iptables examples: miscellany (closing or forwarding ports, filtering by IP and MAC address)

Source: Internet
Author: User
#/sbin/modprobe iptable_filter
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_nat
#/sbin/iptables -F -t nat
NAT for an ADSL dial-up link (ppp0)
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o ppp0 -j MASQUERADE
 
NAT for an Ethernet NIC (eth0)
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
 
Block TCP and UDP ports and open only specific ones (including the VPN forwarding and inbound ports)
/sbin/iptables -I INPUT -p tcp -s 172.16.0.0/24 -m multiport --dports 8383,139,1723 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 172.16.0.0/24 --dport 5432 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 172.16.0.0/24 -m multiport --dports 53,111 -j ACCEPT
/sbin/iptables -A INPUT -p gre -s 172.16.0.0/24 -j ACCEPT
#/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A FORWARD -p tcp -s 172.16.0.0/24 -m multiport --dports 80,110,225,1723,22,5252,10101,3306,443,543,8383 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 8000 -j ACCEPT
A game port
#/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 7000 -j ACCEPT
Protocol required by the VPN (GRE)
/sbin/iptables -A FORWARD -p gre -s 172.16.0.0/24 -j ACCEPT
Allow ping
/sbin/iptables -A FORWARD -p icmp -s 172.16.0.0/24 -j ACCEPT
 
# With this rule added, ICMP replies, FTP transfers and DCC pass through the firewall normally. Most other UDP protocols also depend on this connection-tracking mechanism: if it is not opened, BT clients will misbehave and the BT software will not be able to get through the firewall, and it also has to be enabled for FTP. The uncommented rule below restricts it so that only TCP packets are matched.
#/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A FORWARD -s 172.16.0.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# Block all remaining TCP and UDP ports (other ways of doing this also exist)
/sbin/iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 0:65535 -j DROP
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 0:65535 -j DROP
/sbin/iptables -A INPUT -p tcp -s 172.16.0.0/24 --dport 0:65535 -j DROP
/sbin/iptables -A INPUT -p udp -s 172.16.0.0/24 --dport 0:65535 -j DROP
 
# My own IP address is exempt from the rules
/sbin/iptables -I INPUT -s 172.16.0.108 -j ACCEPT
/sbin/iptables -I FORWARD -s 172.16.0.108 -j ACCEPT
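The firewall above, rebuilt as an added example (this is not the page's script): default-deny chain policies, a stateful rule that admits only ESTABLISHED,RELATED so the port lists alone decide which NEW connections pass, and the FORWARD accept that the DNATed eMule port needs once the policy is DROP. It assumes eth0 as the WAN interface, adds a loopback accept the page lacks, and uses a subset of the page's port lists; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the page's script: the same LAN firewall rebuilt with a
# default-deny policy. The page's FORWARD rule "-p tcp -m state --state
# NEW,ESTABLISHED,RELATED -j ACCEPT" matches NEW, so every TCP connection from
# the LAN is accepted before its "--dport 0:65535 -j DROP" is reached, and all
# chain policies stay ACCEPT, so hosts outside the /24 are never filtered.
# Here NEW is only admitted by the port lists. IPT=echo gives a dry run.
IPT=${IPT:-/sbin/iptables}
LAN=172.16.0.0/24
HOST=172.16.0.108          # unrestricted host and eMule DNAT target on the page
WAN=${WAN:-eth0}           # assumption; ppp0 for the ADSL variant
EMULE_PORT=19145
IN_TCP=8383,139,1723,5432              # from the page's INPUT rules
FWD_TCP=80,110,1723,22,3306,443,8383   # subset of the page's FORWARD list
fw_reset() {
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
}
fw_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    # replies only: no NEW here, so unlisted ports stay closed
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s "$HOST" -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp -m multiport --dports "$IN_TCP" -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p udp -m multiport --dports 53,111 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p gre -j ACCEPT     # PPTP data channel
    $IPT -A INPUT -s "$LAN" -p icmp -j ACCEPT
}
fw_forward() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$HOST" -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -p tcp -m multiport --dports "$FWD_TCP" -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -p udp -m multiport --dports 53,8000 -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -p gre -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -p icmp -j ACCEPT
    # with a DROP policy, DNATed eMule traffic also needs a FORWARD accept
    for proto in tcp udp; do
        $IPT -A FORWARD -i "$WAN" -d "$HOST" -p $proto --dport "$EMULE_PORT" -j ACCEPT
    done
}
fw_nat() {
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$WAN" -j MASQUERADE
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p $proto --dport "$EMULE_PORT" \
            -j DNAT --to-destination "$HOST:$EMULE_PORT"
    done
}
fw_apply() { fw_reset; fw_input; fw_forward; fw_nat; }
```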
 
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  172.16.0.108         anywhere
ACCEPT     tcp  --  172.16.0.0/24        anywhere             multiport dports pop3,http,smtp,ssh,https,ipvs,mysql,ftp,microsoft-ds,10101,5252,webcache,8383,netbios-ssn,1723
ACCEPT     tcp  --  172.16.0.0/24        anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  172.16.0.0/24        anywhere             tcp dpt:ipvs
ACCEPT     udp  --  172.16.0.0/24        anywhere             multiport dports domain,sunrpc
ACCEPT     gre  --  172.16.0.0/24        anywhere
DROP       tcp  --  172.16.0.0/24        anywhere             tcp
DROP       udp  --  172.16.0.0/24        anywhere             udp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  172.16.0.108         anywhere
ACCEPT     tcp  --  172.16.0.0/24        anywhere             multiport dports http,pop3,ftp,smtp,1723,ssh,5252,10101,mysql,https,ipvs,webcache,sieve,1935,8383
ACCEPT     udp  --  172.16.0.0/24        anywhere             udp dpt:domain
ACCEPT     udp  --  172.16.0.0/24        anywhere             udp dpt:8000
ACCEPT     udp  --  172.16.0.0/24        anywhere             udp dpt:afs3-fileserver
ACCEPT     gre  --  172.16.0.0/24        anywhere
ACCEPT     icmp --  172.16.0.0/24        anywhere
DROP       tcp  --  172.16.0.0/24        anywhere             tcp
DROP       udp  --  172.16.0.0/24        anywhere             udp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



==============================================================================
Block an IP address
/sbin/iptables -A FORWARD -s 172.16.0.*** -j DROP
Remove the IP address block again
/sbin/iptables -D FORWARD -s 172.16.0.*** -j DROP
==============================================================================
Port forwarding on the router (so that eMule, the "donkey", gets a high ID); it did not seem to work when tested.
/sbin/iptables -t nat -A PREROUTING -p udp -m udp --dport 19145 -j DNAT --to-destination 172.16.0.108:19145
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p udp -m udp --dport 19145 -j SNAT --to-source 172.16.0.2

/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 19145 -j DNAT --to-destination 172.16.0.108:19145
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p tcp -m tcp --dport 19145 -j SNAT --to-source 172.16.0.2

#/sbin/iptables -t nat -A PREROUTING -p udp -m udp --dport 4662 -j DNAT --to-destination 172.16.0.108:4662
#/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p udp -m udp --dport 4662 -j SNAT --to-source 172.16.0.2

#/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4662 -j DNAT --to-destination 172.16.0.108:4662
#/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p tcp -m tcp --dport 4662 -j SNAT --to-source 172.16.0.2
============================================================================================
###### Access control by MAC address
###### The order of the rules matters

#/sbin/iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -p tcp -m multiport --dports 80,110,225,1723,22,5252,10101,3306,443,543,8383 -j ACCEPT

#/sbin/iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -p udp --dport 53 -j ACCEPT

#/sbin/iptables -A FORWARD -p icmp -j ACCEPT

###### Keep this line last; check the result with iptables -L.

#/sbin/iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -j DROP
