[Operating system] — Linux firewall (iptables) configuration notes

Configuring the firewall's filter table

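# ---- filter table (the default table when -t is omitted) ----

# Flush every rule in the built-in chains of the filter table.
iptables -F

# Delete every user-defined (non built-in) chain in the filter table.
iptables -X

# Persist the current rule set to /etc/sysconfig/iptables.
# NOTE: run straight after -F/-X this saves an EMPTY rule set; save only once
# the rules below are in place (see the save/restart section at the end).
service iptables save

# Restart the iptables service (reloads the saved file).
service iptables restart

# List the current rules; -n skips DNS and service-name lookups.
iptables -L -n

# Show the saved rule file.
cat /etc/sysconfig/iptables

# Default policies: deny inbound and forwarded traffic, allow outbound.
# NOTE: on a remotely administered host, switching INPUT to DROP before the
# loopback, port-22 and ESTABLISHED,RELATED ACCEPT rules below exist drops the
# current SSH session. Add the ACCEPT rules first, then change the policy.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Open port 22 (SSH) from any source.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# If OUTPUT is set to DROP, also add: iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# To close port 22 again: iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# Open commonly used ports.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# 3306 (MySQL) is opened to every source here; add -s <trusted network> unless
# the database really must be reachable from anywhere.
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT
#iptables -A INPUT -p tcp --dport 20 -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT

# Allow ping (all ICMP types).
iptables -A INPUT -p icmp -j ACCEPT
# If OUTPUT is set to DROP, also add: iptables -A OUTPUT -p icmp -j ACCEPT

# Allow loopback traffic.
iptables -A INPUT -i lo -p all -j ACCEPT
# If OUTPUT is set to DROP, also add: iptables -A OUTPUT -o lo -p all -j ACCEPT

# Block a specific source IP.
# iptables -A INPUT -p tcp -s 192.168.10.1 -j DROP

# Block a known-insecure port in both directions.
# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

# Allow remote (SSH) connections from a single IP.
# iptables -A INPUT -s 192.168.10.1 -p tcp --dport 22 -j ACCEPT
# Allow remote (SSH) connections from a whole subnet.
# NOTE: rules are evaluated in order and the first match wins, so the
# unrestricted port-22 ACCEPT above already matches this traffic; this rule only
# takes effect if that one is removed.
iptables -A INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT

# Allow SSH from a given subnet on a given interface (stateful variants).
# iptables -A INPUT -i eth0 -p tcp -s 192.168.10.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp -s 192.168.10.0/24 --dport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow forwarding between two interfaces.
#iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Drop TCP packets that open a new connection without the SYN flag.
# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Rate-limit IP fragments to 100 per second (burst of 100).
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# Rate-limit forwarded ICMP to 1 packet per second after a burst of 10.
# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# Drop packets the connection tracker classifies as INVALID.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# Accept packets belonging to established or related connections.
# Appended last here; since evaluation is in order, placing this rule (and the
# INVALID drops) right after the loopback rule avoids re-evaluating every
# per-port rule for each packet of an already-accepted connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT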



Configuring the firewall's NAT table

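# ---- nat table ----

# List the rules in the nat table.
iptables -L -t nat

# Clear the nat table: flush chains, delete user-defined chains, zero counters.
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

# Filtering rules in the nat table (below) are as recorded on the original
# page. NOTE: the nat table only sees the first packet of each connection, so
# blocking is normally done in the filter table (INPUT/FORWARD) instead.

# Anti-spoofing: drop packets arriving on the external interface that carry a
# private (internal) source address.
# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

# Block all connections to one destination IP.
# iptables -t nat -A PREROUTING -d 192.168.10.1 -j DROP

# Block port 80.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DROP

# Block one port (21 as recorded) for one destination IP.
#iptables -t nat -A PREROUTING -p tcp --dport 21 -d 192.168.10.1 -j DROP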



Saving the iptables rules file and restarting the service

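# Persist the current rule set to /etc/sysconfig/iptables so it survives a
# reboot; run this only after the intended rules are loaded.
service iptables save

# Restart the iptables service so the saved file is reloaded.
service iptables restart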


Origin blog.csdn.net/ningjiebing/article/details/89411008