Share a useful iptables script (various filtering notation references)

Share a useful iptables script (various filtering notation references) _linux shell

Last Update:2017-01-18 Source: Internet

Author: User

Tags iptables

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

This iptables script is good, very practical, according to the actual application can be changed to use their own. Share it for everyone to refer to. The original author anon. The source code is as follows:

Copy Code code as follows:

#!/bin/sh
#
Modprobe Ipt_masquerade
Modprobe ip_conntrack_ftp
Modprobe ip_nat_ftp
Iptables-f
Iptables-t nat-f
Iptables-x
Iptables-t Nat-x
########################## #INPUT键 ###################################
Iptables-p INPUT DROP
Iptables-a input-m State--state established,related-j ACCEPT
Iptables-a input-p tcp-m multiport--dports 110,80,25-j
Iptables-a input-p tcp-s 192.168.0.0/24--dport 139-j
#允许内网samba, SMTP,POP3, connecting
Iptables-a input-i eth1-p udp-m multiport--dports 53-j ACCEPT
#允许dns连接
Iptables-a input-p TCP--dport 1723-j ACCEPT
Iptables-a input-p gre-j ACCEPT
#允许外网vpn连接
Iptables-a input-s 192.186.0.0/24-p tcp-m State--state established,related-j ACCEPT
Iptables-a input-i ppp0-p tcp--syn-m connlimit--connlimit-above 15-j DROP
#为了防止DOS太多连接进来, you can allow up to 15 initial connections, over discarded
Iptables-a input-s 192.186.0.0/24-p tcp--syn-m connlimit--connlimit-above 15-j DROP
#为了防止DOS太多连接进来, you can allow up to 15 initial connections, over discarded
Iptables-a input-p icmp-m limit--limit 3/s-j LOG--log-level INFO--log-prefix "ICMP packet in:"
Iptables-a input-p icmp-j DROP
#禁止icmp通信-ping.
Iptables-t nat-a postrouting-o ppp0-s 192.168.0.0/24-j Masquerade
#内网转发
Iptables-n Syn-flood
Iptables-a input-p TCP--syn-j Syn-flood
Iptables-i syn-flood-p tcp-m limit--limit 3/s--limit-burst 6-j return
Iptables-a syn-flood-j REJECT
#防止SYN攻击 Light Weight
###################### #FORWARD链 ###########################
Iptables-p FORWARD DROP
Iptables-a forward-p tcp-s 192.168.0.0/24-m multiport--dports 80,110,21,25,1723-j ACCEPT
Iptables-a forward-p udp-s 192.168.0.0/24--dport 53-j
Iptables-a forward-p gre-s 192.168.0.0/24-j ACCEPT
Iptables-a forward-p icmp-s 192.168.0.0/24-j ACCEPT
#允许 VPN clients to go VPN network connection extranet
Iptables-a forward-m State--state established,related-j ACCEPT
Iptables-i forward-p UDP--dport 53-m string--string "Tencent"-m time--timestart 8:15--timestop 12:30--days mon,tu E,wed,thu,fri,sat-j DROP
#星期一到星期六的8:00-12:30 prohibit QQ communication
Iptables-i forward-p UDP--dport 53-m string--string "TENCENT"-m time--timestart 8:15--timestop 12:30--days mon,tu E,wed,thu,fri,sat-j DROP
#星期一到星期六的8:00-12:30 prohibit QQ communication
Iptables-i forward-p UDP--dport 53-m string--string "Tencent"-m time--timestart 13:30--timestop 20:30--days Mon,T Ue,wed,thu,fri,sat-j DROP
Iptables-i forward-p UDP--dport 53-m string--string "TENCENT"-m time--timestart 13:30--timestop 20:30--days Mon,T Ue,wed,thu,fri,sat-j DROP
#星期一到星期六的13:30-20:30 prohibit QQ communication
Iptables-i forward-s 192.168.0.0/24-m string--string "qq.com"-m time--timestart 8:15--timestop 12:30--days Mon,Tue , Wed,thu,fri,sat-j DROP
#星期一到星期六的8:00-12:30 ban QQ Web page
Iptables-i forward-s 192.168.0.0/24-m string--string "qq.com"-m time--timestart 13:00--timestop 20:30--days Mon,Tu E,wed,thu,fri,sat-j DROP
#星期一到星期六的13:30-20:30 ban QQ Web page
Iptables-i forward-s 192.168.0.0/24-m string--string "Ay2000.net"-j DROP
Iptables-i forward-d 192.168.0.0/24-m string--string "Broadband Cinema"-j DROP
Iptables-i forward-s 192.168.0.0/24-m string--string "erotic"-j DROP
Iptables-i forward-p tcp--sport 80-m string--string "ad"-j DROP
#禁止ay2000. NET, broadband cinema, pornography, advertising web links! But Chinese is not very ideal
Iptables-a forward-m ipp2p--edk--kazaa--bit-j DROP
Iptables-a forward-p tcp-m ipp2p--ares-j DROP
Iptables-a forward-p udp-m ipp2p--kazaa-j DROP
#禁止BT连接
Iptables-a forward-p TCP--syn--dport 80-m connlimit--connlimit-above--connlimit-mask 24
#######################################################################
Sysctl-w net.ipv4.ip_forward=1 &>/dev/null
#打开转发
#######################################################################
Sysctl-w Net.ipv4.tcp_syncookies=1 &>/dev/null
#打开 Syncookie (Lightweight prevention DOS attack)
Sysctl-w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
#设置默认 TCP connection Dementia is 3,800 seconds long (this option can significantly reduce the number of connections)
Sysctl-w net.ipv4.ip_conntrack_max=300000 &>/dev/null
#设置支持最大连接树为 30W (This is based on your memory and iptables version, each connection requires more than 300 bytes)
#######################################################################
Iptables-i input-s 192.168.0.50-j ACCEPT
Iptables-i forward-s 192.168.0.50-j ACCEPT
#192.168.0.50 is my machine, all release!
########################### #完 #########################################

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More