Restrict a listening port to particular source networks. The DROP is inserted first and each ACCEPT is then inserted above it (-I prepends), so the accepts are checked before the drop. The three commented-out lines apply the same pattern to port 80 (iptables normalizes 211.123.16.123/24 to 211.123.16.0/24):
# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT
If the box is also doing NAT for other hosts, the same restriction must be applied to traffic passing through it, in the FORWARD chain, or it has no effect on those hosts:
iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
Common iptables rules are as follows. Note that filter and pfwanpriv below are user-defined chains from the original author's router setup (on a stock system the built-in FORWARD chain is the equivalent for traffic passing through the box), and that any rule written with a hostname is resolved to IP addresses once, when the rule is inserted.
Allow only mail (and the DNS lookups it needs) from one MAC address; everything else from that MAC is dropped. Because every rule is added with -I, the DROP inserted first ends up last in the chain:
iptables -I filter -m mac --mac-source 00:0f:ea:25:51:37 -j DROP
iptables -I filter -m mac --mac-source 00:0f:ea:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I filter -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I filter -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 110 -j ACCEPT
IPsec NAT policy: forward HTTP, PPTP control (1723), IKE (UDP 500) and NAT-T (UDP 4500) to a VPN server behind the router. PPTP additionally carries its data in GRE (IP protocol 47), which these port-based rules do not forward:
iptables -I pfwanpriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $internet_addr -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $internet_addr -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $internet_addr -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $internet_addr -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $internet_addr -j DNAT --to-destination 192.168.100.2:4500
NAT for an FTP server (only the control connection on port 21 is forwarded; data connections need the nf_conntrack_ftp and nf_nat_ftp helpers loaded, or the passive port range forwarded as well):
iptables -I pfwanpriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $internet_addr -j DNAT --to-destination 192.168.100.200:21
Allow access only to the listed hosts. DNS is allowed so the names can be resolved; the final rule drops everything else. Each hostname is turned into IP addresses when the rule is inserted (one rule per A record), so a host whose address changes later will no longer match:
iptables -A filter -p udp --dport 53 -j ACCEPT
iptables -A filter -p tcp --dport 53 -j ACCEPT
iptables -A filter -d www.3322.org -j ACCEPT
iptables -A filter -d img.cn99.com -j ACCEPT
iptables -A filter -j DROP
Open some ports for one IP address and close the rest (109 is POP2, 110 is POP3):
iptables -A filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A filter -p tcp --dport 53 -j ACCEPT
iptables -A filter -p udp --dport 53 -j ACCEPT
iptables -A filter -j DROP
Multiple destination ports in one rule:
iptables -A filter -p tcp -m multiport --dports 22,53,80,110 -s 192.168.20.3 -j REJECT
Source ports, as a list and as a contiguous range (a range is written low:high and needs no multiport match):
iptables -A filter -p tcp -m multiport --sports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A filter -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT
Internet access only at specified times. The --days spelling comes from the older ipt_time extension; current iptables (xt_time) calls it --weekdays, compares against UTC unless --kerneltz is given, and treats a start later than the stop (17:30 to 8:30) as a range that wraps past midnight:
iptables -A filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
Several port services in one rule (the listed rule accepts them; change -j ACCEPT to -j DROP to disable them):
iptables -A filter -p tcp -m multiport --dports 21,23,80 -j ACCEPT
NAT everything arriving on the WAN interface for the WAN address to one PC (one-to-one DNAT with no port restriction):
iptables -t nat -A PREROUTING -i $internet_if -d $internet_addr -j DNAT --to-destination 192.168.0.1
NAT port 8000 on the WAN address to port 80 of 192.168.100.200:
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $internet_addr -j DNAT --to-destination 192.168.100.200:80
Ports forwarded to the mail server:
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $internet_addr -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $internet_addr -j DNAT --to-destination 192.168.100.200:25
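The DNAT lists above give only the nat PREROUTING half of a port forward; on a router whose FORWARD policy is DROP the rewritten packet also needs a filter-table rule (the author's pfwanpriv rules serve that purpose on their system). The following helper, an added example rather than code from the page, emits both halves for one forward. The interface and address names are placeholders, the conntrack match is an assumption that the kernel has connection tracking loaded (NAT requires it anyway), and IPT=echo turns the helper into a dry run so the generated rules can be reviewed before they touch a live box.

```shell
#!/bin/sh
# Added example, not from the original page: emit the rule pair a DNAT
# port-forward needs on a router with a default-DROP FORWARD chain.
# Assumptions: eth0 / 203.0.113.5 are placeholders; IPT defaults to the
# real iptables binary, set IPT=echo to print the rules instead.
IPT="${IPT:-iptables}"

# forward_port WAN_IF WAN_ADDR PROTO WAN_PORT LAN_HOST LAN_PORT
forward_port() {
    wan_if=$1; wan_addr=$2; proto=$3; wan_port=$4; lan_host=$5; lan_port=$6
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # 1. nat table: rewrite the destination of packets that arrive on the
    #    WAN interface for the public address and port
    $IPT -t nat -A PREROUTING -i "$wan_if" -p "$proto" -d "$wan_addr" \
        --dport "$wan_port" -j DNAT --to-destination "$lan_host:$lan_port"
    # 2. filter table: FORWARD sees the packet after DNAT, so the match is
    #    on the private destination, not the public one
    $IPT -A FORWARD -i "$wan_if" -p "$proto" -d "$lan_host" \
        --dport "$lan_port" -m conntrack --ctstate NEW -j ACCEPT
}

# Replies and follow-on packets of already-accepted flows; insert this once
# at the top of FORWARD so every per-port rule only has to match NEW.
forward_established() {
    $IPT -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run demo on the page's "WAN port 8000 to 192.168.100.200:80" case.
if [ "${FORWARD_DEMO:-0}" = 1 ]; then
    IPT=echo
    forward_established
    forward_port eth0 203.0.113.5 tcp 8000 192.168.100.200 80
fi
```

Run with FORWARD_DEMO=1 to print the two rules for the port-8000 example; the order matters, the ESTABLISHED,RELATED rule is inserted at position 1 so it is evaluated before anything appended later.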
Allow 192.168.100.200 only to ping 202.96.134.133; all other services are prohibited (the final DROP catches every other packet in the chain, not just that host's):
iptables -A filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A filter -j DROP
Disable BitTorrent (crude: this drops the whole high port range BT clients typically use, and any other service on those ports):
iptables -A filter -p tcp --dport 6000:20000 -j DROP
Disable QQ: drop all UDP except DNS, then drop the QQ server networks:
iptables -A filter -p udp ! --dport 53 -j DROP
iptables -A filter -d 218.17.209.0/24 -j DROP
iptables -A filter -d 218.18.95.0/24 -j DROP
iptables -A filter -d 219.133.40.177 -j DROP
Allow only mail from a given MAC address and drop everything else from it (same -I ordering as above; note that without a DNS rule this host must use IP addresses for its mail server):
iptables -I filter -m mac --mac-source 00:0a:eb:97:79:a1 -j DROP
iptables -I filter -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 25 -j ACCEPT
iptables -I filter -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 110 -j ACCEPT
Disable MSN:
iptables -A filter -p udp --dport 9 -j DROP
iptables -A filter -p tcp --dport 1863 -j DROP
iptables -A filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Allow 192.168.100.200 to ping only 202.96.134.133; ICMP to any other public address is dropped (other protocols are unaffected):
iptables -A filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A filter -p icmp -j DROP
Prohibit a MAC address from accessing the Internet:
iptables -I filter -m mac --mac-source 00:20:18:8f:72:f8 -j DROP
Disable ping from an IP address:
iptables -A filter -p icmp -s 192.168.0.1 -j DROP
Disable particular services for an IP address:
iptables -A filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Allow only some services and drop everything else (two rules):
iptables -A filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A filter -j DROP
Disable one port for an IP address. As listed, the ACCEPT appended first matches every such packet and the DROP below it never fires; to disable the port keep only the DROP (or insert it above the ACCEPT with -I):
iptables -A filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
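Rule order is the recurring trap in these lists: the "allow some, drop the rest" chains above depend on the catch-all DROP being last, and the ACCEPT/DROP pair just shown is the reverse mistake, where an earlier rule with the same match set makes the later one dead. The following lint, an added example and not a tool from the page, reads the output of iptables -S CHAIN and reports rules that can never match: any rule after a rule with no match criteria, and any rule whose match set repeats an earlier one. The sample rule listing is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: flag unreachable rules in
# `iptables -S CHAIN` output. Matching is textual, so two rules that are
# equivalent but spelled differently are not detected (assumption: the
# listing comes from iptables -S, which prints a canonical spelling).
lint_chain() {
    awk '
    $1 != "-A" { next }                 # skip -P policy and -N chain lines
    {
        key = $0
        sub(/ -j [^ ]+.*$/, "", key)    # drop the target and its options
        sub(/^-A [^ ]+ ?/, "", key)     # drop "-A CHAIN"; what is left is the match set
        if (dead)        { print "unreachable (after catch-all): " $0; next }
        if (key in seen) { print "shadowed by identical match: " $0; next }
        seen[key] = 1
        if (key == "") dead = 1          # a rule with no match criteria ends the chain
    }'
}

# Constructed sample listing in the shape iptables -S prints: the page's
# accept-then-drop pair, a catch-all DROP, and a rule appended after it.
SAMPLE_RULES='-P filter ACCEPT
-A filter -p udp -m udp --dport 53 -j ACCEPT
-A filter -s 10.10.10.253/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A filter -s 10.10.10.253/32 -p tcp -m tcp --dport 80 -j DROP
-A filter -j DROP
-A filter -d 192.0.2.10/32 -j ACCEPT'

# lint_sample runs the lint over the constructed listing
lint_sample() {
    printf '%s\n' "$SAMPLE_RULES" | lint_chain
}

lint_sample
```

On a live box run `iptables -S filter | lint_chain` (or any chain name) after loading a rule set; two reports are expected for the sample, the shadowed DROP on port 80 and the ACCEPT appended after the catch-all.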
Disable one port for a MAC address:
iptables -I filter -p tcp -m mac --mac-source 00:20:18:8f:72:f8 --dport 80 -j DROP