First, notes before installing:
1. CentOS 7.0 and later ship with firewalld as the default firewall, but sometimes the actual requirement, or an existing setup, calls for iptables on the server; the specific installation steps follow.
2. Alibaba Cloud servers have their own firewall in front of the instance, so in addition to opening the corresponding ports in iptables you must also open the relevant ports in the Alibaba Cloud console, under the security group rules.
Second, how to install:
Install iptables and iptables-services
Check whether iptables is already installed
service iptables status
Install iptables
yum install -y iptables
Upgrade iptables
yum update iptables
Install iptables-services
yum install iptables-services
iptables-services is not the same package as iptables
Once the service package is installed, the rule file /etc/sysconfig/iptables exists
Disable / stop the built-in firewalld service
Stop the firewalld service
systemctl stop firewalld
Disable the firewalld service (mask prevents it from being started again, even as a dependency of another unit)
systemctl mask firewalld
Setting up the rules
View the existing iptables rules
iptables -L -n
Set the default INPUT policy to ACCEPT first; otherwise the flush below is a pitfall that can leave some services on the server unreachable, such as web, ftp, etc.
iptables -P INPUT ACCEPT
Flush all rules in the built-in chains
iptables -F
Delete all user-defined chains
iptables -X
Reset all packet and byte counters to zero
iptables -Z
Allow packets arriving on the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
Open port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Open port 21 (FTP)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
Accept RELATED and ESTABLISHED connections so that return traffic is allowed; this is also what lets FTP data connections through once this is set up
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Everything else inbound is dropped
iptables -P INPUT DROP
All outbound traffic is always allowed
iptables -P OUTPUT ACCEPT
All forwarded traffic is dropped
iptables -P FORWARD DROP
Other rule settings
To trust an IP address (accept all of its TCP requests)
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
Requests that match no filter rule are dropped
iptables -P INPUT DROP
To block an IP, use the following command (replace ... with the address):
iptables -I INPUT -s ... -j DROP
To unblock that IP again, use the following command:
iptables -D INPUT -s ... -j DROP
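As an added example (not part of the original post), the same rule set as above, including the optional trusted-IP rule, rendered in iptables-restore format, which is the format of /etc/sysconfig/iptables; loading it with iptables-restore replaces the whole table in one step, so there is no window in which INPUT is ACCEPT while rules are re-added one by one. The trusted address 203.0.113.10 and the require_ssh guard are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's rule set as an
# iptables-restore file (the format saved to /etc/sysconfig/iptables) so the
# whole filter table is replaced atomically instead of rule by rule.
# Usage: gen_ruleset TRUSTED_IP_OR_EMPTY PORT...   e.g. gen_ruleset "" 22 80 443

gen_ruleset() {
    trusted=$1        # source address whose TCP traffic is fully accepted ("" = none)
    shift
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and reply traffic first; RELATED covers FTP data connections
    # once the FTP conntrack helper module from the post is loaded.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    # Optional trusted host: all TCP from it is accepted.
    [ -n "$trusted" ] && printf '%s\n' "-A INPUT -p tcp -s $trusted -j ACCEPT"
    # One ACCEPT rule per published TCP port.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Guard against locking yourself out over SSH: returns 0 only if the rule set
# contains an ACCEPT for port 22, so it can be checked before loading.
require_ssh() {
    printf '%s\n' "$1" | grep -q -e '--dport 22 -j ACCEPT'
}

# Generate, check, and load the rule set in one atomic iptables-restore call.
apply_ruleset() {
    rules=$(gen_ruleset "$@")
    require_ssh "$rules" || { echo "refusing: no SSH rule in rule set" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore
}

# Example invocation (constructed trusted address): print only, do not load.
gen_ruleset 203.0.113.10 22 21 80 443
```

After loading, service iptables save writes the live table back to /etc/sysconfig/iptables in the same format.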
Save the rule set
Save the rules above
service iptables save
Start the iptables service
Enable the iptables service at boot
Equivalent to the old chkconfig iptables on
systemctl enable iptables.service
Start the service
systemctl start iptables.service
View the service status
systemctl status iptables.service
Fixing vsftpd passive mode not working after iptables is enabled
1. First, modify or add the following in /etc/sysconfig/iptables-config
Add the following; note that the order of the two modules must not be swapped (they go in one IPTABLES_MODULES assignment, since a second IPTABLES_MODULES= line would overwrite the first)
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
2. Re-apply the iptables rules
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
The complete setup script follows
#!/bin/sh
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
service iptables save
systemctl restart iptables.service