First, flush all existing rules:
iptables -F # delete every rule from the built-in chains of the filter table
iptables -X # delete every user-defined chain in the filter table (they must be empty, which -F guarantees)
Second, allow only the specified IP address to reach the specified ports:
iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d xxx.xxx.xxx.xxx -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -d xxx.xxx.xxx.xxx -p tcp --sport 3306 -j ACCEPT
In the rules above, --dport matches the destination port: for a packet coming into the server from outside, that is the server port the client connects to (22 for SSH, 3306 for MySQL). The replies leave the server with that port as their source, so the OUTPUT rules match on --sport instead. Likewise, -s matches the source address and -d the destination address. Replace xxx.xxx.xxx.xxx with the address of the administration host in every rule. The OUTPUT rules are required because the OUTPUT policy is set to DROP below and nothing else lets the replies out.
Then, close every other port by setting the default policy of all three chains to DROP. Do this only after the ACCEPT rules above are in place, and from the allowed address or a console session, because an SSH session from any other host is cut off the moment the INPUT policy becomes DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Finally, save the current rules so that they are reloaded at boot (RHEL/CentOS init script):
/etc/rc.d/init.d/iptables save
service iptables restart
This rule set is only suitable for a host that acts purely as a MySQL server, is administered and maintained from a single external address, and provides no service to anyone else.
If you also want to run yum on this host, you additionally need to allow DNS queries on port 53 and the download connections themselves, which are opened from randomly chosen high local ports:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 10000:65535 -j ACCEPT
/etc/rc.d/init.d/iptables save
service iptables restart
Note that the state list must be written RELATED,ESTABLISHED without a space, and the port range 10000:65535 likewise; iptables rejects the spaced forms. Two of these rules are looser than they need to be. Once INPUT accepts ESTABLISHED traffic, the DNS replies are already let in, so the --sport 53 rule is redundant and accepts any packet whose source port happens to be 53. The last OUTPUT rule permits every new outbound TCP connection from a high port, not just yum's; if the server should only talk to the repository mirrors, match the OUTPUT rule on their destination ports (80 and 443) and the NEW state instead.
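The whole procedure collected into one script, as an added example that is not code from the original page. It generates the equivalent rule set in iptables-restore format, with the administration address and a yes/no yum option as parameters, so the rules can be reviewed as a file and then loaded atomically with iptables-restore instead of being typed in one at a time (which is where the SSH lock-out and the spaced RELATED,ESTABLISHED mistakes happen). Everything beyond the page's own rules is an assumption of this example: the function names gen_rules and valid_ipv4, the loopback ACCEPT rules, the input validation of the address, and matching the new SSH/MySQL connections with -m state --state NEW so that replies are covered by one RELATED,ESTABLISHED rule rather than per-port OUTPUT rules. The address 203.0.113.10 in the usage line is a documentation address, not a real host.

```shell
#!/bin/sh
# Added example, not from the original page: build the page's MySQL-server
# ruleset in iptables-restore format. The function names, the loopback
# rules and the --state NEW matching are assumptions of this example.

# valid_ipv4 ADDR: succeed only for a plain dotted-quad IPv4 address,
# so that a typo or a shell metacharacter never reaches iptables.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots inside a subshell so the caller's IFS is untouched.
    (
        IFS=.
        set -- $1
        [ "$#" -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# gen_rules ADMIN_IP [yes]: print the ruleset; the optional second
# argument "yes" adds the outbound DNS/HTTP(S) rules that yum needs.
gen_rules() {
    admin_ip=$1
    allow_yum=${2:-no}
    if ! valid_ipv4 "$admin_ip"; then
        echo "gen_rules: not an IPv4 address: $admin_ip" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# local processes (mysql client on the box, resolver) keep working
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to anything accepted below come back through these two rules
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# only the administration host may open SSH and MySQL connections
-A INPUT -s $admin_ip/32 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s $admin_ip/32 -p tcp --dport 3306 -m state --state NEW -j ACCEPT
EOF
    if [ "$allow_yum" = yes ]; then
        cat <<EOF
# yum: DNS lookups plus new HTTP/HTTPS connections to the mirrors
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
    fi
    echo COMMIT
}

# Stand-alone use: sh gen_rules.sh 203.0.113.10 yes > /tmp/iptables.new
if [ "$#" -ge 1 ]; then
    gen_rules "$@"
fi
```

Write the output to a file, read it through, load it with iptables-restore from a console session, check the result with iptables -S and a fresh SSH login from the administration host, and only then save it. Because iptables-restore replaces the whole table in one step, there is no moment at which the policy is already DROP while the ACCEPT rules do not yet exist.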