  Linux firewall settings -DNS server articles
  Add Date : 2018-11-21      
If you have just set up a DNS server and need to enable the firewall but do not know how to configure it, you can follow the steps below or use the script given at the end.

If the server is used as a DNS server for the vast majority of cases, the usual settings for turning on the firewall while still providing the related services are as follows:

[1] Step one: clear the default firewall rules

iptables -F
iptables -X
iptables -Z
Parameter Description:

-F: flush (clear) all rules that have been defined

-X: delete all user-defined chains

(Background: a table is one of the three default iptables tables, Filter, NAT and Mangle, with Filter being the default; a chain is a chain within a table, e.g. filter has the three chains INPUT, OUTPUT and FORWARD.)

-Z: zero the packet and byte counters on all chains

Reason for this setting:

The three filter chains all default to the policy ACCEPT, which for INPUT is clearly dangerous. You can check the current settings with the command iptables -L -n, or with the iptables-save command (which lists the firewall configuration in more detail).

[2] Step two: set the default policy

iptables -P INPUT DROP
Reason for this setting:

DROP means discard the packet. Following from step 1, only a DROP policy on INPUT is reasonably safe.


[3] Step three: define the rules according to the required services

(1) Treat the local machine (loopback interface) as trusted

iptables -A INPUT -i lo -j ACCEPT
(2) Define the rule for remote ssh connections

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Parameter description: -A appends the rule to a chain; INPUT is the chain; -p tcp specifies the TCP protocol; --dport 22 specifies destination port 22; -j ACCEPT specifies the action, accept.

(3) Define the DNS service rules

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

This allows new DNS requests in, and also allows DNS information to be queried in the nslookup way, i.e. traffic coming from source port 53.

(4) Other rules

iptables -A INPUT -p icmp -j ACCEPT

This is not strictly required, but it is added to make checking the server's network connectivity easier.

[4] Save the firewall configuration

/etc/init.d/iptables save

It must be saved, otherwise the configuration above is lost after the server restarts.

The full script is as follows:

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

/etc/init.d/iptables save
Save it as a .sh file and execute it with administrator (root) privileges.
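As an added example (not the article's script), here is the same policy rebuilt so that replies are admitted by connection tracking rather than by the --sport 53 rules; those two rules accept any inbound TCP or UDP packet whose sender merely chose source port 53, which undercuts the INPUT DROP policy. The conntrack match, the DRY_RUN wrapper and the SSH_PORT variable are assumptions of this example, not something the article uses.

```shell
#!/bin/bash
# Added example, not the article's script: the same DNS-server policy,
# but replies are admitted by connection state instead of "--sport 53".
# DRY_RUN=1 (the default here) prints the rules instead of applying them,
# so the rule set can be reviewed without root; DRY_RUN=0 applies it.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: ssh listens on 22, as in the article

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dns_firewall_rules() {
    ipt -F
    ipt -X
    ipt -Z
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    # Answers to lookups this server made itself come back as ESTABLISHED,
    # and ICMP errors about them as RELATED; no source-port-53 rule needed.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A INPUT -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
    # Only echo requests, so the box still answers ping for connectivity checks.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Checks on the generated rule set: the "--sport 53" accepts must be absent
# (they match any packet whose sender simply set source port 53), and the
# stateful accept must sit before the per-service rules.
rules_have_no_sport_53() {
    ! dns_firewall_rules | grep -q -- '--sport 53'
}
stateful_accept_line() {
    dns_firewall_rules | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1
}

dns_firewall_rules
```

After applying with DRY_RUN=0, persist the rules as in step 4.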

Other commonly used commands:

View a summary of the firewall configuration

iptables -L -n

View the detailed firewall configuration (the iptables-save command mentioned in step 1)

Important note:

Firewall configuration must be done carefully, especially when configuring remotely. If the rules are cleared without the necessary rules being carefully defined and the default INPUT policy is then set to DROP, there is no way to connect remotely any more; pay particular attention to this point.