Configure shell scripts for the classic iptables firewall

Source: Internet
Author: User
PS: This iptables script is good and practical; adapt it as needed to your actual application. It is provided for reference. Original author: alias name. Source: see above. The script follows.
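#!/bin/sh
#
# Classic iptables gateway firewall: ppp0 is the uplink, eth1 the LAN
# (192.168.0.0/24).  It NATs the LAN, terminates a PPTP VPN, rate-limits
# new connections, and applies a few payload-string content filters.
# Must run as root; it flushes and rebuilds the whole rule set every time.
#
# NOTE(review): this copy was reconstructed from a mangled listing
# (capitalisation and spacing of commands/options were lost).  Legacy
# module, match-option and sysctl names are kept as the author wrote them;
# on newer kernels/iptables the equivalents are nf_conntrack_* sysctls,
# `-m string --algo bm|kmp` and `-m time --weekdays`.  Verify on the target.

# Kernel modules for NAT and for tracking/NATing FTP through the gateway.
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Start clean: flush all rules and delete user chains in filter and nat.
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

########################### INPUT chain ####################################

# Default deny on INPUT; every rule below opens a specific hole.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# pop3, http and smtp from anywhere; samba (139/tcp) only from the LAN.
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# DNS queries arriving on the LAN interface.
iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
# PPTP VPN from the Internet: control channel on 1723/tcp, data over GRE.
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# NOTE(review): 192.186.0.0/24 (here and in the connlimit rule below)
# differs from the 192.168.0.0/24 used everywhere else and is probably a
# typo — confirm before relying on these two rules.
iptables -A INPUT -s 192.186.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Per-source cap: more than 15 concurrent TCP connections from one address
# on the uplink (or from the subnet above) gets further SYNs dropped.
iptables -A INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -s 192.186.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# Log (rate-limited to 3/s) and then drop all inbound ICMP.  This also
# drops "fragmentation needed", so path-MTU discovery towards this host
# breaks; consider allowing that ICMP type if large transfers stall.
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN :"
iptables -A INPUT -p icmp -j DROP
# Masquerade LAN traffic leaving on the uplink.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# Lightweight SYN-flood damping: new TCP connections pass at 3/s with a
# burst of 6; anything beyond that is rejected.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

####################### FORWARD chain ######################################

iptables -P FORWARD DROP
# LAN clients may reach http, pop3, ftp, smtp, pptp and dns, and may send
# GRE and ICMP (VPN clients reach the Internet through the LAN side).
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,21,25,1723 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Content filters (inserted at the head of FORWARD, so they run before the
# ACCEPT rules above).  These are plain-text payload matches: they cannot
# see encrypted traffic, and short patterns such as "ad" or "qq.com" also
# match unrelated data, so expect both misses and false positives.
#
# NOTE(review): the original listing had three further time-window rules
# whose --timestart/--timestop values were lost.  They are left disabled
# here; fill in the window and re-enable if you need a second schedule.
# iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart <START> --timestop <STOP> --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart <START> --timestop <STOP> --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart <START> --timestop <STOP> --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#
# Block QQ DNS lookups Monday–Saturday, 13:30–20:30.
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Block the QQ web site from the LAN Monday–Saturday, 13:00–20:30.
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 13:00 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Block ay2000.net, "broadband cinema", porn and advertisement pages.
# Non-ASCII patterns do not match reliably with this method.  The "ad"
# rule matches any HTTP response body containing those two letters (e.g.
# "header", "load"), so it will drop a great deal of legitimate traffic.
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "ay2000.net" -j DROP
iptables -I FORWARD -d 192.168.0.0/24 -m string --string "broadband cinema" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "porn" -j DROP
iptables -I FORWARD -p tcp --sport 80 -m string --string "ad" -j DROP
# Block P2P (eDonkey, KaZaA, BitTorrent, Ares) via the ipp2p match.
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# Cap outbound HTTP at 15 concurrent connections per /24 source block.
# NOTE(review): the original line spelled the option "--connlimit-abve"
# and had no -j target (a target-less rule only counts).  DROP matches
# the other connlimit rules in this script — confirm that is the intent.
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP

###########################################################################
# Enable IPv4 forwarding (the script is /bin/sh, so no bash-only "&>").
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
###########################################################################
# SYN cookies: lightweight protection against SYN-flood DoS.
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Established-TCP conntrack timeout of 3800 s (the kernel default is much
# longer, so this greatly reduces the number of tracked connections).
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# Conntrack table size of 300 000 entries; size to your RAM and iptables
# version, each entry costs more than 300 bytes.
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1
###########################################################################
# 192.168.0.50 is the author's own host: everything from it is allowed.
# Inserted at the head of INPUT/FORWARD, so it bypasses every filter and
# limit above; the trust rests on the source address alone.
iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
###########################################################################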
