I. check iptables service status
First check the status of iptables service
[root@woxplife ~]# service iptables status iptables: Firewall is not running.
The iptables service is installed, but the service is not started.
You can install it directly if it is not installed.
yum install -y iptables
[root@woxplife ~]# service iptables start iptables: Applying firewall rules: [ OK ]
If an error is reported, iptables: no config file
iptables -P OUTPUT ACCEPT service iptables save
Then start the firewall. Take a look at the current configuration of iptables
[root@woxplife ~]# iptables -L -n
2. Clear the default firewall rules
#First, change the policy INPUT to ACCEPT before clearing, indicating that all requests are accepted. #This must be done first, or it may be tragic after clearing iptables -P INPUT ACCEPT #Clear all default rules iptables -F #Clear all custom rules iptables -X #Counter set to 0 iptables -Z
III. configuration rules
#Allow packets from the lo interface #Without this rule, you will not be able to access local services through 127.0.0.1, such as ping 127.0.0.1 iptables -A INPUT -i lo -j ACCEPT #ssh port 22 iptables -A INPUT -p tcp --dport 22 -j ACCEPT #FTP port 21 iptables -A INPUT -p tcp --dport 21 -j ACCEPT #web service port 80 iptables -A INPUT -p tcp --dport 80 -j ACCEP #tomcat iptables -A INPUT -p tcp --dport xxxx -j ACCEP #mysql iptables -A INPUT -p tcp --dport xxxx -j ACCEP #Allow icmp packets to pass, that is, allow ping iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #Allow all return packages of external requests #The local external request is equivalent to OUTPUT. The returned packets must be received, which is equivalent to INPUT. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT #If you want to add an intranet ip trust (accept all its TCP requests) iptables -A INPUT -p tcp -s 18.104.22.168 -j ACCEPT #Filter all requests without the above rules iptables -P INPUT DROP
First, iptables -L -n to see if the configuration is correct.
After no problem, don't save it in a hurry, because it's only currently valid, and it won't take effect after restart. In case of any problem, you can force the server to restart in the background to restore the settings.
Open another ssh connection to ensure that you can log in.
Make sure it's OK to save it later
#Preservation [root@woxplife ~]# service iptables save #Add to self starting chkconfig [root@woxplife ~]# chkconfig iptables on