Aliyun CentOS: iptables firewall configuration tutorial

  • 2020-05-12 06:39:56
  • OfStack

Although Aliyun offers its Cloud Shield service, adding your own host firewall as an extra layer is always safer. Below is the firewall configuration process for my Aliyun VPS. Only the INPUT chain is configured at the moment; OUTPUT and FORWARD keep a default policy of ACCEPT.

1. Check the service status of iptables

First check the status of the iptables service


[root@woxplife ~]# service iptables status
iptables: Firewall is not running.

Note that here the iptables service is installed but not started.
If it is not installed at all, you can install it directly with yum:

yum install -y iptables

Start iptables:


[root@woxplife ~]# service iptables start
iptables: Applying firewall rules:             [ OK ]

Take a look at the current iptables configuration:

[root@woxplife ~]# iptables -L -n

2. Clear the default firewall rules


# Before clearing anything, set the INPUT policy to ACCEPT, i.e. accept every request.
# This must be done first: flushing the rules while the policy is DROP would lock you out of the server.
iptables -P INPUT ACCEPT

# Clear all default rules 
iptables -F

# Clear all custom rules 
iptables -X

# Counter set 0
iptables -Z

3. Configure the rules


# Allow packets arriving on the lo (loopback) interface
# Without this rule you cannot reach local services via 127.0.0.1, for example ping 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT

# ssh, port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# FTP control channel, port 21 (passive-mode data connections use additional high ports
# and need the nf_conntrack_ftp helper together with the RELATED state rule below)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# web service, port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# tomcat (replace xxxx with the actual port)
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

# mysql (replace xxxx with the actual port)
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

# Allow ICMP echo requests (type 8), i.e. allow the server to be pinged
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow reply packets for connections this host initiated, plus related packets (ICMP errors, FTP data)
# Locally initiated requests leave through OUTPUT, but their replies come back in through INPUT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# To trust a specific IP, for example an intranet address (accept all of its TCP requests)
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT

# Drop every request that did not match one of the rules above
iptables -P INPUT DROP

4. Save
First, check with iptables -L -n that the configuration is correct.
Even if it looks fine, do not rush to save: unsaved rules are only in effect until the next reboot, so if something goes wrong you can force a restart from the Aliyun console and the old settings come back.
Open another ssh connection to make sure you can still log in.

Only once everything works, save the rules. (These commands are the CentOS 6 tooling; on CentOS 7 firewalld is the default and you need yum install iptables-services before you can use the iptables service and enable it at boot.)


# save 
[root@woxplife ~]# service iptables save
 
# Add to startup with chkconfig
[root@woxplife ~]# chkconfig iptables on
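The steps above (policy to ACCEPT, flush, append rules one by one, policy to DROP, test from a second ssh session, then save) are exactly where people lock themselves out. The script below is an added example, not code from the original page: it builds the same ruleset in iptables-restore format so the whole table is swapped atomically, refuses to apply a DROP policy that has no ssh ACCEPT rule, and starts a timer that restores the previous rules unless you confirm from a fresh ssh session. The tomcat and mysql ports (8080, 3306), the snapshot and confirmation file paths under /root, and the revert timeout are assumptions; the page leaves the two ports as xxxx. The ESTABLISHED,RELATED rule is placed first because most packets match it.

```shell
#!/bin/sh
# Added example: atomic, self-reverting version of the tutorial's INPUT ruleset.
# Requires root and iptables-restore (shipped with the iptables package).
SSH_PORT=${SSH_PORT:-22}
TOMCAT_PORT=${TOMCAT_PORT:-8080}        # assumed; the page leaves this as xxxx
MYSQL_PORT=${MYSQL_PORT:-3306}          # assumed; the page leaves this as xxxx
TRUSTED_IP=${TRUSTED_IP:-45.96.174.68}  # the trusted source address from the page
REVERT_SECONDS=${REVERT_SECONDS:-120}   # assumed timeout before automatic rollback
SNAPSHOT=/root/iptables.before          # assumed path for the pre-change snapshot
CONFIRM=/root/fw.confirmed              # assumed path of the confirmation marker

# Emit the complete filter table. iptables-restore replaces the table in one
# step, so there is never a moment where the policy is DROP with no rules.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport $TOMCAT_PORT -j ACCEPT
-A INPUT -p tcp --dport $MYSQL_PORT -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -s $TRUSTED_IP -j ACCEPT
COMMIT
EOF
}

# Lockout guard: a ruleset with a DROP policy on INPUT must contain an ACCEPT
# for the ssh port. Returns 0 when the ruleset is safe to apply, 1 otherwise.
ruleset_is_safe() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 0
    printf '%s\n' "$1" | grep -q -- "--dport $SSH_PORT -j ACCEPT" && return 0
    return 1
}

# Number of -A INPUT rules in a ruleset (sanity check on the generated text).
count_input_rules() {
    printf '%s\n' "$1" | grep -c '^-A INPUT '
}

apply_rules() {
    rules=$(build_rules)
    ruleset_is_safe "$rules" || { echo "refusing: no ACCEPT for ssh port $SSH_PORT" >&2; return 1; }
    iptables-save > "$SNAPSHOT" || return 1            # snapshot for rollback
    printf '%s\n' "$rules" | iptables-restore || return 1
    rm -f "$CONFIRM"
    # Watchdog: unless the marker file appears within the timeout (touched from
    # a new ssh session that proves the rules work), the old rules are restored.
    nohup sh -c "sleep $REVERT_SECONDS; [ -e $CONFIRM ] || iptables-restore < $SNAPSHOT" \
        >/dev/null 2>&1 &
    echo "applied; run 'touch $CONFIRM' within ${REVERT_SECONDS}s from a NEW ssh session"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # dry run: print the ruleset that would be applied
esac
```

Run it without arguments to see the generated table, and with `apply` as root to load it. After confirming from a second ssh session, persist the rules the same way the tutorial does (`service iptables save` followed by `chkconfig iptables on`); if you never confirm, the watchdog puts the previous rules back by itself.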
