Iptables advanced application instance

Source: Internet
Author: User
Tags inif
1. A good iptables script (for reference)
Quote:
[root@server ~]# cat /opt/iptables.rule
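#!/bin/bash
#
# /opt/iptables.rule -- firewall bring-up for a small Linux NAT gateway.
# Flushes the filter/nat/mangle tables, sets deny-by-default policies on
# INPUT and FORWARD, adds the service, rate-limit and layer-7 rules, enables
# forwarding plus MASQUERADE for the LAN, then runs the per-host deny/allow
# lists and the QoS script if they exist.  Must run as root.
#
# Interfaces (edit for your host):
#   extif - the interface that connects to the Internet
#   inif  - the inside interface; leave it blank (inif="") if there is none
#   innet - the LAN network behind NAT
extif="ppp0"
inif="eth0"
innet="192.168.1.0/24"

# Kernel gate: the script was written for 2.4-2.6 kernels and the
# ip_conntrack sysctl names of that era, so any other major.minor is refused.
# On 3.x and later this check fails too; revisit the sysctl names below
# before relaxing it.  (The source listing had this in single quotes, which
# stores the literal text instead of running the command; $(...) is intended.)
kver=$(uname -r | cut -c 1-3)
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ] && [ "$kver" != "2.6" ]; then
  echo "your Linux kernel version may not be suported by this script!"
  echo "This scripts will not be runing"
  exit 1   # non-zero so a caller notices that nothing was installed
fi

# ipchains and iptables cannot be loaded at the same time.
if lsmod | grep -q ipchains; then
  echo "Unload ipchains in your system"
  rmmod ipchains 2>/dev/null
fi

# Load related modules.  Failures are silenced because most kernels either
# build these in or autoload them on first use.  ip_nat_ftp/ip_conntrack_ftp
# and the irc helpers inspect payload to open related ports; load only the
# helpers you actually need.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH extif inif innet
for mod in ip_tables iptable_nat ip_nat_ftp ip_nat_irc ipt_MARK ip_conntrack \
    ip_conntrack_ftp ip_conntrack_irc ipt_MASQUERADE; do
  modprobe "$mod" >/dev/null 2>&1
done

# Clear all firewall rules.  mangle is flushed as well: the layer-7 rules
# below and the MARK rules in iptables.allow/deny are added unconditionally,
# so without this every re-run stacks another copy of them.
for table in filter nat mangle; do
  /sbin/iptables -t "$table" -F
  /sbin/iptables -t "$table" -X
  /sbin/iptables -t "$table" -Z
done
# Default policies: deny inbound and transit traffic unless a rule allows it.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# Allow intranet samba, SMTP, POP3, and established connections.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): no -i/-s here, so 1863/443/110 are open on the Internet side
# as well; add "-s $innet" like the samba rule if they are LAN-only.  (The
# source listing also had a trailing comma in the port list, which iptables
# rejects.)
/sbin/iptables -A INPUT -p tcp -m multiport --dports 1863,443,110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s "$innet" --dport 139 -j ACCEPT
# Allow DNS queries from the LAN (skipped when there is no inside interface,
# because "-i" with an empty name is an iptables error).
if [ "$inif" != "" ]; then
  /sbin/iptables -A INPUT -i "$inif" -p udp -m multiport --dports 53 -j ACCEPT
fi

# DoS limiting: at most 15 concurrent new connections per source address on
# either side.  The ESTABLISHED,RELATED rule for $innet is already covered by
# the first rule in this chain.
/sbin/iptables -A INPUT -s "$innet" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i "$extif" -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
/sbin/iptables -A INPUT -s "$innet" -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

# Rate-limit ICMP and log the excess: up to 3/s is logged, 6/min accepted,
# the rest dropped.  Because this DROP precedes the per-type ICMP rules near
# the end of the script, those later rules are never reached.
/sbin/iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level info --log-prefix "ICMP packet in :"
/sbin/iptables -A INPUT -p icmp -m limit --limit 6/m -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j DROP

# Layer-7 protocol blocking (needs the l7-filter kernel/iptables patch; each
# line fails without it).  -I puts every rule at the head of mangle
# POSTROUTING, so the last protocol listed ends up first in the chain.
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypeout -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypetoskype -j DROP
for proto in bittorrent fasttrack edonkey kugoo xunlei code_red kameng poco \
    baiduxiaba 100bao socks nimda; do
  /sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto "$proto" -j DROP
done

# Lightweight SYN-flood protection: SYNs beyond 3/s (burst 6) are rejected.
# REJECT answers every excess SYN; DROP would be quieter under a real flood.
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
/sbin/iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
/sbin/iptables -A syn-flood -j REJECT

# FORWARD chain: QQ blocked during working hours, then the services the LAN
# may reach.  (--days is the old ipt_time syntax; newer xt_time uses
# --weekdays.)
/sbin/iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
/sbin/iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:30 --timestop 21:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
/sbin/iptables -A FORWARD -p tcp -s "$innet" -m multiport --dports 25,110,443,1863 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s "$innet" --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p gre -s "$innet" -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -s "$innet" -j ACCEPT
# Established flows first (inserted at the head of FORWARD), then P2P blocking.
/sbin/iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
/sbin/iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
/sbin/iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# At most 15 concurrent port-80 connections per /24 at a time.  The source
# listing spelled the option "--connlimit-abve", which iptables rejects.
/sbin/iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP

# Enable syncookies (lightweight DoS protection).
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Default established-TCP conntrack timeout of 3800 seconds (greatly reduces
# the number of tracked connections).
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# Maximum conntrack table size 300k (each entry costs roughly 300 bytes; size
# it to your memory and iptables version).  These are the 2.6-era sysctl
# names; newer kernels use net.netfilter.nf_conntrack_* and the errors here
# are silenced, so check that the values actually took effect.
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1

# Intranet IP forwarding.
/sbin/iptables -A INPUT -i lo -j ACCEPT
if [ "$inif" != "" ]; then
  /sbin/iptables -A INPUT -i "$inif" -j ACCEPT
  echo "1" > /proc/sys/net/ipv4/ip_forward
  /sbin/iptables -t nat -A POSTROUTING -s "$innet" -o "$extif" -j MASQUERADE
  # Transparent proxy: LAN web traffic is redirected to the local proxy on
  # port 3128.  NOTE(review): the active rule matches on source address only;
  # adding "-i $inif" (as the commented variant does) keeps packets that
  # arrive on $extif with a LAN source from being redirected.
  #/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
  /sbin/iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 192.168.1.3-192.168.1.253 --dport 80 -j REDIRECT --to-ports 3128
fi

# Load the deny and allow host lists.  Order matters: iptables.deny runs
# first and iptables.allow second, and both insert with -I, so the allow
# rules end up ahead of the deny rules in INPUT and FORWARD.
if [ -f /opt/iptables.deny ]; then
  sh /opt/iptables.deny
fi
if [ -f /opt/iptables.allow ]; then
  sh /opt/iptables.allow
fi
# Network bandwidth limit
if [ -f /opt/iptables/QoS.sh ]; then
  sh /opt/iptables/QoS.sh
fi
# Network attack protection
if [ -f /opt/httpd-err/http-netstat.sh ]; then
  sh /opt/httpd-err/http-netstat.sh
fi

# Allow selected ICMP types in from the Internet side: echo reply,
# destination unreachable, fragmentation needed, source quench, time
# exceeded, parameter problem, timestamp/info/address-mask replies.
# See the note on the generic ICMP DROP above: as ordered, these never match.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # duplicate of the first INPUT rule; harmless
aicmp="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $aicmp; do
  /sbin/iptables -A INPUT -i "$extif" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done

# Open ports on the Internet side.
/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 21 -j ACCEPT    # ftp
#/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 22 -j ACCEPT   # ssh
/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 25 -j ACCEPT    # smtp
/sbin/iptables -A INPUT -p udp -i "$extif" --dport 53 -j ACCEPT    # dns
/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 80 -j ACCEPT    # www
/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 110 -j ACCEPT   # pop3
/sbin/iptables -A INPUT -p tcp -i "$extif" --dport 113 -j ACCEPT   # auth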
Quote:
[root@server ~]# cat /opt/iptables.allow
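#!/bin/bash
#
# /opt/iptables.allow -- per-host permissions, run from /opt/iptables.rule.
# This program is used to allow some IP addresses or hosts to access the
# server.  Rules here are added after everything iptables.rule put in place,
# except the final block, which inserts at the head of INPUT/FORWARD.

# MAC and IP address binding: web access (port 80) is forwarded only when the
# source IP and the source MAC match the pair listed below.
# NOTE(review): a client can change its MAC address at will, so this binding
# deters casual address changes but is not authentication of the host.
while read -r ip mac; do
  /sbin/iptables -A FORWARD -s "$ip" -m mac --mac-source "$mac" -p tcp --dport 80 -j ACCEPT
done <<'EOF'
192.168.1.3  00:03:0d:32:39:92
192.168.1.4  00:11:5b:83:c2:17
192.168.1.5  00:11:5b:e3:f1:39
192.168.1.6  00:0b:6a:6d:5e:7b
192.168.1.7  00:05:5d:f6:b4:82
192.168.1.8  00:11:5b:9e:be:5c
192.168.1.9  00:0c:6e:b6:84:9b
192.168.1.10 00:0d:5e:a8:9d:4f
192.168.1.11 00:06:1b:ce:7b:36
192.168.1.12 00:11:2f:e5:33:15
192.168.1.13 00:0a:eb:fd:89:9b
192.168.1.14 00:0b:6a:e8:36:f5
192.168.1.15 00:11:5b:f3:c0:4d
192.168.1.16 00:00:e8:18:c1:64
192.168.1.17 00:14:2a:31:98:99
192.168.1.18 00:0a:eb:95:68:44
192.168.1.19 00:0b:6a:6c:f5:85
192.168.1.20 00:e0:06:09:55:66
192.168.1.21 00:c0:9f:9b:20:53
EOF

# QoS: put Nb (.3), Rita (.7) and the workstation (.8) in the "advanced"
# group, fwmark 60 (see /opt/iptables/QoS.sh for the matching class).
for ip in 192.168.1.3 192.168.1.7 192.168.1.8; do
  /sbin/iptables -t mangle -A PREROUTING -s "$ip" -j MARK --set-mark 60
  /sbin/iptables -t mangle -A POSTROUTING -d "$ip" -j MARK --set-mark 60
done

# Allow all packets from Nb (.3), wujie (.6), Rita (.7) and the workstation
# (.8), inserted at the head of INPUT and FORWARD.
# NOTE(review): -I places these ahead of every rule iptables.rule added
# (connlimit, SYN-flood, the MAC binding above) and ahead of the MAC denies
# in iptables.deny, and the match is on IP address alone.
for ip in 192.168.1.3 192.168.1.6 192.168.1.7 192.168.1.8; do
  /sbin/iptables -I INPUT -s "$ip" -j ACCEPT
  /sbin/iptables -I FORWARD -s "$ip" -j ACCEPT
done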
[root@server ~]# cat /opt/iptables.deny
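#!/bin/bash
#
# /opt/iptables.deny -- per-host restrictions, run from /opt/iptables.rule
# (before iptables.allow, whose -I rules therefore land ahead of these).
# This script denies computers on the LAN.

# Prohibit the production department clerks' machine from using the Internet.
# The match is on MAC address only, so a changed MAC bypasses it.
/sbin/iptables -I FORWARD -m mac --mac-source 00:0d:61:98:8d:98 -j DROP
/sbin/iptables -I INPUT -m mac --mac-source 00:0d:61:98:8d:98 -j DROP

# Disable 192.168.1.12 from using QQ (layer-7 match; needs the l7-filter patch).
/sbin/iptables -t mangle -A POSTROUTING -m layer7 --l7proto qq -s 192.168.1.12/32 -j DROP
/sbin/iptables -t mangle -A POSTROUTING -m layer7 --l7proto qq -d 192.168.1.12/32 -j DROP
# Disable 192.168.1.12 from using MSN
#/sbin/iptables -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -s 192.168.1.12/32 -j DROP
#/sbin/iptables -t mangle -A POSTROUTING -m layer7 --l7proto msnmessenger -d 192.168.1.12/32 -j DROP

# Adding a user to a QoS group by MAC address instead of IP
#/sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 00:11:2f:e5:33:15 -j MARK --set-mark 20
#/sbin/iptables -t mangle -A PREROUTING -m mac --mac-source 00:03:0d:32:39:92 -j MARK --set-mark 60

# Beginner users, traffic restriction: fwmark 20 (see /opt/iptables/QoS.sh).
/sbin/iptables -t mangle -A PREROUTING -s 192.168.1.12 -j MARK --set-mark 20
/sbin/iptables -t mangle -A POSTROUTING -d 192.168.1.12 -j MARK --set-mark 20
# Restrict traffic for specific users: fwmark 30.
/sbin/iptables -t mangle -A PREROUTING -s 192.168.1.4 -j MARK --set-mark 30
/sbin/iptables -t mangle -A POSTROUTING -d 192.168.1.4 -j MARK --set-mark 30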
[root@server ~]# cat /opt/iptables/QoS.sh
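#!/bin/sh
#
# /opt/iptables/QoS.sh -- HTB bandwidth shaping, run from /opt/iptables.rule.
# Coyote local command init script.
# Traffic is classified by the fwmark set in the mangle table (marks 10..60
# select classes 10:10..10:60); iptables.allow and iptables.deny assign them.
# External NIC: eth1, intranet NIC: eth0.
# NOTE(review): iptables.rule sets extif="ppp0", not eth1; if the Internet
# link really is ppp0, the upload shaper below is attached to the wrong
# device.  Also note that tc's "kbps" unit is kilobytes per second ("kbit"
# is kilobits per second).

# --- eth1: upload ---
# Clear all queue rules of eth1.
tc qdisc del dev eth1 root 2>/dev/null
# Top-level (root) qdisc; unclassified traffic goes to class 10:50.
tc qdisc add dev eth1 root handle 10: htb default 50
# First layer, class 10:1 (total bandwidth).
tc class add dev eth1 parent 10: classid 10:1 htb rate 64kbps ceil 64kbps
# Second layer, the leaf classes.
# rate: guaranteed bandwidth; ceil: maximum bandwidth; prio: priority.
# NOTE(review): the classids 10:10-10:50 were garbled in the source listing
# and are reconstructed from the filter table below (mark N -> class 10:N);
# verify against the original before deploying.
tc class add dev eth1 parent 10:1 classid 10:10 htb rate 1kbps ceil 2kbps prio 0
tc class add dev eth1 parent 10:1 classid 10:20 htb rate 2kbps ceil 8kbps prio 2
tc class add dev eth1 parent 10:1 classid 10:30 htb rate 4kbps ceil 12kbps prio 3
tc class add dev eth1 parent 10:1 classid 10:40 htb rate 8kbps ceil 16kbps prio 1
tc class add dev eth1 parent 10:1 classid 10:50 htb rate 32kbps ceil 40kbps prio 4
tc class add dev eth1 parent 10:1 classid 10:60 htb rate 32kbps ceil 40kbps prio 4
# Leaf qdiscs: parent is the class number, handle the leaf qdisc number.
# pfifo is enough here because the fw filter already does the classification.
tc qdisc add dev eth1 parent 10:10 handle 101: pfifo
tc qdisc add dev eth1 parent 10:20 handle 102: pfifo
tc qdisc add dev eth1 parent 10:30 handle 103: pfifo
tc qdisc add dev eth1 parent 10:40 handle 104: pfifo
tc qdisc add dev eth1 parent 10:50 handle 105: pfifo
tc qdisc add dev eth1 parent 10:60 handle 106: pfifo
# Filters: packets carrying fwmark 10 (handle) go to class 10:10, and so on.
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 10 fw classid 10:10
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 20 fw classid 10:20
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 40 fw classid 10:40
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev eth1 parent 10: protocol ip prio 100 handle 60 fw classid 10:60

# --- eth0: download ---
# Clear all queue rules of eth0.
tc qdisc del dev eth0 root 2>/dev/null
# Top-level (root) qdisc; unclassified traffic goes to class 10:50.
tc qdisc add dev eth0 root handle 10: htb default 50
# First layer, class 10:1 (total bandwidth).
tc class add dev eth0 parent 10: classid 10:1 htb rate 256kbps ceil 256kbps
# Second layer, the leaf classes (classids reconstructed as above; verify).
tc class add dev eth0 parent 10:1 classid 10:10 htb rate 1kbps ceil 2kbps prio 0
tc class add dev eth0 parent 10:1 classid 10:20 htb rate 4kbps ceil 32kbps prio 2
tc class add dev eth0 parent 10:1 classid 10:30 htb rate 8kbps ceil 188kbps prio 3
tc class add dev eth0 parent 10:1 classid 10:40 htb rate 16kbps ceil 196kbps prio 1
tc class add dev eth0 parent 10:1 classid 10:50 htb rate 32kbps ceil 212kbps prio 4
tc class add dev eth0 parent 10:1 classid 10:60 htb rate 32kbps ceil 212kbps prio 4
# Leaf qdiscs: parent is the class number, handle the leaf qdisc number.
tc qdisc add dev eth0 parent 10:10 handle 101: pfifo
tc qdisc add dev eth0 parent 10:20 handle 102: pfifo
tc qdisc add dev eth0 parent 10:30 handle 103: pfifo
tc qdisc add dev eth0 parent 10:40 handle 104: pfifo
tc qdisc add dev eth0 parent 10:50 handle 105: pfifo
tc qdisc add dev eth0 parent 10:60 handle 106: pfifo
# Filters: fwmark N selects class 10:N (the 20/40/50 classids were missing in
# the source listing and follow the same pattern; verify).
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 10 fw classid 10:10
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 20 fw classid 10:20
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 40 fw classid 10:40
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev eth0 parent 10: protocol ip prio 100 handle 60 fw classid 10:60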
