Install iptables Firewall
If iptables is not installed yet, install it first. On CentOS:
yum install iptables
On Debian/Ubuntu:
apt-get install iptables
Clear existing iptables rules
iptables -F
iptables -X
iptables -Z
Open the specified ports
# Allow the local loopback interface (i.e. programs on this machine talking to this machine)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow ports 21 and 20 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Other ports follow the same pattern; adjust the statements above accordingly
# Reject everything that was not explicitly allowed above
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
# Note: if port 22 was not added to the allow rules, the SSH session is cut off the moment the REJECT rule is added.
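The procedure above as one script, added here as an example and not part of the original post. It builds the same INPUT policy from a port list, refuses to run if the administration port is missing from that list (the lockout noted above), and takes the iptables binary from a variable so the commands can be printed with IPT=echo instead of applied. The function names, the IPT variable and the use of -i lo for loopback (which covers all of 127.0.0.0/8, not only 127.0.0.1) are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the "open the specified
# ports" policy from a port list, in the order that matters, with a dry-run switch.
# Set IPT=echo to print the commands instead of running them (needs no root).
IPT="${IPT:-iptables}"

# Check that the port you are administering over is in the list, so the final
# REJECT cannot cut off your own session. $1: port list, $2: admin port (default 22).
check_admin_port() {
    for p in $1; do
        [ "$p" = "${2:-22}" ] && return 0
    done
    return 1
}

# Build the complete INPUT policy for a host exposing only the given TCP ports.
# $1: space-separated TCP port list, e.g. "22 80 443"
apply_host_policy() {
    check_admin_port "$1" || { echo "admin port missing from port list, refusing" >&2; return 1; }
    $IPT -F
    $IPT -X
    $IPT -Z
    # loopback first (-i lo covers all of 127.0.0.0/8, not just 127.0.0.1)
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened, plus related traffic (FTP data, ICMP errors)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -j ACCEPT
    for p in $1; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    # everything else is rejected; these two must stay last
    $IPT -A INPUT -j REJECT
    $IPT -A FORWARD -j REJECT
}
```

Run it as `IPT=echo sh firewall.sh` first and read the printed rule order; only then run it as root against the real binary.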
Blocking IPs
# If you only want to block IPs, the "Open the specified ports" step above can be skipped.
# -I inserts at the top of the chain, so the block takes effect before any ACCEPT rule.
# Block a single IP:
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block the whole /8, i.e. 123.0.0.0 to 123.255.255.255:
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block a /16, i.e. 123.45.0.0 to 123.45.255.255:
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block a /24, i.e. 123.45.6.0 to 123.45.6.255:
iptables -I INPUT -s 123.45.6.0/24 -j DROP
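A small wrapper around the blocking commands above, added as an example and not from the original post. It keeps the blocks in their own chain (so they can be listed and flushed without touching the service rules) and validates every address before inserting it, which catches the kind of typo where a /16 is entered for the wrong first octet. The chain name `blocklist`, the function names and the IPT dry-run variable are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: maintain blocked addresses in a
# dedicated chain, validating each CIDR before it is inserted.
# Set IPT=echo to print the commands instead of running them.
IPT="${IPT:-iptables}"

# Validate a dotted quad with an optional /prefix: four octets 0-255, prefix 0-32.
# Returns 0 for a well-formed address, 1 otherwise.
valid_cidr() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32      # no slash given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Create the chain once and hook it at the top of INPUT, ahead of every ACCEPT rule.
# -C checks whether the hook already exists, so this is safe to run repeatedly.
init_blocklist() {
    $IPT -N blocklist 2>/dev/null
    $IPT -C INPUT -j blocklist 2>/dev/null || $IPT -I INPUT 1 -j blocklist
}

# Block one host or network; refuses anything that is not a valid address.
block_cidr() {
    valid_cidr "$1" || { echo "refusing malformed address: $1" >&2; return 1; }
    $IPT -I blocklist -s "$1" -j DROP
}

# Remove every block at once without touching the service rules.
clear_blocklist() {
    $IPT -F blocklist
}
```

Usage on a live host: `init_blocklist` once, then `block_cidr 123.45.0.0/16` for each entry; `iptables -L blocklist -n` shows only the blocks. With IPT=echo the -C check always "succeeds", so the hook is only inserted on a real run.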
Example NAT gateway script
# External interface eth0: address obtained automatically
# Internal interface eth1: 172.16.0.0/16
#!/bin/sh
#
# Helper modules: the MASQUERADE target and the FTP connection-tracking/NAT helpers.
# (On current kernels the FTP helpers are named nf_conntrack_ftp and nf_nat_ftp.)
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# INPUT
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Samba from the intranet (Linux file sharing that talks to Windows clients; leave closed if unused), SMTP and POP3.
# If IMAP or other services are needed, add their ports here.
# Ports: 80 HTTP, 25 SMTP, 110 POP3, 445 SMB (Samba), 1863 MSN Messenger, 5222 XMPP
iptables -A INPUT -p tcp -m multiport --dports 110,80,25,445,1863,5222 -j ACCEPT
iptables -A INPUT -p tcp -s 172.16.0.0/16 --dport 139 -j ACCEPT
# Allow DNS resolution through. If the intranet runs its own DNS server (forwarder),
# only allow that server by adding -s <its IP> to this rule.
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
# Allow VPN connections from outside (PPTP: TCP 1723 plus GRE); enable if the company uses a VPN
#iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
#iptables -A INPUT -p gre -j ACCEPT
# (redundant with the general ESTABLISHED,RELATED rule above; kept from the original listing)
iptables -A INPUT -s 172.16.0.0/16 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow at most 20 simultaneous connection attempts per source IP from the outside; drop the rest
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 20 -j DROP
# The same limit for intranet sources
iptables -A INPUT -s 172.16.0.0/16 -p tcp --syn -m connlimit --connlimit-above 20 -j DROP
# Block ICMP (ping). Leave these disabled while testing; enable afterwards if wanted.
#iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level info --log-prefix "ICMP packet in:"
#iptables -A INPUT -p icmp -j DROP
# Masquerade intranet traffic leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/16 -j MASQUERADE
# Lightweight SYN-flood protection: new SYNs are rate-limited in a separate chain.
# Appended here, the chain only sees SYNs that the ACCEPT rules above did not already take;
# to throttle all new connections, insert the "-j syn-flood" rule before those ACCEPT rules.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# FORWARD
iptables -P FORWARD DROP
# Replies to forwarded connections must pass, otherwise the DROP policy kills every session
# (this rule was commented out in the original listing, which left forwarding broken)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.0.0/16 -m multiport --dports 80,110,21,25,1723 -j ACCEPT
iptables -A FORWARD -p udp -s 172.16.0.0/16 --dport 53 -j ACCEPT
# Allow VPN clients on the intranet to reach external VPNs (internet cafés usually do not need this; companies with a VPN do)
#iptables -A FORWARD -p gre -s 172.16.0.0/16 -j ACCEPT
#iptables -A FORWARD -p icmp -s 172.16.0.0/16 -j ACCEPT
# The following rules block QQ; in an internet café remove the leading #.
# The string match requires --algo (bm or kmp); the time match uses --weekdays on current
# kernels (the original listing used the older --days spelling).
# Monday to Saturday 08:15-12:30: block QQ traffic
#iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "Tencent" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "TENCENT" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Monday to Saturday 13:30-20:30: block QQ traffic
#iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "Tencent" -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Monday to Saturday 08:15-12:30: block the QQ web site
#iptables -I FORWARD -s 172.16.0.0/16 -m string --algo bm --string "qq.com" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Monday to Saturday 13:30-20:30: block the QQ web site
#iptables -I FORWARD -s 172.16.0.0/16 -m string --algo bm --string "qq.com" -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Block some sites by content; works best together with an intranet DNS server that returns a wrong address for them
iptables -I FORWARD -s 172.16.0.0/16 -m string --algo bm --string "xxx.com" -j DROP
iptables -I FORWARD -s 172.16.0.0/16 -m string --algo bm --string "adult" -j DROP
# Caution: a pattern this short matches almost any web page ("header", "load", ...)
iptables -I FORWARD -p tcp --sport 80 -m string --algo bm --string "ad" -j DROP
# Blocking sites this way is relatively expensive: every forwarded packet is searched.
# Block BitTorrent and other P2P protocols; this needs the third-party ipp2p module
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# Concurrent-connection control: at most 20 simultaneous port-80 forwards per /16 group of source IPs
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 16 -j DROP
# Enable forwarding (on Red Hat make it permanent in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
# Enable SYN cookies (lightweight DoS protection)
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Default timeout for established TCP connections: 3800 seconds (noticeably reduces the number of tracked connections)
# (current kernels expose this as net.netfilter.nf_conntrack_tcp_timeout_established)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# Maximum number of tracked connections: 300,000 (depends on your RAM and iptables version; each entry needs over 300 bytes)
# (current kernels: net.netfilter.nf_conntrack_max)
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1
Viewing the iptables rules that have been added
iptables -L -n
Useful options:
-v: show details, including the number of packets and bytes that matched each rule
-x: in addition to -v, do not convert the counters to K/M units
-n: show IP addresses and port numbers numerically, without resolving IPs to host names
Deleting iptables rules that have been added
Show all rules with their line numbers:
iptables -L -n --line-numbers
For example, to delete rule number 8 in the INPUT chain:
iptables -D INPUT 8
Rule numbers shift after every deletion, so list again before deleting the next one. Rules changed this way live only in memory; save them with iptables-save (service iptables save on CentOS) or they are lost at reboot.
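Deleting by ordinal is fragile because the numbers change after each -D. An alternative, added here as an example and not from the original post, is to take the rules from `iptables -S` (which prints them as -A commands) and turn the matching ones into -D commands with the full rule specification, which stays valid no matter how many rules were removed before it. The sample listing below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: delete rules by their full
# specification instead of by ordinal, since ordinals shift after every -D.

# Constructed sample of `iptables -S INPUT` output (not captured from a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 123.45.6.7/32 -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Turn every -A rule in a -S listing that matches a pattern into the equivalent
# -D command. $1: listing text (e.g. "$(iptables -S INPUT)"), $2: grep pattern.
delete_cmds_for() {
    printf '%s\n' "$1" | grep -- '^-A ' | grep -- "$2" | sed 's/^-A /iptables -D /'
}

# Count how many rules a pattern would remove; check this before piping the commands to sh.
count_matches() {
    delete_cmds_for "$1" "$2" | awk 'END { print NR }'
}

# Usage on a live host (as root):
#   count_matches "$(iptables -S INPUT)" '--dport 80'
#   delete_cmds_for "$(iptables -S INPUT)" '--dport 80' | sh
```

Always look at the count first: a loose pattern such as `ACCEPT` would generate a -D for every accept rule in the chain.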