View, add, delete and modify IP and ports of iptables rules

References:
http://www.cszhi.com/20120717/iptables-sample.html
http://blog.csdn.net/zht666/article/details/17505789

iptables: prohibiting and opening ports

1. Close INPUT, FORWARD and OUTPUT completely, then open only specific ports.
Set the default policy of all three chains to DROP:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Then run iptables -L -n to confirm: every chain header should now read "policy DROP".
Caution: if you are logged in over SSH, set the DROP policies only after the port-22 ACCEPT rules of step 2 are in place (or work from the console). With a DROP policy and no ACCEPT rule matching your session, the packets of your own SSH connection are discarded and the session hangs. Note also that an OUTPUT policy of DROP stops the server's own outgoing connections (DNS lookups, updates) until you open them explicitly; step 6 shows the effect on DNS.
These settings live only in the kernel: after a reboot the server returns to its previous, unfiltered state unless you persist them with service iptables save.
The saved rules are written to /etc/sysconfig/iptables; you can inspect that file with vi /etc/sysconfig/iptables.
2. Open only port 22
To allow just SSH, add the following two rules:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Check with iptables -L -n that they were added; the listing should look like this:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
Now the server accepts only port 22. Test it by connecting with putty.exe: if the login succeeds, the rules work.
Finally, do not forget to save the firewall settings. The two rules
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
are persisted with the command service iptables save.
A few explanations of the options used above:
-A appends a rule to the named chain (here INPUT or OUTPUT).
-p selects the protocol. tcp is the usual one, but udp also exists: DNS on port 53, for example, mostly uses udp, so opening DNS means opening udp port 53.
--dport matches the destination port, which for traffic entering the server from outside is the port of the service; --sport matches the source port, which is the port a reply leaving the server is sent from.
-j names the target: ACCEPT lets the packet through, DROP silently discards it.
3. Prohibit a certain IP from accessing the server
Setup: one Linux server and two Windows XP clients that access it.
Linux server ip: 192.168.1.99
xp1 ip: 192.168.1.2
xp2 ip: 192.168.1.8
Initially both clients can reach the web site: 192.168.1.2 (xp1) can access it, and 192.168.1.8 (xp2) can access it normally.
The goal is to block xp1 (192.168.1.2) while xp2 keeps normal access. The rule is:
iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
Here -A adds a new rule; since the website is reached over tcp we use -p tcp (write udp if the service is udp); -s is the source address, 192.168.1.2; and -j DROP discards the packets.
Note that iptables evaluates the rules of a chain in order and the first match wins, so a DROP appended with -A takes effect only if no earlier ACCEPT rule already matches the same traffic. To block a host regardless of the ACCEPT rules that follow, insert the rule at the top of the chain with -I INPUT instead of -A INPUT.
After adding the rule, verify it: a request from xp1 now waits and finally the browser reports that the page cannot be displayed, so access from 192.168.1.2 (xp1) is denied. The other client, 192.168.1.8 (xp2), can still access the site normally.
4. How to delete a rule
To delete a rule you first need its number: every rule in a chain has one, and iptables -L -n --line-numbers lists the rules together with their numbers:
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
The extra num column shows that the rule for port 21 is number 2, so it can be deleted with:
iptables -D INPUT 2
which removes rule number 2 from the INPUT chain. Run iptables -L -n again to confirm it is gone.
Keep in mind that the remaining rules are renumbered after a deletion (the port 80 rule above becomes number 2), so list the chain again before deleting another rule, or delete the higher numbers first.
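Finding the right number by hand is error-prone when several rules look alike, and deleting in ascending order silently shifts the numbers of the rules still to delete. The script below is an added example, not code from the original post: it reads the output of iptables -L -n --line-numbers, picks the rules in a chain that match a regex, and emits the iptables -D commands highest number first so the numbers stay valid while the commands run. The listing embedded in it is constructed to mirror the chains of steps 2 to 5 (the stateless spt:22 and spt:80 rules next to their stateful replacements); the function names and the pattern arguments are my own.

```shell
#!/bin/bash
# Added example (not from the post): pick out rule numbers from the output of
# `iptables -L -n --line-numbers` and emit the matching `iptables -D` commands
# highest number first, because each deletion renumbers the rules after it.
set -eu

# Constructed listing standing in for real `iptables -L -n --line-numbers`
# output. The OUTPUT chain holds the stateless spt:22/spt:80 rules of step 2
# followed by the stateful ones of step 5.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    DROP       tcp  --  192.168.1.2          0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED'

# rule_numbers CHAIN REGEX   (listing on stdin)
# Prints the numbers of the rules in CHAIN whose listing line matches REGEX
# (an awk extended regex), highest number first.
rule_numbers() {
  local chain="$1" pattern="$2"
  awk -v chain="$chain" -v pat="$pattern" '
    /^Chain /                                { in_chain = ($2 == chain); next }
    in_chain && $1 ~ /^[0-9]+$/ && $0 ~ pat  { print $1 }
  ' | sort -rn
}

# delete_commands CHAIN REGEX   (listing on stdin)
# Prints the `iptables -D` commands for the matching rules in an order that
# stays valid while they are executed one after another.
delete_commands() {
  local chain="$1" pattern="$2" n
  rule_numbers "$chain" "$pattern" | while IFS= read -r n; do
    echo "iptables -D $chain $n"
  done
}

# Demo on the constructed listing: remove the two stateless OUTPUT rules
# (source port 22/80 with nothing after the port) and keep the ESTABLISHED ones.
printf '%s\n' "$SAMPLE_LISTING" | delete_commands OUTPUT 'spt:[0-9]+$'
```

On a live system feed the real listing in and review the output before executing it, for example iptables -L -n --line-numbers | delete_commands OUTPUT 'spt:[0-9]+$' and then, as root, pipe the same output into sh. The trailing $ in the pattern is what keeps the state-matching rules out of the selection.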
5. Filter invalid packets
Suppose an intruder has got into the server, or a virus or trojan is running on it, and it sends data out through ports 22 and 80. Such traffic differs from normal use of ports 22 and 80: its packets are not replies to requests that came in, they are connections the malware opens itself from source port 22 or 80.
We want to block these packets that are not part of a request/response exchange. iptables provides a connection-state match for exactly this. Configure ports 22 and 80 so that only packets belonging to established connections may leave:
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Compared with the rule used earlier,
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
it adds the state check: a packet that does not belong to a connection the kernel has already seen is NEW rather than ESTABLISHED, does not match, and falls through to the OUTPUT chain's DROP policy. Do the same for port 80. (On current kernels -m conntrack --ctstate ESTABLISHED is the equivalent, preferred spelling; -m state still works.)
Now delete the original two stateless rules. Run iptables -L -n --line-numbers to list the OUTPUT chain with its numbers, then delete by number:
iptables -D OUTPUT 1
where 1 is the first rule. Deleting a rule renumbers the ones after it, so list the chain again before the second deletion.
After removing the two old rules, port 22 still works normally, which confirms that the state rules are correct. Save the result, or it will be lost at the next reboot:
service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
This writes the rules you have just set into /etc/sysconfig/iptables.
6. DNS port 53 settings
Let's look at how to open the DNS port with iptables. DNS uses port 53.
In my current state only ports 22 and 80 are open. Let's see whether the server can still resolve a domain name:
host www.google.com
After entering this command it just waits, which shows that DNS is not working, and finally the following prompt appears:
;; .google.com
The reason is that iptables is blocking port 53. Some servers, Web servers in particular, become slow for this very reason: they cannot send packets to the DNS server. The following shows how to open DNS port 53 with iptables. If you do not remember the port number of the domain name service, look it up with the command: grep domain /etc/services