Shulou(Shulou.com)06/01 Report--

View iptables status-restart

Directory where iptables is located / etc/sysconfig/iptables

Service iptables status View iptables status

Service iptables restart iptables service restart

Service iptables stop iptables service disabled

Start iptables

Modprobe ip_tables

Turn off iptables (the shutdown command is more complex than starting)

Iptalbes-F

Iptables-X

Iptables-Z

Iptables-P INPUT ACCEPT

Iptables-P OUTPUT ACCEPT

Iptables-P FORWARD ACCEPT

Modprobe-r ip_tables

You can close iptables by executing the above command in turn, otherwise you will be prompted FATAL: Module ip_tables is in use. Modproble-r ip_tables.

Iptables-L-n

Iptables-F clears rules for all rule chains in the preset table filter

Iptables-X clears the rules in the user-customized chain in the preset table filter

Iptables-L-n

# discard all packets that do not meet the three chain rules

Iptables-P INPUT DROP

Iptables-P OUTPUT DROP

Iptables-P FORWARD DROP

# Settings: INPUT and OUTPUT links of local process lo; INPUT chain of eth0

Iptables-An INPUT-I lo-j ACCEPT

Iptables-An INPUT-I eth0-m state-- state ESTABLISHED,RELATED-jACCEPT

Iptables-An INPUT-I eth0-m state-- state NEW,INVALID-j LOG

Iptables-An OUTPUT-o lo-j ACCEPT

# Open port 22 ssh

Iptables-An INPUT-p tcp-I eth0-- dport ssh-j ACCEPT

# Open port 80 web

Iptables-An INPUT-p tcp-I eth0-- dport 80-j ACCEPT

# Open 21 and 20 ports ftp

Iptables-An INPUT-p tcp-- dport 20-j ACCEPT

Iptables-An INPUT-p tcp-- dport 21-j ACCEPT

# Open some other ports

Iptables-An INPUT-p tcp-- dport 1935-j ACCEPT

Iptables-An INPUT-p tcp-- dport 8080-j ACCEPT

Iptables-An INPUT-p tcp-- dport 443-j ACCEPT

# ditto, open the exits that require ports

Iptables-An OUTPUT-p tcp-- sport 1935-j ACCEPT

.

.

.

# if you use vsftpd and use pasv, such as pasv_min_port=6000 mx=7000 pasv_enable=YES

Iptables-An INPUT-p tcp-- dport 6000 tcp 7000-j ACCEPT

Iptables-An OUTPUT-p TCP-- sport 6000 TCP 7000-j ACCEPT

# 2 must be set, only the first one cannot be downloaded, and only the second one cannot be uploaded

# limit. 37 which ports can be connected

Iptables-An INPUT-s 192.168.0.37-p tcp-- dport 21-j ACCEPT

Iptables-An INPUT-s 192.168.0.37-p tcp-- dport 20-j ACCEPT

# Note: because of iptables-An INPUT-p tcp-- dport 20-j ACCEPT & iptables-An INPUT-p tcp-- dport 21-j ACCEPT set above

# allow 20.21 to all users

# so delete the rule

Iptables-D INPUT-p tcp-- dport 20-j ACCEPT

Iptables-D INPUT-p tcp-- dport 21-j ACCEPT

# allow loopback! (otherwise, it will cause problems such as DNS not shutting down normally.)

IPTABLES-An INPUT-I lo-p all-j ACCEPT (if INPUT DROP)

IPTABLES-An OUTPUT-o lo-p all-j ACCEPT (if OUTPUT DROP)

# it is not possible to save the above rules to the file sudo. Root permission is required (if not set, sudo passwd root can enter a new root password. Then su)

Iptables-save > / etc/iptables.up.rules

The modify / etc/network/interfaces script automatically applies these rules (the last line is added)

Auto eth0

Iface eth0 inet dhcp

Pre-up iptables-restore < / etc/iptables.up.rules

Post-down iptables-save > / etc/iptables.up.rules # save the current iptables when shutting down

Main items of vsftpd.conf are attached

Listen=YES

Anonymous_enable=NO

Local_enable=YES

Write_enable=YES

Chroot_local_user=YES

Chroot_list_enable=YES

Chroot_list_file=/etc/vsftpd.chroot_list

Pasv_min_port=6000

Pasv_max_port=7000

Pasv_enable=YES

Ls_recurse_enable=YES

Local_umask=022

File_open_mode=0755

This FTP is only for administrators to manage and upload, so the local account has more authority, so you should pay attention to it.

Only root and this account are put in / etc/vsftpd.chroot_list

Code:

# Delete the existing rules in iptables

Iptables-F

Iptables-X

# discard all packets that do not meet the three chain rules

Iptables-P INPUT DROP

Iptables-P OUTPUT DROP

Iptables-P FORWARD DROP

# Settings: INPUT and OUTPUT links of local process lo; INPUT chain of eth2

Iptables-An INPUT-I lo-j ACCEPT

Iptables-An INPUT-I eth2-m state-- state ESTABLISHED,RELATED-jACCEPT

Iptables-An INPUT-I eth2-m state-- state NEW,INVALID-j LOG

Iptables-An OUTPUT-o lo-j ACCEPT

# OUTPUT settings for other major allowed ports:

# DNS

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 53-jACCEPT

Iptables-An OUTPUT-o eth2-p UDP-- sport 1024R 65535-- dport 53-jACCEPT

# HTTP

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 80-jACCEPT

# HTTPS

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 443-jACCEPT

# Email accept and send

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 110-jACCEPT

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 25-jACCEPT

# FTP data and Control

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 20-jACCEPT

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 21-jACCEPT

# DHCP

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 68-jACCEPT

Iptables-An OUTPUT-o eth2-p UDP-- sport 1024R 65535-- dport 68-jACCEPT

# POP3S Email secure reception

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 995-jACCEPT

# time synchronization server NTP

Iptables-An OUTPUT-o eth2-p TCP-- sport 1024R 65535-- dport 123-jACCEPT

# reject the rest of eth2

Iptables-An OUTPUT-o eth2-- match state-- state NEW,INVALID-jLOG

Finally, there is a command about iptables storage:

Code:

Iptables-save > / etc/iptables.up.rule # where you want to store it

Code:

Iptables-restore

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.