2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Viewing iptables status, restarting and stopping it
Rules file read by the iptables init script (RHEL/CentOS): /etc/sysconfig/iptables
service iptables status    show the rules currently loaded
service iptables restart   restart the iptables service (reload the rules file)
service iptables stop      stop the iptables service (flushes the rules and sets every policy to ACCEPT, so the host is then fully open)
Starting iptables (loading the netfilter module):
modprobe ip_tables
Turning iptables off (stopping is more involved than starting, because the module cannot be unloaded while loaded rules still reference it):
iptables -F        # flush the rules of every chain
iptables -X        # delete user-defined chains
iptables -Z        # zero the packet and byte counters
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
modprobe -r ip_tables
Run the commands above in that order to close iptables; if you run modprobe -r ip_tables while rules are still loaded it fails with "FATAL: Module ip_tables is in use". Note that after the three -P ACCEPT lines the host accepts every packet.
iptables -L -n     list the current rules of the filter table (-n: numeric addresses and ports, no DNS lookups)
iptables -F        flush the rules of every chain in the default table, filter
iptables -X        delete the user-defined chains in the default table, filter
iptables -L -n     list again to confirm that the chains are empty
# Default policy: drop every packet that no rule in the three chains accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Settings: INPUT and OUTPUT chains for the loopback interface lo; INPUT chain of eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j LOG
# (this LOG rule sits before the ACCEPT rules below, so every new connection is logged whether it is accepted or not;
# put it at the end of the chain, with -m limit, if you only want to see what the DROP policy discards)
iptables -A OUTPUT -o lo -j ACCEPT
# Open port 22 (ssh)
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
# Open port 80 (web)
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
# Open ports 21 and 20 (ftp control and active-mode data)
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open some other ports
iptables -A INPUT -p tcp --dport 1935 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Likewise, open the OUTPUT side for the ports of the services above: with the OUTPUT policy DROP and no
# ESTABLISHED,RELATED rule on OUTPUT, a service's replies only leave if its source port is allowed
iptables -A OUTPUT -p tcp --sport 1935 -j ACCEPT
.
.
.
# If you use vsftpd in passive mode, for example pasv_enable=YES, pasv_min_port=6000, pasv_max_port=7000,
# open that port range as well (a range is written low:high)
iptables -A INPUT -p tcp --dport 6000:7000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6000:7000 -j ACCEPT
# Both are required: with only the first rule downloads fail, with only the second uploads fail
# Restrict FTP so that only 192.168.0.37 may connect
iptables -A INPUT -s 192.168.0.37 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.0.37 -p tcp --dport 20 -j ACCEPT
# Note: the rules "iptables -A INPUT -p tcp --dport 20 -j ACCEPT" and "iptables -A INPUT -p tcp --dport 21 -j ACCEPT"
# added above allow ports 20 and 21 for every host, and because they were appended earlier they are matched first,
# so delete them
iptables -D INPUT -p tcp --dport 20 -j ACCEPT
iptables -D INPUT -p tcp --dport 21 -j ACCEPT
# (the passive range 6000:7000 opened above is still reachable from any host; add -s 192.168.0.37 to that rule too
# if FTP is meant to be admin-only)
# Allow loopback! (otherwise things such as local DNS resolution stop working)
iptables -A INPUT -i lo -p all -j ACCEPT    (needed when the INPUT policy is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT   (needed when the OUTPUT policy is DROP)
# Saving the rules above to a file needs a root shell: "sudo iptables-save > file" fails because the redirection is
# done by your unprivileged shell, not by sudo. Either run sudo sh -c 'iptables-save > /etc/iptables.up.rules', or
# become root (on Ubuntu, if no root password is set, sudo passwd root sets one, then su) and run:
iptables-save > /etc/iptables.up.rules
Edit /etc/network/interfaces (Debian/Ubuntu) so that the rules are applied automatically; the pre-up and post-down lines are the ones added:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules   # save the current rules when the interface goes down
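The server ruleset above, put together as one iptables-restore file rather than a sequence of iptables -A and -D commands typed by hand. This is an added example and not code from the original page. It assumes the eth0 interface, 192.168.0.37 as the admin host and the 6000:7000 passive range from the page; the list of public ports is taken from the ports the page opens. Because rules are matched in order, the admin-only FTP rules come first and the "open 20/21 to everyone" rules that the page has to delete again are never added, and an ESTABLISHED,RELATED rule on OUTPUT replaces the per-service --sport rules.

```shell
#!/bin/bash
# Added example (not code from the original page): the server policy as an iptables-restore
# file, so the host boots with one consistent ruleset. Rules are matched top to bottom, so the
# host-restricted FTP rules come first and no "open to everyone" rule has to be deleted later.
# Assumed values (edit for your host): interface, admin host, passive range, public ports.
WAN_IF="${WAN_IF:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.168.0.37}"    # the only host allowed to use FTP (page: 192.168.0.37)
PASV_RANGE="${PASV_RANGE:-6000:7000}"       # must equal pasv_min_port:pasv_max_port in vsftpd.conf
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-22 80 443 1935 8080}"   # services open to every client

# Print the complete ruleset in iptables-save format.
server_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback in both directions, or local DNS and anything else talking over 127.0.0.1 breaks
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already accepted (replaces one --sport rule per service)
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP for the admin host only: control connection and passive data range inbound;
# active-mode data is a connection the server itself opens from port 20, so that is an OUTPUT rule
-A INPUT -i $WAN_IF -s $ADMIN_HOST -p tcp --dport 21 -j ACCEPT
-A INPUT -i $WAN_IF -s $ADMIN_HOST -p tcp --dport $PASV_RANGE -j ACCEPT
-A OUTPUT -o $WAN_IF -d $ADMIN_HOST -p tcp --sport 20 -j ACCEPT
EOF
    local p
    for p in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
# log (rate-limited) what is about to hit the DROP policy; last in the chain so accepted traffic is not logged
-A INPUT -i $WAN_IF -m state --state NEW,INVALID -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Write the ruleset to FILE (default /etc/iptables.up.rules) and print the path.
write_rules() {
    local out="${1:-/etc/iptables.up.rules}"
    server_rules > "$out" || return 1
    echo "$out"
}

# Dry-run FILE with iptables-restore --test, which parses it without loading it (needs root).
check_rules() { iptables-restore --test < "${1:-/etc/iptables.up.rules}"; }

# Sanity check before loading: number of rules that accept FTP control (21) from any source (should be 0).
unrestricted_ftp_rules() {
    server_rules | grep -- '--dport 21 ' | grep -vc -- ' -s ' || true
}

# Usage: bash make-rules.sh --write [FILE]   (as root), then check_rules FILE, then
#        iptables-restore < FILE, and point the pre-up line in /etc/network/interfaces at FILE.
if [ "${1:-}" = "--write" ]; then
    write_rules "${2:-}"
fi
```

Outbound client traffic from the server itself (DNS, package updates) is not covered here, as on the page; add OUTPUT rules for it as in the second ruleset below if the host needs them.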
The main items of vsftpd.conf are attached:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
pasv_min_port=6000
pasv_max_port=7000
pasv_enable=YES
ls_recurse_enable=YES
local_umask=022
file_open_mode=0755
This FTP server exists only so that administrators can manage and upload files, so the local account has considerable rights; treat it with care.
Only root and that account are listed in /etc/vsftpd.chroot_list. Note the vsftpd semantics here: with chroot_local_user=YES, the accounts in chroot_list_file are the ones that are NOT confined to their home directory, so these two accounts can browse the whole filesystem over FTP. ls_recurse_enable=YES also lets a client request a recursive listing of large trees, which the vsftpd documentation flags as a denial-of-service risk.
Code:
# Delete the existing rules in iptables
iptables -F
iptables -X
# Default policy: drop every packet that no rule in the three chains accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Settings: INPUT and OUTPUT chains for the loopback interface lo; INPUT chain of eth2
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -m state --state NEW,INVALID -j LOG
iptables -A OUTPUT -o lo -j ACCEPT
# OUTPUT rules for the other main ports this host may connect to. Client connections leave from an
# unprivileged source port, hence --sport 1024:65535 (a port range is written low:high)
# DNS
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth2 -p udp --sport 1024:65535 --dport 53 -j ACCEPT
# HTTP
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
# HTTPS
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 443 -j ACCEPT
# Email, receiving (POP3) and sending (SMTP)
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 110 -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 25 -j ACCEPT
# FTP data and control (in active mode the data connection actually arrives from the server's port 20 as an inbound
# connection, which the INPUT ESTABLISHED,RELATED rule only admits when the nf_conntrack_ftp helper is loaded)
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 20 -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 21 -j ACCEPT
# DHCP: a DHCP client speaks UDP from its port 68 to the server's port 67, so the rule must match exactly that
# (a rule to port 68, TCP or UDP, never matches real DHCP traffic; many clients also use raw sockets and bypass netfilter)
iptables -A OUTPUT -o eth2 -p udp --sport 68 --dport 67 -j ACCEPT
# POP3S, secure mail reception
iptables -A OUTPUT -o eth2 -p tcp --sport 1024:65535 --dport 995 -j ACCEPT
# NTP time synchronisation: NTP is UDP port 123, and ntpd itself sends from port 123, so no --sport restriction
iptables -A OUTPUT -o eth2 -p udp --dport 123 -j ACCEPT
# Log whatever else tries to leave through eth2; the OUTPUT policy DROP then discards it
iptables -A OUTPUT -o eth2 -m state --state NEW,INVALID -j LOG
# Caveat: there is no ESTABLISHED,RELATED rule on OUTPUT, so if this host also runs a service (sshd, a web server)
# its reply packets are dropped; the first ruleset on this page works around that with one --sport rule per service
Finally, the commands for saving and restoring iptables rules:
Code:
iptables-save > /etc/iptables.up.rules    # any path will do, as long as the restore below uses the same one
Code:
iptables-restore < /etc/iptables.up.rules
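Before trusting a saved rules file, or the live rules from iptables-save, it is worth checking it for the mistakes that creep into hand-typed rulesets: an ACCEPT policy, a forgotten loopback rule, a DROP policy on OUTPUT with no ESTABLISHED,RELATED rule, FTP open to every source, UDP services matched with -p tcp. The script below is an added example, not code from the original page. The two dumps it embeds are constructed for illustration: the first mirrors the second ruleset on this page as typed, including a DHCP rule to port 68 and NTP over TCP, the second is the corrected version. The finding texts are this example's own wording.

```shell
#!/bin/bash
# Added example (not code from the original page): a quick audit of an iptables-save dump.
# Check a saved file with   audit_rules < /etc/iptables.up.rules
# or the live rules with    iptables-save | audit_rules
# Findings are printed one per line. The two dumps below are constructed for illustration:
# sample_dump repeats mistakes hand-typed rulesets tend to contain, fixed_dump is the corrected policy.

audit_rules() {
    awk '
    /^:INPUT /   { if ($2 != "DROP") print "INPUT policy is " $2 ": every port without an explicit rule is reachable" }
    /^:FORWARD / { if ($2 != "DROP") print "FORWARD policy is " $2 ": the host forwards traffic between interfaces" }
    /^:OUTPUT /  { out_policy = $2 }
    /^-A INPUT .*-i lo .*-j ACCEPT/  { lo_in = 1 }
    /^-A OUTPUT .*-o lo .*-j ACCEPT/ { lo_out = 1 }
    /^-A INPUT .*ESTABLISHED/        { in_est = 1 }
    /^-A OUTPUT .*ESTABLISHED/       { out_est = 1 }
    # an ACCEPT for FTP control without a source address defeats any per-host restriction
    /^-A INPUT .*-p tcp .*--dport 21 .*-j ACCEPT/ && !/ -s [0-9]/ { print "FTP control (21) accepted from any source: " $0 }
    # NTP (123) and DHCP (67/68) are UDP; a -p tcp rule for them never matches real traffic
    /^-A (INPUT|OUTPUT) .*-p tcp .*--dport (123|67|68) / { print "UDP service matched with -p tcp, rule never matches: " $0 }
    # a DHCP client sends from port 68 to the server port 67; --dport 68 on OUTPUT is backwards
    /^-A OUTPUT .*--dport 68 / { print "DHCP client traffic is sport 68 -> dport 67, not dport 68: " $0 }
    /^COMMIT/ {
        if (!lo_in)  print "no INPUT rule accepting -i lo: local DNS and other loopback traffic breaks"
        if (!lo_out) print "no OUTPUT rule accepting -o lo"
        if (!in_est) print "no INPUT ESTABLISHED,RELATED rule: replies to outbound connections are dropped"
        if (out_policy == "DROP" && !out_est) print "OUTPUT policy DROP without an ESTABLISHED,RELATED rule: replies from local services are dropped unless every --sport is listed"
    }'
}

# Number of findings for a dump read from stdin (0 means every check above passed).
finding_count() { audit_rules | awk 'END { print NR }'; }

# Constructed dump in iptables-save format, as the page's second ruleset would be saved.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -m state --state INVALID,NEW -j LOG
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --sport 1024:65535 --dport 68 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --sport 1024:65535 --dport 68 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --sport 1024:65535 --dport 123 -j ACCEPT
-A OUTPUT -o eth2 -m state --state INVALID,NEW -j LOG
COMMIT
EOF
}

# The same policy with the mistakes corrected (constructed for illustration).
fixed_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -s 192.168.0.37 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth2 -m state --state INVALID,NEW -j LOG
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o eth2 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -o eth2 -m state --state INVALID,NEW -j LOG
COMMIT
EOF
}

# Usage: bash audit.sh --demo   runs the audit over both constructed dumps
if [ "${1:-}" = "--demo" ]; then
    echo "== constructed sample (with mistakes) =="; sample_dump | audit_rules
    echo "== corrected sample =="; fixed_dump | audit_rules
fi
```

The checks are deliberately pattern-based on the iptables-save text, so they work on a file without loading it into the kernel; run the live dump through the same function after iptables-restore to confirm what was actually loaded.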