Abundant iptables configuration examples

Source: Internet
Author: User

Environment: Red Hat 9 with the extra iptables match modules (string, time, connlimit, ipp2p) loaded; see http://bbs.chinaunix.net/forum/viewtopic.php?t=525493 for how to load them.

eth0 connects to the Internet (PPPoE dial-up, interface ppp0)
eth1 connects to the intranet (192.168.0.0/24)

#!/bin/sh
#
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
########################### INPUT chain ###################################
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Loopback accept (not in the original script; under a DROP policy local services cannot talk to 127.0.0.1 without it)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# Allow Samba (intranet only), SMTP, POP3 and web connections
iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
# Allow DNS queries from the intranet
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# Allow PPTP VPN connections from the Internet (TCP 1723 plus GRE)
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# Anti-DoS: an Internet source may hold at most 15 connections to this box; further SYNs from it are dropped
iptables -I INPUT -s 192.168.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# The same 15-connection limit for intranet hosts (the original wrote 192.186.0.0/24, a typo that matched nothing useful)
# Both connlimit rules are inserted at the top with -I: appended with -A after the ACCEPT rules above they would never see a SYN to a served port
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level info --log-prefix "ICMP packet in: "
iptables -A INPUT -p icmp -j DROP
# Log ICMP (rate-limited to 3 entries per second) and drop it: the box does not answer ping
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# NAT the intranet behind the ppp0 address
iptables -N syn-flood
iptables -I INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Lightweight SYN-flood protection: a burst of 6 SYNs, then 3 per second, RETURN to INPUT for normal processing; the rest are rejected.
# The dispatch rule is inserted with -I for the same reason as the connlimit rules. Note that -m limit keeps one bucket for all
# sources together, so a flood from one host also starves legitimate SYNs from everyone else
######################### FORWARD chain ###################################
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,25,1723 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
# Intranet clients may reach web, POP3, SMTP, DNS and ping on the Internet and dial out PPTP VPNs (the original listed port 225, read here as 25)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Every rule below that must inspect traffic the ACCEPT rules above would pass is inserted with -I, so that it is evaluated first
iptables -I FORWARD -p udp --dport 53 -m string --string "Tencent" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Block QQ logins by dropping DNS queries containing "Tencent", 13:30 to 20:30 Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "QQ.com" -m time --timestart 13:00 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Block the QQ web site, 13:00 to 20:30 Monday to Saturday
# (The original repeated each of these rules several times, some with empty --timestart/--timestop values that iptables rejects; the copies
#  are dropped here. The string match is case-sensitive, so "Tencent" does not match a lower-case DNS name. Current xt_time uses --weekdays
#  instead of --days.)
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "ay2000.net" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "Broadband cinema" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "porn" -j DROP
iptables -I FORWARD -p tcp --sport 80 -m string --string "ad" -j DROP
# Block ay2000.net, a broadband-movie site (a Chinese string in the original), porn and advertising pages. Crude: the match works poorly
# on Chinese text, and "ad" also matches "<head>", "download" and the like, so the last rule drops most ordinary web pages.
# (Current xt_string also requires --algo bm or --algo kmp.)
iptables -I FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -I FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -I FORWARD -p udp -m ipp2p --kazaa -j DROP
# Block eDonkey, KaZaA, BitTorrent and Ares (ipp2p is a third-party match that inspects payloads, so it must run before the state ACCEPT)
iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP
# Each /24 source block (--connlimit-mask 24) may have at most 15 forwarded connections to port 80 at once
###########################################################################
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
# Enable IP forwarding (the script runs under /bin/sh, so bash's "&>" redirection is written as ">/dev/null 2>&1")
###########################################################################
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Enable SYN cookies (lightweight SYN-flood protection)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# Idle established TCP connections leave the conntrack table after 3800 s instead of the default 5 days; this greatly reduces the table size
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1
# Allow up to 300,000 tracked connections (tune to your RAM and iptables version; each entry takes more than 300 bytes)
###########################################################################
iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
# 192.168.0.50 is my own machine: everything from it is allowed
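The two matches that do the real work above, -m limit (the token bucket in the syn-flood chain) and -m string (the site-blocking rules), modelled in Python so their behaviour can be checked without a router. This is an added example, not code from the original post. It assumes the documented kernel semantics: the limit bucket starts full at --limit-burst and refills at --limit, and the string search is a case-sensitive byte search inside a single packet; the SYN timings and packet payloads are constructed for the demonstration, and the time-of-day conditions are treated as always satisfied.

```python
"""Added example (not from the original post): offline models of two of the
matches the iptables script relies on.  Timings and payloads are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# ---- 1. `-m limit --limit 3/s --limit-burst 6` in the syn-flood chain ----

@dataclass
class LimitMatch:
    """Token bucket behind `-m limit`: the bucket starts full (burst tokens),
    refills at `rate` tokens per second, and every packet the rule sees takes
    one token.  With an empty bucket the match fails and the packet falls
    through to the next rule (in the script: REJECT)."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(arrival_times: List[float], rate: float = 3.0, burst: int = 6) -> List[str]:
    """Verdict for each SYN (arrival time in seconds) entering the chain
       -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
       -A syn-flood -j REJECT
    RETURN means the SYN goes back to INPUT and is judged by the remaining rules."""
    bucket = LimitMatch(rate, burst)
    return ["RETURN" if bucket.matches(t) else "REJECT" for t in arrival_times]

# ---- 2. the `-m string` rules inserted into FORWARD with -I ----

@dataclass
class StringRule:
    needle: bytes                  # --string value; the kernel search is case-sensitive
    sport: Optional[int] = None    # --sport restriction, if any
    dport: Optional[int] = None    # --dport restriction, if any

# The string rules in the order they appear in the script.
SCRIPT_ORDER = [
    StringRule(b"Tencent", dport=53),
    StringRule(b"QQ.com"),
    StringRule(b"ay2000.net"),
    StringRule(b"Broadband cinema"),
    StringRule(b"porn"),
    StringRule(b"ad", sport=80),
]
# Each `-I` inserts at position 1, so the chain evaluates them in reverse order.
CHAIN_ORDER = list(reversed(SCRIPT_ORDER))


def first_string_hit(sport: int, dport: int, payload: bytes, rules=CHAIN_ORDER) -> Optional[bytes]:
    """Needle of the first string rule that would DROP this packet, or None."""
    for r in rules:
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.needle in payload:
            return r.needle
    return None

# Constructed sample packets (source port, destination port, payload); not captured traffic.
ORDINARY_PAGE = (80, 34567, b"HTTP/1.1 200 OK\r\n\r\n<html><head><title>Intranet wiki</title></head>")
DNS_QUERY_LOWER = (40123, 53, b"\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07tencent\x03com\x00\x00\x01\x00\x01")
DNS_QUERY_UPPER = (40123, 53, b"\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07Tencent\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    verdicts = syn_flood_chain([0.0] * 20 + [1.0, 1.1, 1.2, 1.3])
    print("burst of 20 SYNs at t=0: %d let through" % verdicts[:20].count("RETURN"))
    print("4 SYNs spread over the next 0.3 s:", verdicts[20:])
    print("ordinary HTML page dropped by --string:", first_string_hit(*ORDINARY_PAGE))
    print("lower-case DNS query for tencent.com dropped by:", first_string_hit(*DNS_QUERY_LOWER))
```

The first model shows why the chain stops a flood without silencing a busy server: the bucket absorbs a burst of six and then admits three SYNs per second whatever the offered load. The second shows the two string-match pitfalls noted in the script comments: "ad" fires on the "<head>" of an ordinary page coming back from port 80, and a query for tencent.com in lower case sails past the "Tencent" rule.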

########### ##############################


Not studied carefully; just take what you need.

From: http://www.chinaunix.net/old_jh/4/602090.html

PS: the comments in the original article are also wonderful.
