VPS security iptables settings

888u

Last updated: 2024-05-14, edited by 888u

iptables is the user-space front end to the Linux kernel's netfilter packet filter and is very powerful. It has several built-in tables; the three that matter for a VPS firewall are filter, nat and mangle (raw and security also exist but are not used here).

filter is responsible for filtering packets; its chains are INPUT, OUTPUT and FORWARD.

nat handles network address translation; its chains are PREROUTING, POSTROUTING and OUTPUT.

mangle is used to alter packet headers (TTL, TOS, firewall marks) for traffic shaping and QoS; it has all five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

INPUT matches packets whose destination IP is the local machine; FORWARD matches packets routed through the machine; OUTPUT matches packets generated by the machine itself; PREROUTING (in nat) rewrites the destination address for DNAT before the routing decision; POSTROUTING (in nat) rewrites the source address for SNAT after the routing decision.

I. iptables syntax

Option letters are case-sensitive (-t selects a table, -T does not exist).

-A, --append   Append a rule to a chain; it goes to the end of the chain by default:
    iptables -A INPUT -j ACCEPT
-D, --delete   Delete a rule from a chain, identified either by its rule specification or by its line number:
    iptables -D INPUT -j ACCEPT
-t             Table to operate on (filter, nat, mangle); the default is filter
-R             Replace a rule in a chain
-I             Insert a rule; it goes to the head of the chain by default
-F             Flush (empty) the selected chain. This changes only the in-memory rule set; after a reboot the saved rules are loaded again
-N             Create a new user-defined chain
-X             Delete a user-defined chain
-p             Protocol: tcp, udp, icmp, etc., or a numeric protocol number
-s             Source address
-d             Destination address
-i             Input interface
-o             Output interface
-j             Target (the action taken): ACCEPT, DROP, REJECT, LOG, SNAT, DNAT, MASQUERADE
--sport        Source port
--dport        Destination port; both port options only work together with -p tcp or -p udp in the same rule
-P             Set a chain's default policy, which applies to every packet no rule in the chain matched:
    iptables -P [INPUT|OUTPUT|FORWARD] [ACCEPT|DROP]
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

II. iptables common operations

iptables -L                        # List the rules; add -n to skip reverse DNS lookups, -v for packet counters, --line-numbers for rule positions
iptables -F                        # Flush the rules in the built-in chains
iptables -X                        # Delete the user-defined chains
/etc/rc.d/init.d/iptables save     # Save the running rules to /etc/sysconfig/iptables. Rules added with iptables take effect immediately; saving only makes them survive a reboot
/etc/init.d/iptables status        # Show the rules the service has loaded
/etc/init.d/iptables stop          # Stop the firewall (this flushes the rules)
chkconfig --level 35 iptables off  # Keep the service from starting at boot in runlevels 3 and 5

These init-script commands are from RHEL/CentOS 6. On systemd distributions use iptables-save/iptables-restore with the iptables-services package (CentOS 7 and later) or iptables-persistent/netfilter-persistent (Debian and Ubuntu) to persist the rules.

III. Check if iptables is valid

From another machine, check whether port 22 is reachable:

telnet www.phpgao.com 22

A port the firewall REJECTs (or one with nothing listening on it) returns:

telnet: connect to address 104.224.144.xxx: Connection refused

"Connection refused" means a TCP RST came back, which is what a REJECT rule (or a closed port) produces. A DROP rule or a DROP policy sends nothing back, so telnet hangs until it times out instead; a long silence is therefore also a sign that a firewall rule is in front of the port, just a different kind.
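Telnet only reports "refused" or hangs, so the helper below, an added example that is not part of the original post, turns the probe into an explicit open/closed/filtered verdict from the client side. It assumes bash (for its /dev/tcp pseudo-device) and the timeout command from coreutils or busybox on the probing machine; the host and ports in the usage line are placeholders.

```shell
#!/bin/sh
# Port probe that tells a REJECT apart from a DROP. Added example for this post, not part of the
# original; assumes bash (/dev/tcp) and timeout(1) are installed on the client you probe from.
# Verdicts:
#   open     - TCP handshake completed: a service is listening and the firewall ACCEPTs
#   closed   - an immediate error came back: RST from a REJECT rule or from a port with no
#              listener, or an ICMP unreachable
#   filtered - no answer before the timeout: a DROP rule or DROP policy is discarding the SYN

# Map the exit status of the connect attempt to a verdict.
classify_rc() {
    case $1 in
        0)   echo open ;;
        124) echo filtered ;;   # timeout(1) exits 124 when it has to kill the command
        *)   echo closed ;;
    esac
}

# probe_port HOST PORT [TIMEOUT_SECONDS]
probe_port() {
    host=$1
    port=$2
    secs=${3:-3}
    # bash opens a TCP connection when a redirection targets /dev/tcp/HOST/PORT
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    classify_rc "$rc"
}

# probe_ports HOST PORT...   prints "HOST PORT VERDICT" per port
probe_ports() {
    host=$1
    shift
    for p in "$@"; do
        printf '%s %s %s\n' "$host" "$p" "$(probe_port "$host" "$p")"
    done
}

# Example (hypothetical host): probe_ports www.phpgao.com 22 80 443 8080
```

Run it from a host outside the VPS, otherwise the loopback rules rather than the public-interface rules are what you test. A port that shows "filtered" is being dropped, "closed" is being rejected or has no listener, and the difference tells you which rule in the ruleset is handling the traffic.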

IV. Export and restore of iptables rules

Export the running rules and load them back:

iptables-save > somefile
iptables-restore < somefile

The ruleset below is in the format iptables-save writes and iptables-restore reads, so it can be loaded with iptables-restore < somefile. Replace each xxx with the real port number before loading; iptables-restore refuses a file that still contains them.

*filter
# Default policies, written by iptables-save as ":CHAIN POLICY [packets:bytes]". A DROP policy on
# INPUT and FORWARD keeps the default deny in place even if the catch-all REJECT rules at the end are removed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all loopback (lo) traffic and reject traffic to 127/8 that does not arrive on lo
-A INPUT -i lo -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept return traffic for connections the server already has (tracked by conntrack)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic; tighten this to specific ports if the server should not connect out freely
-A OUTPUT -j ACCEPT
# Allow HTTPS from anywhere
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow HTTP from anywhere, with a crude flood limit on new connections: 25 per minute, burst 100.
# The limit rule has to come before any unconditional port-80 ACCEPT (after one it never matches),
# and the DROP that follows it is what actually discards connections above the limit.
-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
# DNS: no inbound rule is needed for the server's own lookups, because conntrack matches the
# replies as ESTABLISHED; only open udp/53 if this machine is itself a DNS server
#-A INPUT -p udp --dport 53 -j ACCEPT
#-A OUTPUT -p udp --dport 53 -j ACCEPT
# Ports for testing
#-A INPUT -p tcp --dport 8080:8090 -j ACCEPT
# Ports for MOSH (mobile shell)
#-A INPUT -p udp --dport 60000:61000 -j ACCEPT
# Allow SSH. The --dport value must be the Port you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport xxx -j ACCEPT
# Allow ping (ICMP echo-request, type 8)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow Shadowsocks. The --dport value must be the port you set in config.json
-A INPUT -p tcp --dport xxx -j ACCEPT
# Log what is about to be rejected, at most 5 entries per minute so a port scan cannot fill the disk.
# This rule belongs immediately before the catch-all REJECT: placed earlier in the chain it would
# also log packets that later rules accept. The OUTPUT variant is dead code while OUTPUT accepts
# everything above, so it stays commented out.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject everything else inbound and all forwarding: default deny unless explicitly allowed
-A INPUT -j REJECT
-A FORWARD -j REJECT
#-A OUTPUT -j DROP
COMMIT
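Loading a wrong ruleset on a remote VPS ends the SSH session you loaded it from, so it pays to check the file first. The shell helper below is an added example, not part of the original post: it lints an iptables-restore file for the mistakes that cause a lock-out (an unfilled xxx placeholder, a missing loopback or ESTABLISHED,RELATED rule, no default deny, or an SSH ACCEPT placed after the catch-all REJECT). It assumes only POSIX sh, grep, head, cut and mktemp; the ruleset in its demo function and the port 2222 in it are constructed for the example.

```shell
#!/bin/sh
# Pre-flight linter for an iptables-restore file. Added example for this post, not part of the
# original ruleset. iptables walks a chain top to bottom and stops at the first match, so the
# order of the ACCEPT and the catch-all REJECT decides whether you keep SSH access.
# Usage: lint_rules FILE [SSH_PORT]   -> exit status 0 when every check passes

lint_rules() {
    file=$1
    ssh_port=${2:-22}
    status=0

    # 1. The template leaves "--dport xxx"; iptables-restore would abort on it anyway, but say why.
    if grep -Eq -e '--dport +xxx' "$file"; then
        echo "FAIL: unfilled placeholder '--dport xxx' in $file"
        status=1
    fi

    # 2. Loopback must be accepted, or local services (databases, resolvers) stop working.
    if ! grep -Eq '^-A INPUT -i lo -j ACCEPT' "$file"; then
        echo "FAIL: missing '-A INPUT -i lo -j ACCEPT'"
        status=1
    fi

    # 3. Replies to the server's own connections only get in through the conntrack rule.
    if ! grep -Eq '^-A INPUT -m (state --state|conntrack --ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$file"; then
        echo "FAIL: missing ESTABLISHED,RELATED ACCEPT on INPUT"
        status=1
    fi

    # 4. Default deny: a catch-all rule at the end of INPUT, or a DROP policy on the chain.
    deny=$(grep -nE '^-A INPUT -j (REJECT|DROP)' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$deny" ] && ! grep -q '^:INPUT DROP' "$file"; then
        echo "FAIL: INPUT has neither a catch-all REJECT/DROP nor a DROP policy"
        status=1
    fi

    # 5. The SSH ACCEPT must exist and its line must come before the catch-all deny.
    ssh=$(grep -nE -e "^-A INPUT .*-p tcp .*--dport ${ssh_port}( |\$).*-j ACCEPT" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$ssh" ]; then
        echo "FAIL: no ACCEPT for tcp/$ssh_port; loading this file would lock you out"
        status=1
    elif [ -n "$deny" ] && [ "$ssh" -gt "$deny" ]; then
        echo "FAIL: tcp/$ssh_port ACCEPT is on line $ssh, after the catch-all deny on line $deny"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $file passed all checks"
    fi
    return "$status"
}

# Demo on a constructed ruleset (made up for the example) that has the SSH rule in the wrong place.
demo_lint() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT
COMMIT
EOF
    if lint_rules "$tmp" 2222; then rc=0; else rc=$?; fi   # reports the SSH rule below the REJECT
    rm -f "$tmp"
    return "$rc"
}
```

Run lint_rules on the file with the SSH port you actually use, then let iptables itself parse it with iptables-restore --test < somefile (the -t/--test option only builds the ruleset without committing it) before loading it for real.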




All rights reserved by 888u unless otherwise stated.