Opening and closing ports on CentOS 7 with the iptables firewall

Date: 10-18

The original link: https://www.jianshu.com/u/e199acf1e9fb


0x01 Introduction
iptables is the command-line tool commonly used to manage the Linux firewall. It is part of the netfilter project and edits the packet-filtering tables inside the kernel.
On CentOS 7 the iptables-services package keeps its files under /etc/sysconfig: the saved rules live in /etc/sysconfig/iptables, and the service options (which extra kernel modules to load, whether to save the rules when the service stops) live in /etc/sysconfig/iptables-config.
Command: vim /etc/sysconfig/iptables-config

0x02 Note
CentOS 7 ships with firewalld as its default firewall front end. firewalld programs netfilter itself, so it has to be stopped and disabled before you manage the rules with iptables directly; otherwise the two tools overwrite each other's rules.

Stop the firewalld service:
Command: systemctl stop firewalld         # stop the firewall now
Command: systemctl disable firewalld      # do not start it at boot
Command: systemctl mask firewalld         # optional: prevent other units from starting it again

0x03 Check whether iptables is installed
Command: service iptables status
If the service is not installed, this reports that the iptables service is unrecognised. rpm -q iptables iptables-services shows which of the two packages is present.

0x04 Install iptables
Command: yum install -y iptables

0x05 Upgrade iptables
Command: yum update iptables

0x06 Install iptables-services
This package provides the iptables.service unit and the service iptables save command used below; without it the rules cannot be made persistent in the way described here.
Command: yum install -y iptables-services

0x07 Start the firewall
Command: systemctl start iptables.service     # start the service now
Command: systemctl enable iptables.service    # start it at boot

0x08 Stop the firewall
Command: systemctl stop iptables.service      # stop the service
Command: systemctl disable iptables.service   # do not start it at boot

0x09 View the status of the iptables service
Command: systemctl status iptables.service

0x10 View the existing iptables rules
Command: iptables -L -n
-n prints addresses and ports numerically instead of resolving them, which keeps the listing fast and avoids DNS lookups. Add -v to see the interface each rule applies to and the packet counters; iptables -S prints the rules in the command-line form used to create them.

0x11 Important: remove the default rules
11.1 Basic configuration after installation: allow everything first, to avoid locking yourself out
Before flushing anything, set the default policy of the INPUT chain to ACCEPT. If the policy is left at DROP and the rules are flushed, every inbound packet is dropped the moment the rule that allowed it disappears, and that includes the SSH session you are working from.
Command: iptables -P INPUT ACCEPT

11.2 Basic configuration after installation: flush all rules in the built-in chains
Command: iptables -F

11.3 Basic configuration after installation: delete all user-defined chains
Command: iptables -X

11.4 Basic configuration after installation: reset all packet and byte counters to zero
Command: iptables -Z

iptables options are case-sensitive: -P sets a chain policy while -p selects a protocol, and -F, -X and -Z are upper-case.

0x12 Important: configure the rules
12.1 Allow packets on the lo interface
Without this rule, local services cannot be reached through 127.0.0.1 once the default policy is DROP; even ping 127.0.0.1 fails.
Command: iptables -A INPUT -i lo -j ACCEPT

12.2 Open a port
Command: iptables -A INPUT -p tcp --dport <port> -j ACCEPT

12.2.1 Example: open port 80 (HTTP) and port 22 (SSH)
Command: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Open port 22 before the default policy is switched to DROP in 12.6, otherwise the SSH session you are working from is cut off.

12.3 Allow ICMP echo requests, i.e. allow the host to be pinged
Command: iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

12.4 Allow the replies to requests made by this host
A request this host sends out leaves through the OUTPUT chain, but the reply comes back through INPUT and has to be accepted there. The connection-tracking state ESTABLISHED matches replies to connections this host opened; RELATED matches traffic that belongs to an existing connection, such as ICMP error messages or FTP data connections.
Command: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

12.5 Trust one IP address (accept all TCP traffic from it)
Command: iptables -A INPUT -p tcp -s 192.168.1.50 -j ACCEPT     # 192.168.1.50 is the address to trust

12.6 Drop everything that no rule above has accepted
Command: iptables -P INPUT DROP
This is the chain policy, not a rule: it applies only to packets that reach the end of the INPUT chain without matching anything, so rules appended later still take effect. iptables evaluates rules in order and stops at the first match, which is why the RELATED,ESTABLISHED rule is usually placed first: it matches most packets and spares them the comparison against every port rule.
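The rules of 0x11 and 0x12 can also be written as one iptables-restore file instead of being typed one command at a time. This is an added example and not part of the original post: the shell function below emits such a file for a given SSH port, a list of open TCP ports and an optional trusted address (the port numbers, the address 192.168.1.50 and the extra drop of INVALID-state packets are illustrative assumptions). iptables-restore replaces the whole filter table in one step, so there is no moment at which the chain is flushed but the allow rules are missing, and the "set the policy to ACCEPT before flushing" step is not needed; the format is the same one that service iptables save writes to /etc/sysconfig/iptables, so the output can be compared with the current file before it is loaded.

```shell
#!/bin/sh
# Emit a complete filter table in iptables-restore format.  Load it with
#   iptables-restore < rules.v4
# which swaps the whole table atomically (no flush-then-rebuild window), or
# write it to /etc/sysconfig/iptables so the iptables service loads it at boot.
#
# build_ruleset SSH_PORT "TCP_PORTS" [TRUSTED_SRC] [ALLOW_PING]
#   SSH_PORT     port kept open for SSH (always emitted, so you are not locked out)
#   TCP_PORTS    space-separated list of further TCP ports, may be ""
#   TRUSTED_SRC  address or CIDR allowed to open any TCP port, "" for none
#   ALLOW_PING   yes (default) or no
build_ruleset() {
    ssh_port=$1
    tcp_ports=$2
    trusted=${3:-}
    allow_ping=${4:-yes}

    printf '%s\n' '*filter'
    # chain policies: inbound and forwarded traffic is dropped unless a rule
    # accepts it, outbound is allowed (the same policies as the page's script)
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # replies to connections this host opened and RELATED flows come first:
    # most packets match here, so the port rules only ever see new connections
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # packets that connection tracking cannot associate with any connection
    # (assumption: added here as a hardening step, not in the original post)
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # loopback, otherwise 127.0.0.1 is unreachable once the policy is DROP
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'

    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for port in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    if [ -n "$trusted" ]; then
        printf '%s\n' "-A INPUT -p tcp -s $trusted -j ACCEPT"
    fi
    if [ "$allow_ping" = yes ]; then
        printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    fi
    # COMMIT ends the table; without it iptables-restore loads nothing
    printf '%s\n' 'COMMIT'
}

# Example: SSH on 22, web on 80 and 443, one trusted management host.
# Run with --print-example to print the file; redirect it where you need it.
if [ "${1:-}" = "--print-example" ]; then
    build_ruleset 22 "80 443" 192.168.1.50
fi
```

Before loading the generated file on a real host, run iptables-restore --test < rules.v4 to have it parsed without touching the live rules, and keep a second SSH session open while you apply it.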


0x13 Important: save the rules
Note: once the rules are set, run iptables -L -n and check that the configuration is what you intended. Even then, do not save straight away. Unsaved rules are only in effect in the running kernel and disappear on reboot, so if something has gone wrong you can still recover by restarting the server from the hosting control panel. Keep a second SSH session open as well, and confirm that a fresh login still works before saving.
Only when everything checks out, save the rules. This writes them to /etc/sysconfig/iptables, from which the iptables service reloads them at boot.
Save command: service iptables save
The same file can also be written directly with iptables-save > /etc/sysconfig/iptables.
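The advice above (check first, keep a working session, save last) can be automated with a dead-man's switch. This is an added example, not code from the original post: it snapshots the live rules, loads a rule file in iptables-restore format, and puts the snapshot back unless the operator confirms within a timeout, so a rule that cuts off your own SSH session undoes itself. It assumes the iptables-services layout (service iptables save persisting to /etc/sysconfig/iptables); the environment-variable overrides for the tool names and the /tmp backup path are design choices of this example.

```shell
#!/bin/sh
# Load a ruleset with a dead-man's switch.  The live rules are snapshotted with
# iptables-save, the new file is loaded atomically with iptables-restore, and
# the snapshot is put back automatically unless the operator confirms within
# TIMEOUT seconds.  Nothing is written to /etc/sysconfig/iptables until the
# new rules have been confirmed from a session that still works.
#
# The commands are taken from environment variables (an assumption of this
# example) so the control flow can be exercised without root; the defaults
# are the real tools shipped with iptables-services.
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
PERSIST_CMD=${PERSIST_CMD:-"service iptables save"}

# apply_with_rollback RULEFILE [TIMEOUT]
#   returns 0 = confirmed and persisted, 1 = rolled back, 2 = live rules untouched
apply_with_rollback() {
    rulefile=$1
    timeout=${2:-30}
    [ -r "$rulefile" ] || { echo "cannot read rule file: $rulefile" >&2; return 2; }

    # 1. snapshot the live rules so there is something to fall back to
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 2
    $IPTABLES_SAVE > "$backup" || { rm -f "$backup"; return 2; }

    # 2. load the new rules; on a syntax error iptables-restore rejects the
    #    whole file and the live rules stay exactly as they were
    if ! $IPTABLES_RESTORE < "$rulefile" > /dev/null; then
        echo "$rulefile rejected by iptables-restore, live rules unchanged" >&2
        rm -f "$backup"
        return 2
    fi

    # 3. arm the watchdog: if nobody confirms in time (because the session
    #    that should confirm is gone), it restores the snapshot and leaves a
    #    marker file so the waiting shell can tell what happened
    marker="$backup.rolled-back"
    ( sleep "$timeout"
      $IPTABLES_RESTORE < "$backup" > /dev/null && : > "$marker"
      echo "no confirmation within ${timeout}s, previous rules restored" >&2 ) &
    watchdog=$!

    printf 'New rules loaded. Type y within %ss to keep them: ' "$timeout"
    answer=""
    read answer || true                 # EOF on stdin counts as "no"
    kill "$watchdog" 2>/dev/null || true

    if [ -e "$marker" ]; then
        # the watchdog fired before the answer arrived; the old rules are back
        rm -f "$backup" "$marker"
        echo "answer came too late, previous rules are back" >&2
        return 1
    fi
    if [ "$answer" != y ]; then
        $IPTABLES_RESTORE < "$backup" > /dev/null
        rm -f "$backup"
        echo "rolled back to previous rules" >&2
        return 1
    fi

    # 4. only now make the rules survive a reboot or a service restart
    $PERSIST_CMD || return 2
    echo "rules persisted; snapshot of the previous rules kept in $backup"
    return 0
}
```

Run it as root from your SSH session, for example apply_with_rollback /root/new.rules 30. If the session freezes, wait out the timeout, reconnect and fix the file. For a dry run without root, point IPTABLES_SAVE, IPTABLES_RESTORE and PERSIST_CMD at harmless commands such as cat, tee and cp; the rule file still has to exist, because its readability is checked before anything else.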

0x14 Restart the firewall
Command: systemctl restart iptables.service
A restart reloads the rules from /etc/sysconfig/iptables, so any rule that was not saved is lost at this point.

0x15 Miscellaneous
15.1 To block a single IP address, use the following command:
Command: iptables -I INPUT -s <ip> -j DROP
-I inserts the rule at the top of the chain, so it is evaluated before any ACCEPT rule; a rule appended with -A would sit below the accept rules and never match traffic they already allow.

15.2 To unblock that IP address, delete the same rule:
Command: iptables -D INPUT -s <ip> -j DROP
-D with a rule specification removes the first rule that matches it exactly. If the address was blocked more than once, repeat the command until iptables reports that no matching rule exists.


0x16 Delete an existing rule
To delete a rule by its position, first list the rules with their sequence numbers:
Command: iptables -L -n --line-numbers

To delete, for example, rule number 8 in the INPUT chain:
Command: iptables -D INPUT 8
The numbers are per chain and are reassigned as soon as a rule is removed, so when deleting several rules from one chain, delete the highest number first. iptables -S INPUT prints the same rules in the command-line form used to create them, which is easier to read than the -L listing when two rules look alike.
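Deleting by number is error-prone when several rules match, both here and for the unblock case in 15.2: every -D renumbers the chain. The following is an added example, not from the original post, that picks the rule numbers matching a pattern out of an iptables -L listing and prints the -D commands highest number first, so they can be run in that order. The listing is constructed for the example in the layout iptables -L INPUT -n --line-numbers prints, and 203.0.113.7 is a documentation address, not a real host.

```shell
#!/bin/sh
# Find the position numbers of rules that match a pattern in the output of
#   iptables -L <chain> -n --line-numbers
# and print the matching "iptables -D <chain> N" commands, highest number
# first.  Positions are renumbered after every deletion, so deleting from the
# bottom up keeps the remaining numbers valid; deleting 4 and then 6 from the
# sample below would remove the wrong rule.

# matching_rule_numbers PATTERN   (listing on stdin) -> numbers, highest first
matching_rule_numbers() {
    pattern=$1
    # rule lines start with their position number; the two header lines do not
    grep -E -e "$pattern" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -rn
}

# delete_commands CHAIN PATTERN   (listing on stdin) -> iptables -D commands
delete_commands() {
    chain=$1
    pattern=$2
    matching_rule_numbers "$pattern" | while read -r num; do
        printf 'iptables -D %s %s\n' "$chain" "$num"
    done
}

# Constructed sample listing (not captured from a real host).  Rules 4 and 6
# both block 203.0.113.7, as 15.1 would produce if it were run twice.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  203.0.113.7          0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6    DROP       all  --  203.0.113.7          0.0.0.0/0
7    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8'

# On a real host feed the live listing instead:
#   iptables -L INPUT -n --line-numbers | delete_commands INPUT '<pattern>'
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT '203\.0\.113\.7'
```

The pattern is an extended regular expression matched against the whole rule line, so it can select on the target, the address or the port column; review the printed commands before piping them into sh.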

0x17 Example: complete setup script
#!/bin/sh

# show the existing rules
iptables -L -n

# allow everything first, otherwise flushing the rules can lock you out
iptables -P INPUT ACCEPT

# flush all rules in the built-in chains
iptables -F

# delete all user-defined chains
iptables -X

# reset all counters to zero
iptables -Z

# allow packets on the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT

# open port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# open port 21 (FTP control connection)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# allow ping (ICMP echo request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# accept replies to requests this host made, plus RELATED traffic; RELATED is
# what lets the FTP data connection in. It is only classified as RELATED when
# the nf_conntrack_ftp helper is loaded, so add that module to IPTABLES_MODULES
# in /etc/sysconfig/iptables-config.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop every other inbound packet
iptables -P INPUT DROP

# allow all outbound traffic
iptables -P OUTPUT ACCEPT

# drop all forwarded traffic
iptables -P FORWARD DROP

# save the rules to /etc/sysconfig/iptables
service iptables save

# restart the service so it reloads the saved rules
systemctl restart iptables.service
