1. Back up the current rule set first:

   # cp /etc/sysconfig/iptables /var/tmp

   Port 80 must be reachable only from the address ranges below. First drop all traffic to port 80, then allow the 192.168.1.0/24 and 211.123.16.123/24 ranges. Because -I inserts at the top of the chain, each later ACCEPT lands above the DROP:

   # iptables -I INPUT -p tcp --dport 80 -j DROP
   # iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
   # iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT

   These rules take effect immediately but are not persistent until saved.

2. Save the rules:

   # service iptables save

3. Restart the firewall:

   # service iptables restart

=======================================================================

Closing a port completely, then opening it to selected IPs:

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If the host is used for NAT forwarding, the same pair must also be applied to the FORWARD chain for the rules to take effect:

iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

Further iptables rules

Only e-mail may be sent and received; everything else from this MAC address is dropped:

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

IPsec NAT policy:

iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500

NAT for an FTP server:

iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21

Allow access only to specified sites:

iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

Open a few ports for one IP, close everything else:

iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

Multiple destination ports in one rule:

iptables -A Filter -p tcp -m multiport --destination-port 80,110 -s 192.168.20.3 -j REJECT

A list of source ports, and a contiguous source-port range:

iptables -A Filter -p tcp -m multiport --source-port 80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

Internet access only at specified times:

iptables -A Filter -s 10.10.253 -m time --timestart --timestop --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

Matching several service ports in one rule:

iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

NAT the WAN port to a PC:

iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1

NAT port 8000 of the WAN port to port 80 of 192.168.100.200, and forward the mail ports:

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25

Only PING to 202.96.134.133 is allowed; all other services are disabled:

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.20 -j ACCEPT
iptables -A Filter -j DROP

Disable BT:

iptables -A Filter -p tcp --dport 6000:20000 -j DROP

Disable QQ:

iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP

MAC-based: only e-mail may be sent and received, everything else is rejected:

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT

Disable MSN:

iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

Only PING to 202.96.134.133 is allowed; PING to other public IP addresses is not:

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.127 -j ACCEPT
iptables -A Filter -p icmp -j DROP

Prohibit a MAC address from accessing the internet:

iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP

Disable PING from an IP address:

iptables -A Filter -p icmp -s 192.168.0.1 -j DROP

Disable a service for an IP address:

iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP

Allow only some services, reject everything else (two rules):

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP

Disable a port service:

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP

Disable a port service for a MAC address:

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP

Prohibit another MAC address from accessing the internet:

iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
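The port-80 allow-list at the top of this page only works because every rule is issued with -I, which puts each new rule at position 1 so the later ACCEPT rules end up above the DROP; the kernel stops at the first matching rule. The following first-match simulator is an added example, not part of the original page or of iptables itself. It parses only the handful of options the page's INPUT commands use (-I/-A, -p, --dport, -s, -j), replays them into an empty chain, and shows that the same three commands issued with -A instead of -I would leave the ACCEPT rules shadowed behind the DROP. The sample packet addresses (192.168.1.77, 211.123.16.5, 10.0.0.9) are constructed for the demonstration.

```python
"""First-match simulation of the page's INPUT-chain commands (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    proto: Optional[str] = None      # "tcp", "udp", or None for any protocol
    dport: Optional[int] = None      # destination port, or None for any port
    src: Optional[str] = None        # source network in CIDR form, or None for any

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None:
            # strict=False masks host bits, so 211.123.16.123/24 behaves as
            # 211.123.16.0/24, the same way iptables treats that argument.
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def build_chain(commands: List[str]) -> List[Rule]:
    """Replay 'iptables -I|-A INPUT ...' commands into an empty chain.

    -I inserts at rule position 1 (top of chain); -A appends at the end,
    exactly as iptables does. Every option used here takes one value.
    """
    chain: List[Rule] = []
    for cmd in commands:
        tokens = cmd.split()[1:]            # drop the leading "iptables"
        rule = Rule(target="")
        action = "-A"
        for opt, val in zip(tokens[0::2], tokens[1::2]):
            if opt in ("-I", "-A"):
                action = opt                # val is the chain name, ignored here
            elif opt == "-p":
                rule.proto = val
            elif opt == "--dport":
                rule.dport = int(val)
            elif opt == "-s":
                rule.src = val
            elif opt == "-j":
                rule.target = val
        if action == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def evaluate(chain: List[Rule], src_ip: str, proto: str, dport: int,
             policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom and return the first matching target."""
    for rule in chain:
        if rule.matches(src_ip, proto, dport):
            return rule.target
    return policy                           # no rule matched: chain policy applies


# The page's three port-80 commands, in the order the page gives them.
PORT80_COMMANDS = [
    "iptables -I INPUT -p tcp --dport 80 -j DROP",
    "iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT",
    "iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT",
]

# Constructed sample packets: (source IP, protocol, destination port).
SAMPLE_PACKETS = [
    ("192.168.1.77", "tcp", 80),    # inside the first allowed range
    ("211.123.16.5", "tcp", 80),    # inside the second allowed range
    ("10.0.0.9", "tcp", 80),        # outside both ranges
    ("10.0.0.9", "tcp", 22),        # not port 80: no rule applies
]


def verdicts_with_insert() -> Tuple[str, ...]:
    """Verdicts when the commands are issued with -I, as on the page."""
    chain = build_chain(PORT80_COMMANDS)
    return tuple(evaluate(chain, *pkt) for pkt in SAMPLE_PACKETS)


def verdicts_with_append() -> Tuple[str, ...]:
    """Verdicts if the same commands were issued with -A: the DROP comes first."""
    chain = build_chain([c.replace(" -I ", " -A ") for c in PORT80_COMMANDS])
    return tuple(evaluate(chain, *pkt) for pkt in SAMPLE_PACKETS)


if __name__ == "__main__":
    print("with -I:", verdicts_with_insert())   # allowed ranges reach port 80
    print("with -A:", verdicts_with_append())   # every port-80 packet is dropped
```

With -I the two allowed ranges get ACCEPT and every other source gets DROP on port 80; with -A the DROP is evaluated first and the ACCEPT rules are never reached, which is the shadowing mistake the page's ordering avoids. The same check is worth running against a saved rule file before restoring it, since `iptables-save` output lists rules in chain order rather than in the order they were entered.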