• Linux的iptables常用配置范例(1)


    以下是来自 http://wiki.ubuntu.org.cn/IptablesHowTo 上的配置说明

    可以通过/sbin/iptables -F清除所有规则来暂时停止防火墙: (警告:这只适合在没有配置防火墙的环境中,如果已经配置过默认规则为deny的环境,此步骤将使系统的所有网络访问中断)

    如果想清空的话,先执行
    /sbin/iptables -P INPUT ACCEPT
    然后执行
    /sbin/iptables -F
    通过iptables -L 看到如下信息
    Chain INPUT (policy DROP 0 packets, 0 bytes) (注意 是DROP)
    执行/sbin/iptables -F就肯定立马断开连接
    当执行了
    /sbin/iptables -P INPUT ACCEPT
    再次通过iptables -L看信息的话就是
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    所以现在是可以安全使用
    /sbin/iptables -F了

    ——————————————————————

    常用的IPTABLES规则如下:
    只能收发邮件,别的都关闭
    iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -j DROP
    iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
    iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
    iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

    IPSEC NAT 策略
    iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:80
    iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:1723
    iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:1723
    iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:500
    iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:4500

    FTP服务器的NAT
    iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:21

    只允许访问指定网址
    iptables -A Filter -p udp --dport 53 -j ACCEPT
    iptables -A Filter -p tcp --dport 53 -j ACCEPT
    iptables -A Filter -d www.3322.org -j ACCEPT
    iptables -A Filter -d img.cn99.com -j ACCEPT
    iptables -A Filter -j DROP

    开放一个IP的一些端口,其它都封闭
    iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
    iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
    iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
    iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
    iptables -A Filter -p tcp --dport 53 -j ACCEPT
    iptables -A Filter -p udp --dport 53 -j ACCEPT
    iptables -A Filter -j DROP

    多个端口
    iptables -A Filter -p tcp -m multiport –destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

    连续端口
    iptables -A Filter -p tcp -m multiport –source-port 22,53,80,110 -s 192.168.20.3 -j REJECT iptables -A Filter -p tcp –source-port 2:80 -s 192.168.20.3 -j REJECT

    指定时间上网
    iptables -A Filter -s 10.10.10.253 -m time –timestart 6:00 –timestop 11:00 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
    iptables -A Filter -m time –timestart 12:00 –timestop 13:00 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
    iptables -A Filter -m time –timestart 17:30 –timestop 8:30 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
    禁止多个端口服务
    iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

    将WAN 口NAT到PC
    iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT –to-destination 192.168.0.1

    将WAN口8000端口NAT到192。168。100。200的80端口
    iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:80

    MAIL服务器要转的端口
    iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:110
    iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:25

    只允许PING 202。96。134。133,别的服务都禁止
    iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
    iptables -A Filter -j DROP
    禁用BT配置
    iptables –A Filter –p tcp --dport 6000:20000 –j DROP
    禁用QQ防火墙配置
    iptables -A Filter -p udp --dport ! 53 -j DROP
    iptables -A Filter -d 218.17.209.0/24 -j DROP
    iptables -A Filter -d 218.18.95.0/24 -j DROP
    iptables -A Filter -d 219.133.40.177 -j DROP
    基于MAC,只能收发邮件,其它都拒绝
    iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -j DROP
    iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
    iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
    禁用MSN配置
    iptables -A Filter -p udp --dport 9 -j DROP
    iptables -A Filter -p tcp --dport 1863 -j DROP
    iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
    iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
    只允许PING 202。96。134。133 其它公网IP都不许PING
    iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
    iptables -A Filter -p icmp -j DROP
    禁止某个MAC地址访问internet:
    iptables -I Filter -m mac –mac-source 00:20:18:8F:72:F8 -j DROP
    禁止某个IP地址的PING:
    iptables –A Filter –p icmp –s 192.168.0.1 –j DROP
    禁止某个IP地址服务:
    iptables –A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
    iptables –A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
    只允许某些服务,其他都拒绝(2条规则)
    iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
    iptables -A Filter -j DROP
    禁止某个IP地址的某个端口服务
    iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
    iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
    禁止某个MAC地址的某个端口服务
    iptables -I Filter -p tcp -m mac –mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
    禁止某个MAC地址访问internet:
    iptables -I Filter -m mac –mac-source 00:11:22:33:44:55 -j DROP
    禁止某个IP地址的PING:
    iptables –A Filter –p icmp –s 192.168.0.1 –j DROP
    ————————————————————————————————

    IPFW 或 Netfilter 的封包流向,local process 不会经过 FORWARD Chain,
    因此 lo 只在 INPUT 及 OUTPUT 二个 chain 作用。
    样例1:

    #!/bin/sh
    #
    # 静态安全防火墙脚本
    #
    # created by yejr,2007-03-20
    #
    #
    #定义信任IP列表
    #内部ip子网
    MY_IP_LIST_1=192.168.8.0/24
    #外部ip子网
    MY_IP_LIST_2=1.2.3.0/24
    #所有
    ALL_IP=0/0
    #北京ADSL动态IP列表
    BJADSL_IP_LIST=221.218.0.0/16
    #定义端口列表
    #涉及ftp端口
    FTP_PORT_1=20
    FTP_PORT_RANGE=”1023:65535″
    FTP_PORT_2=21
    #dns端口
    DNS_PORT=53
    #httpd端口
    HTTP_PORT=80
    #ssh 端口
    SSH_PORT=4321
    IPT=”/sbin/iptables”
    # 内网
    LC_IFACE=”eth1″
    LC_ADDR=”192.168.8.2″
    # 公网
    INET_IFACE=”eth0″
    INET_ADDR=”1.2.3.4″
    # 本机
    LO_IFACE=”lo”
    LO_ADDR=127.0.0.1
    # 定义接受请求速率限制
    MAX_NUM_PACKS=1024
    # 核心模块
    /sbin/modprobe ip_tables
    # ftp模块
    /sbin/modprobe ip_nat_ftp
    # 限速模块
    /sbin/modprobe ip_conntrack
    # 重新设置防火墙到默认状态
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    #$IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
    # 先拒绝所有请求
    $IPT -P INPUT DROP
    #$IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    ##########################################
    # 设定一些内核参数
    ##########################################
    #启动 SYN 泛洪保护
    echo ”1″ > /proc/sys/net/ipv4/tcp_syncookies
    #启用反向路径源认证,防止欺骗
    echo ”1″ > /proc/sys/net/ipv4/conf/all/rp_filter
    #关闭 icom echo 广播包请求
    echo ”1″ > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #拒绝源路由包
    echo ”0″ > /proc/sys/net/ipv4/conf/all/accept_source_route
    #仅仅接收发给默认网关列表中网关的ICMP重定向消息
    echo ”1″ > /proc/sys/net/ipv4/conf/all/secure_redirects
    #记录来自非法ip的请求
    echo ”1″ > /proc/sys/net/ipv4/conf/all/log_martians
    ##########################################
    # 建立规则
    ##########################################
    # 无效请求包规则
    $IPT -N bad_packets
    # 另一个恶意 TCP 包规则
    $IPT -N bad_tcp_packets
    # ICMP规则(进/出)
    $IPT -N icmp_packets
    # 来自公网的UDP请求规则
    $IPT -N inet_udp_inbound
    # 从本机发往公网的UDP请求规则,默认全部允许
    $IPT -N udp_outbound
    # 来自公网的 TCP 请求规则
    $IPT -N inet_tcp_inbound
    # 从本机发往公网的 TCP 请求规则,默认全部允许
    $IPT -N tcp_outbound
    ##########################################
    # 恶意请求规则
    ##########################################
    # 立刻断掉非法的包并且记录
    $IPT -A bad_packets -p ALL -m state --state INVALID
    -j LOG –log-prefix ”IPTABLES_INVALID_PACKET:”
    $IPT -A bad_packets -p ALL -m state --state INVALID
    -j DROP
    # 再次检查 TCP 包是否还有问题
    $IPT -A bad_packets -p tcp -j bad_tcp_packets
    # 都正确了,返回
    $IPT -A bad_packets -p ALL -j RETURN
    ##########################################
    # 恶意 TCP 请求
    ##########################################
    #
    # 所有的 TCP 请求都必须经过以下规则过滤. 任何新请求都
    # 必须以一个 sync 包开始.
    # 如果不是这样的话,很可能表示这是一个扫描动作,这些有
    # NEW 状态的包会被丢弃
    #
    $IPT -A bad_tcp_packets -p tcp ! –syn -m state --state
    NEW -j LOG –log-prefix ”IPTABLES_NEW_NOT_SYN:”
    $IPT -A bad_tcp_packets -p tcp ! –syn -m state --state
    NEW -j DROP
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL NONE -j
    LOG –log-prefix ”IPTABLES_STEALTH_SCAN:”
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL NONE -j DROP
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL ALL -j
    LOG –log-prefix ”IPTABLES_STEALTH_SCAN:”
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL ALL -j DROP
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL FIN,URG,PSH
    -j LOG –log-prefix ”IPTABLES_STEALTH_SCAN:”
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL FIN,URG,PSH
    -j DROP
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG
    -j LOG –log-prefix ”IPTABLES_STEALTH SCAN:”
    $IPT -A bad_tcp_packets -p tcp –tcp-flags ALL
    SYN,RST,ACK,FIN,URG -j DROP
    $IPT -A bad_tcp_packets -p tcp –tcp-flags
    SYN,RST SYN,RST -j LOG –log-prefix
    “IPTABLES_STEALTH SCAN:”
    $IPT -A bad_tcp_packets -p tcp –tcp-flags
    SYN,RST SYN,RST -j DROP
    $IPT -A bad_tcp_packets -p tcp –tcp-flags
    SYN,FIN SYN,FIN -j LOG –log-prefix
    “IPTABLES_STEALTH SCAN:”
    $IPT -A bad_tcp_packets -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
    # 都没问题了,返回
    $IPT -A bad_tcp_packets -p tcp -j RETURN
    ##########################################
    # ICMP 包规则
    ##########################################
    #
    # ICMP 包必须封装在一个2层的帧中,因此它们不会有碎片.
    # 带有碎片的 ICMP 包通常被
    # 标记为恶意攻击
    #
    $IPT -A icmp_packets –fragment -p ICMP -j LOG
    –log-prefix ”IPTABLES_ICMP Fragment:”
    $IPT -A icmp_packets –fragment -p ICMP -j DROP
    #
    # 默认地,所有丢弃的 ICMP 包都不记录日志. ”冲击波”
    # 以及 ”蠕虫” 会导致系统发起大量
    # ping 请求. 如果想要记录 icmp log 就不要把本行注释掉
    #
    # 允许自有服务器ip及北京地区adsl ip进行 PING
    $IPT -A icmp_packets -p ICMP -s $MY_IP_LIST_2 -j ACCEPT
    $IPT -A icmp_packets -p ICMP -s $BJADSL_IP_LIST -j ACCEPT
    # 拒掉其他 PING
    $IPT -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j DROP
    # 接受超时 icmp 包
    $IPT -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT
    ##########################################
    # TCP & UDP 包规则
    ##########################################
    ##########################################
    # 来自公网的 UDP 请求
    ##########################################
    #$IPT -A inet_udp_inbound -p UDP
    -s $MY_IP_LIST_2 --dport $DNS_PORT -j ACCEPT
    # 都没问题了,返回
    $IPT -A inet_udp_inbound -p UDP -j RETURN
    ##########################################
    # 发往公网的 UDP 请求
    ##########################################
    # 都没问题了,返回
    $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
    ##########################################
    # 来自公网的 TCP 请求
    ##########################################
    # sshd 只对 北京ADSL IP段开放
    $IPT -A inet_tcp_inbound -p TCP
    -s $BJADSL_IP_LIST --dport $SSH_PORT -j ACCEPT
    # 允许自有服务器 IP 的 FTP 端口请求
    # FTP Data fix
    $IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
    –sport $FTP_PORT_1 --dport $FTP_PORT_RANGE ! –syn
    -m state --state RELATED -j ACCEPT
    $IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
    -m state --state ESTABLISHED -j ACCEPT
    $IPT -A inet_tcp_inbound -p UDP -s $MY_IP_LIST_2
    --dport $FTP_PORT_RANGE -j ACCEPT
    $IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
    --dport $FTP_PORT_1 ! –syn -j ACCEPT
    $IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
    --dport $FTP_PORT_2 -j ACCEPT
    #允许所有ip访问 http 服务
    $IPT -A inet_tcp_inbound -p TCP -s $ALL_IP
    --dport $HTTP_PORT -j ACCEPT
    # 都没问题了,返回
    $IPT -A inet_tcp_inbound -p TCP -j RETURN
    ##########################################
    # 发往公网的 TCP 请求
    ##########################################
    # 都没问题了,返回
    $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
    ##########################################
    # 其他收到的请求
    ##########################################
    # 允许本机及本子网间的任何通信
    $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
    $IPT -A INPUT -p ALL -d $LC_ADDR -j ACCEPT
    # 来自信任ip的任何请求都接受
    $IPT -A INPUT -p ALL -s $MY_IP_LIST_1 -j ACCEPT
    $IPT -A INPUT -p ALL -s $MY_IP_LIST_2 -j ACCEPT
    # 丢弃任何错误包
    $IPT -A INPUT -p ALL -j bad_packets
    # 拒掉 DOCSIS 请求
    $IPT -A INPUT -p ALL -d 224.0.0.1 -j REJECT
    # 接受 Established 连接
    $IPT -A INPUT -p ALL -i $INET_IFACE -m state
    --state ESTABLISHED,RELATED -j ACCEPT
    # 定义上面的几条路由规则
    $IPT -A INPUT -p TCP -d $INET_ADDR -j inet_tcp_inbound
    $IPT -A INPUT -p UDP -d $INET_ADDR -j inet_udp_inbound
    $IPT -A INPUT -p ICMP -d $INET_ADDR -j icmp_packets
    # 丢弃且不记录广播包
    $IPT -A INPUT -m pkttype –pkt-type broadcast -j REJECT
    # 记录其他未匹配到的包
    $IPT -A INPUT -m limit –limit $MAX_NUM_PACKS/minute
    –limit-burst $MAX_NUM_PACKS -j LOG –log-prefix
    “IPTABLES_MISS_MATCH_INPUT:”
    ##########################################
    # 其他发出的请求
    ##########################################
    # 无论如何都丢弃错误的 ICMP 包,防止溢出
    $IPT -A OUTPUT -m state -p icmp --state INVALID
    -j REJECT
    # 允许对外的任何请求
    $IPT -A OUTPUT -p ALL -s $ALL_IP -j ACCEPT
    # 记录其他未匹配到的包
    $IPT -A OUTPUT -m limit –limit $MAX_NUM_PACKS/minute
    –limit-burst $MAX_NUM_PACKS -j LOG –log-prefix
    “IPTABLES_MISS_MATCH_OUTPUT: ”

    ——————————————
    我的样例:
    ——————————————

    #!/bin/sh
    #
    # rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.6.x and iptables
    #
    # Copyright (C) 2006 Oskar Andreasson <bluefluxATkoffeinDOTnet>
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; version 2 of the License.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program or from the site that you downloaded it
    # from; if not, write to the Free Software Foundation, Inc., 59 Temple
    # Place, Suite 330, Boston, MA 02111-1307 USA
    #
    ###########################################################################
    #
    # 1. Configuration options.
    #
    #
    # 1.1 Internet Configuration.
    #
    INET_IP=”1.2.3.4″
    INET_IP_1=”1.2.3.5″
    INET_IFACE=”eth0″
    INET_BROADCAST=”1.2.3.127″
    #
    # 1.1.1 DHCP
    #
    #
    # 1.1.2 PPPoE
    # 1.2 Local Area Network configuration.
    #
    # your LAN’s IP range and localhost IP. /24 means to only use the first 24
    # bits of the 32 bit IP address. the same as netmask 255.255.255.0
    #
    LAN_IP=”192.168.0.33″
    LAN_IP_RANGE=”192.168.0.0/24″
    LAN_IFACE=”eth1″
    #
    # 1.3 DMZ Configuration.
    #
    #
    # 1.4 Localhost Configuration.
    #
    LO_IFACE=”lo”
    LO_IP=”127.0.0.1″
    #
    # 1.5 IPTables Configuration.
    #
    IPTABLES=”/sbin/iptables”
    #
    # 1.6 Other Configuration.
    #
    ###########################################################################
    #
    # 2. Module loading.
    #
    #
    # Needed to initially load modules
    /sbin/depmod -a
    #
    # 2.1 Required modules
    #
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    #/sbin/modprobe iptable_mangle
    #/sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    #
    # 2.2 Non-Required modules
    #
    #/sbin/modprobe ipt_owner
    #/sbin/modprobe ipt_REJECT
    #/sbin/modprobe ipt_MASQUERADE
    #/sbin/modprobe ip_conntrack_ftp
    #/sbin/modprobe ip_conntrack_irc
    #/sbin/modprobe ip_nat_ftp
    #/sbin/modprobe ip_nat_irc
    ###########################################################################
    #
    # 3. /proc set up.
    #
    #
    # 3.1 Required proc configuration
    #
    #echo ”1″ > /proc/sys/net/ipv4/ip_forward
    echo ”1″ > /proc/sys/net/ipv4/tcp_syncookies
    echo ”1″ > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # 3.2 Non-Required proc configuration
    #
    #echo ”1″ > /proc/sys/net/ipv4/conf/all/rp_filter
    #echo ”1″ > /proc/sys/net/ipv4/conf/all/proxy_arp
    #echo ”1″ > /proc/sys/net/ipv4/ip_dynaddr
    #echo ”1″ > /proc/sys/net/ipv4/tcp_syncookies
    #启用反向路径源认证,防止欺骗
    #echo ”1″ > /proc/sys/net/ipv4/conf/all/rp_filter
    #关闭 icom echo 广播包请求
    #echo ”1″ > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #拒绝源路由包
    #echo ”0″ > /proc/sys/net/ipv4/conf/all/accept_source_route
    #仅仅接收发给默认网关列表中网关的ICMP重定向消息
    #echo ”1″ > /proc/sys/net/ipv4/conf/all/secure_redirects
    #记录来自非法ip的请求
    #echo ”1″ > /proc/sys/net/ipv4/conf/all/log_martians
    ###########################################################################
    #
    # 4. rules set up.
    #
    ######
    # 4.1 Filter table
    #
    #
    # 4.1.1 Set policies
    #
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -F -t mangle
    $IPTABLES -t mangle -X
    $IPTABLES -F -t nat
    $IPTABLES -t nat -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    #
    # 4.1.2 Create userspecified chains
    #
    #
    # Create chain for bad tcp packets
    #
    $IPTABLES -N bad_tcp_packets
    #
    # Create separate chains for ICMP, TCP and UDP to traverse
    #
    $IPTABLES -N allowed
    $IPTABLES -N tcp_packets
    $IPTABLES -N udp_packets
    $IPTABLES -N icmp_packets
    #
    # 4.1.3 Create content in userspecified chains
    #
    #
    # bad_tcp_packets chain
    #
    $IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT –reject-with tcp-reset
    $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state --state NEW -j LOG –log-prefix ”New not syn:”
    #$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state --state NEW -j DROP
    #$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG –log-prefix ”IPTABLES_INVALID_PACKET:”
    #$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
    #
    # allowed chain
    #
    $IPTABLES -A allowed -p TCP –syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP
    #
    # TCP rules
    #
    #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30000 -j allowed
    #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10050 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10051 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 25 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 110 -j allowed
    #$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2009 -j allowed
    #
    # UDP ports
    #
    #$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 53 -j ACCEPT
    #$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 123 -j ACCEPT
    #$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 2074 -j ACCEPT
    #$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 4000 -j ACCEPT
    #
    # In Microsoft Networks you will be swamped by broadcasts. These lines
    # will prevent them from showing up in the logs.
    #
    $IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST –destination-port 135:139 -j DROP
    #
    # If we get DHCP requests from the Outside of our network, our logs will
    # be swamped as well. This rule will block them from getting logged.
    #
    $IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 –destination-port 67:68 -j DROP
    #
    # ICMP rules
    #
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT
    #
    # 4.1.4 INPUT chain
    #
    #
    # Bad TCP packets we don’t want.
    #
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    #
    # Special rule for DHCP requests from LAN, which are not caught properly
    # otherwise.
    #
    #$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 –sport 68 -j ACCEPT
    #
    # Rules for incoming packets from the internet.
    #
    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p ALL -d $INET_IP_1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
    $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
    $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
    # Rules for special networks not part of the Internet
    #
    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP_1 -j ACCEPT
    #
    # If you have a Microsoft Network on the outside of your firewall, you may
    # also get flooded by Multicasts. We drop them so we do not get flooded by
    # logs
    #
    $IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
    #
    # Log weird packets that don’t match the above.
    #
    $IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix ”IPT INPUT packet died: ”
    #
    # 4.1.5 FORWARD chain
    #
    #
    # Bad TCP packets we don’t want
    #
    #$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
    #
    # Accept the packets we actually want to forward
    #
    #$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    #$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Log weird packets that don’t match the above.
    #$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix ”IPT FORWARD packet died: ”
    #
    # 4.1.6 OUTPUT chain
    #
    #
    # Bad TCP packets we don’t want.
    #
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
    #
    # Special OUTPUT rules to decide which IP’s to allow.
    #
    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP_1 -j ACCEPT
    #
    # Log weird packets that don’t match the above.
    #
    #$IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix ”IPT OUTPUT packet died: ”
    ######
    # 4.2 nat table
    #
    #
    # 4.2.1 Set policies
    #
    #
    # 4.2.2 Create user specified chains
    #
    #
    # 4.2.3 Create content in user specified chains
    #
    #
    # 4.2.4 PREROUTING chain
    #
    #
    # 4.2.5 POSTROUTING chain
    #
    #
    # Enable simple IP Forwarding and Network Address Translation
    #
    #$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP
    #
    # 4.2.6 OUTPUT chain
    #
    ######
    # 4.3 mangle table
    #
    #
    # 4.3.1 Set policies
    #
    #
    # 4.3.2 Create user specified chains
    #
    #
    # 4.3.3 Create content in user specified chains
    #
    #
    # 4.3.4 PREROUTING chain
    #
    #
    # 4.3.5 INPUT chain
    #
    #
    # 4.3.6 FORWARD chain
    #
    #
    # 4.3.7 OUTPUT chain
    #
    #
    # 4.3.8 POSTROUTING chain
    #
    ------------------------------------

    来源:http://www.ha97.com/3928.html

  • 相关阅读:
    20182316胡泊 实验5报告
    20182316胡泊 第6周学习总结
    20182316胡泊 第5周学习总结
    20182316胡泊 实验4报告
    20182316胡泊 实验3报告
    20182316胡泊 第4周学习总结
    20182316胡泊 第2,3周学习总结
    实验2报告 胡泊
    《数据结构与面向对象程序设计》第1周学习总结
    实验1报告
  • 原文地址:https://www.cnblogs.com/losbyday/p/5851132.html
Copyright © 2020-2023  润新知