports to open depends on which services the server exposes and which external ports it needs to reach. The following is the configuration of my own machine:

The /etc/sysconfig/iptables file is configured as follows:
# Generated by iptables-save v1.4.7 on Fri Mar 2 19:59:43 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [8:496]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow ping (ICMP) and loopback traffic
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

# allow SSH into the server (the server is the target of the external request, so --dport)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# port 80 needs no explanation: the server's web port; then 3306, 11211 and 11212
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11212 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

# port 53 is DNS; both TCP and UDP must be configured
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

# allow the server to SSH to other machines (remote port, so --dport)
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

# allow replies from the server's own SSH daemon (source port 22, so --sport)
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

# access to external web sites on port 80 (remote port, so --dport)
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

# if the server needs to reach external web sites, OUTPUT also needs port 53 (remote port, so --dport)
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

# if external mail servers must be reached, open the mail ports (remote port, so --dport)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT

# replies from the server's own services (source port, so --sport)
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11211 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11212 -j ACCEPT

COMMIT
# Completed on Fri Mar 2 19:59:43 2012
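Before a saved ruleset like the one above is loaded again, it is worth checking it for the two ways this post says you lose SSH: a DROP policy with no rule for the SSH port, and a file that fails to load because a long option lost a dash (a very common copy-paste artifact, and iptables-restore rejects the whole file when it hits one). The script below is an added example written for this page, not part of the original post and not an iptables tool; it only reads the text of an iptables-save file (the ":CHAIN POLICY", "-A" and "COMMIT" lines shown above), so it runs without root or iptables installed. The two rulesets inside it are constructed samples, and the SSH port is passed in rather than assumed.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save style ruleset for
# the lockout mistakes the post warns about, before "service iptables restart" or
# iptables-restore applies it. Works on the text only; no root or iptables needed.
set -eu

# policy RULES CHAIN : default policy declared for CHAIN, from its ":CHAIN POLICY [..]" line
policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# has_rule RULES CHAIN PATTERN : succeed if some "-A CHAIN ..." line contains PATTERN
has_rule() {
    printf '%s\n' "$1" | awk -v c="$2" -v p="$3" \
        '$1 == "-A" && $2 == c && index($0, p) { found = 1 } END { exit !found }'
}

# bad_dashes RULES : rule lines whose long option lost a dash ("-dport") or carries an
# en dash ("–dport") from copy-paste; iptables-restore rejects the whole file on them
bad_dashes() {
    printf '%s\n' "$1" | grep -E -- '(^|[[:space:]])-(dport|sport|state|reject-with)[[:space:]]|–' || true
}

# lockout_findings RULES SSH_PORT : one line per problem that would cut off remote SSH
lockout_findings() {
    rules=$1; ssh=$2
    if [ "$(policy "$rules" INPUT)" = DROP ]; then
        has_rule "$rules" INPUT "--dport $ssh " \
            || echo "INPUT policy is DROP but no rule accepts tcp dport $ssh (SSH)"
        has_rule "$rules" INPUT "ESTABLISHED" \
            || echo "INPUT policy is DROP but established connections are not accepted"
        has_rule "$rules" INPUT "-i lo " \
            || echo "INPUT policy is DROP but loopback traffic is not accepted"
    fi
    if [ "$(policy "$rules" OUTPUT)" = DROP ]; then
        has_rule "$rules" OUTPUT "--sport $ssh " || has_rule "$rules" OUTPUT "ESTABLISHED" \
            || echo "OUTPUT policy is DROP but SSH replies (tcp sport $ssh) are not accepted"
    fi
    bad_dashes "$rules" | sed 's/^/malformed option, iptables-restore will fail: /'
}

# count_findings RULES SSH_PORT : number of findings; 0 means the ruleset is safe to load
count_findings() {
    lockout_findings "$1" "$2" | grep -c . || true
}

# Constructed sample (not a real host): both policies DROP, SSH never allowed, and two
# OUTPUT lines with a broken "--dport" (en dash, then single dash).
RISKY=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp –dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp -dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
EOF
)

# The same ruleset with the two SSH rules the post adds first, and the dashes fixed.
SAFE=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
COMMIT
EOF
)

lockout_findings "$RISKY" 22
echo "risky: $(count_findings "$RISKY" 22) finding(s)"   # 4
echo "safe: $(count_findings "$SAFE" 22) finding(s)"     # 0
```

To check a real file, replace the constructed samples with "$(cat /etc/sysconfig/iptables)" and pass the port sshd actually listens on; a non-zero count is the signal to fix the file before restarting the service, while the SSH session you still have is alive.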

=======================
About the --line-numbers option mentioned above, for example:
iptables -L INPUT --line-numbers      # list all rules in the INPUT chain with their numbers
num  target  prot opt source    destination
1    REJECT  tcp  --  anywhere  anywhere     tcp dpt:microsoft-ds reject-with icmp-port-unreachable
2    REJECT  tcp  --  anywhere  anywhere     tcp dpt:135 reject-with icmp-port-unreachable
3    REJECT  tcp  --  anywhere  anywhere     tcp dpt:netbios-ssn reject-with icmp-port-unreachable
...
...

# Block a single IP:
iptables -I INPUT -s 123.45.6.7 -j DROP

# Block a whole /8, i.e. 123.0.0.1 to 123.255.255.254:
iptables -I INPUT -s 123.0.0.0/8 -j DROP

# Block a /16, i.e. 123.45.0.1 to 123.45.255.254:
iptables -I INPUT -s 123.45.0.0/16 -j DROP

# Block a /24, i.e. 123.45.6.1 to 123.45.6.254:
iptables -I INPUT -s 123.45.6.0/24 -j DROP

-I is the insert command: by default it puts the rule at position 1, the head of the chain, instead of appending it at the end as -A does, and rules are matched in order. A blocking rule must be hit before any ACCEPT rule, so load it with -I, then run /etc/rc.d/init.d/iptables save and restart the service.
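A text-only model of one chain, added here as an example (it is not from the original post and is not iptables itself), makes the numbering and ordering points above concrete: -A appends, -I inserts at number 1, -D chain rulenum removes by number and renumbers what follows, and a packet is handled by the first rule it matches, so a DROP appended behind an ACCEPT for the same traffic never fires. The matcher is deliberately simplified (an assumption of this example): it evaluates only -s with /8, /16, /24 or /32 masks, -p and --dport; rules with --state but no NEW, or with -i, are treated as not matching a new external connection; everything else is ignored.

```shell
#!/bin/sh
# Added example, not from the original post: model one iptables chain as a numbered
# list of rules to show what -A, -I and "-D chain rulenum" do, and which rule a
# packet hits first. Pure text; needs neither root nor iptables.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# chain_reset NAME POLICY : empty chain NAME with default policy POLICY (iptables -P)
chain_reset() { : > "$WORK/$1"; printf '%s\n' "$2" > "$WORK/$1.policy"; }

# chain_append NAME RULE : iptables -A, the rule becomes the last one in the chain
chain_append() { printf '%s\n' "$2" >> "$WORK/$1"; }

# chain_insert NAME RULE [NUM] : iptables -I, the rule goes in at NUM (default 1, the head)
chain_insert() {
    awk -v n="${3:-1}" -v r="$2" 'NR == n { print r } { print } END { if (NR < n) print r }' \
        "$WORK/$1" > "$WORK/$1.new" && mv "$WORK/$1.new" "$WORK/$1"
}

# chain_delete NAME NUM : iptables -D NAME NUM; the rules after it move up by one
chain_delete() {
    awk -v n="$2" 'NR != n' "$WORK/$1" > "$WORK/$1.new" && mv "$WORK/$1.new" "$WORK/$1"
}

# chain_list NAME : numbered listing, like iptables -L NAME --line-numbers
chain_list() { awk '{ printf "%d  %s\n", NR, $0 }' "$WORK/$1"; }

# rule_number NAME PATTERN : number of the first rule containing PATTERN (what -D needs)
rule_number() { awk -v p="$2" 'index($0, p) { print NR; exit }' "$WORK/$1"; }

# first_match NAME SRC PROTO DPORT : "NUM:TARGET" for the first rule that matches a NEW
# connection from SRC to PROTO/DPORT, or "policy:TARGET" when no rule matches.
# Simplified matcher (assumption of this example): only -s (/8, /16, /24, /32 masks),
# -p and --dport are evaluated; rules with "--state" but no NEW, or with "-i", never match.
first_match() {
    awk -v ip="$2" -v proto="$3" -v dport="$4" -v policy="$(cat "$WORK/$1.policy")" '
    function cidr_match(addr, cidr,    a, b, c, i, n, bits) {
        if (cidr == "") return 1
        n = split(cidr, a, "/"); bits = (n == 2) ? a[2] + 0 : 32
        split(a[1], b, "[.]"); split(addr, c, "[.]")
        for (i = 1; i <= int(bits / 8); i++) if (b[i] != c[i]) return 0
        return 1
    }
    {
        src = ""; p = ""; port = ""; target = ""; skip = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-p") p = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i") skip = 1
            else if ($i == "--state" && index($(i + 1), "NEW") == 0) skip = 1
        }
        if (skip) next
        if (cidr_match(ip, src) && (p == "" || p == proto) && (port == "" || port == dport)) {
            print NR ":" target; done = 1; exit
        }
    }
    END { if (!done) print "policy:" policy }' "$WORK/$1"
}

# Walk-through with the rules from the post.
chain_reset INPUT DROP
chain_append INPUT '-m state --state RELATED,ESTABLISHED -j ACCEPT'
chain_append INPUT '-i lo -j ACCEPT'
chain_append INPUT '-p tcp --dport 22 -j ACCEPT'
chain_append INPUT '-s 192.168.2.6 -p tcp --dport 3306 -j ACCEPT'
chain_append INPUT '-s 123.45.6.7 -j DROP'        # appended with -A: sits behind the ACCEPTs
chain_list INPUT
first_match INPUT 123.45.6.7 tcp 22               # 3:ACCEPT, the DROP at number 5 is never reached
chain_insert INPUT '-s 123.45.0.0/16 -j DROP'     # -I puts the block at number 1
first_match INPUT 123.45.6.7 tcp 22               # 1:DROP
first_match INPUT 10.0.0.9 tcp 3306               # policy:DROP, only 192.168.2.6 may reach mysql
chain_delete INPUT "$(rule_number INPUT '--dport 3306')"   # -D INPUT 5 after the insert
chain_list INPUT
```

The last two calls show why the post pairs -D with --line-numbers: after the -I, the mysql rule is no longer number 4 but 5, so a number remembered from an earlier listing deletes the wrong rule.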


The above is reprinted content; what follows is the configuration of my own production firewall, which filters inbound traffic only and leaves OUTPUT open.

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]


## Inbound rule: enable connection tracking so packets belonging to connections in state ESTABLISHED or RELATED
## are accepted by this machine. Roughly: packets of already known connections pass quickly without being matched against the rest of the chain.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow ICMP, i.e. allow ping
-A INPUT -p icmp -j ACCEPT

# allow loopback traffic
-A INPUT -i lo -j ACCEPT


# Do not delete the port 22 rule: this is the SSH port
-A INPUT -s 12.3.0.0/16 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

## Only the 10.4.XX.XX network segment may access ports 8090 and 8000
-A INPUT -s 12.3.0.0/16 -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT
-A INPUT -s 12.3.0.0/16 -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT

## Only one specific IP may access all ports (the address below is a placeholder from the original post)
-A INPUT -s 123.456.789.166/32 -j ACCEPT

COMMIT

Origin blog.csdn.net/zhaofuqiangmycomm/article/details/113779658