iptables Firewall Setup Instance

Source: Internet
Author: User

1. Reject all ICMP packets sent to the firewall host
iptables -I INPUT -p icmp -j REJECT

2. Allow the firewall to forward all packets except ICMP
iptables -A FORWARD ! -p icmp -j ACCEPT
Description: "!" inverts a match condition. Put the "!" in front of the option (! -p icmp); the older form -p ! icmp is deprecated and iptables warns about it.

3. Refuse to forward packets from host 192.168.1.10, but allow forwarding from the 192.168.0.0/24 network segment
iptables -A FORWARD -s 192.168.1.10 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Note: iptables evaluates the rules of a chain from top to bottom and the first match wins, so a specific REJECT must be placed before a broader ACCEPT that would match the same traffic; otherwise the REJECT never takes effect.

4. Discard packets that enter the firewall host on the external interface (eth1) with a private-network source address
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
Note: Packets with an RFC 1918 source address never legitimately arrive from the Internet, so anything matching these rules is spoofed.

5. Block a network segment (10.20.30.0/24) and lift the block after two hours
# iptables -I INPUT -s 10.20.30.0/24 -j DROP
# iptables -I FORWARD -s 10.20.30.0/24 -j DROP
# at now +2 hours
at> iptables -D INPUT -s 10.20.30.0/24 -j DROP
at> iptables -D FORWARD -s 10.20.30.0/24 -j DROP
at> <EOT>
Description: Finish the at input with Ctrl+D (at echoes <EOT>), not Ctrl+Z: Ctrl+Z only suspends the at process ("[1]+ Stopped at now +2 hours") and schedules nothing. The delayed commands delete the rules by their exact specification rather than by position (iptables -D INPUT 1), which would remove the wrong rule if anything else had been inserted at the top of the chain in the meantime. The same job could be done with a crond scheduled task, but at is the better fit for a one-off action.

6. Only allow administrators to log in to the firewall host over SSH from the 202.13.0.0/16 network segment
iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Description: This pattern suits remote management of devices, for example an SQL server located in a branch office that has to be administered from head office. The ACCEPT for the management network must come before the catch-all DROP.

7. Allow the local host to offer application services on TCP ports 20-1024
iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
Description: A port range is written as low:high.

8. Allow forwarding of DNS resolution requests from the 192.168.0.0/24 LAN segment
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT
Description: The second rule lets the replies (source port 53) back to the LAN. DNS over TCP, used for large responses and zone transfers, would need matching rules with -p tcp.

9. Prevent other hosts from pinging the firewall host, but allow the firewall host to ping others
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Description: Incoming echo requests are dropped, while echo replies and destination-unreachable messages (answers to the firewall's own traffic) are accepted. -I inserts at the top of the chain, so rules inserted one after another end up in reverse order; that is harmless here because the three ICMP types do not overlap.

10. Disable forwarding of packets from the host with MAC address 00:0c:29:27:55:3f
iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3f -j DROP
Description: Extension matches are loaded with "-m module"; here "-m mac --mac-source" matches the packet's source MAC address. The mac match only makes sense for packets entering on an Ethernet interface in the PREROUTING, INPUT or FORWARD chains, i.e. for hosts on a directly attached segment, because the source MAC is rewritten at every router hop.

11. Allow the firewall host to open TCP ports 20, 21, 25, 110 and the passive-mode FTP port range 1250-1280
iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT
Description: "-m multiport --dports" takes a comma-separated list of destination ports and port ranges (at most 15 entries, a range counting as two).

12. Disable forwarding of TCP packets with a source IP address in the range 192.168.1.20-192.168.1.99
iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
Description: "-m iprange --src-range" matches an arbitrary address range that does not have to align with a subnet boundary.

13. Disable forwarding of non-SYN packets that do not belong to an existing TCP connection
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
Description: "-m state" matches on the connection-tracking state of the packet; NEW means the packet is not associated with any tracked connection. A NEW TCP packet without the SYN flag is a stray or forged segment. Newer iptables versions provide the same match as "-m conntrack --ctstate"; "-m state" still works.

14. Deny new connections to the firewall host, but allow replies to, and packets related to, existing connections
iptables -A INPUT -p tcp -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: ESTABLISHED means the packet belongs to a connection that has already seen traffic in both directions, and RELATED means it is associated with an established connection, such as an FTP data connection. The two rules match disjoint states, so their relative order does not matter here.

15. Open only the local web service (80) and FTP (20, 21, 20450-20480), let in reply packets that external hosts send to the server's other ports, and discard all other inbound packets
iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
Note: Set the default policy to DROP only after the ACCEPT rules are in place, and add a rule for your own management access (such as SSH from a trusted network) first; otherwise a remote session is cut off. The ESTABLISHED rule is limited to TCP, so replies to UDP traffic the host itself originates (DNS lookups, for example) would be dropped under this policy.
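The fifteen items above each show a single match or target in isolation. As an added example (not from the original post), the following script puts them together into one ordered rule set for a firewall host: stateful and anti-spoofing rules first, then management access, then published services, and the default DROP policy last. The external interface eth1, the admin network 202.13.0.0/16, the LAN 192.168.0.0/24 and the service ports come from the items above; the LAN interface name eth0, the ten-minute rollback window and the choice of published services are assumptions. Run it without arguments, or with IPT=echo, to print the commands instead of applying them.

```shell
#!/bin/sh
# Consolidated firewall script, added as an example; not part of the original post.
# From the page: external interface eth1, admin network 202.13.0.0/16,
# LAN 192.168.0.0/24, service ports. Assumptions: LAN interface eth0,
# the published services, the rollback window.
# Set IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"                 # assumption: inside interface
WAN_IF="${WAN_IF:-eth1}"                 # external interface from item 4
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ADMIN_NET="${ADMIN_NET:-202.13.0.0/16}"

# Schedule a rollback before touching the rules (same at mechanism as item 5);
# cancel it with atrm once you have confirmed you can still log in.
schedule_rollback() {
    if ! command -v at >/dev/null 2>&1; then
        echo "at not installed, no automatic rollback" >&2
        return 0
    fi
    printf '%s\n' "$IPT -P INPUT ACCEPT" "$IPT -F INPUT" | at now + 10 minutes
}

firewall_rules() {
    # 1. Clean slate. Policies stay ACCEPT until the allow rules exist, so a
    #    remote session is not cut off halfway through the script.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    # 2. Stateful basics first: loopback, replies to our own connections
    #    (item 14), and TCP that claims to be new but lacks SYN (item 13).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # 3. Anti-spoofing on the Internet side (item 4), for INPUT and FORWARD.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # 4. Management access before anything else is restricted (item 6).
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # 5. Published services: FTP control, SMTP, POP3, HTTP and the passive
    #    FTP data range (items 11 and 15).
    $IPT -A INPUT -p tcp -m multiport --dports 21,25,80,110 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 1250:1280 -m state --state NEW -j ACCEPT

    # 6. Ping: answer nobody; replies to our own pings already pass as
    #    ESTABLISHED above (item 9).
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # 7. Forwarding: LAN hosts may resolve names (item 8); the replies come
    #    back through the ESTABLISHED,RELATED rule.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 8. Only now flip the default policies (item 15). Anything not matched
    #    above, including new connections to unpublished ports, is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

case "${1:-}" in
    apply) schedule_rollback; firewall_rules ;;
    *)     IPT=echo; firewall_rules ;;    # dry run: print what would be applied
esac
```

Run `sh firewall.sh` to review the generated commands and `sh firewall.sh apply` as root to install them. The rollback job re-opens INPUT after ten minutes unless you remove it with atrm, which protects against the lockout described under item 15 in the same way item 5 uses at for a timed unblock.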

