Cấu hình iptables cơ bản bảo mật VPS

Took a look at secure logs and access logs, more than half are brute force and scanning, although the password is extremely complex, but always so consuming server resources is not, simply put SSH ports and FTP modification and then write the iptables protected a little bit better. There is a thing called Fail2Ban, can automatically detect brute force password error exceeds a certain number of times ends ban on off, but I really don’t want to open a service instead of ports should be no problem …

Only the most basic configuration of flood defense was too lazy to write, really somebody else to DDOS my Cho hung up …

# Configuration, ban, allow, permit loopback adapter
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow ping, does not allow deleting rows
iptables -A INPUT -p icmp -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
# Allow FTP
iptables -A INPUT -p tcp -m tcp –dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 21 -j ACCEPT
# Allow FTP passive range of interfaces, in the FTP profile, you can set
iptables -A INPUT -p tcp –dport 20000:30000 -j ACCEPT
# Felix, set to local SMTP
iptables -A INPUT -p tcp -m tcp –dport 25 -j ACCEPT -s 127.0.0.1
iptables -A INPUT -p tcp -m tcp –dport 25 -j REJECT
# Allow DNS
iptables -A INPUT -p tcp -m tcp –dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp –dport 53 -j ACCEPT
# Allow HTTP and HTTPS
iptables -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp –dport 443 -j ACCEPT
# Allow stateful inspection, too lazy to explain
iptables -A INPUT -p all -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -m state –state INVALID,NEW -j DROP

# Save the configuration
iptables-save > /etc/iptables

Save on the line, Debian does not require a separate service iptbles, specifically how to get iptables automatically load, please see the article of iptables firewall under the Debian boot automatically load to achieve

I gave above and the following are written to the sh, start{} and stop{}. Empty when you need to modify the rules directly to the reconstruction is better, because the rules have order questions.

# Empty configuration
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT