[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

[For beginners] How to restrict access using the iptables command.

Hello! This is Shimeji from the System Solutions Department.
It's been three months since I joined the company, but I'm still confused by all the things I don't understand.
However, the seniors at beyond are very kind and give me various "realizations" every day.
I'm really grateful to everyone.

Today, I will briefly write about access restrictions using the iptables command used in CentOS6.

What is iptables?

It's a packet filter implemented in Linux.
It's called a firewall.
This feature allows you to restrict or allow specific access.
Simply put,

  • Access from unauthorized persons is prohibited.
  • We welcome access from good people.

That's what it means! !
And the command to operate iptables is the iptables command!
It's just like that.

Apply restrictions with iptables

Please see below first.

[root@localhost vagrant]# iptables -L Chain INPUT (policy ACCEPT) target prot opt ​​source destination Chain FORWARD (policy ACCEPT) target prot opt ​​source destination Chain OUTPUT (policy ACCEPT) target prot opt ​​source destination

The above is the execution result of the [iptables -L] command.

You can see that it is divided into three fields from the top, and in order,
[ INPUT ] is the chain related to input, [ FORWARD ] is the chain related to transfer, and [ OUTPUT ] is the chain related to output.
Think of a chain as a rule that inspects packets.

Look next to Chain INPUT.
(policy ACCEPT).
This is called
policy Policies are rules that apply to the entire chain.
ACCEPT means allow all input.

Conversely, if you want to limit it, change this to DROP.
The command is

iptables -P INPUT DROP

OK!!
(You will also not be able to make your own SSH connection. Please run the command to allow access with iptables listed at the bottom first.)

Let's check it with the [iptables -L] command!

[root@localhost vagrant]# iptables -L Chain INPUT (policy DROP) target prot opt ​​source destination Chain FORWARD (policy ACCEPT) target prot opt ​​source destination Chain OUTPUT (policy ACCEPT) target prot opt ​​source destination

It has changed to DROP.

Now you can restrict all access from outside! !

Allow access with iptables

See below.

[root@localhost vagrant]# iptables -L Chain INPUT (policy DROP) target prot opt ​​source destination ACCEPT all -- 192.168.33.1 anywhere Chain FORWARD (policy ACCEPT) target prot opt ​​source destination Chain OUTPUT (policy ACCEPT) target prot opt ​​source destination

【ACCEPT all -- 192.168.33.1 anywhere】

The number of such descriptions is increasing!
This means "All access from 192.168.33.1 is allowed."
This is called rule

Run the following command to add a rule to allow access.

iptables -A INPUT -s [IP address to allow access] -j ACCEPT

Now you can prohibit all access and allow access from specific IP addresses.

By the way, you can also set things like ``allow access to a specific port.''

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This is a command that allows access to port 80 (WEB server).
You can also change to another port by changing the number after --dport! !

Changes to these settings will be undone if you restart the machine.
If you want to make the settings permanent,

service iptables save

Save your settings using this command.

This method of prohibiting all accesses and allowing only specific accesses
is called the "whitelist method."

summary

Although I have described it in a very rough and concise manner, the above is a simple way to use the iptables command.
There are configuration methods that do not use the iptables command, and there are more detailed configuration methods, but I will omit them here.

Everyone, please use the iptables command and have a good computer life!

If you found this article helpful , please give it a like!
6
Loading...
6 votes, average: 1.00 / 16
46,146
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

The person who wrote this article

About the author

Shimeji mushrooms

CERTIFICATE:
- TOEIC 835
- LPIC304
- AWS Solution Architect Associate
- AWS Solution Architect Professional
- GCP Professional Cloud Architect
- IPA SC (not registered)

Kagome, Kagome,
the old man behind me, that's it.

It's my uncle. (2018)