RHEL4/5 iptables example (updating)

Source: Internet
Author: User
[root@localhost ~]# cat /etc/access
#!/bin/bash
# clear policy
sudo /etc/init.d/iptables stop
# Open Server Port
sudo /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
sudo /sbin/iptables

[root@localhost ~]# cat /etc/access
#!/bin/bash
# Clear
sudo /etc/init.d/iptables stop
# Open Server Port
sudo /sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo /sbin/iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT
sudo /sbin/iptables

[root@localhost ~]# cat /etc/access
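#!/bin/bash
# /etc/access -- RHEL4/5 iptables policy for this host.
#
# Most rules are added with -I (insert at the head of the chain), so a line
# that appears LATER in this file ends up ABOVE earlier ones in the live
# chain: the last insert wins.  Keep that in mind before reordering lines.
# The default policies are switched to DROP only after the SSH rule exists,
# so a remote session running this script is not cut off half-way.
#
# Must run as root (the author invokes it through sudo); iptables is expected
# at /sbin/iptables.

# Single wrapper so the binary path and the sudo prefix live in one place.
# Arguments: any iptables arguments, passed through unchanged.
ipt() {
  sudo /sbin/iptables "$@"
}

# Clear the current policy (the RHEL init script flushes the chains and
# resets the default policies to ACCEPT).
sudo /etc/init.d/iptables stop

# Open server ports: SSH (22) and HTTP (80).
ipt -I INPUT -p tcp --dport 22 -j ACCEPT
ipt -I INPUT -p tcp --dport 80 -j ACCEPT

# Allow outbound client access: HTTP (80), NTP (123) and DNS (53).
ipt -I OUTPUT -p tcp --dport 80  -j ACCEPT
ipt -I OUTPUT -p tcp --dport 123 -j ACCEPT
ipt -I OUTPUT -p udp --dport 123 -j ACCEPT
ipt -I OUTPUT -p tcp --dport 53  -j ACCEPT
ipt -I OUTPUT -p udp --dport 53  -j ACCEPT

# Reply traffic for the connections above.  The original file accepted replies
# purely by *source port* (e.g. "INPUT -p tcp --sport 53 -j ACCEPT"), which
# lets any remote host reach any local port just by sending from source port
# 53, 80 or 123.  Connection tracking accepts only packets that belong to a
# flow this host already allowed, in both directions, and also covers the
# reply direction of the server ports opened above.
ipt -I INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic in both directions.
ipt -I INPUT  -i lo -j ACCEPT
ipt -I OUTPUT -o lo -j ACCEPT

# Allow ICMP packets.
ipt -I INPUT  -p icmp -j ACCEPT
ipt -I OUTPUT -p icmp -j ACCEPT

# Allow mutual access with the LAN segment 10.10.1.0/24 (any TCP/UDP port;
# "0:65535" is the full port range, kept as the author wrote it).
ipt -I OUTPUT -p tcp --sport 0:65535 -d 10.10.1.0/24 -j ACCEPT
ipt -I INPUT  -p tcp -s 10.10.1.0/24 --dport 0:65535 -j ACCEPT
ipt -I OUTPUT -p udp --sport 0:65535 -d 10.10.1.0/24 -j ACCEPT
ipt -I INPUT  -p udp -s 10.10.1.0/24 --dport 0:65535 -j ACCEPT

# Change the default policy to DROP (discard every unmatched packet).
ipt -P INPUT   DROP
ipt -P OUTPUT  DROP
ipt -P FORWARD DROP

##################################################
# OpenVPN server: let clients reach the outside world through the tunnel
# (NAT on the eth1 interface by default).
ipt -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
# OpenVPN server: let clients reach specific CIDR blocks through a NAT interface.
ipt -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth1 -d 10.31.255.0/24  -j MASQUERADE
ipt -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -d 172.17.167.0/24 -j MASQUERADE
# Allow OpenVPN clients to reach each other.  Chain names are case-sensitive:
# it must be FORWARD, a lowercase "forward" is rejected by iptables.
ipt -A FORWARD -o tun0 -d 10.8.0.0/24 -j ACCEPT
ipt -A FORWARD -i tun0 -s 10.8.0.0/24 -j ACCEPT

##################################################
# Block one LAN segment from one port on this host's own address (10.10.1.100).
# These DROPs are inserted after the LAN ACCEPT rules, so with -I they sit
# above them in the chain and take precedence.
ipt -I INPUT -s 10.10.1.0/24 -p tcp -d 10.10.1.100 --dport 5566 -j DROP
# Block a range of addresses from one port on the local address.
ipt -I INPUT -m iprange --src-range 10.10.1.20-10.10.1.22 -p tcp -d 10.10.1.100 --dport 5566 -j DROP

##################################################
# LVS server communication packets (multicast 224.0.0.18 on eth0).
ipt -I INPUT  -i eth0 -d 224.0.0.18 -j ACCEPT
ipt -I OUTPUT -o eth0 -d 224.0.0.18 -j ACCEPT

##################################################
# NAT port mapping for the CEN segment: map port 15941 of 10.31.20.14 to
# port 15941 of 10.31.20.41.  10.31.20.41 must use 10.31.20.14 as its gateway.
# NOTE(review): forwarding only takes effect with net.ipv4.ip_forward=1, which
# this script does not set.  Also, the FORWARD ACCEPTs below cover
# 10.31.255.0/24 while the DNAT target is 10.31.20.41 -- confirm the
# translated flow is actually accepted in FORWARD under the DROP policy.
# Enable forwarding for the 10.31.255.0/24 segment (10.31.255.41) on eth1.
ipt -A FORWARD -o eth1 -d 10.31.255.0/24 -j ACCEPT
ipt -A FORWARD -i eth1 -s 10.31.255.0/24 -j ACCEPT
# DNAT port 15941 of 10.31.20.14 to port 15941 of 10.31.20.41.
ipt -t nat -A PREROUTING -d 10.31.20.14 -p tcp --dport 15941 -j DNAT --to-destination 10.31.20.41:15941

##################################################
# Notes on DNAT and SNAT with iptables (examples, not applied).
# NOTE(review): in the source the SNAT line may have been live rather than
# commented -- confirm before relying on it.
# DNAT: map a local public address (202.96.209.20, which must be configured on
# the NIC) to one internal address, i.e. a DMZ host:
#   iptables -t nat -A PREROUTING -d 202.96.209.20 -j DNAT --to-destination 192.168.0.110
# SNAT: forward the whole intranet segment out through a public address
# (202.96.209.134) configured on the NIC:
#   iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 202.96.209.134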
