Before working through this tutorial, make sure you can operate the Linux machine from a local console. If you only have remote ssh access and cannot reach the machine directly, first add the cron job below. In the worst case every port becomes unreachable and you cannot even log in over ssh, but within five minutes the timer will stop the iptables firewall for you.
[root@localhost ~]# crontab -u root -e
*/5 * * * * /etc/init.d/iptables stop ## stops the firewall every 5 minutes, so a mistaken rule cannot lock you out of ssh for long
First, a few simple commands:
/etc/init.d/iptables save ## save the firewall rules; if you do not save, the rules disappear when iptables restarts
iptables -L -n ## view the current firewall rules
PS: Before adding a rule, run iptables -L -n to look at the current rules. If no rules are shown, your iptables service may not be running. If you add rules in that state and then save, the newly saved rules overwrite the previously saved ones. If you want to keep using the previous rules, start the iptables service first; you will then see the previous rules and can add to them.
Let's add two rules:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT ## add a rule that opens port 22 for inbound traffic
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT ## add a rule that opens port 22 for outbound traffic
Once these two rules are added, you need not worry about losing ssh access. To learn more, run iptables --help.
Now let's focus on the difference between dport and sport in iptables:
dport: Destination port
sport: Source port
Using two INPUT examples, we distinguish dport from sport in the INPUT chain.
Example 1:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
This INPUT rule can be described as follows:
1. This is data coming into the local server from the outside.
2. The packet's destination port (dport) is 22, that is, it is trying to reach port 22 on my machine.
3. Allow such data through.
Example 2:
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
This INPUT rule can be described as follows:
1. This is data coming into the local server from the outside.
2. The packet's source port (sport) is 22, that is, the other side sent the packet from its port 22.
3. Allow such data through.
Using two OUTPUT examples, we distinguish dport from sport in the OUTPUT chain.
Example 1:
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
This OUTPUT rule can be described as follows:
1. This is data going out from the inside.
2. The destination port (dport) of the outgoing data is 22.
3. Allow such data through.
Example 2:
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
This OUTPUT rule can be described as follows:
1. This is data going out from the inside.
2. The packet's source port (sport) is 22, that is, the data is sent from port 22 of this server.
3. Allow such data through.
By default INPUT, OUTPUT and FORWARD are all ACCEPT.
Without adding any rules, data can come in on every port ~
iptables -P INPUT DROP # If you have not added the ACCEPT rule for port 22, do not run this command
After running the above command, every packet entering INPUT that does not match an added ACCEPT rule is dropped...
Likewise there are these commands:
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
INPUT is usually set to DROP, so we need to add some ACCEPT rules to the INPUT chain:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh port open
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # web service port open
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # ftp service port open
iptables -A INPUT -p icmp -j ACCEPT # Allow icmp packet to pass, that is, to allow ping
iptables -A INPUT -i lo -p all -j ACCEPT # Allow loopback
##### If you run other services that need open ports, write rules for them the same way.
OUTPUT is usually set to ACCEPT, so we need to add some DROP rules to the OUTPUT chain:
Close some ports:
iptables -A OUTPUT -p tcp --sport 27444 -j DROP
iptables -A OUTPUT -p tcp --sport 27665 -j DROP
iptables -A OUTPUT -p tcp --sport 31337 -j DROP
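The whole rule set above, as an added example that is not part of the original tutorial: a shell function that writes the rules in iptables-restore format, so that the port 22 ACCEPT rule and the INPUT DROP policy are applied in one atomic step instead of one iptables -A / -P command at a time, and that refuses to emit a default-DROP INPUT chain without the ssh port. It assumes the conntrack match is available (any modern kernel) and that ssh listens on 22 unless SSH_PORT is set; gen_rules and SSH_PORT are names chosen here, not part of iptables.

```shell
# gen_rules PORT...  ->  prints an iptables-restore ruleset on stdout.
# Returns 1 on a bad port, or when the ssh port is missing from the
# allow list (a default-DROP INPUT chain without it would lock you out).
gen_rules() {
    ssh_port="${SSH_PORT:-22}"   # assumption: ssh on 22 unless overridden
    ssh_ok=0
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_rules: port out of range '$p'" >&2; return 1
        fi
        if [ "$p" = "$ssh_port" ]; then ssh_ok=1; fi
    done
    if [ "$ssh_ok" -ne 1 ]; then
        echo "gen_rules: refusing default-DROP INPUT without port $ssh_port" >&2
        return 1
    fi
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # same effect as: iptables -P INPUT DROP
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'  # loopback
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT' # allow ping
    # Replies to connections this host opened (DNS, package updates, ...)
    # arrive on arbitrary dports, so admit them by connection state.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"   # inbound, matched on destination port
    done
    for p in 27444 27665 31337; do                             # the outbound drops from the tutorial
        printf '%s\n' "-A OUTPUT -p tcp --sport $p -j DROP"    # outbound, matched on source port
    done
    printf '%s\n' 'COMMIT'
}

# Apply as root:
#   gen_rules 22 80 21 > /tmp/rules.v4
#   iptables-restore --test /tmp/rules.v4   # parse only, changes nothing
#   iptables-restore /tmp/rules.v4          # replaces the whole filter table at once
#   /etc/init.d/iptables save               # persist, as in the tutorial
```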