iptables -F                          # flush all rules
iptables -X                          # delete all user-defined chains
iptables -Z                          # zero the packet and byte counters
iptables -P INPUT DROP               # default policy of the INPUT chain: drop
iptables -P OUTPUT DROP              # default policy of the OUTPUT chain: drop
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT   # allow every service on the local loopback address
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # allow inbound packets of ESTABLISHED and RELATED connections; this rule belongs at the top of the INPUT chain, so if other INPUT rules already exist use -I INPUT 1 instead of -A
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT   # allow this host to reach port 80 on other hosts
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT   # allow this host to send DNS queries
iptables -A OUTPUT -p icmp -j ACCEPT             # allow all ICMP sent by this host; if you only want the host to be able to ping others, the stricter form is:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
The same state match is wanted on the OUTPUT chain. To put it simply: packets that belong to ESTABLISHED and RELATED connections are then also allowed out to the other host. This rule is very important and saves writing many iptables statements, especially on FTP servers, where the data connection is tracked as RELATED to the control connection. Once you understand this you will see that, with this rule in place, the sixth statement can be omitted. Two practical notes: -m state is the old name of the match and -m conntrack --ctstate is its current equivalent; and because these commands run one after another, the host is briefly in a DROP-everything state between -P INPUT DROP and the loopback/state rules, so run them from the console or load the whole set at once with iptables-restore.
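The ruleset above written as one iptables-restore file, so it is loaded atomically (no window in which the policy is DROP but the loopback and state rules are not yet present) and can be syntax-checked before it touches the kernel. This is an added example, not code from the original page; it uses the current -m conntrack --ctstate form, adds the OUTPUT-side state rule the text describes, sets FORWARD to DROP (the page leaves it unset) and assumes iptables-restore is installed when applying.

```bash
#!/bin/sh
# Added example: default-deny host firewall as an atomic iptables-restore ruleset.

build_host_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# state rules at the top of both chains: replies to connections this host
# opened, and RELATED traffic (ICMP errors, helper-tracked data channels)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that fit no tracked connection are dropped rather than examined
-A INPUT -m conntrack --ctstate INVALID -j DROP
# connections this host may open; only the first packet needs a NEW match,
# the rest of each connection is covered by the OUTPUT state rule above
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Validate with iptables-restore --test (parses and builds the ruleset
# without committing it), then commit the same file. Needs root.
apply_host_ruleset() {
    tmp=$(mktemp) || return 1
    build_host_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Line number of the first rule matching a pattern, so ordering can be
# checked without loading anything into the kernel.
rule_position() {
    build_host_ruleset | grep -n -- "$1" | head -n1 | cut -d: -f1
}

case "${1:-print}" in
    print) build_host_ruleset ;;
    apply) apply_host_ruleset ;;
esac
```

Run it without arguments to print the ruleset, or with apply as root to validate and load it. The ordering check (state rule before any per-service ACCEPT) is what the sequential commands on the page rely on implicitly; here it is visible in the file.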
Website rules:
iptables -F
iptables -X
iptables -Z
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.10 -d www.qq.com -j DROP   (block a website from this host)
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d www.qq.com -o eth0 -j DROP   (block a whole network segment; the original wrote 192.168.1.11/24, which iptables normalizes to 192.168.1.0/24)
iptables -A FORWARD -p tcp -s 192.168.1.12 -d 192.168.1.13 -o eth0 -j DROP   (block a single IP)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT   (this must be added after the website block: the first matching rule decides, so an ACCEPT above the DROP would let the traffic through)
Note that a hostname given to -d is resolved once, when the rule is added, and becomes one rule per address returned at that moment; a site served from many or changing addresses is not reliably blocked this way. There is also no state rule on OUTPUT here, so apart from DNS and outbound HTTP nothing leaves this host.
# Security rules, similar to the Windows firewall
iptables -A INPUT -p tcp --dport :1024 -j DROP   (drop everything aimed at ports 0 through 1024; the privileged range proper is 0:1023)
iptables -A INPUT -p udp --dport <port-range> -j DROP   (the UDP range was missing from the original; together with the TCP rule this blunts nmap port probing)
iptables -A INPUT -p tcp --dport ** -j ACCEPT   (** = the port to open. -A appends it below the DROP above, so for a port below 1024 insert it above the DROP with -I, or it will never match)
# change -p to the protocol of the port you allow
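The website ruleset with the two ordering rules made explicit: site blocks before the generic port-80 ACCEPT, and the ACCEPTs for opened ports before the blanket low-port DROP. This is an added example, not the page's code. Hostnames are resolved by the script itself (iptables would otherwise resolve them once, silently, at rule-add time) and turned into one rule per address. The LAN 192.168.1.0/24, eth0 and www.qq.com come from the page; the addresses 203.0.113.10/11 and the open ports 22 and 80 are constructed defaults, and the ruleset adds the INPUT/OUTPUT state rules the page's version lacks so that the low-port DROP does not also kill replies to opened ports.

```bash
#!/bin/sh
# Added example: website/port ruleset generator with explicit rule ordering.
LAN_NET=192.168.1.0/24
WAN_IF=eth0

# Resolve a hostname to all of its IPv4 addresses (used in apply mode only).
resolve_v4() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u | tr '\n' ' '
}

# $1: space-separated addresses to block, $2: space-separated TCP ports to open
build_site_ruleset() {
    block_addrs=$1
    open_ports=$2
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    # 1. site blocks precede the generic port-80 ACCEPT: the first matching
    #    rule decides, so the order of the -A lines is the policy
    for a in $block_addrs; do
        printf '%s\n' "-A OUTPUT -p tcp -d $a -j DROP"
        printf '%s\n' "-A FORWARD -p tcp -s $LAN_NET -d $a -o $WAN_IF -j DROP"
    done
    printf '%s\n' '-A OUTPUT -p tcp --dport 80 -j ACCEPT'
    # 2. ACCEPTs for exposed ports precede the blanket DROP of ports 0-1023;
    #    appended after it, a low port would never open
    for p in $open_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p tcp --dport 0:1023 -j DROP'
    printf '%s\n' '-A INPUT -p udp --dport 0:1023 -j DROP'
    printf '%s\n' 'COMMIT'
}

# Line number of the first rule containing $3 in the ruleset built from $1 and $2
rule_line() {
    build_site_ruleset "$1" "$2" | grep -n -F -- "$3" | head -n1 | cut -d: -f1
}

case "${1:-print}" in
    print) build_site_ruleset "${BLOCK_ADDRS:-203.0.113.10 203.0.113.11}" "${OPEN_PORTS:-22 80}" ;;
    apply) build_site_ruleset "$(resolve_v4 www.qq.com)" "${OPEN_PORTS:-80}" | iptables-restore ;;
esac
```

Because the block list is generated from a fresh resolution each time the script runs, re-running it from cron keeps up with a site whose addresses change; a rule with -d hostname does not.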
========================================================== ====
Set up a secure vsftp server with iptables
In practice the following script gives a reasonably secure internal FTP server. You can also use Wireshark to watch the difference between active and passive mode in vsftpd. The local machine is 192.168.0.10. The script:
#!/bin/bash
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
# Enable IP forwarding (only needed if this box also routes; a standalone FTP server can leave it off)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Load the kernel modules FTP needs: the connection-tracking and NAT helpers. These are the old 2.4/early-2.6 names; on current kernels they are nf_conntrack_ftp, nf_conntrack_tftp, nf_nat_ftp and nf_nat_tftp
modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp
# To be safer, set the default INPUT and OUTPUT policies to DROP. FORWARD ACCEPT together with ip_forward=1 makes the server route freely between its interfaces; use FORWARD DROP unless it is meant to be a router
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# Open the local loopback interface. It is recommended to open it; otherwise some inexplicable problems may occur
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# The following four rules are the core of securing vsftpd. The first two admit the control connection (port 21) from the LAN and the server's replies on it. The last two let the server answer on, and keep, data connections that have already been set up. Passive FTP negotiates a fresh, randomly numbered data port for every transfer, which no static port rule can express, so the ip_conntrack_ftp helper reads the PASV/PORT exchange on the control channel and marks the matching data connection RELATED, which the two state rules then accept
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
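The same vsftpd ruleset for a current kernel, as an added example rather than the page's script. Two things changed since the script above was written: the modules are now nf_conntrack_ftp and nf_nat_ftp, and from Linux 4.7 on the kernel no longer attaches conntrack helpers automatically, so the control connection has to be tagged with -j CT --helper ftp in the raw table or the passive data connection never becomes RELATED and is dropped. The LAN 192.168.0.0/24 is from the page; the passive port range 50000:50100 is an assumption (vsftpd's pasv_min_port/pasv_max_port are not given on the page), and forwarding is deliberately left off with FORWARD set to DROP.

```bash
#!/bin/sh
# Added example: vsftpd host firewall with explicit conntrack helper assignment.
FTP_CLIENTS=192.168.0.0/24
PASV_RANGE=50000:50100   # assumed to match vsftpd pasv_min_port/pasv_max_port

load_ftp_helper() {
    modprobe nf_conntrack_ftp && modprobe nf_nat_ftp
}

build_ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# attach the FTP helper only to control connections from our LAN; without
# this, kernels >= 4.7 track port 21 as plain TCP and PASV data is not RELATED
-A PREROUTING -s $FTP_CLIENTS -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies and helper-expected data connections, in both directions; this
# also covers the server's own answers on port 21 and active-mode port 20
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# control channel
-A INPUT -s $FTP_CLIENTS -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# belt and braces: should the helper ever fail to parse a PASV reply, only the
# configured passive range is reachable as a NEW connection, not every port
-A INPUT -s $FTP_CLIENTS -p tcp --dport $PASV_RANGE -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules containing a pattern, for sanity checks on the generated set.
count_rules() { build_ftp_ruleset | grep -c -F -- "$1"; }

case "${1:-print}" in
    print) build_ftp_ruleset ;;
    apply) load_ftp_helper && build_ftp_ruleset | iptables-restore ;;
esac
```

After applying, a passive transfer should show up in /proc/net/nf_conntrack as an entry for the data port carrying a helper=ftp expectation on the control connection; if it does not, the CT rule in the raw table is not matching the client traffic.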
============================================
Intranet web server: suitable for small and medium-sized enterprises that run a server on the internal network.
============================================
Attack and scan prevention
SYN flood prevention
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Some people write it as
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s caps the rate at which new SYN packets are accepted to one per second (plus the default burst of 5); adjust the number as needed. Be aware of what the rule does not do: a limit rule only ACCEPTs the packets within the limit and drops nothing by itself, so it has an effect only when the chain policy is DROP or a DROP rule follows it. In that case it also accepts new connections to every TCP port at that rate, so match the service ports as well, and on a busy server 1/s throttles legitimate clients long before it bothers an attacker. SYN cookies (net.ipv4.tcp_syncookies=1) are the better SYN-flood defence.
Prevent various port scans
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
(--tcp-flags takes two arguments, the mask and the flags that must be set within it; the second argument was missing from the original, and RST, as in the classic form of this rule, is assumed here)
Ping flood
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
(the original labels this "Ping of Death"; rate-limiting echo requests mitigates ping floods, whereas the Ping of Death is an oversized or malformed packet and is handled by the kernel, not by this rule)
# Null scan: a TCP packet with no flags set at all
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
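The scan and flood rules above, restructured so that the rate limit is a gate rather than a blanket ACCEPT: within the limit the packet returns to INPUT and is judged by the ordinary service rules, above it the gate logs and drops. This is an added example and not the page's configuration. eth0 is from the page; the service ports 22 and 80, the rates (25 SYN/s with burst 50, 1 ping/s with burst 5) and the log prefixes are assumptions. Each gate is its own chain because -m limit keeps one token bucket per rule, so a ping flood would otherwise exhaust the SYN budget. The flag checks generalize the page's null-scan rule to the other combinations nmap's -sN, -sX and SYN+FIN/SYN+RST probes use.

```bash
#!/bin/sh
# Added example: scan detection and rate gates as dedicated chains.
WAN_IF=eth0

# Emit the rules of a gate chain: RETURN (continue in INPUT) while under
# RATE with burst BURST, otherwise log at most 6/minute and DROP.
limit_gate() {
    name=$1 rate=$2 burst=$3
    printf '%s -m limit --limit %s --limit-burst %s -j RETURN\n' "-A $name" "$rate" "$burst"
    printf '%s -m limit --limit 6/minute -j LOG --log-prefix "%s: "\n' "-A $name" "$name"
    printf '%s -j DROP\n' "-A $name"
}

build_scan_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SCAN - [0:0]
:SYN_LIMIT - [0:0]
:PING_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# impossible flag combinations (null, all-flags, Xmas, SYN+FIN, SYN+RST):
# no legitimate stack sends these, so they are logged and dropped outright
-A INPUT -i $WAN_IF -p tcp --tcp-flags ALL NONE -j SCAN
-A INPUT -i $WAN_IF -p tcp --tcp-flags ALL ALL -j SCAN
-A INPUT -i $WAN_IF -p tcp --tcp-flags ALL FIN,PSH,URG -j SCAN
-A INPUT -i $WAN_IF -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCAN
-A INPUT -i $WAN_IF -p tcp --tcp-flags SYN,RST SYN,RST -j SCAN
-A SCAN -m limit --limit 6/minute -j LOG --log-prefix "scan: "
-A SCAN -j DROP
# rate gates: nothing is accepted merely for being slow enough; the gate
# only decides whether the packet reaches the service rules below
-A INPUT -i $WAN_IF -p tcp --syn -j SYN_LIMIT
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j PING_LIMIT
$(limit_gate SYN_LIMIT 25/second 50)
$(limit_gate PING_LIMIT 1/second 5)
# the actual policy: which new connections and pings this host answers
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

case "${1:-print}" in
    print) build_scan_ruleset ;;
    apply) build_scan_ruleset | iptables-restore ;;
esac
```

The LOG lines are themselves rate-limited so that a scan cannot turn into a disk-filling attack on the log; grep the kernel log for the "scan: " and "SYN_LIMIT: " prefixes to see what is being dropped.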
# Saving and loading on Ubuntu
iptables-save > iptables.up.rules
cp iptables.up.rules /etc/
vi /etc/network/interfaces
# Add to the iface stanza of the interface (every line after an "iface ..." line up to the next stanza belongs to it)
pre-up iptables-restore < /etc/iptables.up.rules
# You can also set the rules that apply when the interface goes down
post-down iptables-restore < /etc/iptables.down.rules
# Save (RHEL/CentOS with the iptables service; Ubuntu has no such service and relies on the files above or on the iptables-persistent package)
service iptables save
Force all clients to reach the website at 192.168.1.100
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100   (PREROUTING is used with DNAT, POSTROUTING with SNAT; this rewrites every port-80 connection arriving on eth0, whatever its original destination)
Publish the intranet web server 192.168.1.10
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
Port mapping to intranet port 3389
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
DNAT only rewrites the destination. The packet still has to be permitted by the FORWARD chain with ip_forward enabled, and the inside host must send its replies back through this box (it is the host's default gateway, or the source is SNATed on the way in), otherwise the translation is never undone.
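Publishing the intranet web server with everything DNAT depends on in one ruleset: the PREROUTING/DNAT and POSTROUTING/SNAT pairing from the page, the FORWARD rules that actually let the translated packets through, forwarding switched on, and the hairpin case where a LAN client connects to the public address and needs an extra MASQUERADE so that the server's reply returns via this box. This is an added example, not the page's commands. 192.168.1.10, 192.168.1.0/24 and eth0 are from the page; eth1 as the LAN interface and 203.0.113.1 as the public address are assumptions.

```bash
#!/bin/sh
# Added example: DNAT publication of an internal server with matching FORWARD and SNAT rules.
WAN_IF=eth0
LAN_IF=eth1            # assumed LAN side
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.10
PUBLIC_IP=203.0.113.1  # assumed public address of this box (TEST-NET-3)

build_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING + DNAT: rewrite the destination before the routing decision
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A PREROUTING -i $WAN_IF -p tcp --dport 3389 -j DNAT --to-destination $WEB_SRV:3389
# hairpin: a LAN client addressing the public IP is DNATed too, and its
# source is masqueraded so the server answers us instead of the client directly
-A PREROUTING -i $LAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -s $LAN_NET -d $WEB_SRV -p tcp --dport 80 -j MASQUERADE
# POSTROUTING + SNAT (MASQUERADE) for ordinary LAN egress
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# forward only what was DNATed, matched on the post-DNAT address and the
# DNAT conntrack state, so nothing else reaches the server from outside
-A FORWARD -i $WAN_IF -d $WEB_SRV -p tcp -m multiport --dports 80,3389 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules: a DNAT without any is the usual "it does not work".
forward_rule_count() { build_nat_ruleset | grep -c '^-A FORWARD'; }

case "${1:-print}" in
    print) build_nat_ruleset ;;
    apply) sysctl -w net.ipv4.ip_forward=1 && build_nat_ruleset | iptables-restore ;;
esac
```

Matching FORWARD on --ctstate DNAT rather than on the port alone means a packet addressed to 192.168.1.10 directly from the outside (a routing mistake or a spoofed route) is not forwarded just because it carries port 80.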