Common iptables configuration rules
Last Update: 2014-05-27
Source: Internet
Author: User
Note: chains such as Filter, Flood, WanIn, PrivFwd, PFPrivWan, PFWanPriv and ExtAcc are user-defined chains of the firewall product these rules were collected from. On a plain Linux box they do not exist; create each one (iptables -N <chain>, or -t nat -N Flood) and jump to it from the built-in INPUT, FORWARD or PREROUTING chain before loading any of the rules below. Rules are matched top-down and the first match wins, so the order shown matters everywhere.
Flood protection (a user chain "Flood" in the nat table; each -I puts the new rule on top, so the rule typed last is evaluated first)
iptables -t nat -F Flood
iptables -t nat -I Flood -j DROP
iptables -t nat -I Flood -m limit --limit 3/hour --limit-burst 5 -j LOG --log-level 4 --log-prefix "Flood-dropped: "
iptables -t nat -I Flood -m limit --limit 20/second --limit-burst 10 -j RETURN
Resulting order: traffic under 20 per second (burst 10) RETURNs to the calling chain; anything above that is logged at most 3 times an hour (burst 5) and then dropped. Because the nat table only sees the first packet of each connection, this limits new connections, not packets inside established ones.
Raise the connection-tracking table to 80,000 entries
sysctl -w net.ipv4.ip_conntrack_max=80000
On current kernels the equivalent key is net.netfilter.nf_conntrack_max; put the setting in /etc/sysctl.conf as well, since sysctl -w does not survive a reboot.
Block common BitTorrent ports (drops all TCP and UDP to destination ports 10000-60000)
iptables -A Filter -p tcp --dport 10000:60000 -j DROP
iptables -A Filter -p udp --dport 10000:60000 -j DROP
This also blocks any legitimate service listening in that range, and a client that picks a port outside it is unaffected.
Bind an IP address to a MAC address on the firewall (only packets carrying both the listed IP and the listed MAC pass; everything else reaching the chain is dropped)
iptables -A Filter -s 192.168.0.200 -m mac --mac-source 00:0A:E4:3D:A3:D7 -j ACCEPT
iptables -A Filter -j DROP
The mac match is only valid in the PREROUTING, INPUT and FORWARD paths and only sees the MAC of the last hop, i.e. hosts on the firewall's own Ethernet segment. Both fields can be set freely by a host on that segment, so this is an administrative control, not authentication.
Log intranet (192.168.30.0/24) traffic passing through the firewall
iptables -I FORWARD -s 192.168.30.0/24 -j LOG --log-prefix " "
The page leaves the prefix blank; give it a distinctive string (for example "intranet: ") so the kernel log lines can be grepped apart from other LOG rules.
Match a range of source addresses with the iprange extension (firmware version 3.1.3)
iptables -A Filter -m iprange --src-range 192.168.6.10-192.168.6.20 -j ACCEPT
Allow only specific external hosts to ping the VPN device
On the "external access" page first enable "accept echo request (external ping)", then add the rule below for the external interface under firewall rules and select "add self-built firewall rules to built-in rules".
The following rule lets x.x.x.x/y ping the VPN device, where x.x.x.x is the network or host address and y is the prefix length (number of mask bits). ICMP type 8 is echo-request; --icmp-type echo-request is the equivalent symbolic form.
iptables -I WanIn -p icmp --icmp-type 8 -s x.x.x.x/y -j ACCEPT
Cylan VPN used as a plain router (forwarding enabled, all tables flushed, ICMP from two hosts dropped, everything else accepted)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A FORWARD -s 192.168.11.200 -p icmp -j DROP
iptables -A FORWARD -s 192.168.11.250 -p icmp -j DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
With all three policies set to ACCEPT the device forwards everything except ICMP from the two listed hosts; this is a routing configuration, not a firewall.
Forward ESP (protocol 50) and AH (protocol 51) to 192.168.6.123
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -p 50 -j DNAT --to-destination 192.168.6.123
iptables -A ExtAcc -p 50 -d 192.168.6.123 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -p 51 -j DNAT --to-destination 192.168.6.123
iptables -A ExtAcc -p 51 -d 192.168.6.123 -j ACCEPT
ESP has no ports, so only one internal host can be published this way, and IKE (UDP 500, plus UDP 4500 for NAT traversal) must be forwarded as well (see the NAT policy section below). AH authenticates the outer IP header including the destination address, so the receiving host rejects AH packets whose destination was rewritten by DNAT; AH does not survive NAT, only ESP does.
Mark connections from one subnet for policy routing over a second uplink
iptables -t mangle -A PREROUTING -s 192.168.6.0/24 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x16
iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
The first rule stamps new connections from 192.168.6.0/24 with connection mark 0x16; the restore-mark rule copies the connection mark onto every packet of every connection (the -D beforehand removes an earlier copy of the same rule so it is not duplicated). The mark does nothing on its own: an ip rule must select a routing table for it, for example "ip rule add fwmark 0x16 table <n>" with a default route via the second line in table <n>, which the page does not show.
Open the SMTP port
iptables -I PFPrivWan -p tcp --dport 25 -j ACCEPT
Open the POP3 port
iptables -I PFPrivWan -p tcp --dport 110 -j ACCEPT
QoS traffic control. The rules below cap the download speed of two hosts: 192.168.6.18 to 128 kbit/s and 192.168.6.200 to 256 kbit/s. tc shapes egress only, so eth0 must be the LAN-facing interface, where "download" traffic leaves the firewall and can be matched on its destination address; class 1:10 (the htb default) takes everything no filter matches.
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:10 htb rate 1800kbit burst 6k prio 1
tc class add dev eth0 parent 1: classid 1:20 htb rate 128kbit burst 6k prio 2
tc class add dev eth0 parent 1: classid 1:30 htb rate 256kbit burst 6k prio 2
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10
tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip dst 192.168.6.18 flowid 1:20
tc filter add dev eth0 parent 1:0 protocol ip prio 10 u32 match ip dst 192.168.6.200 flowid 1:30
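Typing the tc lines above by hand for every host is where the class ids get mixed up (the source had lost them). As an added example, not part of the original page, the function below generates the same HTB layout for any list of "IP rate" pairs: one default class 1:10 plus one class, sfq leaf and u32 filter per host, numbered 1:20, 1:30, and so on. It prints the commands instead of running them, so it can be reviewed first; the interface name, total rate and the 1:20/1:30 numbering scheme are assumptions, the burst and prio values are the page's own.

```shell
# htb_shape_rules DEV TOTAL_RATE "IP RATE" ["IP RATE" ...]
# Emits tc commands on stdout; does not need root and does not touch the system.
# Assumptions (not from the original page): DEV is the LAN-facing interface,
# TOTAL_RATE is the rate for the default class, per-host classes start at 1:20.
htb_shape_rules() {
    dev="$1"; total="$2"; shift 2
    # Make the script re-runnable: remove any existing root qdisc first.
    printf 'tc qdisc del dev %s root 2>/dev/null || true\n' "$dev"
    printf 'tc qdisc add dev %s root handle 1: htb default 10\n' "$dev"
    # 1:10 is the default class: anything no filter matches lands here.
    printf 'tc class add dev %s parent 1: classid 1:10 htb rate %s burst 6k prio 1\n' "$dev" "$total"
    printf 'tc qdisc add dev %s parent 1:10 handle 10: sfq perturb 10\n' "$dev"
    n=20
    for pair in "$@"; do
        ip=${pair% *}      # text before the space
        rate=${pair#* }    # text after the space
        printf 'tc class add dev %s parent 1: classid 1:%d htb rate %s burst 6k prio 2\n' "$dev" "$n" "$rate"
        printf 'tc qdisc add dev %s parent 1:%d handle %d: sfq perturb 10\n' "$dev" "$n" "$n"
        # tc shapes egress only: on the LAN interface a host's "download" is
        # traffic leaving the firewall with that host as ip dst.
        printf 'tc filter add dev %s parent 1:0 protocol ip prio 10 u32 match ip dst %s flowid 1:%d\n' "$dev" "$ip" "$n"
        n=$((n + 10))
    done
}

# Usage: review the output, then pipe it to sh as root.
htb_shape_rules eth0 1800kbit "192.168.6.18 128kbit" "192.168.6.200 256kbit"
```

Each host gets its own htb class and sfq leaf, so one host saturating its cap cannot starve flows of another host in the same class.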
IPsec policy (rules inserted at fixed positions 1-3 of PrivFwd)
iptables -I PrivFwd 1 -o ipsec0 -s 192.168.4.0/24 -m time --timestart <HH:MM> --timestop <HH:MM> --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -I PrivFwd 2 -i ipsec0 -d 192.168.6.2 -j ACCEPT
iptables -I PrivFwd 3 -i ipsec0 -j DROP
The start and stop times are missing from the source and must be filled in. Rule 1 keeps 192.168.4.0/24 out of the tunnel during that window, rule 2 lets tunnel traffic reach 192.168.6.2 only, rule 3 drops everything else arriving from the tunnel. --days is the spelling of the old ipt_time match; current xt_time uses --weekdays Mon,Tue,... (and listing all seven days is the same as no day restriction).
Block one MAC address from sending into the IPsec tunnel (local side)
iptables -I PrivFwd 1 -o ipsec0 -m mac --mac-source 00:C0:9F:7F:B1:33 -j DROP
Prevent the firewall itself from initiating IPsec to a given public peer
iptables -A OUTPUT -d 202.33.44.5 -j DROP
OUTPUT only covers packets generated by the firewall; forwarded traffic to that address is unaffected.
Block IPsec traffic arriving from a public IP address and MAC address
iptables -I INPUT -s 202.33.44.5 -m mac --mac-source 00:11:15:00:08:37 -j DROP
Source MAC addresses do not cross routers: for a packet from a public address the MAC the firewall sees is that of the upstream router, so the MAC part of this match only adds anything if 202.33.44.5 sits on the firewall's own WAN segment.
A host (by MAC) may only send and receive mail; everything else from it is dropped. The DROP is inserted first and each ACCEPT is then inserted above it, so the chain ends up as DNS, SMTP and POP3 accepts followed by the DROP.
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT
NAT policy: publish a web server and a VPN server at 192.168.100.2
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500
PPTP uses TCP 1723 for control and GRE (protocol 47) for the tunnel itself; the UDP 1723 rule is harmless but serves nothing, and GRE needs its own DNAT rule (-p 47) plus the nf_conntrack_pptp/nf_nat_pptp helpers for PPTP to work through the NAT. UDP 500 and 4500 cover IKE and NAT-T; an IPsec peer that does not use NAT-T additionally needs a -p 50 (ESP) DNAT as in the ESP/AH section above.
NAT for an FTP server
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21
Forwarding port 21 alone only covers the control connection; passive-mode data connections need the FTP connection-tracking helpers (nf_conntrack_ftp and nf_nat_ftp) loaded, or the server's passive port range forwarded explicitly.
Allow access only to specific hosts (DNS plus two web servers; everything else is dropped)
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP
A hostname given to -d is resolved once, when the rule is added, and becomes one rule per A record; iptables cannot filter on URLs or Host headers, and the rule silently goes stale when the site's addresses change. Because DNS is open, clients can still resolve any name; only connections to the listed addresses get through.
Open a few ports for one IP address; everything else is closed (109 is POP2, 110 is POP3)
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP
Multiple ports (the multiport extension takes up to 15 ports or first:last ranges)
iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT
Port ranges
iptables -A Filter -p tcp -m multiport --source-port 80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT
Internet access at set times (all seven days are listed, which is the same as no day restriction)
iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
The ACCEPT rules only restrict anything if a later rule in Filter drops the remaining traffic. --days is the old ipt_time spelling; current xt_time uses --weekdays and evaluates the times in UTC unless --kerneltz is given.
Block several port services at once (use -j ACCEPT instead to open the same ports)
iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j DROP
Forward the whole WAN address to one PC (1:1 DNAT of every port and protocol)
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1
This exposes every listening service on 192.168.0.1 to the Internet (a "DMZ host"); prefer per-port DNAT rules like the ones below.
Forward WAN port 8000 to port 80 of 192.168.100.200
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
Ports to forward for a mail server
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25
Allow 192.168.100.200 to ping 202.96.134.133 only; everything else reaching the chain is dropped
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Block BitTorrent (alternative port range)
iptables -A Filter -p tcp --dport 11000:60000 -j DROP
Block QQ
iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 61.144.238.0/24 -j DROP
iptables -A Filter -d 202.104.129.0/24 -j DROP
iptables -A Filter -d 58.60.14.0/24 -j DROP
iptables -A Filter -d 219.133.0.0/16 -j DROP
iptables -A Filter -d 58.251.63.0/24 -j DROP
iptables -A Filter -d 202.96.170.0/24 -j DROP
iptables -A Filter -d 58.61.33.0/24 -j DROP
Block QQ TM
iptables -A Filter -d 221.236.11.0/24 -j DROP
iptables -A Filter -d 218.85.138.0/24 -j DROP
The first rule drops all UDP except DNS (the old "--dport ! 53" spelling is now written "! --dport 53"), which also breaks any other UDP application. The address blocks were the service's servers when this was written (2014) and are certainly stale; blocking a chat service by IP needs a maintained list.
Based on MAC address, only mail may be sent and received; everything else from that host is dropped (DROP inserted first, ACCEPTs inserted above it)
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
Unlike the earlier variant this one does not allow DNS, so the host must reach its mail server by IP address or through a resolver that is not subject to this chain.
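Both MAC-based "mail only" entries (this one and the earlier one that also allows DNS) rely on -I stacking each new rule above the previous one, so the DROP typed first ends up last. As an added example, not part of the original page, the script below writes the same policy for any number of MACs as an iptables-restore fragment, where rules are loaded in exactly the order written, and includes a check that every MAC's DROP comes after its ACCEPTs. It assumes the chain name Filter from the page and that FORWARD already jumps to Filter; the iptables-restore format itself is standard.

```shell
# mail_only_restore MAC [MAC ...]
# Prints an iptables-restore fragment for the filter table that lets each MAC
# use DNS, SMTP and POP3 only. Assumed (not from the page): the Filter chain is
# created here with ":Filter - [0:0]" and FORWARD already jumps to it.
mail_only_restore() {
    printf '%s\n' '*filter'
    printf '%s\n' ':Filter - [0:0]'
    for mac in "$@"; do
        # Allowed first: DNS (to find the mail server), SMTP, POP3 ...
        printf '%s\n' "-A Filter -m mac --mac-source $mac -p udp --dport 53 -j ACCEPT"
        printf '%s\n' "-A Filter -m mac --mac-source $mac -p tcp --dport 25 -j ACCEPT"
        printf '%s\n' "-A Filter -m mac --mac-source $mac -p tcp --dport 110 -j ACCEPT"
        # ... then everything else from this MAC. Top-down, first match wins.
        printf '%s\n' "-A Filter -m mac --mac-source $mac -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# drop_after_accepts MAC [MAC ...]
# Exit 0 if, for every MAC, its DROP line comes after all of its ACCEPT lines.
# Field 6 of each rule line is the MAC ("-A Filter -m mac --mac-source <MAC> ...").
drop_after_accepts() {
    mail_only_restore "$@" | awk -v ok=1 '
        /-j ACCEPT/ { last_accept[$6] = NR }
        /-j DROP/   { if (!($6 in last_accept) || last_accept[$6] > NR) ok = 0 }
        END { exit ok ? 0 : 1 }'
}

# Usage: write the fragment to a file, review it, then load it as root with
#   iptables-restore --noflush < mail-only.rules
# (--noflush keeps the other chains of the filter table intact).
mail_only_restore 00:0F:EA:25:51:37 00:0A:EB:97:79:A1
```

Loading a whole chain through iptables-restore is also atomic, so there is no window where the DROP is in place but the ACCEPTs are not yet, which the one-command-at-a-time -I sequence has.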
Block MSN
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Allow 192.168.100.200 to ping 202.96.134.133 only; no other public address can be pinged
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
The DROP carries no -s, so it blocks ICMP from every host passing through the chain, not just 192.168.100.200; add -s 192.168.100.200 to it if only that host should be restricted.
Block a MAC address from reaching the Internet:
iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Block ping from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Block services for an IP address:
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Allow only some services and drop the rest (2 rules):
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Block one port for an IP address
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
Rules are evaluated top-down and the first match wins, so an ACCEPT with the same source and port placed above this rule would shadow it and the DROP would never fire.
Block one port for a MAC address
iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
Block a MAC address from reaching the Internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
Tag one host's new connections in the kernel log
iptables -I INPUT -p tcp --syn -s 192.168.5.200 -j LOG --log-prefix "//zgs---log//:"
--syn matches only connection-opening segments, so each TCP connection from the host is logged once rather than on every packet. Use LOG together with a rate limit (as in the flood-protection chain) if the source is untrusted, otherwise the log itself becomes a flooding target.
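The LOG rules on this page (the "Flood-dropped: " prefix of the flood chain and the "//zgs---log//:" prefix here) only pay off if someone reads the resulting kernel messages. As an added example, not part of the original page, the function below reads netfilter LOG lines from stdin, keeps those carrying a given prefix and prints one line per source address with the hit count and the destination ports seen. The sample lines are constructed here in the standard netfilter LOG layout; only the two prefix strings come from the page, and the addresses, MACs and timestamps are made up.

```shell
# Constructed sample of kernel LOG output (not real traffic). Two flood entries
# from one source, one from another, one "//zgs---log//:" entry, one unrelated line.
SAMPLE_LOG='Mar 12 10:00:01 gw kernel: Flood-dropped: IN=eth0 OUT= MAC=00:0a:e4:3d:a3:d7:00:1b:21:9c:44:10:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:00:02 gw kernel: Flood-dropped: IN=eth0 OUT= MAC=00:0a:e4:3d:a3:d7:00:1b:21:9c:44:10:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:00:05 gw kernel: Flood-dropped: IN=eth0 OUT= MAC=00:0a:e4:3d:a3:d7:00:1b:21:9c:44:10:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=68 TOS=0x00 PREC=0x00 TTL=61 ID=4711 PROTO=UDP SPT=5353 DPT=53 LEN=48
Mar 12 10:01:00 gw kernel: //zgs---log//:IN=eth1 OUT= MAC=00:0a:e4:3d:a3:d8:00:20:18:8f:72:f8:08:00 SRC=192.168.5.200 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:01:30 gw sshd[1234]: Accepted publickey for admin from 192.168.5.10 port 51000 ssh2'

# log_summary PREFIX  (reads log lines on stdin)
# For every line containing PREFIX, pull SRC= and DPT= out of the key=value
# fields and print "COUNT SRC PORTS" per source, busiest source first.
# Works with the date/host/"kernel:" layout of syslog; journalctl -k output
# has the same key=value body.
log_summary() {
    prefix="$1"
    awk -v p="$prefix" '
        index($0, p) == 0 { next }              # only lines carrying this LOG prefix
        {
            src = ""; dpt = "-"                 # ICMP lines have no DPT, shown as "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            count[src]++
            # keep a comma-separated list of distinct destination ports per source
            if (ports[src] == "") ports[src] = dpt
            else if (index("," ports[src] ",", "," dpt ",") == 0) ports[src] = ports[src] "," dpt
        }
        END { for (s in count) printf "%d %s %s\n", count[s], s, ports[s] }' | sort -rn
}

# Usage: against a live box, e.g.  journalctl -k | log_summary "Flood-dropped: "
printf '%s\n' "$SAMPLE_LOG" | log_summary "Flood-dropped:"
```

The prefix is matched as a plain substring, so a LOG rule whose prefix is a prefix of another rule's prefix (for example "Flood" and "Flood-dropped") needs distinct strings, which is also why the page's habit of ending the prefix with ": " is worth keeping.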