Shulou (Shulou.com) 06/01 Report. Updated 2025-02-21. From: SLTechnology News & Howtos > Servers
This article explains how to use the Linux firewall iptables. The editor thinks it is very practical and shares it here for reference; follow along and have a look.
A few days ago the Micro-Demon Tribe was once again attacked by a few individuals with ulterior motives. I took the opportunity to brush up on iptables, the common firewall under Linux, but many of the tutorials on the Internet are rather long-winded. To keep the learning concise, Micro-Demon has stripped out a lot of redundant content and kept as much of the essence as possible, so that we can study it together. This article covers the following:
Linux Firewall iptables Concise Tutorial
1. Install iptables
2. View existing iptables rules
3. Delete an iptables rule
4. Clear existing iptables rules
5. Create a rule
6. Enable start at boot
7. Save iptables rules
8. Simple application of iptables in manual defence against CC attacks
1. Install iptables
Many Linux distributions already have iptables installed by default. You can use the view command in the next section to test whether it is installed.
Execute under CentOS/RedHat:
yum install iptables
Execute under Debian/Ubuntu:
apt-get install iptables
2. View existing iptables rules
The --line-numbers option after the command prints the position number of each rule (rules are listed one per line with their number); it is optional, but it makes the delete command in the next section easier. -n prints addresses and ports numerically instead of resolving names.
iptables -L -n --line-numbers
3. Delete an iptables rule
For example, to delete the rule on line 12 (the line number can be found with the previous command):
iptables -D INPUT 12
4. Clear existing iptables rules
-F flushes all rules, -X deletes any user-defined chains, and -Z resets the packet and byte counters.
iptables -F
iptables -X
iptables -Z
5. Create a rule
a) Open ports
The command iptables -A INPUT -j REJECT blocks every port that has not been explicitly allowed, so be sure to open port 22 first to keep a working SSH connection.
The code is as follows:
# allow local access
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# allow established or related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# allow ports 21 and 20 of the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# for other ports the rules are similar; just adjust the statements above
# reject everything that was not explicitly allowed above
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
b) Blocking an IP
iptables -I INPUT -s 123.123.123.123 -j DROP
An IP range can be blocked by replacing the address above with the range in CIDR notation.
To block the entire range 123.0.0.1 to 123.255.255.254, change it to 123.0.0.0/8.
To block the range 123.123.0.1 to 123.123.255.254, change it to 123.123.0.0/16.
To block the range 123.123.123.1 to 123.123.123.254, change it to 123.123.123.0/24.
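Before adding a DROP on one of the ranges above it is worth confirming which addresses the mask really covers. The following is an added example, not code from the original article; the function names ip2int and in_cidr are my own, and it uses only POSIX sh arithmetic.

```sh
#!/bin/sh
# Added example (not from the article): test whether an IPv4 address lies inside a CIDR
# block, so the coverage of a rule like "-s 123.123.0.0/16 -j DROP" can be checked first.

# ip2int A.B.C.D -> prints the address as a 32-bit integer; returns 1 on malformed input.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # digits only, no leading zeros (a leading zero would be read as octal in $(( )))
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/PREFIX] -> 0 if ADDR is inside the block, 1 if not, 2 on bad input.
# A bare address with no prefix is treated as /32.
in_cidr() {
    addr=$(ip2int "$1") || return 2
    net=$(ip2int "${2%/*}") || return 2
    case $2 in */*) prefix=${2#*/} ;; *) prefix=32 ;; esac
    case $prefix in 0|[1-9]|[1-9][0-9]) ;; *) return 2 ;; esac
    [ "$prefix" -le 32 ] || return 2
    if [ "$prefix" -eq 0 ]; then
        mask=0                                   # /0 matches everything
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Driver showing the three ranges from the article (constructed sample addresses).
for pair in "123.200.1.1 123.0.0.0/8" "123.123.200.5 123.123.0.0/16" \
            "123.124.0.1 123.123.0.0/16" "123.123.123.77 123.123.123.0/24"; do
    set -- $pair
    if in_cidr "$1" "$2"; then echo "$1 is inside $2"; else echo "$1 is outside $2"; fi
done
```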
6. Enable start at boot
Generally, once iptables is installed it is set to start at boot automatically, but on some CentOS systems this seems not to work. You can set it manually with the following command.
chkconfig --level 345 iptables on
7. Save iptables rules
service iptables save
8. Simple application of iptables in manual defence against CC attacks
There are many ways to obtain the attacker's IP, such as looking at the website logs; that is not covered in this article.
a) Create a file of IPs / IP ranges to block, named ip.txt
# blocked ip
123.4.5.6
# blocked ip range (written the same way as above)
123.4.5.6/24
b) Create a block_ip.sh script file
The code is as follows:
#!/bin/sh
# Filename: block_ip.sh
# Purpose: blocks all IP addresses/networks found in a text file
# The text file must have one IP address or network per line
#
# Change the following path/filename to match yours
IP_LIST_FILE=/path/to/ip.txt
#
# Don't change anything below unless you are a smarty pants!
#
IPTABLES_BIN=/sbin/iptables
# Get the IP addresses/networks from the file and ignore any line starting with # (comments)
BAD_IP_ADDR_LIST=$(grep -Ev "^#" "$IP_LIST_FILE")
# Now loop through the IP address/network list and ban them using iptables
for i in $BAD_IP_ADDR_LIST
do
    printf 'Blocking %s...' "$i"      # printf instead of "echo -n", which is not portable under /bin/sh
    $IPTABLES_BIN -A INPUT -s "$i" -j DROP
    $IPTABLES_BIN -A OUTPUT -d "$i" -j DROP
    echo "DONE."
done
#
# END OF SCRIPT - NOTHING TO SEE HERE - THAT'S ALL FOLKS!
#
c) Run the script
sh /path/to/block_ip.sh
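The script above trusts every non-comment line of ip.txt and appends with -A. Since section 5 ends INPUT with a REJECT and OUTPUT with an ACCEPT-all, a DROP appended after those rules never matches outbound traffic and is shadowed by the REJECT on inbound. The following is an added example, not the article's script: it validates each entry, skips inline comments and blank lines, inserts with -I, and uses iptables -C so that re-running it does not pile up duplicate rules. The function names and the IPTABLES_BIN override (handy for a dry run) are my own assumptions.

```sh
#!/bin/sh
# Added example (not the article's block_ip.sh): stricter ip.txt loader.
# IPTABLES_BIN can be overridden, e.g. IPTABLES_BIN=echo for a dry run.
IPTABLES_BIN=${IPTABLES_BIN:-/sbin/iptables}

# valid_entry ENTRY -> 0 if ENTRY is an IPv4 address or CIDR block (a.b.c.d or a.b.c.d/NN), 1 otherwise.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}                        # the regex only checks shape; also reject octets above 255
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# read_list FILE -> prints the valid entries one per line and reports bad lines on stderr.
read_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # strip trailing comment and whitespace
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then printf '%s\n' "$entry"
        else printf 'skipping invalid line: %s\n' "$line" >&2; fi
    done < "$1"
}

# block_entry ENTRY -> inserts the two DROP rules unless identical ones already exist (-C).
block_entry() {
    e=$1
    for spec in "INPUT -s" "OUTPUT -d"; do
        set -- $spec                     # $1 = chain, $2 = match option
        $IPTABLES_BIN -C "$1" "$2" "$e" -j DROP 2>/dev/null && continue
        $IPTABLES_BIN -I "$1" "$2" "$e" -j DROP
    done
}

# block_from_file FILE -> blocks every valid entry and prints how many were processed.
block_from_file() {
    n=0
    for e in $(read_list "$1"); do block_entry "$e"; n=$((n + 1)); done
    echo "$n"
}
```

Run it as IPTABLES_BIN=echo sh -c '. ./block_list.sh; block_from_file /path/to/ip.txt' to see the rules it would add without touching the firewall.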