CentOS web server security settings: iptables rules

A recent problem with my own CentOS web server had me reading up on CentOS security. Here is a common set of iptables rules to share (the numbered comments are explained below):

IPT=/sbin/iptables
$IPT --flush
$IPT --delete-chain
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #2 (added before the DROP policy so an open SSH session survives)
$IPT -P INPUT DROP #1
$IPT -P FORWARD DROP #1
$IPT -P OUTPUT DROP #1
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT #3
$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT #3
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT #3
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT #3
$IPT -A INPUT -i lo -j ACCEPT #4
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #5
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT #5
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #6
$IPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT #7
$IPT -A OUTPUT -o lo -j ACCEPT #4
$IPT -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT #8
$IPT -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT #9
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #10
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT #10
service iptables save
service iptables restart

#1, set the default policy of the INPUT, FORWARD and OUTPUT chains to DROP; anything not explicitly allowed by the rules below can neither reach nor leave the server.
#2, accept inbound packets whose connection state is RELATED or ESTABLISHED, i.e. traffic belonging to connections the server already knows about.
#3, allow external clients to connect to server ports 80 (HTTP), 22 (SSH), 21 (FTP) and 873 (rsync).
#4, allow all traffic on the loopback interface, so local processes can talk to each other.
#5, allow external hosts to ping the server (ICMP echo request) and to deliver ICMP time-exceeded messages.
#6, accept outbound packets belonging to RELATED or ESTABLISHED connections, so the server can answer the connections allowed in #3.
#7, allow the server to use external DNS servers (UDP port 53) to resolve domain names.
#8, allow the server to connect to external servers on port 80. If it also needs HTTPS (yum mirrors, for example), add a matching rule for port 443; otherwise those connections will be dropped.
#9, allow the server to send mail (SMTP, port 25).
#10, allow the server to ping external hosts and to send ICMP time-exceeded messages.

This closes every port to the outside except SSH, HTTP, FTP and rsync. Of course, other ports may be needed for management. For example, LNMP uses ProFTPD for FTP, and passive-mode FTP needs a range of data ports in addition to port 21, so first edit /etc/proftpd.conf and add the following (ProFTPD's PassivePorts directive takes the lower and upper port separated by a space):

PassivePorts 25000 26000 # (any unused range will do)

Then add a matching line to the script above (a port range is written with a colon in iptables):

$IPT -A INPUT -p tcp -m tcp --dport 25000:26000 -j ACCEPT # use the same 25000-26000 range you configured in ProFTPD

Some people may also be using VNC; in that case add another line. Since VNC is unencrypted, it is better to restrict the rule to your own address with -s, or to tunnel VNC over the SSH port already open instead of exposing 5901 at all:

$IPT -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT # change 5901 to your VNC port

Once all the ports are configured, save the script as iptables.sh, upload it to the VPS and run sh iptables.sh; the firewall is then configured automatically. Because the default policy becomes DROP, a typo in the script can lock you out of SSH, so run it from the console or keep a second session open until you have confirmed the new rules with iptables -L -n.

That is the pattern: open whatever other ports you need, then re-run the script.
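The port lines above are typed by hand, and the two mangled examples on this page (a hyphen instead of a colon in the range, commas in the numbers) show how easy it is to get one wrong; with a DROP default policy, a rule that iptables rejects simply leaves the port closed. The following shell script is an added example, not part of the original post: it generates the INPUT ACCEPT lines from a list of port specs and refuses to emit anything if one spec is invalid. The spec syntax (PORT, LO:HI, optionally followed by @CIDR to limit the source, for example 5901@203.0.113.0/24) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables INPUT ACCEPT
# rules from a list of port specs and validate them before anything is applied.
# Spec syntax (assumed for this example): PORT, LO:HI, or either followed by
# @CIDR to restrict the source, e.g. 22@203.0.113.0/24 or 25000:26000.
IPT=${IPT:-/sbin/iptables}

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_range SPEC: accepts "N" or "LO:HI" (iptables range syntax) with LO <= HI
valid_range() {
    case "$1" in
        *:*)
            lo=${1%%:*}
            hi=${1#*:}
            valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ]
            ;;
        *)
            valid_port "$1"
            ;;
    esac
}

# rule_for SPEC: print the iptables command for one spec, or fail on a bad spec.
# A spec with @CIDR adds -s so that management ports (VNC, SSH) are only
# reachable from the given source network.
rule_for() {
    spec=$1
    src=""
    case "$spec" in
        *@*)
            src=${spec#*@}
            spec=${spec%%@*}
            # loose sanity check on the source: digits, dots and a prefix length only
            case "$src" in
                ''|*[!0-9./]*) echo "bad source in spec: $1" >&2; return 1 ;;
            esac
            ;;
    esac
    valid_range "$spec" || { echo "bad port spec: $1" >&2; return 1; }
    if [ -n "$src" ]; then
        printf '%s -A INPUT -p tcp -m tcp -s %s --dport %s -j ACCEPT\n' "$IPT" "$src" "$spec"
    else
        printf '%s -A INPUT -p tcp -m tcp --dport %s -j ACCEPT\n' "$IPT" "$spec"
    fi
}

# rules_for SPEC...: print rules for all specs; print nothing and exit non-zero
# if any spec is bad, so a typo never produces a half-applied rule set.
rules_for() {
    out=""
    for s in "$@"; do
        r=$(rule_for "$s") || return 1
        out="$out$r
"
    done
    printf '%s' "$out"
}

# Usage: review the output first, then feed it to the shell, e.g.
#   rules_for 80 22@203.0.113.0/24 21 873 25000:26000 5901@203.0.113.0/24 | sudo sh
```

The generated lines are meant to replace the hand-written #3 block in the script above; the policy, state and loopback rules stay as they are. Pipe the output into sh only after reading it, and keep the console fallback from the previous paragraph in mind.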