Open port 80 only to specified IP addresses and the LAN.
The following three lines mean:
first block port 80 for everyone,
then allow the segment 192.168.1.0/24 to reach port 80,
then allow the segment 211.123.16.123/24 to reach port 80.
# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT
These settings are temporary (they are lost on reboot). To keep them:
1. Back up iptables first
# cp /etc/sysconfig/iptables /var/tmp
2. Save iptables
# service iptables save
3. Restart the firewall
# service iptables restart
The same pattern for another port: block all IP addresses first, then allow the LAN segment.
iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT
If NAT forwarding is used, remember to add the same rules to the FORWARD chain for the restriction to take effect.
iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
Common iptables rules are as follows:
Only sending and receiving e-mail is allowed for this MAC address; everything else is dropped.
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT
IPsec NAT policy
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500
NAT for the FTP server
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21
Only access to the specified sites is allowed
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP
Open some ports for an IP address; all other ports are closed
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP
Multiple ports
iptables -A Filter -p tcp -m multiport --dports 22,53,80,110 -s 192.168.20.3 -j REJECT
Continuous port range
iptables -A Filter -p tcp -m multiport --sports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT
Internet access at specified times
iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
Disable multiple port services
iptables -A Filter -m multiport -p tcp --dports 21,23,80 -j ACCEPT
NAT the WAN port to a PC
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1
NAT port 8000 of the WAN address to port 80 of 192.168.100.200
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
Ports to be forwarded to the MAIL server
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25
Only pinging 202.96.134.133 is allowed; all other services are prohibited.
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Disable BT configuration
iptables -A Filter -p tcp --dport 6000:20000 -j DROP
Disable QQ firewall configuration
iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP
Only sending and receiving e-mail is allowed, matched by MAC address; everything else is rejected.
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
Disable MSN configuration
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Only pinging 202.96.134.133 is allowed; other public IP addresses cannot be pinged.
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
Prohibit a MAC address from accessing the Internet:
iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Disable PING from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Disable a service for an IP address:
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Only some services are allowed, and everything else is rejected (2 rules)
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Disable a port service for an IP address
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
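As an added example (not from the original post), a small Python first-match simulator for one chain: it replays the three -I rules for port 80 from the top of this page and the two -A rules just above, showing that inserting puts the ACCEPT rules ahead of the DROP as intended, while appending an ACCEPT before an identically matched DROP leaves the DROP unreachable. Chain names, addresses and ports come from the page; `load_rules`, `verdict` and the sample packets are this example's own.

```python
# Added example, not from the original post: a first-match simulator for a
# single iptables chain, to check how -I (insert at the top) and -A (append
# at the bottom) decide which rule wins. Only the options used on this
# page are parsed: -I/-A CHAIN, -p, -s, -d, --dport, -j.
import ipaddress
import shlex

def load_rules(commands):
    """Apply iptables commands in order and return the resulting chain."""
    chain = []
    for cmd in commands:
        argv = shlex.split(cmd)[1:]                 # drop the "iptables" word
        opts = dict(zip(argv[::2], argv[1::2]))     # e.g. "-s" -> "192.168.1.0/24"
        net = lambda k: ipaddress.ip_network(opts[k], strict=False) if k in opts else None
        rule = {"proto": opts.get("-p"), "src": net("-s"), "dst": net("-d"),
                "dport": int(opts["--dport"]) if "--dport" in opts else None,
                "target": opts["-j"]}
        if "-I" in opts:
            chain.insert(0, rule)   # -I: the newest rule is evaluated FIRST
        else:
            chain.append(rule)      # -A: the newest rule is evaluated LAST
    return chain

def verdict(chain, src, dst, proto, dport, policy="ACCEPT"):
    """The first rule whose specified matches all fit the packet decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["src"] and s not in r["src"]:
            continue
        if r["dst"] and d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy                   # nothing matched: the chain policy applies

# The page's three -I rules for port 80: LAN and one /24 allowed, rest dropped.
PAGE_PORT80 = [
    "iptables -I INPUT -p tcp --dport 80 -j DROP",
    "iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT",
    "iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT",
]
# The page's two -A rules for 10.10.10.253: ACCEPT is appended first, so the
# DROP appended after it sits below an identical match and never fires.
SHADOWED = [
    "iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT",
    "iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP",
]
```

Running `verdict(load_rules(SHADOWED), "10.10.10.253", "1.2.3.4", "tcp", 80)` returns ACCEPT, which is the quickest way to spot a dead DROP before loading a rule set on a live host.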
Disable a port service for a MAC address
iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
Prohibit a MAC address from accessing the Internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP