Using iptables to allow only specified IPs to reach a port, and to restrict which sites a host can reach

Source: Internet
Author: User
Tags: mail, iptables, firewall

Goal: TCP port 80 must be reachable only from a specified LAN range and one specified external range.

The three rules below, in the order they are entered, do the following:

1. Drop all connections to port 80.
2. Open port 80 to the 192.168.1.0/24 range.
3. Open port 80 to the 211.123.16.0/24 range (the source writes it as 211.123.16.123/24; iptables masks off the host bits, so the rule matches the whole /24).

# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT

The rules use -I (insert at the top of the chain), not -A (append): each new rule lands above the previous one, so the chain ends up as ACCEPT, ACCEPT, DROP and the permitted ranges are matched before the catch-all drop. Entered with -A in the same order, the DROP would come first and block everything. Verify the final order with iptables -L INPUT -n --line-numbers.

These rules live only in kernel memory and are lost at the next reboot or firewall restart. To make them permanent (RHEL/CentOS init-script style):

1. Back up the currently saved rule file first
# cp /etc/sysconfig/iptables /var/tmp

2. Save the running rules to that file
# service iptables save

3. Restart the firewall so it loads from the saved file (this flushes and reloads every rule)
# service iptables restart

On systems without the iptables init script, step 2 is iptables-save > /etc/sysconfig/iptables and step 3 is iptables-restore < /etc/sysconfig/iptables.

The same pattern for another port (9889): close it, then open it to a range.

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If this machine is a NAT router and the service lives behind it, INPUT is never consulted for forwarded packets, so the same pair must also be added to the FORWARD chain for the restriction to take effect:

iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
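The allow-list pattern used for ports 80 and 9889 above (close the port, then insert ACCEPT rules for the permitted sources, in INPUT or FORWARD) can be generated instead of typed. The script below is an added example, not code from the original page: it validates the port and the source prefixes and prints the commands for a dedicated per-port chain, so re-running it rebuilds the list instead of stacking more -I rules. The chain prefix ALLOW_TCP_, the rate-limited LOG rule and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page: generate the "only these
# sources may reach TCP port N" policy as a dedicated chain per port.
# Running it again rebuilds the chain instead of piling more -I rules on
# INPUT. Chain prefix ALLOW_TCP_ and the LOG rule are this example's choices.
# The functions print commands; review the output, then pipe it to sh as root.

# cidr_ok ADDR[/LEN]: syntactic check for a.b.c.d or a.b.c.d/0-32.
cidr_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# port_ok PORT: digits only, 1-65535.
port_ok() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_rules PORT SRC [SRC...]: print the rules for one port.
# Returns 2 on bad input so a caller never applies a half-built policy.
allow_rules() {
    [ "$#" -ge 2 ] || { echo "usage: allow_rules PORT SRC [SRC...]" >&2; return 2; }
    port="$1"; shift
    port_ok "$port" || { echo "bad port: $port" >&2; return 2; }
    for src in "$@"; do
        cidr_ok "$src" || { echo "bad source prefix: $src" >&2; return 2; }
    done
    chain="ALLOW_TCP_$port"
    # Create the chain if it does not exist yet, then empty it.
    printf '%s\n' "iptables -N $chain 2>/dev/null"
    printf '%s\n' "iptables -F $chain"
    # Permitted sources first; iptables masks host bits (a.b.c.d/24 -> a.b.c.0/24).
    for src in "$@"; do
        printf '%s\n' "iptables -A $chain -s $src -j ACCEPT"
    done
    # Log what gets denied (rate limited so a scan cannot flood syslog), then drop.
    printf '%s\n' "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"deny-tcp-$port: \""
    printf '%s\n' "iptables -A $chain -j DROP"
    # Hook the chain into INPUT exactly once: -C succeeds if the jump already exists.
    printf '%s\n' "iptables -C INPUT -p tcp --dport $port -j $chain 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j $chain"
}
```

allow_rules 80 192.168.1.0/24 211.123.16.0/24 prints seven commands; allow_rules 80 192.168.1.0/33 prints nothing and returns 2. Once the chain exists, iptables -L ALLOW_TCP_80 -n -v shows a hit counter per source, which is the quickest way to confirm that a rule is actually being matched.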

Common iptables rules

A note on chain names before the examples: Filter and pfwanpriv below are not built-in chains. They come from the router distribution the source was written for and must exist (iptables -N Filter) and be reached from INPUT or FORWARD; on a stock system substitute FORWARD for traffic passing through the router or INPUT for traffic addressed to the router itself. Chain names are case-sensitive. Also watch -I versus -A in each group: with -I the rule entered last is evaluated first, with -A the order is as written.

A host, identified by MAC address, may only send and receive mail; everything else is dropped.

iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 110 -j ACCEPT

The DROP is entered first, so after the three -I inserts it sits below the ACCEPTs. The udp/53 rule lets the host resolve names (the source line lost its target; ACCEPT is the only reading that fits). MAC matching only works on the router's own LAN segment, since source MAC addresses are rewritten at every hop, and a MAC address is trivially spoofed, so treat this as a convenience control rather than a security boundary.

IPsec/VPN NAT policy: publish the server 192.168.100.2 behind the router ($INTERNET_addr is the router's public address).

iptables -I pfwanpriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.2:4500

TCP 1723 is only the PPTP control channel; PPTP data is carried in GRE (IP protocol 47), which has no port and needs its own rule (-p 47 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.2). The UDP 1723 rule is as given in the source, but PPTP does not use it. UDP 500 and 4500 are IKE and NAT-T; IPsec without NAT-T uses ESP (IP protocol 50), which likewise needs a protocol-level rule rather than a port rule.

NAT for an FTP server

iptables -I pfwanpriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.200:21

Port 21 is only the control channel. For the data connections to be tracked and translated, the nf_conntrack_ftp and nf_nat_ftp modules must be loaded, and on recent kernels helpers are no longer assigned automatically: add a raw-table rule such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.

Only allow access to specified sites

iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

Two caveats. iptables cannot match URLs or host names: a name given to -d is resolved once, when the rule is loaded, one rule is created per address returned, and nothing updates the rules when DNS changes (a site on a CDN may also share addresses with unrelated sites, which are then allowed too). Second, the unconditional port 53 rules permit traffic to port 53 on any host, which is enough to tunnel arbitrary data out; restrict them with -d to the resolver the clients are meant to use.
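The site allow list above depends on name resolution at rule-load time. The script below is an added example, not code from the original page: it makes that step explicit by resolving each name now, emitting one rule per address into a chain that is flushed and refilled on every run (so it can be refreshed from cron), restricting DNS to one resolver, and refusing to emit anything if a name does not resolve. The chain name SITE_ALLOW, the LAN range 192.168.100.0/24, the resolver address 192.168.100.1 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page. iptables matches addresses,
# not names: "-d www.example.com" is expanded to the addresses the name has at
# load time and never refreshed. This makes the expansion explicit and
# rebuildable: resolve each name now, emit one rule per address into a chain
# that is flushed and refilled on every run, and emit nothing if any name
# fails to resolve. Chain name SITE_ALLOW, the LAN range and the resolver
# address below are assumptions.

LAN="${LAN:-192.168.100.0/24}"
RESOLVER="${RESOLVER:-192.168.100.1}"

# resolve_v4 NAME: print NAME's IPv4 addresses, one per line, deduplicated.
# Redefine this function to use another resolver (the test stubs it out).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# site_allow_rules NAME [NAME...]: print the commands; return 2 on failure.
site_allow_rules() {
    [ "$#" -ge 1 ] || { echo "usage: site_allow_rules NAME [NAME...]" >&2; return 2; }
    # Resolve everything first so a failure never leaves a partial policy.
    resolved=""
    for name in "$@"; do
        addrs=$(resolve_v4 "$name")
        [ -n "$addrs" ] || { echo "cannot resolve $name; nothing emitted" >&2; return 2; }
        for ip in $addrs; do
            resolved="$resolved $ip=$name"
        done
    done
    printf '%s\n' "iptables -N SITE_ALLOW 2>/dev/null"
    printf '%s\n' "iptables -F SITE_ALLOW"
    # DNS only to the intended resolver: an unrestricted port-53 rule is a tunnel.
    printf '%s\n' "iptables -A SITE_ALLOW -d $RESOLVER -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "iptables -A SITE_ALLOW -d $RESOLVER -p tcp --dport 53 -j ACCEPT"
    for entry in $resolved; do
        ip=${entry%%=*}; name=${entry#*=}
        printf '%s\n' "iptables -A SITE_ALLOW -d $ip -p tcp -m multiport --dports 80,443 -j ACCEPT  # $name"
    done
    # REJECT rather than DROP so clients fail fast instead of hanging on timeouts.
    printf '%s\n' "iptables -A SITE_ALLOW -j REJECT --reject-with icmp-admin-prohibited"
    # Applied to traffic leaving the LAN; replies arrive as -d LAN and are not affected.
    printf '%s\n' "iptables -C FORWARD -s $LAN -j SITE_ALLOW 2>/dev/null || iptables -I FORWARD -s $LAN -j SITE_ALLOW"
}
```

Run site_allow_rules www.3322.org img.cn99.com from cron, check the exit status, and only then pipe the output to sh; because the chain is flushed and refilled, a DNS change is picked up at the next run instead of silently leaving stale addresses in place.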

Open some ports for one IP; everything else is closed

iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

These use -A, so they are evaluated in the order written and the DROP must stay last. Port 109 is POP2, which is obsolete; 110 is POP3. The first line lost its target in the source; ACCEPT is the only sensible reading.

Multiple ports

iptables -A Filter -p tcp -m multiport --destination-ports 22,53,80,110 -s 192.168.20.3 -j REJECT

Port ranges (the first line matches a list of source ports, the second a contiguous range)

iptables -A Filter -p tcp -m multiport --source-ports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

With -m multiport the option names are plural (--destination-ports/--dports, --source-ports/--sports); the singular --dport belongs to the tcp match and does not accept a list. multiport takes at most 15 ports per rule, a range a:b counting as two.

Restrict internet access to certain times

iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

This is the syntax of the old ipt_time match. With the current xt_time module the option is --weekdays (listing all seven days is the same as omitting it), times are compared in UTC unless --kerneltz is given, and a window that crosses midnight such as 17:30 to 8:30 is treated as two intervals per day (00:00-08:30 and 17:30-24:00) unless --contiguous is added. The match is applied per packet: if an earlier rule accepts ESTABLISHED traffic, a connection opened inside a window survives past its end.

Match several ports in one rule (the source heading says "prohibit", but the rule as written accepts; use -j DROP to block them)

iptables -A Filter -m multiport -p tcp --dports 21,23,80 -j ACCEPT

Forward the whole WAN address to one PC (every port and protocol arriving for $INTERNET_addr on the WAN interface goes to 192.168.0.1)

iptables -t nat -A PREROUTING -i $INTERNET_if -d $INTERNET_addr -j DNAT --to-destination 192.168.0.1

Forward WAN port 8000 to port 80 of 192.168.100.200

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.200:80

Forward the mail ports to the internal mail server

iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_addr -j DNAT --to-destination 192.168.100.200:25

DNAT only rewrites the destination. The packet is then routed, so net.ipv4.ip_forward must be 1 and the FORWARD chain must accept it, matched against the internal address and port, because FORWARD sees the packet after translation.
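Every DNAT example on this page (the IPsec and FTP publishing rules earlier, and the port forwards just above) needs the companion FORWARD rule the text mentions for NAT, plus ip_forward. The script below is an added example, not code from the original page: dnat_rules prints all three pieces for each mapping given as PROTO:EXTPORT:INTADDR:INTPORT, validating the input first so nothing is emitted for a malformed mapping. The interface name eth0 and public address 203.0.113.5 used in the usage note are made up; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. A DNAT rule only rewrites the
# destination; the packet is then routed, so publishing a service also needs
# ip_forward enabled and a FORWARD rule that accepts the translated packet.
# dnat_rules prints all three for each mapping PROTO:EXTPORT:INTADDR:INTPORT.
# Interface and address are arguments; the values in the usage note are made up.

# parse_map MAPPING: set proto, extport, intaddr, intport from the mapping string.
parse_map() {
    proto=${1%%:*}; rest=${1#*:}
    extport=${rest%%:*}; rest=${rest#*:}
    intaddr=${rest%%:*}; intport=${rest#*:}
}

# dnat_rules EXT_IF EXT_ADDR MAPPING [MAPPING...]: print commands; 2 on bad input.
dnat_rules() {
    [ "$#" -ge 3 ] || { echo "usage: dnat_rules EXT_IF EXT_ADDR PROTO:EXTPORT:INTADDR:INTPORT..." >&2; return 2; }
    ext_if="$1"; ext_addr="$2"; shift 2
    # Validate every mapping before printing anything.
    for m in "$@"; do
        case "$m" in
            *:*:*:*:*) echo "too many fields: $m" >&2; return 2 ;;
            *:*:*:*) ;;
            *) echo "need PROTO:EXTPORT:INTADDR:INTPORT: $m" >&2; return 2 ;;
        esac
        parse_map "$m"
        case "$proto" in tcp | udp) ;; *) echo "protocol must be tcp or udp: $m" >&2; return 2 ;; esac
        for p in "$extport" "$intport"; do
            case "$p" in '' | *[!0-9]*) echo "ports must be numeric: $m" >&2; return 2 ;; esac
        done
        [ -n "$intaddr" ] || { echo "missing internal address: $m" >&2; return 2; }
    done
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
    # Replies and related traffic for accepted forwarded connections, added once.
    printf '%s\n' "iptables -C FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for m in "$@"; do
        parse_map "$m"
        # Translate only packets that arrive on the WAN interface for the public address.
        printf '%s\n' "iptables -t nat -A PREROUTING -i $ext_if -d $ext_addr -p $proto --dport $extport -j DNAT --to-destination $intaddr:$intport"
        # FORWARD sees the packet after translation: match the internal address and port.
        printf '%s\n' "iptables -A FORWARD -i $ext_if -d $intaddr -p $proto --dport $intport -m conntrack --ctstate NEW -j ACCEPT"
    done
}
```

dnat_rules eth0 203.0.113.5 tcp:8000:192.168.100.200:80 udp:500:192.168.100.2:500 prints six commands. Protocols without ports (GRE for PPTP, ESP for IPsec) are deliberately rejected here; they need -p 47 or -p 50 rules without --dport, written by hand.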

Allow 192.168.100.200 to ping only 202.96.134.133; all other traffic in this chain is dropped

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP

The second rule drops everything that reaches it, not only ICMP; for an ICMP-only restriction see the variant further down.

Block BitTorrent (crude: drops every TCP destination port from 6000 to 20000, including unrelated services such as 8080, and BT clients can be configured to use any port)

iptables -A Filter -p tcp --dport 6000:20000 -j DROP

Block QQ (drops all UDP except DNS, plus the QQ server ranges known at the time; these addresses are from the source and are unlikely to be current)

iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP

The negation goes before the option (! --dport 53); the older --dport ! 53 form is deprecated.

Based on MAC address: may only send and receive mail; everything else is rejected

iptables -I Filter -m mac --mac-source 00:0a:eb:97:79:a1 -j DROP
iptables -I Filter -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 110 -j ACCEPT

Unlike the earlier mail-only example there is no DNS rule here, so the host must reach its resolver some other way or use the mail server's address directly.

Block MSN (ports and addresses as given in the source; the service no longer exists and the addresses are dated)

iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

Allow 192.168.100.200 to ping only 202.96.134.133; ping to every other public address is dropped (other protocols are unaffected)

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP

Block a MAC address from accessing the internet:

iptables -I Filter -m mac --mac-source 00:20:18:8f:72:f8 -j DROP

Block ping (all ICMP) from an IP address:

iptables -A Filter -p icmp -s 192.168.0.1 -j DROP

Block particular services for an IP address:

iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP

Only certain services are allowed, everything else is rejected (two rules; the first lost its target in the source, and ACCEPT is the only reading consistent with the heading)

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP

Block one port for an IP address (the source lists this rule twice, once without a target)

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP

Block one port for a MAC address (the source omits the port number; substitute the service port for PORT)

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8f:72:f8 --dport PORT -j DROP

Block a MAC address from accessing the internet (same rule as above, with a placeholder address):

iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP

