Install the iptables firewall
If iptables is not installed yet, install it first. On CentOS run:
yum install iptables
On Debian/Ubuntu run:
apt-get install iptables
The iptables rules currently set on the VPS are:
*nat
:PREROUTING ACCEPT [7978:1018059]
:POSTROUTING ACCEPT [9376:593102]
:OUTPUT ACCEPT [9376:593102]
-A POSTROUTING -s 192.168.217.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [449:152450]
:FORWARD DROP [52:3156]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 60.195.252.107 -i eth0 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 60.195.252.110 -i eth0 -p udp -m udp --dport 161 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
Only these ports are open: SSH on 22, HTTP on 80, FTP on 21 and 20, SNMP on UDP 161 (from the two listed hosts only), and 1723 for PPTP. An LNMPA server may also need port 88 opened, because the LNMPA one-click installation package puts Apache on port 88; alternatively, change the Nginx port to 88. As for ICMP, this configuration accepts only type 8 (ping echo requests); no other ICMP is accepted.
iptables rule management
List the current iptables rules:
iptables -L -n --line-numbers
Delete one rule by chain and line number, for example:
iptables -D INPUT 6
iptables -D FORWARD 1
This deletes the 6th rule in INPUT and the 1st rule in FORWARD respectively. When deleting several rules from one chain, delete the highest-numbered ones first, because the remaining rules are renumbered after each deletion.
Saving and restoring iptables rules
Once the rules are set, run:
iptables-save > /etc/iptables.rules
This saves the rules to /etc/iptables.rules. To reload them at boot, add the restore command to /etc/rc.local:
vi /etc/rc.local
Add the following line above "exit 0":
iptables-restore < /etc/iptables.rules
Clearing iptables rules
Run:
iptables -F
iptables -X
iptables -Z
Note that -F only removes the rules; the chain policies stay as they are, so with a DROP policy on INPUT, flushing alone does not restore access.
iptables from getting started to mastering
Introduction to the experimental environment:
In this script eth0 is the external (WAN) interface and eth1 is the internal (LAN) interface:
#!/bin/sh
# External (WAN) interface
EXT_IF="eth0"
FW_IP="61.137.85.21"
# Internal (LAN) interface
INT_IF="eth1"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/255.255.255.0"
# Load modules; these are usually built into the kernel
#echo "Loading modules"
#modprobe ip_tables
#modprobe ip_nat_ftp
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
# Enable forwarding
echo "Enabling IP forwarding ..."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Initialise the rules and set the default policies to DROP
echo "Enabling iptables rules"
# Reset the default policies in the tables
# iptables command arguments
iptables -F
iptables -X
iptables -F -t mangle
iptables -X -t mangle
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
# Set policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
###-----------------------------------------------------------------###
# Filter worm traffic
# 4444/445/69/135/139
###-----------------------------------------------------------------###
iptables -A FORWARD -p tcp --dport 4444 -j DROP
iptables -A FORWARD -p udp --dport 4444 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP
iptables -A FORWARD -p tcp --dport 69 -j DROP
iptables -A FORWARD -p udp --dport 69 -j DROP
iptables -A FORWARD -p tcp --dport 135 -j DROP
iptables -A FORWARD -p udp --dport 135 -j DROP
iptables -A FORWARD -p tcp --dport 139 -j DROP
iptables -A FORWARD -p udp --dport 139 -j DROP
# Allow ping to localhost and to 192.168.0.1/2
# Allow loopback access
iptables -A INPUT -p icmp -i lo -j ACCEPT
iptables -A OUTPUT -p icmp -o lo -j ACCEPT
# Open internal-to-internal connections
#iptables -A INPUT -i lo -j ACCEPT
# Allow the proxy and the LAN clients to exchange data with each other (including ping)
# Allow ping from the LAN
iptables -A INPUT -p all -i $INT_IF -s $LAN_IP_RANGE -j ACCEPT
iptables -A OUTPUT -p all -o $INT_IF -d $LAN_IP_RANGE -j ACCEPT
# Allow the external interface and the LAN to communicate. Inbound data is accepted only as response packets, otherwise it is not released; outbound data is not restricted.
iptables -A INPUT -p all -i $INT_IF -s $LAN_IP_RANGE -j ACCEPT
# Reject packets from the outside that spoof internal addresses
# Deny local spoofing
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
# DHCP packets entering the firewall host from the LAN are not released; release them only when the firewall itself is the DHCP server
# Deny DHCP packets from the LAN
# (the port numbers were missing from the original line; 68/67 are the standard DHCP client/server ports)
iptables -A INPUT -p udp -i $INT_IF --sport 68 --dport 67 -j DROP
###-----------------------------------------------------------------------------------###
# Outbound TCP rules. With -m state, the --state parameter specifies which connection states to match.
# ESTABLISHED matches packets that belong to an existing TCP connection.
# NEW matches the first packet that tries to create a new TCP connection. This rule means that packets of NEW and ESTABLISHED
# TCP connections are sent out through eth0.
###-----------------------------------------------------------------------------------###
iptables -A OUTPUT -o $EXT_IF -p tcp -m state --state ESTABLISHED,NEW -j ACCEPT
###----------------------------------------------------------------------------------###
# Forward packets from one interface to the other
###----------------------------------------------------------------------------------###
iptables -A FORWARD -i $INT_IF -j ACCEPT
# Same purpose as the rule above
#iptables -A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
###-------------------------------------------------------------------------------------###
# Check the state of packets arriving on the external interface. Packets that belong to an existing TCP connection are allowed through;
# from WAN to LAN only response packets are released
###-------------------------------------------------------------------------------------###
iptables -A INPUT -i $EXT_IF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rate-limit this logging rule to three packets per minute, with a burst of at most three packets at a time.
# Packets above the limit simply do not match this rule, so they are not logged; they continue to the following rules
# and finally hit the DROP policy. Floods of such packets are typically used for denial-of-service attacks.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPT INPUT packets Died:"
###-------------------------------------------------------------------------###
# Control IP fragments regardless of their source; allow 100 fragments per second
###-------------------------------------------------------------------------###
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
###-------------------------------------------------------------------------###
# Control the ICMP packets passing through, to limit ICMP-based attacks
###-------------------------------------------------------------------------###
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
###-------------------------------------------------------------------------###
# Prevent DDoS
###-------------------------------------------------------------------------###
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j
###-------------------------------------------------------------------------###
# Release UDP packets
# Allow UDP
###-------------------------------------------------------------------------###
iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
###-------------------------------------------------------------------------###
# Block a host's Internet access by MAC address
###-------------------------------------------------------------------------###
#iptables -t nat -I PREROUTING -m mac --mac-source 4c:00:10:d8:57:f3 -j DROP
###-----------------------------------------------------###
# Allow internal hosts to telnet to external hosts, telnet port 23
###-----------------------------------------------------###
# There is no need to open port 23
#iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 23 -j
#iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT
###-----------------------------------------------------###
# Open the mail forwarding channel, SMTP port 25
###-----------------------------------------------------###
# The following lets others send mail to you
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp ! --syn -s $FW_IP --sport 25 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
# The following lets you send mail to others
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT
###-----------------------------------------------------###
# Open the offline mail download channel, POP3 port 110
###-----------------------------------------------------###
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 110 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT
###-----------------------------------------------------###
# Open the web browsing channel, HTTP port 80
###-----------------------------------------------------###
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT
###-----------------------------------------------------###
# Open DNS queries to external DNS hosts, DNS port 53
###-----------------------------------------------------###
# The first query is sent as a UDP packet
iptables -A OUTPUT -o $EXT_IF -p udp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# If that fails, the query is retried over TCP
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Let the DNS server on this host exchange queries with external DNS hosts: over UDP
iptables -A OUTPUT -o $EXT_IF -p udp -s $FW_IP --sport 53 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
# Let the DNS server on this host exchange queries with external DNS hosts: over TCP
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 53 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
###------------------------------------------------------------------------###
# Allow internal hosts to SSH to external hosts, SSH port 22
###------------------------------------------------------------------------###
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT
# This is where the SSH protocol differs from the others: it may also use the privileged source ports 1020-1023
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1020:1023 -d 0.0.0.0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 22 -d $FW_IP --dport 1020:1023 -j ACCEPT
###------------------------------------------------------------------------###
# Allow the internal network to FTP to external hosts
###------------------------------------------------------------------------###
# Open the command channel, port 21
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 21 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Open the (active-mode) data channel, port 20
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 20 -j ACCEPT
# Open the passive-mode FTP data channel
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0.0.0.0/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT
#-------------------------------------NAT------------------------------------------------
# Transparent proxy: redirect www traffic to squid
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
###-------------------------------------------------------------------------###
# Enable internal-to-external address translation: source NAT (SNAT)
###-------------------------------------------------------------------------###
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_IP_RANGE -j SNAT --to $FW_IP
###-------------------------------------------------------------------------###
# Enable external-to-internal address translation (map an intranet WWW server): DNAT
###-------------------------------------------------------------------------###
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $FW_IP --dport 80 -j DNAT --to 192.168.0.16:80
The principle for a dual-line (two-network) setup is the same:
if intranet 1 [or WAN 1] is 192.168.1.0/24
and intranet 2 [or WAN 2] is 192.168.2.0/24,
just change the corresponding part:
# Enable internal-to-external address translation: source NAT (SNAT)
###-------------------------------------------------------------------------###
iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.0/24 -j SNAT --to $FW_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.2.0/24 -j SNAT --to $FW_IP
The basic rules are attached below:
*filter
:INPUT ACCEPT [106:85568]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [188:168166]
:RH-Firewall-1-INPUT - [0:0]
# Allow the local loopback interface (i.e. the machine accessing itself)
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound access from this host
-A OUTPUT -j ACCEPT
# Allow PPTP VPN dial-in
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
# Only a specific host may access the rsync data synchronisation service
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 873 -j ACCEPT
# Only a specific host may access the WDCP management system
-A INPUT -s 6.6.6.6/32 -p tcp -m tcp --dport 8080 -j ACCEPT
# Allow SSH access
-A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
# Allow FTP access
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# Allow access to the web service
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Drop all connections that are not explicitly allowed
-A INPUT -p tcp -j DROP
# Note: if port 22 (the SSH port) is not added to an allow rule, the SSH connection will be cut off immediately.
#-A INPUT -j REJECT
#-A FORWARD -j REJECT
COMMIT
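As an added example (not part of the original post), a small POSIX shell audit of an iptables-save style ruleset: it lists the TCP ports the INPUT chain accepts and checks whether a given port is accepted by a rule that comes before the catch-all "-A INPUT -p tcp -j DROP", the lock-out the note above warns about. The ruleset is constructed here and mirrors the last one above (SSH on 1622, rsync from 8.8.8.8); its port 21 rule is deliberately placed after the DROP to show that a late ACCEPT never matches.

```shell
#!/bin/sh
# Audit an iptables-save style ruleset (example code, not from the original post).
# Constructed sample mirroring the last ruleset above; the port 21 ACCEPT is placed
# after the catch-all DROP on purpose, so it can never match.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1622 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT'

# Print every TCP --dport the INPUT chain accepts, in rule order, one per line.
# This is the naive view: it ignores rule order, which the next function checks.
accepted_input_ports() {
    printf '%s\n' "$RULES" | awk '
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT$/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Succeed (exit 0) only if port $1 is accepted by an INPUT rule that comes
# before the first catch-all "-A INPUT -p tcp -j DROP"; rules are evaluated
# top to bottom, so an ACCEPT appended after that DROP never matches.
port_accepted_before_drop() {
    printf '%s\n' "$RULES" | awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" && $NF == "DROP" && !/--dport/ { exit }
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

printf 'INPUT accepts TCP ports: %s\n' "$(accepted_input_ports | tr '\n' ' ')"
for p in 1622 22 21; do
    if port_accepted_before_drop "$p"; then
        echo "port $p: reachable before the catch-all DROP"
    else
        echo "port $p: NOT reachable (missing, or placed after the DROP)"
    fi
done
```

Run it against a real dump by replacing RULES with the output of iptables-save before loading a new ruleset over SSH.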