Common configuration rules of iptables firewall

Source: Internet
Author: User
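#!/bin/sh
#
# iptables NAT gateway / firewall for a small office or Internet cafe.
#
#   Internet side : eth0 (address obtained automatically, e.g. DHCP/PPPoE)
#   Intranet side : eth1, 172.16.0.0/16
#
# Policy: INPUT and FORWARD default to DROP; OUTPUT is left at its default
# (ACCEPT).  Everything below is IPv4 only -- if IPv6 is enabled on the box,
# ip6tables must be configured separately or this firewall is bypassed.
#
# The script aborts on the first failing command (set -e) so that a typo or
# a missing module cannot leave a half-built ruleset in place.  Because the
# DROP policies are installed before the ACCEPT rules, an abort fails
# closed: run this from the console, not over SSH, until it is known good.

set -e

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=172.16.0.0/16

# TCP services the gateway itself offers to the Internet: pop3, http, smtp,
# plus 1863/5222 (the usual MSN and XMPP client ports -- presumably a local
# chat service; confirm they really need to be reachable from outside).
PUBLIC_TCP_PORTS=110,80,25,1863,5222
# TCP services for the intranet only: SMB/CIFS (samba).  445 was exposed to
# the Internet in the original rule set; it belongs with 139 here.
LAN_TCP_PORTS=139,445
# TCP destinations intranet hosts may reach on the Internet:
# http, pop3, ftp, smtp, pptp.
FORWARD_TCP_PORTS=80,110,21,25,1723

# Max simultaneous TCP connections per source address before further SYNs
# are dropped (applied separately on the Internet and intranet sides).
CONN_LIMIT=20
# Max simultaneous HTTP connections per /16 of intranet source addresses.
FORWARD_HTTP_LIMIT=20

# have_match NAME -- returns 0 if iptables can load match extension NAME.
# Used to skip optional third-party matches (ipp2p) instead of aborting.
have_match() {
  iptables -m "$1" -h >/dev/null 2>&1
}

###########################################################################
# Kernel modules
###########################################################################
# iptables autoloads the MASQUERADE target itself; keep this best-effort.
modprobe ipt_MASQUERADE 2>/dev/null || true
# FTP connection-tracking / NAT helpers are not autoloaded.  Newer kernels
# use the nf_* names; fall back to the legacy ip_* names on older ones.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null \
  || echo "warning: FTP conntrack helper not loaded; FTP through NAT may fail" >&2
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp 2>/dev/null \
  || echo "warning: FTP NAT helper not loaded; FTP through NAT may fail" >&2

###########################################################################
# Start from a clean slate
###########################################################################
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

###########################################################################
# INPUT: traffic addressed to the gateway itself
###########################################################################
iptables -P INPUT DROP

# Loopback is required by local services (resolver, etc.); without this
# rule the DROP policy silently breaks them.
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections the gateway opened, plus related traffic (ICMP
# errors, FTP data channels).  This one rule covers the intranet as well,
# so no separate "-s $LAN_NET ... ESTABLISHED,RELATED" rule is needed.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Per-source cap on concurrent TCP connections.  These, and the SYN-flood
# chain below, must precede the ACCEPT rules or they are never consulted
# (the original appended them after the ACCEPTs, so they did nothing).
iptables -A INPUT -i "$WAN_IF" -p tcp --syn \
  -m connlimit --connlimit-above "$CONN_LIMIT" -j DROP
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --syn \
  -m connlimit --connlimit-above "$CONN_LIMIT" -j DROP

# Lightweight SYN-flood damping on the Internet side: new TCP connections
# are limited to 3/s with a burst of 6 (a global rate, not per source --
# tune for your load).  Excess SYNs are dropped; REJECT would answer each
# one and hand the attacker free amplification.
iptables -N syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i "$WAN_IF" -p tcp --syn -j syn-flood

# Services the gateway exposes to everyone.
iptables -A INPUT -p tcp -m multiport --dports "$PUBLIC_TCP_PORTS" -j ACCEPT
# Samba from the intranet only.  Matching on both the interface and the
# source network stops a spoofed 172.16.x.x packet arriving on eth0.
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp \
  -m multiport --dports "$LAN_TCP_PORTS" -j ACCEPT
# DNS queries from the intranet.  If the LAN uses a dedicated forwarder,
# narrow "-s $LAN_NET" to that host's address.
iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

# PPTP VPN terminated on the gateway (enterprise use; off by default).
#iptables -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT
#iptables -A INPUT -i "$WAN_IF" -p gre -j ACCEPT

# ICMP: the DROP policy already discards unsolicited ICMP (RELATED above
# still admits ICMP errors for existing flows, so PMTU discovery works).
# Uncomment to log it first.  Ping will not answer while this is active,
# so do not rely on it for connectivity testing.
#iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level info --log-prefix "ICMP packet IN: "
#iptables -A INPUT -p icmp -j DROP

###########################################################################
# NAT: masquerade the intranet behind the Internet interface
###########################################################################
# Must cover the same network the FORWARD rules accept.  The original
# masqueraded 192.168.0.0/24 while forwarding 172.16.0.0/16, so intranet
# traffic left eth0 with private source addresses and never got replies.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

###########################################################################
# FORWARD: traffic routed between the intranet and the Internet
###########################################################################
iptables -P FORWARD DROP

# ---- Content / protocol blocking ---------------------------------------
# These sit ahead of the state rule on purpose: an HTTP request travels on
# an already-ESTABLISHED connection, so a filter placed after the state
# ACCEPT would never see it.
#
# String matching is expensive and crude -- a pattern like "ad" matches
# any payload containing those two letters (most HTTP responses), which is
# why the original "ad" and "**" placeholder rules are not reproduced.
# Keep patterns specific.  Current iptables requires --algo (bm or kmp).
#
# Example: block a site by name (seen in DNS queries and Host: headers).
#iptables -A FORWARD -s "$LAN_NET" -m string --algo bm --string "xxx.com" -j DROP
#
# Example: block QQ during working hours, Mon-Sat, by dropping DNS lookups
# for tencent domains and web access to qq.com.  Older kernels spelled the
# day option "--days"; the in-tree xt_time match uses "--weekdays".
#iptables -A FORWARD -p udp --dport 53 -m string --algo bm --string "tencent" \
#  -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#iptables -A FORWARD -p udp --dport 53 -m string --algo bm --string "TENCENT" \
#  -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#iptables -A FORWARD -s "$LAN_NET" -m string --algo bm --string "qq.com" \
#  -m time --timestart 13:00 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP

# P2P blocking needs the third-party ipp2p match.  Skip it cleanly when it
# is not installed rather than aborting the whole script.
if have_match ipp2p; then
  iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
  iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
  iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
else
  echo "warning: ipp2p match not available, P2P blocking disabled" >&2
fi

# Return traffic for connections the intranet opened.  Without this rule
# the DROP policy discards every reply: replies carry an Internet source
# address, so none of the "-s $LAN_NET" rules below can match them.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Cap concurrent outbound HTTP connections per /16 of source addresses.
# Note the whole 172.16.0.0/16 is one group, so this is a LAN-wide cap of
# $FORWARD_HTTP_LIMIT; use --connlimit-mask 32 for a per-host cap.
iptables -A FORWARD -i "$LAN_IF" -p tcp --syn --dport 80 \
  -m connlimit --connlimit-above "$FORWARD_HTTP_LIMIT" --connlimit-mask 16 -j DROP

# What the intranet may open toward the Internet.  Interface checks keep
# spoofed 172.16.x.x packets on eth0 from being forwarded.
iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
  -m multiport --dports "$FORWARD_TCP_PORTS" -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

# VPN pass-through (PPTP data channel) and ping; enable for enterprise use.
#iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p gre -j ACCEPT
#iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p icmp -j ACCEPT

###########################################################################
# Kernel tuning
###########################################################################
# "&>/dev/null" is a bash-ism: under /bin/sh it backgrounds the command
# instead of redirecting, so POSIX redirection is used throughout.
sysctl -w net.ipv4.ip_forward=1 >/dev/null
# SYN cookies keep the listen queues usable under a SYN flood.
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null
# Expire idle established TCP conntrack entries after 3800 s instead of the
# multi-day default, which keeps the table small.  Newer kernels moved the
# conntrack sysctls under net.netfilter; try that name, then the legacy one.
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1 \
  || sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null
# Conntrack table size (roughly 300 bytes per entry; size to available RAM).
sysctl -w net.netfilter.nf_conntrack_max=300000 >/dev/null 2>&1 \
  || sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null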
