[root@localhost ~]# cat /etc/access
#!/bin/bash
# Clear the existing policy (the init script flushes every chain and resets the chain policies to ACCEPT)
sudo /etc/init.d/iptables stop
# Every rule below is added with -I (insert at the top of the chain), so later lines of this script end up earlier in the chain
# Open server ports (SSH and HTTP)
sudo /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
sudo /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --sport 80 -j ACCEPT
# Allow outbound access (HTTP, NTP, DNS)
# Caveat: the INPUT rules here accept replies by source port only. Any remote host can send from
# source port 80, 53 or 123 and reach every local port through them; a connection-tracking rule
# (-m conntrack --ctstate ESTABLISHED,RELATED) is the usual replacement for all of these
sudo /sbin/iptables -I OUTPUT -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -I INPUT -p tcp --sport 80 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --dport 123 -j ACCEPT
sudo /sbin/iptables -I INPUT -p tcp --sport 123 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p udp --dport 123 -j ACCEPT
sudo /sbin/iptables -I INPUT -p udp --sport 123 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --dport 53 -j ACCEPT
sudo /sbin/iptables -I INPUT -p tcp --sport 53 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
sudo /sbin/iptables -I INPUT -p udp --sport 53 -j ACCEPT
# Allow traffic on the loopback interface in both directions
sudo /sbin/iptables -I INPUT -i lo -j ACCEPT
sudo /sbin/iptables -I OUTPUT -o lo -j ACCEPT
# Allow ICMP packets
sudo /sbin/iptables -I INPUT -p icmp -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p icmp -j ACCEPT
# Allow mutual access within the LAN segment 10.10.1.0/24
sudo /sbin/iptables -I OUTPUT -p tcp --sport 0:65535 -d 10.10.1.0/24 -j ACCEPT
sudo /sbin/iptables -I INPUT -p tcp -s 10.10.1.0/24 --dport 0:65535 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p udp --sport 0:65535 -d 10.10.1.0/24 -j ACCEPT
sudo /sbin/iptables -I INPUT -p udp -s 10.10.1.0/24 --dport 0:65535 -j ACCEPT
# Change the default policy to DROP (discard every packet that no rule matched)
# Until these three lines run the chain policies are still ACCEPT, so the host is open while the
# script executes; loading the complete rule set in one go with iptables-restore avoids that window
sudo /sbin/iptables -P INPUT DROP
sudo /sbin/iptables -P OUTPUT DROP
sudo /sbin/iptables -P FORWARD DROP
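The base policy above builds its chains one -I at a time while the chain policies are still ACCEPT, and it admits inbound packets by source port (--sport 80, --sport 53, --sport 123), which any remote host can set at will. The following script is an added example, not code from the original page: it emits the same policy as a single iptables-restore ruleset, so the DROP policies and all rules are committed atomically, and it replaces the source-port rules with connection tracking so that only replies to connections this host accepted or opened get in. The LAN 10.10.1.0/24 and the port list are taken from the page; the environment variables and the function names gen_ruleset, count_sport_rules and apply_ruleset are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: the page's base policy rebuilt as an
# iptables-restore ruleset. Differences from the script above:
#   - the DROP policies are part of the table, so there is no window during loading
#     in which the chains are still ACCEPT;
#   - replies are admitted by connection tracking instead of by source port, so a
#     remote host cannot get in simply by sending from port 80, 53 or 123.
# Assumed values (taken from the page): LAN 10.10.1.0/24, inbound TCP 22 and 80,
# outbound TCP 80 and 53, outbound UDP 53 and 123. Function names are this example's own.

LAN_NET="${LAN_NET:-10.10.1.0/24}"
INBOUND_TCP="${INBOUND_TCP:-22 80}"
OUTBOUND_TCP="${OUTBOUND_TCP:-80 53}"
OUTBOUND_UDP="${OUTBOUND_UDP:-53 123}"

# gen_ruleset: print a complete *filter table in iptables-restore format.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback and ICMP, as in the original script.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT' '-A OUTPUT -p icmp -j ACCEPT'
    # Replies to connections this host accepted or initiated; this pair replaces every
    # "--sport N -j ACCEPT" rule of the original.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Services this host offers.
    for p in $INBOUND_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Connections this host may open to the outside.
    for p in $OUTBOUND_TCP; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $OUTBOUND_UDP; do
        printf '%s\n' "-A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # LAN segment: any TCP or UDP in either direction (the original's 0:65535 rules).
    printf '%s\n' "-A INPUT -s $LAN_NET -p tcp -j ACCEPT" "-A INPUT -s $LAN_NET -p udp -j ACCEPT"
    printf '%s\n' "-A OUTPUT -d $LAN_NET -p tcp -j ACCEPT" "-A OUTPUT -d $LAN_NET -p udp -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# count_sport_rules: number of generated rules that match on a source port (expected 0).
count_sport_rules() {
    gen_ruleset | grep -c -- '--sport' || true
}

# apply_ruleset: parse-check the table with iptables-restore --test, then load it atomically.
# When doing this over SSH, arm a rollback first, e.g.
#   iptables-save > /root/last-good.rules; (sleep 120; iptables-restore < /root/last-good.rules) &
# and kill that background job once the new rules are confirmed to work.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

gen_ruleset alone is safe to run anywhere (it only prints); apply_ruleset needs root and a kernel with the conntrack match, and the rollback timer in its comment is what keeps a typo from locking you out of an SSH session.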
#################################################
# When this host is the OpenVPN server, let clients reach the outside world through the tunnel (NAT on eth1 by default)
# This and the FORWARD rules below also need net.ipv4.ip_forward=1; with the FORWARD policy set to DROP a NAT rule alone forwards nothing
sudo /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
# When this host is the OpenVPN server, let clients reach a specific CIDR block through NAT on the given interface
sudo /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth1 -d 10.31.255.0/24 -j MASQUERADE
sudo /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -d 172.17.167.0/24 -j MASQUERADE
# Allow forwarding to and from the OpenVPN clients (client-to-client traffic and the return path of the NAT above)
sudo /sbin/iptables -A FORWARD -o tun0 -d 10.8.0.0/24 -j ACCEPT
sudo /sbin/iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -j ACCEPT
#################################################
# Block a specific network segment from reaching one port on a specific local address (10.10.1.100, this host's own IP)
# -I places this DROP ahead of the LAN ACCEPT rules inserted earlier, which is what makes it take effect
sudo /sbin/iptables -I INPUT -s 10.10.1.0/24 -p tcp -d 10.10.1.100 --dport 5566 -j DROP
# Block a range of addresses from reaching one port on the local IP address
sudo /sbin/iptables -I INPUT -m iprange --src-range 10.10.1.20-10.10.1.22 -p tcp -d 10.10.1.100 --dport 5566 -j DROP
#################################################
# LVS server heartbeat packets (224.0.0.18 is the VRRP multicast group used by keepalived)
sudo /sbin/iptables -I INPUT -i eth0 -d 224.0.0.18 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -o eth0 -d 224.0.0.18 -j ACCEPT
#################################################
# Enable NAT port mapping for the CEN segment: map port 15941 of 10.31.20.14 to port 15941 of 10.31.20.41
# 10.31.20.41 must use 10.31.20.14 as its gateway, so that its replies come back through this host and conntrack can reverse the translation
# Enable forwarding on the eth1 NIC for the 10.31.255.0/24 segment (10.31.255.41)
iptables -A FORWARD -o eth1 -d 10.31.255.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.31.255.0/24 -j ACCEPT
# DNAT port 15941 of 10.31.20.14 to port 15941 of 10.31.20.41
iptables -t nat -A PREROUTING -d 10.31.20.14 -p tcp --dport 15941 -j DNAT --to-destination 10.31.20.41:15941
#################################################
# Notes on DNAT and SNAT with iptables
# Use DNAT to map a local public address (202.96.209.20, which must be configured on the NIC) to a specific internal address, i.e. a DMZ host.
# With the FORWARD policy set to DROP above, the translated traffic also needs a FORWARD ACCEPT rule for the internal host, as in the CEN example.
# iptables -t nat -A PREROUTING -d 202.96.209.20 -j DNAT --to-destination 192.168.0.110
# Then let every address in the internal segment go out through the local address 202.96.209.134 (also configured on the NIC) via SNAT:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 202.96.209.134
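Two problems in a rule set like the one above are easy to miss by eye: INPUT rules that ACCEPT on a source port alone (--sport 80, --sport 53) are satisfied by any remote host that chooses that source port, and a DNAT in the nat table does nothing useful while the FORWARD policy is DROP unless some FORWARD rule admits the translated destination. The audit below is an added example, not part of the original script: it runs over an iptables-save dump and reports both. The dump embedded in it is constructed from the page's own rules (it was not captured from a host), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original script: audit an iptables-save dump for
# two weaknesses present in the rules above.
#   1. INPUT rules that ACCEPT on a source port alone (--sport 80, --sport 53, ...):
#      any remote host can pick that source port and reach every local port.
#   2. DNAT targets that no FORWARD rule admits: with "-P FORWARD DROP" the translated
#      packets are dropped, so the port mapping silently does nothing.
# The dump below is constructed from the page's rules for this example; it was not
# captured from a host. Function names are this example's own.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.31.20.14/32 -p tcp -m tcp --dport 15941 -j DNAT --to-destination 10.31.20.41:15941
-A PREROUTING -d 202.96.209.20/32 -j DNAT --to-destination 192.168.0.110
-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 202.96.209.134
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -o eth1 -d 10.31.255.0/24 -j ACCEPT
-A FORWARD -i eth1 -s 10.31.255.0/24 -j ACCEPT
COMMIT'

# sport_only_accepts: INPUT ACCEPT rules keyed on --sport with no --dport and no
# connection-state match. Reads an iptables-save dump on stdin.
sport_only_accepts() {
    grep -- '^-A INPUT ' | grep -- '--sport ' | grep -v -- '--dport ' \
        | grep -E -v -- '--(ct)?state ' | grep -- '-j ACCEPT' || true
}

# dnat_without_forward: print each DNAT destination in the dump that no FORWARD ACCEPT
# rule covers. A FORWARD rule covers a host when it has no -s restriction, its -d (if any)
# contains the host, and its --ctstate/--state (if any) admits NEW or DNAT packets.
dnat_without_forward() {
    awk '
    function ip2int(ip,    o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function contains(cidr, host,    p, bits, div) {
        if (cidr == "") return 1
        bits = 32
        p = index(cidr, "/")
        if (p > 0) { bits = substr(cidr, p + 1) + 0; cidr = substr(cidr, 1, p - 1) }
        div = 2 ^ (32 - bits)
        return int(ip2int(cidr) / div) == int(ip2int(host) / div)
    }
    /^-A PREROUTING / && / -j DNAT / {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") { t = $(i + 1); sub(/:.*/, "", t); dnat[++n] = t }
    }
    /^-A FORWARD / && / -j ACCEPT/ {
        s = ""; d = ""; st = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") s = $(i + 1)
            if ($i == "-d") d = $(i + 1)
            if ($i == "--ctstate" || $i == "--state") st = $(i + 1)
        }
        m++; fs[m] = s; fd[m] = d; fst[m] = st
    }
    END {
        for (k = 1; k <= n; k++) {
            ok = 0
            for (j = 1; j <= m; j++)
                if (fs[j] == "" && contains(fd[j], dnat[k]) && (fst[j] == "" || fst[j] ~ /NEW|DNAT/)) { ok = 1; break }
            if (!ok) print dnat[k]
        }
    }'
}

# run_audit: report both findings for a dump given on stdin.
run_audit() {
    dump=$(cat)
    printf 'INPUT rules that accept by source port only:\n'
    printf '%s\n' "$dump" | sport_only_accepts
    printf 'DNAT destinations with no FORWARD rule admitting them:\n'
    printf '%s\n' "$dump" | dnat_without_forward
}

# Run against the constructed sample; on a live host use: iptables-save | run_audit
printf '%s\n' "$SAMPLE_DUMP" | run_audit
```

On the constructed sample the audit flags the two --sport rules and both DNAT destinations: 192.168.0.110 because the DMZ mapping has no FORWARD rule at all, and 10.31.20.41 because the FORWARD rules that accompany the CEN mapping cover 10.31.255.0/24, which does not contain it. Adding a rule such as "-A FORWARD -d 10.31.20.41/32 -p tcp --dport 15941 -m conntrack --ctstate NEW -j ACCEPT" clears the first finding.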