Opening port 80 only for specific IP ranges
The following three rules mean:
First block port 80 for everyone.
Then open port 80 for the 192.168.1.0/24 range.
Then open port 80 for the 211.123.16.0/24 range (the page writes it as 211.123.16.123/24; iptables clears the host bits, so both spell the same /24).
# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT
Note that -I inserts at the top of the chain, so each command lands above the previous one: the final order is the two ACCEPT rules first and the DROP last, which is what makes the allow-list work. With -A (append) instead, the DROP would be evaluated first and the ACCEPT rules would never be reached.
These rules live only in the running kernel and are lost on reboot. To keep them (RHEL/CentOS iptables service):
1. Back up the current iptables file first
# cp /etc/sysconfig/iptables /var/tmp
2. Then save the running rules
# service iptables save
3. Restart the firewall
# service iptables restart
The same pattern for another port: block the port first, then open it for some addresses
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT
If the box is a NAT gateway forwarding traffic for other hosts, that traffic never passes the INPUT chain; add matching rules in the FORWARD chain or the restriction has no effect on forwarded connections
iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
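The procedure above (block the port, open it for listed subnets, repeat in FORWARD, then save) can be written once as an iptables-restore ruleset, which is loaded atomically and is itself the file you would keep under /etc/sysconfig/iptables. The script below is an added example, not from the original page: it prints such a ruleset with the rules in evaluation order (allow-list above the DROP, the same order the page's reversed -I sequence produces), and clears host bits from a subnet the way the kernel does, so 211.123.16.123/24 is shown as 211.123.16.0/24. It does not touch the kernel; the port and subnets are the page's, the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): render the "port only from
# listed subnets" policy as one iptables-restore ruleset. Nothing here talks
# to the kernel, it only prints text.

# normalize_cidr A.B.C.D/N -> network address with host bits cleared, as the
# kernel stores it (211.123.16.123/24 -> 211.123.16.0/24). A bare address
# is treated as a /32 host.
normalize_cidr() {
    ip=${1%/*}
    len=${1#*/}
    [ "$ip" = "$1" ] && len=32
    a=${ip%%.*}; r=${ip#*.}
    b=${r%%.*};  r=${r#*.}
    c=${r%%.*};  d=${r#*.}
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    n=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$len"
}

# render_port_policy PORT SUBNET... -> iptables-restore text on stdout.
# -A keeps the written order, so the allow-list is written before the DROP.
render_port_policy() {
    port=$1; shift
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # packets of connections already admitted never reach the DROP
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in "$@"; do
        net=$(normalize_cidr "$net")
        printf '%s\n' "-A INPUT -s $net -p tcp --dport $port -j ACCEPT"
        printf '%s\n' "-A FORWARD -s $net -p tcp --dport $port -j ACCEPT"
    done
    # catch-all for the port comes last, in INPUT for the gateway itself and
    # in FORWARD for hosts it NATs
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n' "-A FORWARD -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# Usage on the gateway (as root; paths are assumptions): review, test-parse,
# load atomically, then keep the file as the persistent ruleset.
#   render_port_policy 80 192.168.1.0/24 211.123.16.123/24 > /tmp/port80.rules
#   iptables-restore --test < /tmp/port80.rules && iptables-restore < /tmp/port80.rules
#   cp /tmp/port80.rules /etc/sysconfig/iptables
render_port_policy 80 192.168.1.0/24 211.123.16.123/24
```

iptables-restore replaces the whole filter table from the file, so anything you had added interactively and did not put in the file is gone after loading it; that is the point of keeping the file as the single source of the policy.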
Common iptables rules follow. Many of them use FILTER and pfwanpriv as chain names; these are not built-in chains (the filter table only has INPUT, FORWARD and OUTPUT), so they must be created with -N and reached by a jump from FORWARD before any of these rules will load.
A host that can only send and receive mail, everything else blocked (by MAC address)
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -j DROP
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I FILTER -m mac --mac-source 00:0f:ea:25:51:37 -p tcp --dport 110 -j ACCEPT
As before, the DROP is inserted first so that the three ACCEPT rules inserted afterwards end up above it (DNS is allowed because the mail client needs it). The mac match sees the source MAC of the frame as it arrived on the gateway, so it identifies hosts on the directly attached LAN only, not anything behind another router.
DNAT for a PPTP/IPsec server behind the gateway
iptables -I pfwanpriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p gre -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500
$INTERNET_ADDR is a shell variable holding the gateway's public address. The original listing forwarded UDP 1723, which PPTP does not use: PPTP is TCP 1723 for control plus GRE (IP protocol 47) for the tunnel, hence the gre rule, which has no port. UDP 500 is IKE and UDP 4500 is IPsec NAT-T; ESP (protocol 50) without NAT-T would need its own port-less rule in the same way.
DNAT for an FTP server
iptables -I pfwanpriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21
Port 21 only carries the control channel; data connections use other ports, so the FTP conntrack/NAT helper (nf_conntrack_ftp and nf_nat_ftp) has to be loaded, or only passive mode on a fixed, separately forwarded port range will work.
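A DNAT rule only rewrites the destination; the translated packet then has to be admitted by FORWARD, and port-less protocols such as GRE or ESP need a rule with no --dport. The script below is an added example, not from the original page, serving both the PPTP/IPsec and the FTP forwardings above: it renders the nat and filter sections together for a service list given as proto/port (or just proto), so the PREROUTING and FORWARD rules cannot drift apart. The WAN interface, the 203.0.113.10 address and the inside host are constructed placeholders; nothing here is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not from the original page): render DNAT port forwards plus
# the FORWARD rules that let the translated packets through. Only prints text.

# render_dnat WAN_IF WAN_ADDR INSIDE_IP SERVICE... -> nat + filter restore text.
# SERVICE is proto/port (tcp/80) or a bare protocol for port-less ones (gre, esp).
render_dnat() {
    wan_if=$1; wan_addr=$2; inside=$3; shift 3
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for svc in "$@"; do
        proto=${svc%%/*}
        port=${svc#*/}
        if [ "$port" = "$svc" ]; then
            # no port: the whole protocol goes to the inside host
            printf '%s\n' "-A PREROUTING -i $wan_if -d $wan_addr -p $proto -j DNAT --to-destination $inside"
        else
            printf '%s\n' "-A PREROUTING -i $wan_if -d $wan_addr -p $proto --dport $port -j DNAT --to-destination $inside:$port"
        fi
    done
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # replies, and helper-opened connections such as FTP data, in both directions
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # new connections from the WAN are admitted only for the forwarded services;
    # with a FORWARD policy of DROP these rules are the only way in
    for svc in "$@"; do
        proto=${svc%%/*}
        port=${svc#*/}
        if [ "$port" = "$svc" ]; then
            printf '%s\n' "-A FORWARD -i $wan_if -d $inside -p $proto -m conntrack --ctstate NEW -j ACCEPT"
        else
            printf '%s\n' "-A FORWARD -i $wan_if -d $inside -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    printf '%s\n' 'COMMIT'
}

# The page's PPTP/IPsec host, with constructed WAN details (eth0, 203.0.113.10):
render_dnat eth0 203.0.113.10 192.168.100.2 tcp/80 tcp/1723 gre udp/500 udp/4500
# The FTP server would be: render_dnat eth0 203.0.113.10 192.168.100.200 tcp/21
```

The FORWARD policy is left at ACCEPT so loading this does not cut off LAN hosts' outbound traffic; if you tighten it to DROP, add the rule that admits the LAN interface's outbound connections, since the list above only covers inbound forwards.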
Only allow access to specified sites
iptables -A FILTER -p udp --dport 53 -j ACCEPT
iptables -A FILTER -p tcp --dport 53 -j ACCEPT
iptables -A FILTER -d www.3322.org -j ACCEPT
iptables -A FILTER -d img.cn99.com -j ACCEPT
iptables -A FILTER -j DROP
A hostname given to -d is resolved once, when the rule is added (one rule per address returned), so the rule tracks the addresses of that moment, not the name; if the site's DNS changes, reload the rules. These rules use -A, so they are evaluated in the order written and the catch-all DROP must stay last.
Open a few ports for one host, everything else closed
iptables -A FILTER -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A FILTER -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A FILTER -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A FILTER -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A FILTER -p tcp --dport 53 -j ACCEPT
iptables -A FILTER -p udp --dport 53 -j ACCEPT
iptables -A FILTER -j DROP
Multiple ports
iptables -A FILTER -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A FILTER -p tcp -m multiport --source-port 22,53,80,110 -s 192.168.20.3 -j REJECT
Port range
iptables -A FILTER -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT
A plain --dport or --sport takes a low:high range; multiport takes up to 15 comma-separated ports, and newer versions accept low:high ranges inside the list as well.
Restrict internet access to certain hours
iptables -A FILTER -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days mon,tue,wed,thu,fri,sat,sun -j DROP
iptables -A FILTER -m time --timestart 12:00 --timestop 13:00 --days mon,tue,wed,thu,fri,sat,sun -j ACCEPT
iptables -A FILTER -m time --timestart 17:30 --timestop 8:30 --days mon,tue,wed,thu,fri,sat,sun -j ACCEPT
--days is the option name of the old ipt_time patch; the xt_time module in current kernels calls it --weekdays and evaluates the times in UTC unless --kerneltz is given, so check which one your iptables has. A window such as 17:30 to 8:30 wraps past midnight.
Several port services in one rule
iptables -A FILTER -m multiport -p tcp --dport 21,23,80 -j ACCEPT
The original heading said "prohibit", but the rule as written accepts these ports; use -j DROP to block them instead.
To NAT everything arriving on the WAN address to one PC (1:1 DNAT)
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1
$INTERNET_IF and $INTERNET_ADDR are shell variables holding the WAN interface and its address.
WAN port 8000 forwarded to port 80 of 192.168.100.200
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
Forward the mail server ports
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25
Only pinging 202.96.134.133 is allowed; all other services are blocked
iptables -A FILTER -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A FILTER -j DROP
Block BitTorrent
iptables -A FILTER -p tcp --dport 6000:20000 -j DROP
This is a blunt port-range block: BitTorrent clients can listen on any port, so it only catches default configurations.
Block QQ
iptables -A FILTER -p udp ! --dport 53 -j DROP
iptables -A FILTER -d 218.17.209.0/24 -j DROP
iptables -A FILTER -d 218.18.95.0/24 -j DROP
iptables -A FILTER -d 219.133.40.177 -j DROP
The first rule drops all UDP except DNS (in current iptables the ! goes before --dport); the address rules block QQ server ranges of the time and will be stale.
Based on MAC address: only send and receive mail, everything else dropped
iptables -I FILTER -m mac --mac-source 00:0a:eb:97:79:a1 -j DROP
iptables -I FILTER -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 25 -j ACCEPT
iptables -I FILTER -m mac --mac-source 00:0a:eb:97:79:a1 -p tcp --dport 110 -j ACCEPT
Unlike the earlier mail-only example, this one does not allow DNS, so name resolution from that host will fail unless it is permitted elsewhere.
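Both MAC-based "mail only" examples on this page assume a FILTER chain that already exists and is reached from FORWARD. The script below is an added example, not from the original page: it renders a restore ruleset that creates FILTER, jumps to it only for frames that entered on the LAN interface (the only place a source MAC means anything), and writes the allow-list in evaluation order, ACCEPTs above the per-MAC DROP, which is the order the page's reversed -I sequence produces. The LAN interface name is a constructed placeholder; the MAC and ports are the page's first example. Nothing is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not from the original page): user-defined FILTER chain plus a
# per-MAC allow-list, as iptables-restore text. Only prints; loads nothing.

# render_mac_mail_policy LAN_IF MAC SERVICE... -> filter table restore text.
# SERVICE is proto/port; everything else from that MAC is dropped.
render_mac_mail_policy() {
    lan_if=$1; mac=$2; shift 2
    # ':FILTER - [0:0]' declares the user-defined chain (no policy, hence '-')
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':FILTER - [0:0]'
    # only frames that arrived on the LAN side carry a meaningful source MAC
    printf '%s\n' "-A FORWARD -i $lan_if -j FILTER"
    # packets of connections this host was already allowed to open
    printf '%s\n' "-A FILTER -m mac --mac-source $mac -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for svc in "$@"; do
        proto=${svc%%/*}
        port=${svc#*/}
        printf '%s\n' "-A FILTER -m mac --mac-source $mac -p $proto --dport $port -j ACCEPT"
    done
    # the DROP is written last: with -A the written order is the evaluation order
    printf '%s\n' "-A FILTER -m mac --mac-source $mac -j DROP"
    # other hosts match nothing in FILTER, return to FORWARD and hit its policy
    printf '%s\n' 'COMMIT'
}

# count_rules_for_mac MAC < ruleset -> number of rules that match that MAC,
# a quick check that the host is referenced as often as intended
count_rules_for_mac() {
    grep -c -- "--mac-source $1 " 
}

# The page's first mail-only host, with a constructed LAN interface (eth1):
render_mac_mail_policy eth1 00:0f:ea:25:51:37 udp/53 tcp/25 tcp/110
```

Because the jump is placed on -i LAN_IF, a laptop that clones the MAC still has to be on that segment to inherit the exemption; MAC matching is a convenience control, not authentication, and the page's rules should be read with that in mind.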
Block MSN Messenger
iptables -A FILTER -p udp --dport 9 -j DROP
iptables -A FILTER -p tcp --dport 1863 -j DROP
iptables -A FILTER -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A FILTER -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Only pinging 202.96.134.133 is allowed; other public IPs may not be pinged (everything but ICMP is unaffected)
iptables -A FILTER -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A FILTER -p icmp -j DROP
Block a MAC address from accessing the internet:
iptables -I FILTER -m mac --mac-source 00:20:18:8f:72:f8 -j DROP
Block ping from an IP address:
iptables -A FILTER -p icmp -s 192.168.0.1 -j DROP
Block an IP address from a service:
iptables -A FILTER -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A FILTER -p udp -s 192.168.0.1 --dport 53 -j DROP
Only certain services allowed for a host, everything else rejected (2 rules)
iptables -A FILTER -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A FILTER -j DROP
Block one port service for an IP address
iptables -A FILTER -p tcp -s 10.10.10.253 --dport 80 -j DROP
Block one port service for a MAC address
iptables -I FILTER -p tcp -m mac --mac-source 00:20:18:8f:72:f8 --dport PORT -j DROP
Replace PORT with the port to block; the original omitted it.