Last update: 2024-04-25, edited by 888u
iptables is the classic Linux firewall front end to the kernel's netfilter packet filter; on any Internet-facing host it (or its successor nftables) should be installed and configured.
1. Install software
The VPS we purchase usually has iptables pre-installed. Check the service status first to confirm:
service iptables status
If the service is not found (on CentOS 6 the reply is "iptables: unrecognized service"), install it. On CentOS 7 and later the service unit and /etc/sysconfig/iptables come from the iptables-services package (the iptables package alone only provides the command), and firewalld is enabled by default, so stop and disable firewalld before enabling the iptables service or the two will overwrite each other's rules.
yum install iptables-services #CentOS 7 and later (yum install iptables on CentOS 6)
apt-get install iptables #Debian system
2. Configuration rules
The following commands use CentOS as the example; adjust paths and service names for other distributions.
The installed iptables configuration file is /etc/sysconfig/iptables. We can ignore the default rules and clear them with the commands below. Do this only while the built-in chains still have policy ACCEPT (check with iptables -L -n): flushing a chain whose policy is DROP over SSH locks you out.
iptables -F #flush all rules from every chain of the filter table
iptables -X #delete user-defined chains (they must be empty, which -F just ensured)
iptables -Z #zero the packet and byte counters
Next, add our own iptables rules: open the ports we need and refuse everything else. The following is a minimal ruleset:
#Allow the loopback interface (the machine talking to itself). Match on the interface rather than on 127.0.0.1: 127.0.0.0/8 is a whole /8, and packets addressed to the host's own public IP also travel over lo.
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections we are already tracking, plus related ones (FTP data, ICMP errors). -m conntrack --ctstate is the current spelling of -m state --state; both work.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow all outbound traffic from this machine (this is also the default policy of the OUTPUT chain)
iptables -A OUTPUT -j ACCEPT
# Allow SSH on port 22 (keep this line; without it the REJECT rule below cuts your session)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#Allow HTTP on port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#FTP: port 21 is the control connection. Port 20 is only the source port the server uses for active-mode data connections, which it opens outbound and which the ESTABLISHED,RELATED rule already covers, so an inbound rule for 20 is unnecessary. Passive mode needs either the server's passive port range opened or the nf_conntrack_ftp helper loaded (modprobe nf_conntrack_ftp), which marks the data connection RELATED.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT #harmless but only useful if something actually listens on 20
#Other ports follow the same pattern: copy one of the lines above and change --dport.
#Refuse all INPUT and FORWARD traffic not matched above. Order matters with -A: any rule appended after these two lines is never evaluated. REJECT answers with an ICMP port-unreachable, which tells a legitimate client immediately that it is blocked; DROP would make it wait for a timeout.
iptables -A INPUT -j REJECT #Note: if port 22 was not allowed above, the SSH session drops the moment this rule lands.
iptables -A FORWARD -j REJECT
If more ports need opening, add them above the REJECT line, then save the rules; otherwise they are lost at the next reboot or service restart. The restart itself is not required, since the rules are already live; it only proves the saved file loads cleanly.
service iptables save #write the running rules to /etc/sysconfig/iptables
service iptables restart #optional: reload from the saved file
Ban a single IP (1.2.3.4 is a placeholder). Use -I, not -A: a DROP appended after the final REJECT is never reached, and inserting it at position 1, ahead of the ESTABLISHED,RELATED rule, also cuts the connections that address already has open:
iptables -I INPUT 1 -s 1.2.3.4 -j DROP
3. Query modification and deletion
iptables -L -n -v #Query rules (-n skips DNS lookups, -v adds interfaces and hit counters)
iptables -L -n --line-numbers #Number the rules in each chain for deletion
iptables -D INPUT 4 #Delete the fourth INPUT rule. Numbers shift after every deletion, so re-list before deleting the next one; iptables -S prints rules in the form -D also accepts (iptables -D INPUT -p tcp --dport 80 -j ACCEPT), which does not depend on position.
4. Setting startup
chkconfig iptables on #CentOS 6
systemctl enable iptables #CentOS 7 and later, from iptables-services; also run systemctl stop firewalld and systemctl disable firewalld so the two do not overwrite each other's rules
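Steps 2 to 4 as one script, added here as an example and not part of the original post. Instead of appending rules one at a time over SSH, it writes the ruleset as a single iptables-restore file and loads it in one atomic step, so the ordering mistakes discussed above (a DROP appended after the REJECT, a session cut before port 22 is allowed) cannot happen, and the built-in policies are DROP so a forgotten rule fails closed. The port list and banned addresses are arguments, 1.2.3.4 is a placeholder, and the /run/iptables.* paths, the 60-second rollback delay and the function names are this example's own assumptions; the save path /etc/sysconfig/iptables is the CentOS one used throughout the post.

```shell
# Added example (not from the original post): steps 2 to 4 as one atomic load.
# Assumed values: port list and banned IPs are arguments, 1.2.3.4 is a
# placeholder, /run/iptables.* and the 60 s rollback delay are this script's.

# build_ruleset "TCP_PORTS" "BANNED_IPS": print an iptables-restore file for
# the filter table. Policies are DROP so a missing ACCEPT fails closed; the
# final LOG + REJECT keeps the post's explicit rejection but records it.
build_ruleset() {
    ports=$1
    banned=$2
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Bans first, ahead of the ESTABLISHED rule, so existing sessions die too.
    for ip in $banned; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    # Loopback by interface, not by address (127.0.0.0/8 is a whole /8, and
    # traffic to the host's own public IP also travels over lo).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-reject: "' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable' \
        'COMMIT'
}

# apply_ruleset FILE: syntax-check, load atomically, then arm a rollback to the
# previous ruleset that fires unless confirm_ruleset runs within ROLLBACK_SECS.
# That timer is the guard against locking yourself out over SSH.
apply_ruleset() {
    iptables-save > /run/iptables.rollback || return 1
    iptables-restore --test < "$1" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    iptables-restore < "$1" || return 1
    ( sleep "${ROLLBACK_SECS:-60}" && [ -f /run/iptables.rollback ] \
        && iptables-restore < /run/iptables.rollback ) &
    echo $! > /run/iptables.rollback.pid
}

# confirm_ruleset: run from a session that still works to cancel the rollback
# and persist the rules where the iptables service reads them on boot.
confirm_ruleset() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null
    rm -f /run/iptables.rollback /run/iptables.rollback.pid
    iptables-save > /etc/sysconfig/iptables
}

# Usage as root:  build_ruleset "22 80 21" "1.2.3.4" > /tmp/rules.v4
#                 apply_ruleset /tmp/rules.v4
#                 (open a fresh SSH session; if it works:)  confirm_ruleset
```

Open a second SSH session after apply_ruleset rather than confirming from the one that ran it: the whole point of the timer is that a ruleset which cuts new connections rolls itself back after a minute.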
5. Other rules
The following are some rules for your reference.
# Turn on SYN cookies (cheap mitigation for SYN floods; they only kick in once the listen backlog is full)
sysctl -w net.ipv4.tcp_syncookies=1
#Lower the idle timeout of ESTABLISHED TCP entries from the default 432000 seconds (5 days) to 3800, which greatly reduces the number of tracked connections. net.ipv4.netfilter.ip_conntrack_tcp_timeout_established is the legacy ip_conntrack spelling; on current kernels the key is:
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3800
#Raise the conntrack table limit to 300,000 entries (size it to RAM and kernel version; each entry costs more than 300 bytes). Legacy name: net.ipv4.ip_conntrack_max. The key only appears once the nf_conntrack module is loaded, i.e. after a rule using state/conntrack matching has been added.
sysctl -w net.netfilter.nf_conntrack_max=300000
Do not silence these with &>/dev/null as is commonly done: a typo or a renamed key then fails without a trace and the host keeps running with the defaults. sysctl -w is also not persistent; put the same keys in a file under /etc/sysctl.d/ so they survive a reboot.
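The three sysctl settings above as they would go into a provisioning script, added as an example that is not from the original post. It resolves each setting against both the current and the legacy key name (current kernels expose the conntrack knobs under net.netfilter.*, the post's net.ipv4.* names are the old ip_conntrack spellings) and fails loudly instead of discarding errors to /dev/null. SYSCTL_ROOT is an assumed override of /proc/sys so the lookup can be exercised without root; the function names and the /etc/sysctl.d/90-conntrack.conf path are this example's own.

```shell
# Added example (not from the original post): apply the conntrack/SYN sysctls
# with key-name fallback and error reporting instead of "&>/dev/null".
# SYSCTL_ROOT is an assumed override of /proc/sys so lookups can be tested
# without root; everything else uses the real sysctl(8) interface.
: "${SYSCTL_ROOT:=/proc/sys}"

# resolve_key "cand1 cand2 ...": print the first candidate key that exists on
# this kernel (dots in the key become path components under SYSCTL_ROOT);
# return 1 if none of them does.
resolve_key() {
    for k in $1; do
        if [ -e "$SYSCTL_ROOT/$(printf '%s' "$k" | tr '.' '/')" ]; then
            printf '%s\n' "$k"
            return 0
        fi
    done
    return 1
}

# set_key "cand1 cand2 ..." VALUE: resolve, write, and echo what was applied in
# sysctl.conf syntax. Current names are listed first, the legacy net.ipv4.*
# spellings second, so one script works on both old and new hosts.
set_key() {
    key=$(resolve_key "$1") || {
        echo "no such sysctl on this kernel: $1" >&2
        return 1
    }
    sysctl -w "$key=$2" >/dev/null || return 1
    printf '%s = %s\n' "$key" "$2"
}

# apply_tuning: the three settings from the post. Returns non-zero if any of
# them failed, so a provisioning script notices instead of silently running
# with kernel defaults.
apply_tuning() {
    rc=0
    set_key "net.ipv4.tcp_syncookies" 1 || rc=1
    set_key "net.netfilter.nf_conntrack_tcp_timeout_established net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" 3800 || rc=1
    set_key "net.netfilter.nf_conntrack_max net.ipv4.ip_conntrack_max" 300000 || rc=1
    return $rc
}

# persist_tuning [FILE]: apply, and record the resolved names in a sysctl.d
# drop-in so the values survive reboot (sysctl -w alone does not).
persist_tuning() {
    apply_tuning > "${1:-/etc/sysctl.d/90-conntrack.conf}"
}
```

Run apply_tuning after the firewall rules are loaded: the nf_conntrack_* keys only exist once the conntrack module is in the kernel, and the function reports that as a missing key rather than guessing a name.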
# Lightweight SYN-flood throttle: route every new SYN through a dedicated chain
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j DROP
#Caveats: -m limit is one global bucket, so 3 SYN/s shared by all clients is trivially exhausted by a single source and locks out legitimate users; prefer a per-source limit with -m hashlimit --hashlimit-mode srcip. Drop the excess rather than REJECT it, since answering a flood with RSTs doubles the traffic. The jump into syn-flood must also be inserted before the port 22/80 ACCEPT rules of section 2, otherwise those SYNs are accepted before the chain is ever consulted.
# Rate-limit IP fragments regardless of origin to 100 per second (excess fragments fall through to whatever rule follows, so add an explicit DROP after this line if they are to be refused)
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Rate-limit forwarded ICMP to 1 packet/s with a burst of 10, to blunt ping floods
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#These rules, like the ones below, are on the FORWARD chain and only matter when the box routes traffic for other hosts (net.ipv4.ip_forward=1). For a single VPS protecting itself, put the equivalent rules on INPUT.
# Log and discard TCP packets that start a new flow without SYN (typical of stealth scans, or of connections left over after the conntrack table was flushed; the DROP therefore also kills those survivors)
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP