The company's products have always run on cloud servers, so I have had the chance to work with AWS EC2, Shanda's cloud servers, and most recently we prepared to move to Alibaba Cloud's elastic computing (cloud servers). The first two do better on security policy: they provide a simple, clear configuration interface and ship with sensible default policies. Alibaba Cloud servers, by contrast, leave the security policy entirely to you, and the CentOS images do not even come with iptables pre-installed (at least neither of the two instances we applied for had it). You can install it with yum:
yum install -y iptables
Once iptables is installed you can configure the rules. Because this machine is a web server, port 80 must be open to the outside world. Server management is done over ssh, so port 22 must be open as well. It is best to change the default ssh port, because plenty of people will try to brute-force the password on port 22. If you change the port, remember to open the new port in the firewall too, otherwise you will not be able to connect, which is a tragedy. The configuration rules are described in detail below:
Modify the default port of ssh:

vi /etc/ssh/sshd_config

Find the line "#Port 22" (it is commented out; the default is 22), remove the # and change the number, then save. Restart sshd for the change to take effect:

service sshd restart

Configure iptables:

Step 1: Clear all rules.

If the INPUT chain's policy is DROP when you run /sbin/iptables -F, the rule that allows your ssh session is flushed along with everything else and you are cut off from the server. So before clearing anything, set the INPUT policy to ACCEPT. Be careful, and then be careful again:

/sbin/iptables -P INPUT ACCEPT

Clear all rules:

/sbin/iptables -F
/sbin/iptables -X

Reset the counters to 0:

/sbin/iptables -Z

Step 2: Set up the rules.

Allow packets on the lo interface; without this rule you cannot reach local services through 127.0.0.1, for example ping 127.0.0.1:

/sbin/iptables -A INPUT -i lo -j ACCEPT

Open TCP port 22 so that ssh works. If you always connect from a fixed IP, add -s to restrict the client address. If you changed the ssh port above, use that port here instead of 22:

/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Open TCP port 80 for the web service:

/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

10.241.121.15 is the intranet IP of another of our servers; the two have to talk to each other, so all TCP from 10.241.121.15 is accepted:

/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT

Accept ping (ICMP type 8 is echo request):

/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

Accept packets that belong to connections the server has already established. Without this rule, once the policy becomes DROP, replies to connections the server itself opens (yum downloads, for example) are dropped. See this rule explained at http://www.netingcn.com/iptables-localhost-not-access-internet.html (most setups write --state ESTABLISHED,RELATED so that related traffic such as ICMP error messages is accepted as well):

/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

Finally, drop everything the rules above did not match. This is indispensable; without it the firewall filters nothing:

/sbin/iptables -P INPUT DROP

Use iptables -L -n to check that the rules are in effect.
The rules configured so far live only in memory: when the iptables service or the machine is restarted, they are gone. To make them permanent, run:

/etc/init.d/iptables save (or: service iptables save)

This writes the current rules to /etc/sysconfig/iptables, from which they are reloaded when the service starts.
A clean configuration script, with all of the above in one place:

/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 10.241.121.15 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -P INPUT DROP
Finally, before running service iptables save, open a new ssh session and confirm that you can still connect. Save only once that works: as long as the rules are unsaved, a reboot discards them, so a wrong rule set can still be undone by restarting the server. Once a wrong rule set has been saved, the only way to fix it is a trip to the machine room.
Last but not least, before clearing the rules make sure the INPUT chain really shows "Chain INPUT (policy ACCEPT)" in the output of iptables -L -n.
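The same rule set wrapped in a small shell script, as an added example that is not part of the original post. It guards against the two lockout traps described above: it refuses to apply a rule set that does not open the ssh port or that does not set the INPUT policy to ACCEPT before flushing, and it schedules a background rollback that reopens the INPUT chain after a timeout unless you cancel it once a fresh ssh login has succeeded. Compared with the post's script it uses ESTABLISHED,RELATED and puts that rule first, so every packet of an existing connection matches on the first rule. The SSH_PORT, PEER_IP and ROLLBACK_SECS variables and the "apply" argument are this example's own conventions (the default peer address is the post's 10.241.121.15); with no argument it only prints the commands, which you can review on any host without root.

```shell
#!/bin/sh
# Added example (not from the original post): build and apply the post's
# iptables INPUT rule set with basic lockout protection. Run as root with
# "apply" to change the firewall; with no argument it only prints the commands.

SSH_PORT="${SSH_PORT:-22}"              # assumed variable: set to your changed ssh port
PEER_IP="${PEER_IP:-10.241.121.15}"     # intranet peer from the post
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"   # assumed variable: rollback timer
IPT=/sbin/iptables

# Emit the rule set, one command per line, without executing anything.
build_rules() {
  cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -F
$IPT -X
$IPT -Z
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s $PEER_IP -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -P INPUT DROP
EOF
}

# Guard against the classic mistakes: flushing while the policy is DROP, or
# ending with policy DROP and no ACCEPT for the ssh port. Returns 0 if safe.
check_rules() {
  build_rules | head -n 1 | grep -q -- "-P INPUT ACCEPT" || return 1
  build_rules | grep -q -- "--dport $SSH_PORT -j ACCEPT" || return 1
  return 0
}

# Background timer that reopens the firewall if you lose your session.
# Kill the printed PID only after a NEW ssh login has succeeded.
schedule_rollback() {
  ( sleep "$ROLLBACK_SECS" && "$IPT" -P INPUT ACCEPT && "$IPT" -F ) &
  echo "rollback in ${ROLLBACK_SECS}s unless you run: kill $!"
}

apply_rules() {
  check_rules || { echo "refusing to apply: ssh port $SSH_PORT is not opened" >&2; return 1; }
  schedule_rollback
  build_rules | sh -e              # apply line by line, stop on the first failure
  "$IPT" -L INPUT -n               # verify; then test ssh and run: service iptables save
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules ;;            # dry run: just show what would be executed
esac
```

After "apply", log in over ssh from a second terminal; if that works, kill the rollback PID the script printed and save the rules, otherwise simply wait for the timer and the chain reopens by itself.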