iptables is a simple and practical firewall component under Linux. Previously, the Good VPS Tribe mentioned it in the VPS Newbie Tutorial ⑧: Practical and Simple Security Configuration of VPS and in the tutorial about DA. Here I will give a simple explanation of iptables. On the one hand, it is convenient for friends who don't understand it yet, and on the other hand... it is also something for me to look up when I forget.
1. Install the software
The VPS we purchased usually has iptables pre-installed. You can check the iptables status first to confirm whether it is installed.

service iptables status

If the prompt is iptables: unrecognized service, you need to install it.

yum install iptables #CentOS system
apt-get install iptables #Debian system

2. Configuration rules
We use CentOS as an example for the following commands, so please pay attention.
The installed iptables configuration file is in /etc/sysconfig/iptables. We can ignore the default iptables and use the following command to clear the default rules.

iptables -F
iptables -X
iptables -Z

Next, add our own iptables rules: open the specified ports, close dangerous ports, and so on. The following is a simple rule set:

#Allow the local loopback interface (that is, allow the local machine to access itself)

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow all outbound access from the local machine
iptables -A OUTPUT -j ACCEPT
#Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#Allow ports 21 and 20 of the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
#For other ports the rules are similar; just adjust the port number in the statements above
#Reject everything not allowed by the rules above
iptables -A INPUT -j REJECT  (Note: if no rule allowing port 22 has been added before this line, the SSH connection is disconnected immediately.)
iptables -A FORWARD -j REJECT

If there are still ports that need to be opened, you can add them above, then save the rules and restart.

service iptables save    #Save
or /etc/rc.d/init.d/iptables save
service iptables restart     # Restart
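As an added example (not part of the original tutorial), the following POSIX shell script builds the rule set above and refuses to apply it unless an ACCEPT for the SSH port appears in INPUT before the catch-all REJECT, which is exactly the lockout the note above warns about. The port list, the SSH_PORT variable and the function names are my own assumptions.

```shell
#!/bin/sh
# Build the tutorial's rule set as one rule per line, check it, then apply it.

# Assumed values: adjust to the services you actually run.
SSH_PORT="${SSH_PORT:-22}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 21 20}"

# Print the rules in the order they will be applied (same order as the tutorial).
build_rules() {
  echo "-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT"
  echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "-A OUTPUT -j ACCEPT"
  for p in $OPEN_TCP_PORTS; do
    echo "-A INPUT -p tcp --dport $p -j ACCEPT"
  done
  echo "-A INPUT -j REJECT"
  echo "-A FORWARD -j REJECT"
}

# Read rules on stdin; return 0 only if a TCP ACCEPT for port $1 appears in
# INPUT before the catch-all "-A INPUT -j REJECT" (rules are matched in order).
ssh_is_reachable() {
  awk -v port="$1" '
    /^-A INPUT / && /-p tcp --dport / && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport" && $(i+1) == port) ok = 1
    }
    /^-A INPUT -j REJECT/ { exit (ok ? 0 : 1) }
    END { exit (ok ? 0 : 1) }
  '
}

# Flush the old rules and load the new ones (needs root and iptables).
apply_rules() {
  if ! build_rules | ssh_is_reachable "$SSH_PORT"; then
    echo "refusing to apply: port $SSH_PORT is not accepted before the catch-all REJECT" >&2
    return 1
  fi
  iptables -F && iptables -X && iptables -Z
  build_rules | while read -r rule; do
    # $rule is intentionally unquoted so each token becomes its own argument
    iptables $rule
  done
}
```

Run `apply_rules` as root, then save with `service iptables save` as described above; if you set OPEN_TCP_PORTS without the SSH port, the script stops before touching the live rules.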

While writing about iptables rules, I will also list other rules that may come up, such as banning a single IP:

-A INPUT -s 1.2.3.4 -j DROP

3. Query, modify and delete

iptables -L -n #Query rules
iptables -L -n --line-numbers #Display rules with line numbers for easy deletion
iptables -D INPUT 4 #Delete the fourth rule in the INPUT chain

4. Set up startup

chkconfig iptables on

5. Other rules
The following rules are for your reference.

# Turn on SYN cookies (lightweight protection against DoS attacks)

sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null
# Set the default timeout of established TCP connections to 3800 seconds (this option can greatly reduce the number of tracked connections)

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
# Set the maximum size of the connection tracking table to 300,000 (this depends on memory and the iptables version; each connection needs more than 300 bytes)

sysctl -w net.ipv4.ip_conntrack_max=300000 &>/dev/null
# Lightweight protection against SYN floods

iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Rate-limit IP fragments no matter where they come from, allowing 100 fragments per second

iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Rate-limit ICMP packets to limit ICMP-based attacks

iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Log and discard bad TCP packets (NEW connections that do not start with SYN)

iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
