All Documents
Current Document

Content is empty

If you don't find the content you expect, please try another search term

Documentation

Linux firewall configuration

Last updated:2021-08-03 18:56:33

Use iptables to configure dynamic firewall rules for a Linux server, which specifies the connection status for sending or receiving packets. Use this command to define, maintain, and check the IP packet filter rules defined for the Linux kernel. Supported types of system-defined firewall tables are Filter, NAT, and Mangle, and the default table is Filter. User-defined firewall tables are also supported. A chain defines the sequence of filter rules maintained by iptables. For example, a Filter table supports the following chains: INPUT, OUTPUT and FORWARD. The following example shows the procedure of creating a Filter table.

  1. Clear existing rules.

    [root@tp ~]# iptables -F   //Clear all rules in the rule chains from the default Filter table.
    [root@tp ~]# iptables -X  //Clear all rules in the user-defined chains from the default Filter table.
  2. Set predefined rules.

    [root@tp ~]# iptables -P INPUT DROP
    [root@tp ~]# iptables -P OUTPUT ACCEPT
    [root@tp ~]# iptables -P FORWARD DROP
  3. Add rules.

    Allow remote SSH login (port 22).

    [root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    [root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

    Allow the web service (port 80).

    [root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    Allow the mail service (ports 25 and 110).

    [root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    [root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

    Allow the FTP server (port 21).

    [root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    Allow the DNS server (port 53).

    [root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

    Allow the HTTPS service (port 443).

    [root@tp ~]# iptables -A INPUT -p tcp --dport 443-j ACCEPT

    Port 445 is prohibited by ISPs and is unavailable.

    If you have created other servers, add rules for the corresponding ports based on the previous commands.

    The above rules are for INPUT chains. All other rules are set to DROP.

    Permit ICMP (permit pings).

    [root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (assume OUTPUT is set to DROP) 
    [root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (assuming INPUT is set to DROP)

    Permit loopback (otherwise problems such as incorrect DNS shutdown might occur).

    IPTABLES -A INPUT -i lo -p all -j ACCEPT (assuming INPUT is set to DROP) 
    IPTABLES -A OUTPUT -o lo -p all -j ACCEPT (assuming OUTPUT is set to DROP)
On this page
Pure ModeNormal Mode

Pure Mode

Click to preview the document content in full screen
Feedback