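#!/bin/sh
# A classic and practical iptables shell script.
#
# Restored from a collapsed paste: one rule per line, flags re-spaced, case of
# chain names fixed. Rules whose arguments were lost in the source are left
# commented out and marked NOTE(review) so nothing is invented here.
#
# Layout: kernel modules -> flush -> INPUT chain -> FORWARD chain -> sysctl ->
# admin host exceptions. Must run as root; iptables/sysctl failures are
# reported on stderr (not hidden) so a half-applied ruleset is noticed.

modprobe ipt_MASQUERADE
# Source reads "paiip_nat_ftp"; ip_nat_ftp is the FTP conntrack/NAT helper
# name from that iptables era -- NOTE(review): confirm the module name.
modprobe ip_nat_ftp

# Start from an empty filter and nat table.
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

######################## INPUT chain ########################
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mail (pop3/smtp) and http: no source restriction, so these are Internet-facing.
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
# Allow intranet samba.
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# Allow DNS queries arriving on the LAN interface.
iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
# Allow Internet VPN (PPTP control port + GRE) connections.
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# NOTE(review): source reads 192.186.0.0/24 here and in the connlimit rule
# below; every other LAN rule uses 192.168.0.0/24. Kept verbatim -- if it is a
# typo these two rules never match LAN traffic.
iptables -A INPUT -s 192.186.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Limit DoS-style connection floods: at most 15 initial connections, the rest
# are dropped. NOTE(review): appended after the ACCEPT rules above, so SYNs to
# 25/80/110/139/1723 are accepted before reaching this limit; insert (-I)
# rather than append if it is meant to cover those services.
iptables -A INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -s 192.186.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# Log (rate-limited) then drop all ICMP: ping to this host fails.
# NOTE(review): dropping every ICMP type also drops "fragmentation needed",
# which can break path-MTU discovery on the PPP link.
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN: "
iptables -A INPUT -p icmp -j DROP
# NAT the intranet out over ppp0.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# Lightweight anti-SYN-flood chain: 3 SYN/s with a burst of 6 pass (RETURN),
# anything above that is rejected. Same ordering caveat as the connlimit rules.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

######################## FORWARD chain ########################
iptables -P FORWARD DROP
# NOTE(review): source reads 225; the INPUT rule uses 25 (smtp). Kept
# verbatim -- confirm before use.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,225,1723 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
# Allow VPN clients to reach the Internet through the VPN.
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block QQ (Tencent) traffic by DNS payload string during working hours,
# Monday to Saturday. NOTE(review): newer iptables requires "--algo bm" (or
# kmp) with "-m string"; add it if the rules are refused.
# NOTE(review): --timestart/--timestop values for the next two rules were
# lost in the source; fill them in before enabling.
#iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart <LOST-HH:MM> --timestop <LOST-HH:MM> --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart <LOST-HH:MM> --timestop <LOST-HH:MM> --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# NOTE(review): --timestart for this rule was lost in the source.
#iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart <LOST-HH:MM> --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Block the QQ web site in the same windows. NOTE(review): --timestart was
# lost in the source for both rules.
#iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart <LOST-HH:MM> --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart <LOST-HH:MM> --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP

# Block ay2000.net, "broadband cinema", porn and ad pages by payload string.
# The author notes this is not reliable for Chinese text; "Broadband cinema"
# is the source's translated form of the original string.
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "ay2000.net" -j DROP
iptables -I FORWARD -d 192.168.0.0/24 -m string --string "Broadband cinema" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "porn" -j DROP
# NOTE(review): "ad" matches any two-byte substring ("head", "load", ...), so
# this drops a large share of ordinary HTTP responses; narrow the pattern.
iptables -I FORWARD -p tcp --sport 80 -m string --string "ad" -j DROP

# Block BT / P2P traffic (requires the ipp2p match extension).
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# NOTE(review): this rule has no -j target in the source, so it only counts
# packets and drops nothing; the other connlimit rules use -j DROP.
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24

######################## kernel tuning ########################
# The source used "&>/dev/null", which is a bash-ism: under /bin/sh it runs
# sysctl in the background and silences nothing. Only stdout is discarded
# here so a failed setting (e.g. ip_forward not enabled) is still visible.
# Enable forwarding.
sysctl -w net.ipv4.ip_forward=1 >/dev/null
# Enable syncookies (lightweight DoS protection).
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null
# Default established-TCP conntrack timeout 3800 s (greatly reduces the
# number of tracked connections).
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null
# Support up to 300000 tracked connections (tune to memory and iptables
# version; each entry needs more than 300 bytes).
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null

######################## admin host ########################
# 192.168.1.140 is the author's machine: allow everything from it.
# NOTE(review): trust is by source address only; binding these rules to the
# LAN interface (-i eth1) would stop the same address being spoofed from
# ppp0.
iptables -I INPUT -s 192.168.1.140 -j ACCEPT
iptables -I FORWARD -s 192.168.1.140 -j ACCEPT

# Author's closing note: this script is good and very practical; adapt it to
# your actual application. Shared for reference.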