
On iptables

2022-04-23 18:32:00 Drunken Xiaobai

1. Concept

iptables is a powerful firewall tool for Linux. Because it is integrated into the Linux kernel, it is very efficient.

2. Classification

Classified by the kind of operation performed on a packet, iptables has 4 tables; classified by hook point, it has 5 chains.
The 4 tables are filter (general filtering), nat (address or port mapping), mangle (modification of specific packets) and raw; filter is by far the most commonly used.
The 5 chains are PREROUTING (before the packet enters the routing decision), INPUT (packets whose destination is this host), FORWARD (packets that are not destined for this host and are being forwarded), OUTPUT (packets generated by this host) and POSTROUTING (just before the packet is handed to the network card); INPUT and OUTPUT are the ones used most.


3. Working strategies

The first strategy accepts only explicitly allowed traffic: the firewall's default policy is set to reject all packets (everything arriving on the network card is refused), and specific access is then opened up. The second strategy blocks only explicitly disallowed traffic: the default policy is set to accept all packets, and only known illegitimate access is denied. In terms of security, the first strategy is the better one.

4. Configuration rules

# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow packets that belong to established or related connections, i.e. from hosts that already have an open connection with this machine
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP traffic in on the INPUT chain
-A INPUT -p icmp -j ACCEPT
# Allow all traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
# Allow a fixed IP to SSH into the server
-A INPUT -i bond0 -s x.x.x.x -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
# Allow access to port 80
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Allow a fixed IP to access several ports on the server
-A INPUT -s x.x.x.x -p tcp -m multiport --dports 80,10011,3000,6379,9307 -j ACCEPT

# Port 3000 is reachable only via the loopback address; everything else sent to it is silently discarded (DROP)
-A INPUT -p tcp --dport 3000 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp --dport 3000 -j DROP

# Drop outgoing TCP packets with source port 5900-5930
-A OUTPUT -p tcp --sport 5900:5930 -j DROP

# Everything not matched above is refused (REJECT answers with an ICMP error instead of silently dropping)
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
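As an added example (not part of the original post), a small Python checker that parses a ruleset in this iptables-save format and reports, for each chain, whether it is effectively default-deny (the first strategy above: the INPUT chain keeps an ACCEPT policy but is closed by a final unconditional REJECT) and which TCP ports accept connections from any source. The sample ruleset is constructed from the rules shown above.

```python
import shlex

# Constructed sample in iptables-save format, based on the rules shown above
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 3000 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp --dport 3000 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter_table(text):
    """Return (policies, rules): chain -> default policy, chain -> list of token lists."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            toks = shlex.split(line)
            rules[toks[1]].append(toks)
    return policies, rules

def _opt(toks, name):
    """Value following option `name` in a rule's tokens, or None if absent."""
    return toks[toks.index(name) + 1] if name in toks else None

MATCH_OPTS = ("-s", "-d", "-p", "-i", "--dport", "--dports")

def audit(text):
    """Per chain: is it effectively default-deny, and which TCP ports accept from anywhere?"""
    policies, rules = parse_filter_table(text)
    report = {}
    for chain, policy in policies.items():
        chain_rules = rules[chain]
        last = chain_rules[-1] if chain_rules else []
        # Default-deny either through the chain policy itself or through a final
        # unconditional DROP/REJECT, which is how the INPUT chain above is closed.
        catch_all = _opt(last, "-j") in ("DROP", "REJECT") and not any(o in last for o in MATCH_OPTS)
        # Ports accepted without a source or destination restriction (the 127.0.0.1 rule is excluded)
        exposed = sorted({int(_opt(r, "--dport")) for r in chain_rules
                          if _opt(r, "-j") == "ACCEPT" and _opt(r, "--dport")
                          and "-s" not in r and "-d" not in r})
        report[chain] = {"default_deny": policy in ("DROP", "REJECT") or catch_all,
                         "open_tcp_ports": exposed}
    return report
```

Running `audit(SAMPLE)` shows INPUT and FORWARD as default-deny, OUTPUT (ACCEPT policy, no rules) as default-allow, and ports 80 and 8080 as open to any source.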

5. Configuring rules directly and saving them

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT   # add a rule
iptables -D INPUT -p tcp -m tcp --dport 80 -j ACCEPT   # delete that rule
iptables -L   # list the current rules

Save the rules:

service iptables save

They take effect permanently after the service is restarted:

service iptables restart

6. Reference links

iptables configuration rules
On iptables rule configuration methods
Viewing the iptables rules configured on a Linux system

Copyright notice
This article was written by [Drunken Xiaobai]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204231829110764.html