Using and configuring iptables on CentOS

Source: Internet
Author: User

Common commands

service iptables [save | start | restart | stop]

iptables -L -n

Simple shell commands

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-port 80 -j ACCEPT

Note that with the OUTPUT policy at DROP and no rule accepting ESTABLISHED,RELATED traffic, the replies to those accepted SSH and HTTP connections are dropped as well; add a state rule (or keep OUTPUT at ACCEPT, as the saved ruleset below does) before applying this over a remote session.

Redirect settings

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth2 -j SNAT --to A.B.C.D
iptables -t nat -A POSTROUTING -s 192.168.168.0/24 -o eth2 -j SNAT --to A.B.C.D
iptables -t nat -A PREROUTING -s 192.168.100.0/24 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 192.168.168.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
service iptables save

Example (output of iptables-save after the rules were saved):

# Generated by iptables-save v1.4.7 on Sun Aug 5 21:15:37 2012
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j DROP
COMMIT
# Completed on Sun Aug 5 21:15:37 2012
# Generated by iptables-save v1.4.7 on Sun Aug 5 21:15:37 2012
*mangle
:PREROUTING ACCEPT [379:49473]
:INPUT ACCEPT [377:49409]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [360:147434]
:POSTROUTING ACCEPT [360:147434]
COMMIT
# Completed on Sun Aug 5 21:15:37 2012
# Generated by iptables-save v1.4.7 on Sun Aug 5 21:15:37 2012
*nat
:PREROUTING ACCEPT [23:1575]
:POSTROUTING ACCEPT [7:508]
:OUTPUT ACCEPT [7:508]
COMMIT
# Completed on Sun Aug 5 21:15:37 2012

The rule -A INPUT -p icmp -j DROP disables ICMP so that the host does not answer ping, which makes it harder for an attacker to detect.

The final rule, -A INPUT -j DROP, is the important one: iptables takes the first matching rule, so everything not explicitly accepted by the rules above it is dropped, and all ports except those listed are closed.
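An added audit script (mine, not part of the original page) that parses an iptables-save dump like the one above and checks the INPUT chain for exactly these properties: a catch-all deny at the end, the ESTABLISHED,RELATED rule ahead of it, the ports open to any source, and the blanket ICMP drop. It embeds the page's filter table as a constructed sample; the helper names are my own.

```python
# Added audit, not from the page: parse an iptables-save dump and check the INPUT chain.
# SAMPLE_RULESET is the page's *filter table, transcribed as a constructed sample.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j DROP
COMMIT
"""

def parse_filter_table(text):
    """Return ({chain: policy}, [tokenised '-A' rules]) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            policies[line[1:].split()[0]] = line.split()[1]
        elif in_filter and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def audit_input_chain(text):
    policies, rules = parse_filter_table(text)
    inp = [r for r in rules if r[1] == "INPUT"]
    # Catch-all deny: policy DROP, or a final unconditional DROP/REJECT rule.
    default_deny = policies.get("INPUT") == "DROP" or (bool(inp) and inp[-1][2:] in (["-j", "DROP"], ["-j", "REJECT"]))
    # First match wins: the stateful ACCEPT must come before the catch-all, or
    # replies to the host's own outbound connections are dropped too.
    state_idx = next((i for i, r in enumerate(inp) if "--state" in r), None)
    drop_idx = next((i for i, r in enumerate(inp) if r[2:] == ["-j", "DROP"]), len(inp))
    ports = set()  # ports accepted from any source (no -s restriction)
    for r in inp:
        if r[-2:] == ["-j", "ACCEPT"] and "-s" not in r:
            for flag in ("--dport", "--destination-port"):
                if flag in r:
                    ports.update(r[r.index(flag) + 1].split(","))
    return {"default_deny": default_deny,
            "stateful_before_drop": state_idx is not None and state_idx < drop_idx,
            "open_ports": sorted(ports, key=lambda p: int(p.split(":")[0])),
            "icmp_dropped": any("icmp" in r and r[-1] == "DROP" for r in inp)}
```

Run it against the output of iptables-save on a live host; an icmp_dropped finding is worth a second look, since a blanket ICMP drop also discards "fragmentation needed" messages and breaks path MTU discovery.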

References:

The Filter and PFWanPriv chains used below are user-defined chains, not built-in ones; create them with iptables -N and jump to them from INPUT or FORWARD before adding these rules. $INTERNET_ADDR and $INTERNET_IF stand for the WAN address and interface.

Close a port completely, then open it only for some addresses:

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If the box does NAT forwarding, the same has to be done on the FORWARD chain for it to take effect:

iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

Only allow a given MAC address to send and receive mail (DNS, SMTP, POP3); drop everything else from it:

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

IPsec NAT policy (forwards 80/tcp, 1723/tcp+udp, 500/udp and 4500/udp to 192.168.100.2):

iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2

FTP NAT:

iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21

Only allow access to the specified sites:

iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

Open some ports for one address, close everything else:

iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

Multiple ports in one rule:

iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

Port lists and contiguous port ranges:

iptables -A Filter -p tcp -m multiport --source-port 80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

Internet access only at specified times (--days is the older time match syntax; current xt_time uses --weekdays with the same day names; the start and stop times of the first rule are missing in the source):

iptables -A Filter -s 10.10.10.253 -m time --timestart --timestop --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

Allow several ports with multiport:

iptables -A Filter -m multiport -p tcp --dport 80 -j ACCEPT

NAT the whole WAN address to one PC:

iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1

NAT WAN port 8000 to port 80 of 192.168.100.200, and forward POP3 and SMTP to it:

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25

Only allow ping from 192.168.100.200 to one specified address; disable everything else:

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.20 -j ACCEPT
iptables -A Filter -j DROP

Block BitTorrent:

iptables -A Filter -p tcp --dport 6000:20000 -j DROP

Block QQ:

iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP

MAC-based: only allow mail (SMTP, POP3) from this MAC address, reject everything else:

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT

Block MSN:

iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

Only allow ping from 192.168.100.200 to 202.96.134.127; drop all other ICMP:

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.127 -j ACCEPT
iptables -A Filter -p icmp -j DROP

Forbid a MAC address from accessing the internet:

iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP

Block ping from an IP address:

iptables -A Filter -p icmp -s 192.168.0.1 -j DROP

Block specific services from an IP address:

iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP

Allow only some services, reject everything else (two rules):

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP

Control one port for one address (first match wins, so with the ACCEPT appended first the DROP below it never matches):

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP

Block one port for one MAC address:

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP

Forbid another MAC address from accessing the internet:

iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
