Elastic Compute (KEC)

      Documentation Elastic Compute (KEC) Common System Settings Linux system settings Linux firewall configuration

      Linux firewall configuration

      Last updated:2021-08-03 18:56:33

      Use iptables to configure dynamic firewall rules for a Linux server, which specifies the connection status for sending or receiving packets. Use this command to define, maintain, and check the IP packet filter rules defined for the Linux kernel.
      Supported types of system-defined firewall tables are Filter, NAT, and Mangle, and the default table is Filter. User-defined firewall tables are also supported.
      A chain defines the sequence of filter rules maintained by iptables. For example, a Filter table supports the following chains: INPUT, OUTPUT and FORWARD.
      The following example shows the procedure of creating a Filter table.

      1. Clear existing rules.

        [root@tp ~]# iptables -F   //Clear all rules in the rule chains from the default Filter table.
[root@tp ~]# iptables -X  //Clear all rules in the user-defined chains from the default Filter table.

      2. Set predefined rules.

        [root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP

      3. Add rules.

        Allow remote SSH login (port 22).

        [root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

        Allow the web service (port 80).

        [root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

        Allow the mail service (ports 25 and 110).

        [root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

        Allow the FTP server (port 21).

        [root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

        Allow the DNS server (port 53).

        [root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

        Allow the HTTPS service (port 443).

        [root@tp ~]# iptables -A INPUT -p tcp --dport 443-j ACCEPT

        Port 445 is prohibited by ISPs and is unavailable.

        If you have created other servers, add rules for the corresponding ports based on the previous commands.

        The above rules are for INPUT chains. All other rules are set to DROP.

        Permit ICMP (permit pings).

        [root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (assume OUTPUT is set to DROP) 
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (assuming INPUT is set to DROP)

        Permit loopback (otherwise problems such as incorrect DNS shutdown might occur).

        IPTABLES -A INPUT -i lo -p all -j ACCEPT (assuming INPUT is set to DROP) 
IPTABLES -A OUTPUT -o lo -p all -j ACCEPT (assuming OUTPUT is set to DROP)
      Previous:Cancel automatic mounting of fstab
      Next:Common Windows commands

      Did you find the above information helpful?

      Unhelpful
      Mostly Unhelpful
      A little helpful
      Helpful
      Very helpful

      What might be the problems?

      Insufficient
      Outdated
      Unclear or awkward
      Redundant or clumsy
      Lack of context for the complex system or functionality

      More suggestions

      0/200

      Please give us your feedback.

      Submitted

      Thank you for your feedback.

      问题反馈