Example: I want to allow inbound "tcp" traffic to port 139
Allow port 139 to be accessed (inbound)
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
Let's go over what this line does...
-A - this tells iptables to "append" the new rule to the current iptables ruleset.
INPUT - The new rule will be appended to the "INPUT" portion of the ruleset, which controls inbound server traffic.
-p - Indicates what protocol the rule applies to. Popular protocols are "tcp", "udp", "icmp" and several others.
-m - Loads a match extension. Here "-m tcp" loads the tcp match module, which is what provides the --dport option; for "tcp" and "udp" it is normally set to the same value as the -p flag.
--dport - Specifies the destination port the traffic is headed for. In this case, it's port 139.
-j - Instructs the firewall to "jump" to the specified target. In this case, requests to TCP port 139 "jump" to "ACCEPT" and are therefore accepted and allowed to pass through the firewall.
ACCEPT - As noted above, this is the target that the rule "jumps" to. In the example above, any inbound traffic to TCP port 139 will "jump" to "ACCEPT", and thus will be able to pass through the firewall.
So the breakdown above should tell you that the rule we are adding is going to allow all inbound traffic to TCP port 139, from any source address (if you only want certain hosts to reach the port, combine it with the -s flag shown in the examples further down). Once you add that line to the "INPUT" section of the firewall script, you can then import the new firewall with the following command:
iptables-restore < /root/primary_firewall
Wow, now wasn't that easy?
What if I want to close a port?
The answer to this is similar to the previous question. However, you need to remember that your firewall, as it stands now, automatically blocks ALL inbound, outbound and forwarded traffic by default (that is what the chains' default policy of DROP means). The only way that a port gets opened is if there is a rule telling the firewall to open that port.
Let's take an example...
Example: I want to close TCP port 143 inbound.
In the firewall script that comes with this guide, you will notice the following entry that opens up inbound traffic to TCP port 143 (for IMAP). That rule looks like this:
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
Well, if you wanted to close port 143, all you would have to do is edit the firewall script at /root/primary_firewall and remove that line. Once the line is gone and you've saved the changes, you would activate the change by re-importing the firewall script back into the iptables ruleset like so:
iptables-restore < /root/primary_firewall
Now wasn't that easy?
Now, let's take another example so that I can demonstrate something that you
DON'T need to worry about.
Example: I want to block all inbound traffic to TCP port 3389.
Again, let's take the firewall that comes with this guide. All of a sudden you get it in your head that you need to close TCP port 3389. What to do? Well, if you take a look at the firewall script you will notice that TCP port 3389 is not mentioned anywhere in the script and, to be more specific, it is not mentioned in the "INPUT" portion of the script. Well, since our firewall is configured to block ALL traffic by default and only open ports on request, 3389 is ALREADY CLOSED. In other words, you don't need to worry about that port because it has been automatically closed by the firewall. The only way it would be open is if you created a specific rule that requested that the port be open. Get it?
What if I want to completely block someone from my server?
The procedure for this is just the same as the ones above. Basically, all you're going to do is edit the firewall script, add a rule to block whoever, save the changes and then re-import the firewall script back into the server's ruleset. Easy as hell.
So let's take an example:
Example: I want to block anyone from the host 1.2.3.4 from accessing my server.
Open the /root/primary_firewall script and add the following line to the INPUT section of the script, ABOVE the ACCEPT rules. iptables checks the rules of a chain in order and the first match wins, so a DROP placed below an ACCEPT for port 22 would still let 1.2.3.4 reach port 22:
-A INPUT -s 1.2.3.4 -j DROP
Now let's break that down to see what this rule is doing..
-A - this tells iptables to "append" the new rule to the current iptables ruleset.
INPUT - The new rule will be appended to the "INPUT" portion of the ruleset, which controls inbound server traffic.
-s - Specifies the source address of the request. In this case we are specifying 1.2.3.4 as the source.
-j - Instructs the firewall to "jump" to the specified target. In this case, requests coming from source 1.2.3.4 "jump" to DROP, thus blocking anyone at that address from accessing your server at all.
DROP - As noted above, this is the target that the rule "jumps" to. In the example above, any traffic coming from 1.2.3.4 will "jump" to "DROP", and thus will be silently discarded (a DROP sends no reply, unlike the REJECT target, which tells the sender the packet was refused).
What if I only want to block someone from accessing a certain port, while allowing them to access all others?
This would just be a more specific version of the above rule. In this case, you would specify the destination port and the protocol type with the "-p", "-m" and "--dport" flags. If you wanted to block anyone from 1.2.3.4 from accessing port 25 on your server, it would look like this (again, place it above the ACCEPT rule for port 25):
-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 25 -j DROP
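Putting all four procedures together (open a port, close a port, block a host, block a host on one port), here is an added example script that is not the firewall script shipped with this guide: it writes a small constructed default-deny ruleset in iptables-restore format, edits it with shell functions that put each rule where it belongs, and only re-imports it with iptables-restore when you explicitly ask. The file path, the sample ACCEPT rules (loopback, ESTABLISHED,RELATED, port 22, port 143) and the 5.6.7.8 address are assumptions made for the example.

```shell
#!/bin/sh
# Added example: edit an iptables-restore script the way the text describes,
# then re-import it. The ruleset below is constructed for this example and is
# NOT the /root/primary_firewall that ships with the guide.
set -eu

FW="${FW:-${TMPDIR:-/tmp}/primary_firewall.example}"   # path is an assumption

# Minimal default-deny ruleset: every chain's policy is DROP, so a port is
# reachable only when an explicit "-A INPUT ... -j ACCEPT" line exists.
write_sample_firewall() {
    cat > "$FW" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# 1-based line number of an exact rule line in the script, or empty if absent.
rule_line() {
    grep -n -x -F -e "$1" "$FW" | head -n 1 | cut -d: -f1
}

has_rule() { [ -n "$(rule_line "$1")" ]; }

# Open an inbound port: append the ACCEPT after the last existing INPUT rule
# (or just before COMMIT if the chain has no rules yet). Idempotent.
open_port() {   # open_port tcp 139
    rule="-A INPUT -p $1 -m $1 --dport $2 -j ACCEPT"
    has_rule "$rule" && return 0
    awk -v t="$rule" '
        /^-A INPUT/ { last = NR }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!last && line[i] == "COMMIT") print t
                print line[i]
                if (i == last) print t
            }
        }' "$FW" > "$FW.tmp" && mv "$FW.tmp" "$FW"
}

# Close a port: delete its ACCEPT line. With a DROP policy nothing else is needed.
close_port() {  # close_port tcp 143
    rule="-A INPUT -p $1 -m $1 --dport $2 -j ACCEPT"
    grep -v -x -F -e "$rule" "$FW" > "$FW.tmp" || true
    mv "$FW.tmp" "$FW"
}

# Block a host, optionally on one port only. The first matching rule in a chain
# wins, so the DROP goes BEFORE the first existing INPUT rule; placed below the
# ESTABLISHED,RELATED ACCEPT it would not cut connections the host already holds.
block_host() {  # block_host 1.2.3.4 [tcp 25]
    if [ $# -ge 3 ]; then
        rule="-A INPUT -s $1 -p $2 -m $2 --dport $3 -j DROP"
    else
        rule="-A INPUT -s $1 -j DROP"
    fi
    has_rule "$rule" && return 0
    awk -v t="$rule" '!done && (/^-A INPUT/ || /^COMMIT/) { print t; done = 1 } { print }' \
        "$FW" > "$FW.tmp" && mv "$FW.tmp" "$FW"
}

# Re-import the edited script (needs root). Only run when APPLY_FIREWALL=1.
apply_firewall() {
    iptables-restore < "$FW"
}

demo() {
    write_sample_firewall
    open_port tcp 139           # allow inbound TCP 139 from anywhere
    close_port tcp 143          # IMAP is no longer reachable
    block_host 1.2.3.4          # drop everything from that host
    block_host 5.6.7.8 tcp 25   # drop only its SMTP traffic
    cat "$FW"
    if [ "${APPLY_FIREWALL:-0}" = 1 ]; then apply_firewall; fi
}
demo
```

Run it as-is to see the edited ruleset printed; run it as root with APPLY_FIREWALL=1 to actually load it. The one design choice worth copying into your own edits is where each rule lands: ACCEPT rules for ports are appended after the existing INPUT rules, while DROP rules for hosts are inserted at the top of INPUT, so that neither the ESTABLISHED,RELATED rule nor a per-port ACCEPT can match first and let the blocked host through.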