What is the iptables setting in Linux?

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains how iptables is configured on Linux. The content is fairly detailed; readers who are interested can use it as a reference, and I hope it is helpful to you.

1. First, the commands and the related configuration file.

Start: service iptables start

Restart: service iptables restart

Stop: service iptables stop

The related configuration file is /etc/sysconfig/iptables

How do you edit the configuration?

vim /etc/sysconfig/iptables

Then edit the file. What should you do once the edit is finished? Many people will think of the /etc/rc.d/init.d/iptables save command here, but if you run it at this point, the changes you just made are lost.

The correct procedure is:

The only way for a change to /etc/sysconfig/iptables to take effect is to edit the file, then run service iptables restart, and only after that call /etc/rc.d/init.d/iptables save.

Because /etc/rc.d/init.d/iptables save overwrites the file with the rules currently loaded in the kernel, and the file itself is only reloaded when the iptables service starts, if you call /etc/rc.d/init.d/iptables save directly before restarting, then you

2. Here are some of the options (mainly from man iptables; look there for the details):

-A: append a rule to the specified chain
-p: specify the protocol type
-d: specify the destination address
--dport: specify the destination port
--sport: specify the source port

3. If I do not want to edit the file, can I just type the commands? Of course, no problem. The steps are as follows:

For example, to let SSH through, I added:

Add an INPUT rule: iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Add an OUTPUT rule: iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

4. Now the steps in order. If the machine is not in front of me and I can only configure iptables rules over SSH, then I must be careful at every single step: one mistake and the SSH connection is gone!

1. If the SSH port is 22 (the default port is not recommended; it is better to change the SSH port):

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Note: it is best to run /etc/rc.d/init.d/iptables save after each of the following steps; this is not repeated below.

2. Open /etc/sysconfig/iptables with vim to confirm that the rules have been added; they take effect after service iptables restart.

3. The following is a very dangerous operation. If you have not done step 1, it may immediately cut off your SSH connection, so remember to perform step 1 before this step!

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

This step sets the default policy to DROP every connection that does not match one of your ACCEPT rules. After running it, if our SSH session has not been dropped, then fortunately it is safe. Restart iptables and continue with the configuration below!

4. The rest is not covered in detail; it depends on which ports your server needs to open, or which ports it needs to reach, so configure accordingly. Here is the configuration of my own machine:

The /etc/sysconfig/iptables file is configured as follows:

# Generated by iptables-save v1.4.7 on Fri Mar 2 19:59:43 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [8:496]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.2.200/32 -d 192.168.2.200/32 -j ACCEPT
# allow SSH to the server itself (for external requests the server is the target, so use --dport)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# port 80 needs no explanation: the server's website port
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11212 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# port 53 is DNS; both TCP and UDP should be configured
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
# ping
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.2.200/32 -d 192.168.2.200/32 -j ACCEPT
# allow the server to SSH to other machines (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow the server's own SSH replies (use --sport for the source port of outgoing traffic)
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
# access external websites on port 80 (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
# if the server needs to visit external websites, OUTPUT also needs port 53 (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# if you access an external mailbox, open the mail-related ports (use --dport for external ports)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
# the server's own service ports (use --sport for the source port of outgoing traffic)
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11211 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11212 -j ACCEPT
COMMIT
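The lockout risk in step 3 above (a DROP policy with no ACCEPT for the SSH port, or with a catch-all DROP placed before it) can be checked mechanically before the policy is flipped or the file is reloaded. The following script is an added example, not part of the original article: it reads a ruleset in iptables-save format from stdin (for instance /etc/sysconfig/iptables) and reports whether the session port would still be accepted. The port number, the function name and the two constructed sample rulesets are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check to run on a
# saved ruleset *before* setting the INPUT/OUTPUT policies to DROP over SSH.
# Reads iptables-save formatted rules from stdin; returns 0 if the given TCP
# port stays reachable, 1 otherwise. Port defaults to 22 (assumption).

check_remote_lockout() {
    port=${1:-22}
    rules=$(cat)
    status=0

    in_policy=$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    out_policy=$(printf '%s\n' "$rules" | sed -n 's/^:OUTPUT \([A-Z]*\) .*/\1/p')

    # Line of the rule accepting new connections to the port (first match wins in iptables).
    accept_line=$(printf '%s\n' "$rules" | grep -nE \
        "^-A INPUT .*-p tcp .*--dport $port( .*)?-j ACCEPT" | head -n1 | cut -d: -f1)
    # Line of the first INPUT rule that drops/rejects everything (no match criteria at all).
    catchall_line=$(printf '%s\n' "$rules" | grep -nE \
        '^-A INPUT -j (DROP|REJECT)' | head -n1 | cut -d: -f1)

    if [ "$in_policy" = "DROP" ] || [ -n "$catchall_line" ]; then
        if [ -z "$accept_line" ]; then
            echo "UNSAFE: INPUT drops by default and there is no ACCEPT for tcp/$port"
            status=1
        elif [ -n "$catchall_line" ] && [ "$catchall_line" -lt "$accept_line" ]; then
            echo "UNSAFE: catch-all DROP/REJECT (line $catchall_line) precedes the tcp/$port ACCEPT (line $accept_line)"
            status=1
        fi
    fi

    if [ "$out_policy" = "DROP" ]; then
        # Replies must be allowed either statefully (ESTABLISHED) or by source port,
        # which is why the article's ruleset carries "-A OUTPUT ... --sport 22".
        if ! printf '%s\n' "$rules" | grep -qE \
            "^-A OUTPUT .*(--state [A-Z,]*ESTABLISHED|--sport $port)( .*)?-j ACCEPT"; then
            echo "UNSAFE: OUTPUT drops by default and neither ESTABLISHED nor --sport $port is accepted"
            status=1
        fi
    fi

    [ "$status" -eq 0 ] && echo "OK: tcp/$port remains reachable with this ruleset"
    return "$status"
}

# Constructed sample modelled on the article's ruleset: SSH accepted on INPUT,
# replies allowed on OUTPUT by source port.
sample_ok='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
COMMIT'

# Constructed sample of the lockout case: same policies, SSH rule forgotten.
sample_bad='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

printf '%s\n' "$sample_ok"  | check_remote_lockout 22
printf '%s\n' "$sample_bad" | check_remote_lockout 22 || true
```

On a live host the same check is `check_remote_lockout 22 < /etc/sysconfig/iptables` before `service iptables restart`, or `iptables-save | check_remote_lockout 22` before `iptables -P INPUT DROP`. It only inspects the text of the rules, so it cannot see rules in other tables or connections already tracked by the state module; treat a non-zero exit as a reason to stop, not a zero exit as a guarantee.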

5. Sometimes you need to delete a rule. The easiest way is to edit /etc/sysconfig/iptables, then run service iptables restart, and finally /etc/rc.d/init.d/iptables save.

A method for deleting rules found online:

The syntax is: iptables -D chain rulenum [options], where chain is the chain name, such as INPUT or FORWARD.

rulenum is the number of the rule, starting from 1. You can use --line-numbers to list the rule numbers.

So, for example, to delete the third rule in the INPUT chain above, run: iptables -D INPUT 3

It means to delete rule 3.

There is a second way: mirror the -A command, but replace -A with -D. This is useful when the rules in your chain are complex and you do not want to count their numbers. In other words, whatever iptables -A ... statement you used to define the rule, delete it with -D in place of -A and leave the rest unchanged.
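The "-A becomes -D" rule above can be applied to the output of iptables-save without retyping anything. The following helper is an added example, not from the original article: it reads saved rules from stdin, prints the exact -D command for each rule matching a pattern, and alongside it the equivalent -D by number as --line-numbers would show it. It only prints commands (a dry run); the function name, the pattern and the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate "iptables -D" commands
# from iptables-save output for every rule matching a pattern. Nothing is
# executed; review the printed commands, then run them as root.

delete_commands_for() {
    pattern=$1
    awk -v pat="$pattern" '
        /^-A / {
            chain = $2
            n[chain]++                       # position within its chain, as --line-numbers reports it
            if ($0 ~ pat) {
                rule = substr($0, 4)         # drop the leading "-A "; the rest is reused verbatim
                printf "iptables -D %s   # or: iptables -D %s %d\n", rule, chain, n[chain]
            }
        }'
}

# Constructed sample in iptables-save format, modelled on the article's rules.
sample='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.2.6/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# Prints the two delete commands for the rules mentioning port 3306.
printf '%s\n' "$sample" | delete_commands_for '--dport 3306'
```

Prefer the long form (`-D` followed by the full rule) when deleting several rules: the numbers printed after `# or:` are valid only for the ruleset as it stands, and every deletion renumbers the rules below it, so numeric deletes must be applied from the highest number down or re-listed after each one. On a live host the input is `iptables-save | delete_commands_for '...'`.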

About the --line-numbers option mentioned above, for example the following command:

iptables -L INPUT --line-numbers lists all the rules of the INPUT chain with their numbers:

num  target  prot opt source    destination
1    REJECT  tcp  --  anywhere  anywhere     tcp dpt:microsoft-ds reject-with icmp-port-unreachable
2    REJECT  tcp  --  anywhere  anywhere     tcp dpt:135 reject-with icmp-port-unreachable
3    REJECT  tcp  --  anywhere  anywhere     tcp dpt:netbios-ssn reject-with icmp-port-unreachable

...

...

Delete the specified line rule:

6. Finally, if you want to open a port for a single IP only, configure it as follows:

If I need to open the MySQL port only to one machine on the private network, the rule is:

iptables -A INPUT -s 192.168.2.6 -p tcp -m tcp --dport 3306 -j ACCEPT

7. Completely prohibit access from an IP:

# block a single IP
iptables -I INPUT -s 123.45.6.7 -j DROP
# block the whole range from 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# block the range from 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# block the range from 123.45.6.1 to 123.45.6.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP

The -I option inserts a rule at the head of the chain (position 1) instead of appending it at the end like -A, so the rule is evaluated before everything already in the chain. A block rule must be loaded at the very beginning, otherwise an earlier ACCEPT would match first, so use -I for blocking, and then remember to run /etc/rc.d/init.d/iptables save to save, and restart the service.
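The comments in section 7 describe each CIDR block as a range of addresses. The following helper is an added example, not from the original article: it expands a block such as 123.0.0.0/8 into its first and last usable host address so the range a DROP rule will cover can be checked before loading it, and it warns when the address given is not the block's network address (iptables would silently store the normalised block, which is a common source of "the wrong hosts got blocked" surprises). Function names are assumptions; the four blocks run at the bottom are the ones from the section above.

```shell
#!/bin/sh
# Added example (not from the original article): expand an IPv4 CIDR block into
# the first and last host address it covers. Pure POSIX sh arithmetic.

ip_to_int() {
    # "a.b.c.d" -> 32-bit integer
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # 32-bit integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_host_range() {
    addr=${1%/*}
    case $1 in
        */*) plen=${1#*/} ;;
        *)   plen=32 ;;          # no prefix length: a single host, as in "-s 123.45.6.7"
    esac
    ip=$(ip_to_int "$addr")
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    bcast=$(( net | (4294967295 ^ mask) ))
    if [ "$net" -ne "$ip" ]; then
        echo "warning: $addr is not the network address of $1; iptables will store it as $(int_to_ip "$net")/$plen" >&2
    fi
    if [ "$plen" -ge 31 ]; then
        # /31 and /32 have no separate network/broadcast addresses
        echo "$(int_to_ip "$net")-$(int_to_ip "$bcast")"
    else
        echo "$(int_to_ip $(( net + 1 )))-$(int_to_ip $(( bcast - 1 )))"
    fi
}

# The four blocks used in section 7 above.
for block in 123.45.6.7 123.0.0.0/8 123.45.0.0/16 123.45.6.0/24; do
    echo "$block covers hosts $(cidr_host_range "$block")"
done
```

Run it before adding a range-based DROP and compare the printed range with the range you actually intend to block; a warning on stderr means the prefix length and address do not agree and the rule would apply to a different block than the one written.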

What is Linux? Linux is a free, freely distributed UNIX-like operating system: a POSIX-based multi-user, multi-tasking, multi-threaded, multi-CPU operating system on which the major Unix tools, applications and network protocols can run.

That is all on how iptables is configured on Linux. I hope the content above is of some help to you and that you learn something from it. If you think the article is good, feel free to share it so more people can see it.

© 2024 shulou.com SLNews company. All rights reserved.
