Linux firewall configuration

Last updated: 2021-08-03 18:56:33

Use iptables to configure firewall rules on a Linux server. iptables defines, maintains, and inspects the IP packet filter rules of the Linux kernel (netfilter). Its rules can match on the connection state of a packet (new, established, related), which is what makes the resulting filtering dynamic rather than purely per-packet.
The system-defined tables are filter, nat, and mangle (raw and security also exist); the default table is filter. The set of tables is fixed, but you can create user-defined chains inside a table and jump to them from the built-in chains.
A chain is an ordered list of rules. A packet is checked against the rules in order; the target of the first matching rule decides what happens to it, and if no rule matches, the chain's default policy applies. The filter table has the built-in chains INPUT, OUTPUT, and FORWARD.
The following example shows how to configure the filter table for a server that should accept inbound connections only to a few published services.

  1. Clear existing rules.

    # iptables -F   # Flush all rules from every chain of the default filter table.
    # iptables -X   # Delete all user-defined chains (they must be empty) from the filter table.

    Both commands act on the filter table only; add -t nat or -t mangle to clear the other tables. Neither command changes the default policy of a chain.
    
  2. Set the default policies.

    # iptables -P INPUT DROP
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD DROP

    Caution: a policy takes effect immediately. If you are logged in over SSH and set the INPUT policy to DROP before the rule allowing port 22 (step 3) exists, the session is cut off and you are locked out. Run these steps from the console, or add the ACCEPT rules first and set the DROP policies last.
    
  3. Add rules.

    Allow remote SSH login (port 22).

    # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

    The OUTPUT rule is only needed if the OUTPUT policy is DROP; with the OUTPUT policy set to ACCEPT in step 2 it is redundant but harmless.
    

    Allow the web service (HTTP, port 80).

    # iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    

    Allow the mail service (SMTP on port 25 and POP3 on port 110).

    # iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    # iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    

    Allow the FTP server (control connection, port 21).

    # iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    FTP data connections use separately negotiated ports. They are only accepted through a rule matching the RELATED connection state when the nf_conntrack_ftp kernel module is loaded; a plain port 21 rule is not enough on its own.
    

    Allow the DNS server (port 53). DNS queries normally use UDP; TCP is used for large responses and zone transfers, so allow both.

    # iptables -A INPUT -p udp --dport 53 -j ACCEPT
    # iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    

    Allow the HTTPS service (port 443).

    # iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    

    Port 445 (SMB) is blocked by ISPs and cannot be used.

    If you run other services, add rules for their ports following the pattern of the commands above. Only open ports for services that are actually listening.

    All of the rules above are in the INPUT chain; any inbound packet that matches none of them is dropped by the INPUT default policy. Note that this also drops replies to connections the server itself initiates (package updates, outbound DNS lookups, and so on), because the rules match only on destination port. To allow those replies, add a rule that accepts packets in the ESTABLISHED and RELATED connection states (the conntrack match) ahead of the port rules. Rules added with iptables are also not persistent across a reboot: save them with iptables-save and restore them at boot using your distribution's mechanism.

    Permit ICMP (permit pings).

    # iptables -A OUTPUT -p icmp -j ACCEPT   # only needed if the OUTPUT policy is DROP
    # iptables -A INPUT -p icmp -j ACCEPT    # needed, since the INPUT policy is DROP

    These rules accept all ICMP types. If you only want the host to answer pings, restrict the INPUT rule to echo requests with --icmp-type echo-request; replies to pings sent by the host itself are then covered by a connection-state rule.
    

    Permit loopback traffic. Without this, local services that talk to the host over 127.0.0.1 (for example a local DNS resolver) stop working once the INPUT policy is DROP.

    # iptables -A INPUT -i lo -j ACCEPT    # needed, since the INPUT policy is DROP
    # iptables -A OUTPUT -o lo -j ACCEPT   # only needed if the OUTPUT policy is DROP
    
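The procedure above applies rules one at a time, which leaves a window in which the INPUT policy is DROP but the SSH rule is not yet present, and it omits the connection-state rule the server needs for its own outbound traffic. The following script is an added example (not part of the original page) that expresses the same filter-table policy as an iptables-restore ruleset, which the kernel loads in a single atomic commit. The port lists are illustrative and assumed; adjust them to the services actually running on the host. iptables-restore --test parses the ruleset without committing it, so a typo is caught before anything changes.

```shell
#!/bin/sh
# Added example, not from the original page: build the filter-table ruleset
# described above as an iptables-restore file and apply it atomically.
# The port lists below are assumed for illustration; edit them for your host.

TCP_PORTS="22 80 443 25 110 21"   # SSH, HTTP, HTTPS, SMTP, POP3, FTP control (constructed list)
UDP_PORTS="53"                     # DNS over UDP (constructed list)

# gen_rules TCP_PORT_LIST UDP_PORT_LIST
# Print an iptables-restore ruleset for the filter table to stdout.
gen_rules() {
    tcp_ports=$1
    udp_ports=$2
    printf '%s\n' '*filter'
    # Default policies: drop unsolicited inbound and forwarded traffic, allow
    # outbound. In restore format the policies and rules are committed together,
    # so there is no moment where INPUT is DROP without the SSH rule.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback: local services talking to 127.0.0.1 must keep working.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the host itself opened (package updates, outbound
    # DNS) and related flows such as FTP data channels (needs nf_conntrack_ftp).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # New inbound connections to the published TCP services.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # UDP services (DNS).
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Ping: accept echo requests only; replies to our own pings are already
    # covered by the ESTABLISHED rule above.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# count_rules TCP_PORT_LIST UDP_PORT_LIST
# Number of -A rule lines in the generated ruleset (handy for a sanity check).
count_rules() {
    gen_rules "$1" "$2" | grep -c '^-A '
}

# apply_rules TCP_PORT_LIST UDP_PORT_LIST
# Parse-check the ruleset with iptables-restore --test, then load it atomically.
# Loaded rules are not persistent: afterwards run iptables-save and store the
# output where your distribution restores it at boot.
apply_rules() {
    gen_rules "$1" "$2" | iptables-restore --test || return 1
    gen_rules "$1" "$2" | iptables-restore
}

# Usage: sh firewall.sh        -> print the ruleset for review
#        sh firewall.sh apply  -> load it (must run as root)
case "${1:-}" in
    apply) apply_rules "$TCP_PORTS" "$UDP_PORTS" ;;
    *)     gen_rules "$TCP_PORTS" "$UDP_PORTS" ;;
esac
```

Review the printed ruleset first, then run it with apply from a console session or with a second SSH session open. Because iptables-restore replaces the whole table in one commit, a ruleset that fails the --test parse changes nothing, and a ruleset that passes never leaves the host in a half-configured state.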
