This article is a machine-translated mirror of the original post.


[linux] Alibaba Cloud Centos configures iptables firewall

Posted on 11/3/2014 3:41:54 PM

Although Alibaba Cloud has launched the Cloud Shield service, it is always safer to add another layer of firewall on the host itself. The following is the process of configuring iptables on an Alibaba Cloud VPS. Only the INPUT chain is configured here; the OUTPUT and FORWARD chains keep their default policy of ACCEPT.

1. Check the status of the iptables service

Start by checking the status of the iptables service

  [root@woxplife ~]# service iptables status
  iptables: Firewall is not running.

The iptables service is installed, but it is not running.
If it is not installed, you can install it directly:

  yum install -y iptables

Start iptables

  [root@woxplife ~]# service iptables start
  iptables: Applying firewall rules:                         [  OK  ]

Take a look at the current configuration of iptables

  [root@woxplife ~]# iptables -L -n
2. Clear the default firewall rules

  # Before flushing, set the INPUT policy to ACCEPT so that all requests are accepted.
  # Do this first: if the policy were DROP, flushing the rules would leave nothing
  # accepted and you would lock yourself out of the server.
  iptables -P INPUT ACCEPT

  # Flush all rules in the built-in chains
  iptables -F

  # Delete all user-defined chains
  iptables -X

  # Zero the packet and byte counters
  iptables -Z
3. Configure rules

  # Accept packets arriving on the loopback interface (lo).
  # Without this rule you cannot reach local services via 127.0.0.1, e.g. ping 127.0.0.1
  iptables -A INPUT -i lo -j ACCEPT

  # SSH, port 22
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  # FTP control channel, port 21
  iptables -A INPUT -p tcp --dport 21 -j ACCEPT

  # Web server, port 80
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  # Tomcat (replace xxxx with the port Tomcat listens on)
  iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

  # MySQL (replace xxxx with the MySQL port; if the database does not need to be
  # reachable from the internet, restrict this rule with -s to the hosts that need it)
  iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

  # Allow ICMP echo requests (type 8), i.e. allow the host to be pinged
  iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

  # Accept the reply packets of connections this host initiated.
  # The outbound request goes through OUTPUT, but its replies arrive through INPUT
  # and must be accepted there. (RELATED is commonly added alongside ESTABLISHED so
  # that ICMP error messages and FTP data connections tracked by the conntrack
  # helper are accepted as well.)
  iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

  # To trust an internal IP address (accept all TCP requests from it)
  iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT

  # Drop every request not matched by the rules above
  iptables -P INPUT DROP
4. Save

First run iptables -L -n to check that the configuration is correct.
Even when it looks fine, do not save yet: unsaved rules are only in effect for the running system and are gone after a reboot, so if something goes wrong (for example, you locked yourself out) you can force a restart from the Alibaba Cloud console and the old settings come back.
Open a second SSH connection and confirm that you can still log in.

Only then save the rules:

  # Save the current rules to /etc/sysconfig/iptables
  [root@woxplife ~]# service iptables save

  # Enable the service at boot with chkconfig
  [root@woxplife ~]# chkconfig iptables on
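Steps 2 to 4 above, written as one added example that is not part of the original post: a POSIX shell script that builds the same INPUT policy as an iptables-restore file, checks that the SSH port is still accepted before the DROP policy is applied, and applies the file with a timed rollback so a mistake cannot lock you out. It goes slightly beyond the post's rule list: the ruleset is loaded atomically by iptables-restore (no moment where the policy is DROP with no rules), ESTABLISHED is extended to ESTABLISHED,RELATED, and the port list and trusted address are parameters. The function names, the port list "22 21 80", the backup path under /tmp and the 60-second rollback window are assumptions for illustration; apply_with_rollback needs root and a real iptables.

```shell
#!/bin/sh
# Added example, not from the original post. gen_rules and check_ssh_allowed run
# unprivileged; apply_with_rollback needs root and the iptables tools.

# Emit an iptables-restore file for the filter table.
# $1 = space-separated TCP ports to open, $2 = optional trusted source IP (all TCP)
gen_rules() {
    ports="$1"
    trusted="${2:-}"
    # Chain policies: INPUT defaults to DROP, OUTPUT/FORWARD stay ACCEPT (as in the post)
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and return traffic first: they match the bulk of packets
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # ICMP echo request (type 8) so the host can be pinged
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    if [ -n "$trusted" ]; then
        printf '%s\n' "-A INPUT -p tcp -s $trusted -j ACCEPT"
    fi
    printf '%s\n' 'COMMIT'
}

# Lockout guard: return 0 if the ruleset keeps SSH reachable, 1 if it would
# cut it off. $1 = ruleset text, $2 = SSH port (assumed 22 by default).
check_ssh_allowed() {
    ruleset="$1"
    ssh_port="${2:-22}"
    # A ruleset whose INPUT policy is not DROP cannot lock us out by itself
    if ! printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        return 0
    fi
    printf '%s\n' "$ruleset" | grep -q -- "--dport ${ssh_port} -j ACCEPT"
}

# Apply a ruleset file atomically, restoring the previous rules after $2 seconds
# (default 60) unless the rollback job is killed. Keeps a second session alive
# even if the new rules are wrong. Needs root.
apply_with_rollback() {
    rules_file="$1"
    secs="${2:-60}"
    backup="/tmp/iptables.backup.$$"        # assumed path, adjust as needed
    iptables-save > "$backup" || return 1
    ( sleep "$secs" && iptables-restore < "$backup" ) &
    rollback_pid=$!
    if ! iptables-restore < "$rules_file"; then
        kill "$rollback_pid"
        return 1
    fi
    echo "Rules applied; run 'kill $rollback_pid' within ${secs}s to keep them,"
    echo "then 'service iptables save' and 'chkconfig iptables on' to persist."
}

# Stand-alone use: print the ruleset for the post's ports and trusted address
if [ "${1:-}" = "--print" ]; then
    gen_rules "22 21 80" "45.96.174.68"
fi
```

Typical use is `./rules.sh --print > /etc/sysconfig/iptables.new`, `check_ssh_allowed "$(cat /etc/sysconfig/iptables.new)" 22`, then `apply_with_rollback /etc/sysconfig/iptables.new 60` from one session while confirming login from a second one; only after the second session connects do you kill the rollback job and save. The rollback timer does for you what the post recommends doing by hand with a forced restart from the console.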
