Environment: redhat9 loaded the string time and other modules, the loading method reference http://bbs.chinaunix.net/forum/viewtopic.php? T = 525493
Connect etho to the Internet-ppp0
Eth1 connected to intranet-192.168.0.0/24
[Color = Blue]
#! /Bin/sh
#
Modprobe ipt_masquerade
Modprobe ip_conntrack_ftp
Modprobe ip_nat_ftp
Iptables-F
Iptables-T nat-F
Iptables-x
Iptables-T nat-x
########################### Input key ########### ########################
Iptables-P input drop
Iptables-A input-M state -- State established, related-J accept
Iptables-A input-p tcp-M multiport -- dports 110,80, 25-J accept
Iptables-A input-p tcp-s 192.168.0.0/24 -- dport 139-J accept
# Allow Intranet samba, SMTP, POP3, and connections
Iptables-A input-I eth1-P UDP-M multiport -- dports 53-J accept
# Allow DNS connection
Iptables-A input-p tcp -- dport 1723-J accept
Iptables-A input-P gre-J accept
# Allow Internet VPN connection
Iptables-A input-s 192.186.0.0/24-p tcp-M state -- State established, related-J accept
Iptables-A input-I ppp0-P TCP -- syn-M connlimit -- connlimit-above 15-J Drop
# To prevent too many Dos connections, a maximum of 15 Initial connections can be allowed, exceeding the discarding limit.
Iptables-A input-s 192.186.0.0/24-p tcp -- syn-M connlimit -- connlimit-above 15-J Drop
# To prevent too many Dos connections, a maximum of 15 Initial connections can be allowed, exceeding the discarding limit.
Iptables-A input-p icmp-m limit -- limit 3/S-J log -- log-level info -- log-prefix "ICMP packet in :"
Iptables-A input-p icmp-J Drop
# Prohibit ICMP communication-ping failure
Iptables-T Nat-A postrouting-O ppp0-s 192.168.0.0/24-J Masquerade
# Intranet forwarding
Iptables-N syn-flood
Iptables-A input-p tcp -- syn-J syn-flood
Iptables-I syn-flood-P TCP-m limit -- limit 3/s -- limit-burst 6-J return
Iptables-a syn-flood-J reject
# Lightweight anti-Syn Attack
####################### Forward chain ############### ############
Iptables-P forward drop
Iptables-a forward-p tcp-s 192.168.0.0/24-M multiport -- dports 80,110, 225, 1723-J accept
Iptables-a forward-p udp-s 192.168.0.0/24 -- dport 53-J accept
Iptables-a forward-P gre-s 192.168.0.0/24-J accept
Iptables-a forward-p icmp-s 192.168.0.0/24-J accept
# Allow VPN customers to connect to the Internet through the VPN Network
Iptables-a forward-M state -- State established, related-J accept
Iptables-I forward-P UDP -- dport 53-M string -- string "Tencent"-m Time -- timestart -- timestop -- days Mon, Tue, wed, Thu, Fri, sat-J Drop
# Prohibit QQ communication from-from Monday to Saturday
Iptables-I forward-P UDP -- dport 53-M string -- string "Tencent"-m Time -- timestart -- timestop -- days Mon, Tue, wed, Thu, Fri, sat-J Drop
# Prohibit QQ communication from-from Monday to Saturday
Iptables-I forward-P UDP -- dport 53-M string -- string "Tencent"-m Time -- timestart 13:30 -- timestop 20:30 -- days Mon, Tue, wed, Thu, Fri, sat-J Drop
Iptables-I forward-P UDP -- dport 53-M string -- string "Tencent"-m Time -- timestart 13:30 -- timestop 20:30 -- days Mon, Tue, wed, Thu, Fri, sat-J Drop
# Prohibit QQ communication from-from Monday to Saturday
Iptables-I forward-s 192.168.0.0/24-M string -- string "QQ.com"-m Time -- timestart -- timestop -- days Mon, Tue, wed, Thu, Fri, sat-J Drop
# Prohibit QQ webpage from-from Monday to Saturday
Iptables-I forward-s 192.168.0.0/24-M string -- string "QQ.com"-m Time -- timestart 13:00 -- timestop 20:30 -- days Mon, Tue, wed, Thu, Fri, sat-J Drop
# Prohibit QQ webpage at-from Monday to Saturday
Iptables-I forward-s 192.168.0.0/24-M string -- string "ay2000.net"-J Drop
Iptables-I forward-D 192.168.0.0/24-M string -- string "Broadband cinema"-J Drop
Iptables-I forward-s 192.168.0.0/24-M string -- string "porn"-J Drop
Iptables-I forward-P TCP -- Sport 80-M string -- string "ad"-J Drop
# Disable access to ay2000.net, broadband cinema, porn, and advertisement webpages! However, Chinese characters are not ideal.
Iptables-a forward-M ipp2p -- EDK -- KaZaA -- bit-J Drop
Iptables-a forward-p tcp-M ipp2p -- ares-J Drop
Iptables-a forward-p udp-M ipp2p -- KaZaA-J Drop
# Disable BT connection
Iptables-a forward-p tcp -- syn -- dport 80-M connlimit -- connlimit-abve 15 -- connlimit-mask 24-J Drop
# Only each group of IP addresses can be forwarded at the same time with 15 port 80
######################################## ###############################
Sysctl-W net. ipv4.ip _ forward = 1 & >;/dev/null
# Enable forwarding
######################################## ###############################
Sysctl-W net. ipv4.tcp _ syncookies = 1 &>;/dev/null
# Enable syncookie (lightweight DoS attack Prevention)
Sysctl-W net. ipv4.netfilter. ip_conntrack_tcp_timeout_established = 3800 & >;/dev/null
# Set the default TCP connection dementia duration to 3800 seconds (this option can greatly reduce the number of connections)
Sysctl-W net. ipv4.ip _ conntrack_max = 300000 &>;/dev/null
# The maximum number of connection trees supported by the settings is 30 W (based on your memory and iptables version, each connection requires more than 300 bytes)
######################################## ###############################
Iptables-I input-s 192.168.0.50-J accept
Iptables-I forward-s 192.168.0.50-J accept
#192.168.0.50 is my sub-account. All are allowed!
########### ##############################
Not carefully studied, just take the required
From: http://www.chinaunix.net/old_jh/4/602090.html
PS: the comments in the original article are also wonderful.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
