Iptables Common configuration examples for Linux (2)

Source: Internet
Author: User
Tags iptables

Iptables-f #清除所有规则
Iptables-x #清除所有自定义规则
Iptables-z #各项计数归零
Iptables-p INPUT DROP #将input链默认规则设置为丢弃
Iptables-p OUTPUT DROP #将output链默认规则设置为丢弃
Iptables-a input-i lo-j ACCEPT
Iptables-a output-o lo-j ACCEPT #对运行在本机回环地址上的所有服务放行
Iptables-a input-m state–state established,related-j ACCEPT #把这条语句插在input链的最前面 (first), and the connection to the status established,related is released.
Iptables-a output-p tcp–dport 80-j ACCEPT #允许本机访问其他80服务
Iptables-a output-p udp–dport 53-j ACCEPT #允许本机发送域名请求
Iptables-a output-p icmp-j ACCEPT #对本机出去的所有icmp协议放行, in fact, if only to allow the native ping other machines, it is more rigorous practice is to modify this statement to:
Iptables-a output-p icmp–icmp-type echo-request-j ACCEPT

The status of established and related package release, in short, that is allowed to go out of the package is received by the other host, the host responds to the incoming packet release. This statement is important, you can save a lot of iptables statements, especially in the case of FTP server. You understand the meaning, you should know that with this statement, the 6th sentence can be omitted.

Web site:
iptables-f
iptables-x
iptables-z
iptables-p OUTPUT DROP
Iptables-a input-i lo-j Accept
Iptables-a output-o lo-j accept
iptables-a output-p udp–dport 53-j acceptiptables-a output-p tcp-s 192.168.1.10-d www.qq.com-j DROP (Forbidden site)
Iptables-a forward-p tcp-s 192.168.1.11 /24-d www.qq.com-o eth0-j DROP (Forbidden network segment)
Iptables-a forward-p tcp-s 192.168.1.12-d 192.168.1.13 -o eth0- J DROP (disable IP)
iptables-a output-p tcp–dport 80-j ACCEPT (This is written under the Forbidden Web site)

# Security rules like Windows Firewall
Iptables-a input-p tcp–dport 1:1024-j DROP
Iptables-a input-p Udp–dport 1:1024-j DROP These two can prevent nmap detection
Iptables-a input-p tcp–dport * *-j ACCEPT (ports to open)
# allow the port, relative to the Protocol to change it, (port over)
============================================

Iptables erecting a secure vsftp server

In the actual work, the following script can be used to set up a very internal FTP, of course, with Wireshark understand the vsftpd of the passive and active differences, to the native 192.168.0.10 as an example, the script is as follows:

#!/bin/bash
-F
iptables-x
Iptables-z
iptables-t nat-f
iptables-t nat-x
Iptables -T nat-z
#开启ip转发功能
echo "1" >/proc/sys/net/ipv4/ip_forward
#加载ftp需要的一些模块功能
modprobe ip_conntrack_ FTP
modprobe ip_conntrack-tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp
#为了更安全, define the output default policy as Drop
Iptables-p INPUT Drop
iptables-p OUTPUT drop
iptables-p FORWARD ACCEPT
#开放本机的lo环回口, suggested open, non-open will have some inexplicable problems
Iptables-a input-i lo-j Accept
Iptables-a output-o lo-j Accept
#下面的脚本是架设安全的vsftpd关健, the latter two script is to release the server to respond to the client and the established connection The packet, because the passive FTP complex, six times handshake, so here uses the state to do
Iptables-a input-s 192.168.0.0/24-p tcp–dport 21-j ACCEPT
iptables-a output-d 192.168.0.0/24-p Tcp–sport 21-j Accept
Iptables-a input-m state–state related,established-j Accept
Iptables- A output-m state–state related,established-j ACCEPT

=====================================
Intranet Web server for small and medium-sized companies with intranet server published IPT
=====================================

Prevent attack scanning
Prevent sync packet flooding (sync Flood)
# iptables-a forward-p tcp–syn-m limit–limit 1/s-j ACCEPT
Someone else is writing.
#iptables-A input-p tcp–syn-m limit–limit 1/s-j ACCEPT
–limit 1/s Limit syn concurrency by 1 times per second and can be modified to suit your needs
Prevent various port scans
# iptables-a forward-p tcp–tcp-flags syn,ack,fin,rst rst-m limit–limit 1/s-j ACCEPT
Ping flood attack (ping of Death)
# iptables-a forward-p icmp–icmp-type echo-request-m limit–limit 1/s-j ACCEPT
# Null Scan (possibly) xikc.om
Iptables-a input-i eth0-p tcp–tcp-flags all none-j DROP

#ubuntu保存与开机加载
Iptables-save > Iptables.up.rules
CP iptables.up.rules/etc/
Vi/etc/network/interfaces

Iptables-save > Iptables.up.rules cp iptables.up.rules/etc/vi/etc/network/interfaces

#在interfaces末尾加入
Pre-up Iptables-restore </etc/iptables.up.rules
Pre-up Iptables-restore </etc/iptables.up.rules

#也可以设置网卡断开的rules.
Post-down Iptables-restore </etc/iptables.down.rules
Post-down Iptables-restore </etc/iptables.down.rules

#保存
Service Iptables Save
Force all clients to access 192.168.1.100 this site
Iptables-t nat-i prerouting-i eth0-p tcp–dport 80-j dnat–to-destination 192.168.1.100 (prerouting and DNAT used together, POSTROUT ing and Snat used together)
Publish intranet Web server 192.168.1.10
Iptables-t nat-i prerouting-p tcp–dport 80-j dnat–to-destination 192.168.1.10
Port mapped to 3389 of the Intranet
Iptables-t nat-i prerouting-p tcp–dport 3389-j dnat–to-destination 192.168.1.10:3389

Source: http://www.ha97.com/3929.html

Iptables Common configuration examples for Linux (2)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.