Although Alibaba Cloud provides the Cloud Shield service, adding an extra firewall layer is always safer. Below is the process I used to configure the firewall on my Alibaba Cloud VPS; so far only the INPUT chain is configured, while OUTPUT and FORWARD are left at their ACCEPT policy.
One, check the iptables service status
First, check the status of the iptables service
[root@woxplife ~]# service iptables status
iptables: Firewall is not running.
This shows that the iptables service is installed, but has not been started.
If it is not installed, you can install it directly with yum:
yum install -y iptables
Start iptables
[root@woxplife ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
Check the current iptables configuration
[root@woxplife ~]# iptables -L -n
Two, clear the default firewall rules
# First, set the INPUT policy to ACCEPT before clearing, so that all requests are accepted.
# This must be done first: if the default policy is still DROP when the rules are flushed, a remote session can be locked out.
iptables -P INPUT ACCEPT
# Clear all default rules
iptables -F
# Clear all custom (user-defined) chains
iptables -X
# Reset the packet and byte counters to 0
iptables -Z
Three, configure rules
# Allow packets from the lo interface.
# Without this rule, local services cannot be reached via 127.0.0.1, for example ping 127.0.0.1
iptables -A INPUT -i lo -j ACCEPT
# SSH, port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# FTP, port 21
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Web service, port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# tomcat
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
# mysql
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
# Allow icmp echo-request packets, that is, allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow all return packets of outgoing requests.
# A request from this machine to the outside goes through OUTPUT; the reply packets come back through INPUT and must be accepted.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# To trust an internal network IP (accept all of its TCP requests)
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop all requests not matched by the rules above
iptables -P INPUT DROP
Four, save
First run iptables -L -n to check that the configuration is correct.
Even if there are no problems, do not hurry to save. The rules currently in effect are not yet saved, so they will not survive a restart; if anything goes wrong, you can restart the server from the console to restore the previous settings.
Open another ssh connection to make sure you can still log in.
Once you are sure there are no problems, save:
# Save
[root@woxplife ~]# service iptables save
# Add to startup with chkconfig
[root@woxplife ~]# chkconfig iptables on