Linux的iptables常用配置範例（1）

以下是來自 http://wiki.ubuntu.org.cn/IptablesHowTo 上的配置說明

可以通過/sbin/iptables -F清除所有規則來暫時停止防火牆： (警告：這隻適合在沒有配置防火牆的環境中，如果已經配置過默認規則爲deny的環境，此步驟將使系統的所有網絡訪問中斷)

如果想清空的話，先執行
/sbin/iptables -P INPUT ACCEPT
然後執行
/sbin/iptables -F
通過iptables -L 看到如下信息
Chain INPUT (policy DROP 0 packets, 0 bytes)  （注意 是DROP）
執行/sbin/iptables -F就肯定立馬斷開連接
當執行了
/sbin/iptables -P INPUT ACCEPT
再次通過iptables -L看信息的話就是
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
所以現在是可以安全使用
/sbin/iptables -F了

——————————————————————

常用的IPTABLES規則如下：
只能收發郵件，別的都關閉
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

IPSEC NAT 策略
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.2:4500

FTP服務器的NAT
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:21

只允許訪問指定網址
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

開放一個IP的一些端口，其它都封閉
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

多個端口
iptables -A Filter -p tcp -m multiport –destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

連續端口
iptables -A Filter -p tcp -m multiport –source-port 22,53,80,110 -s 192.168.20.3 -j REJECT iptables -A Filter -p tcp –source-port 2:80 -s 192.168.20.3 -j REJECT

指定時間上網
iptables -A Filter -s 10.10.10.253 -m time –timestart 6:00 –timestop 11:00 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time –timestart 12:00 –timestop 13:00 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time –timestart 17:30 –timestop 8:30 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
禁止多個端口服務
iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

將WAN 口NAT到PC
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT –to-destination 192.168.0.1

將WAN口8000端口NAT到192。168。100。200的80端口
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:80

MAIL服務器要轉的端口
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:25

只允許PING 202。96。134。133,別的服務都禁止
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
禁用BT配置
iptables –A Filter –p tcp --dport 6000:20000 –j DROP
禁用QQ防火牆配置
iptables -A Filter -p udp --dport ! 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP
基於MAC，只能收發郵件，其它都拒絕
iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
禁用MSN配置
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
只允許PING 202。96。134。133 其它公網IP都不許PING
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
禁止某個MAC地址訪問internet:
iptables -I Filter -m mac –mac-source 00:20:18:8F:72:F8 -j DROP
禁止某個IP地址的PING:
iptables –A Filter –p icmp –s 192.168.0.1 –j DROP
禁止某個IP地址服務：
iptables –A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables –A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
只允許某些服務，其他都拒絕(2條規則)
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
禁止某個IP地址的某個端口服務
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
禁止某個MAC地址的某個端口服務
iptables -I Filter -p tcp -m mac –mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
禁止某個MAC地址訪問internet:
iptables -I Filter -m mac –mac-source 00:11:22:33:44:55 -j DROP
禁止某個IP地址的PING:
iptables –A Filter –p icmp –s 192.168.0.1 –j DROP
————————————————————————————————

IPFW 或 Netfilter 的封包流向，local process 不會經過 FORWARD Chain，
因此 lo 只在 INPUT 及 OUTPUT 二個 chain 作用。
樣例1：

#!/bin/sh
#
# 靜態安全防火牆腳本
#
# created by yejr,2007-03-20
#
#
#定義信任IP列表
#內部ip子網
MY_IP_LIST_1=192.168.8.0/24
#外部ip子網
MY_IP_LIST_2=1.2.3.0/24
#所有
ALL_IP=0/0
#北京ADSL動態IP列表
BJADSL_IP_LIST=221.218.0.0/16
#定義端口列表
#涉及ftp端口
FTP_PORT_1=20
FTP_PORT_RANGE=”1023:65535″
FTP_PORT_2=21
#dns端口
DNS_PORT=53
#httpd端口
HTTP_PORT=80
#ssh 端口
SSH_PORT=4321
IPT=”/sbin/iptables”
# 內網
LC_IFACE=”eth1″
LC_ADDR=”192.168.8.2″
# 公網
INET_IFACE=”eth0″
INET_ADDR=”1.2.3.4″
# 本機
LO_IFACE=”lo”
LO_ADDR=127.0.0.1
# 定義接受請求速率限制
MAX_NUM_PACKS=1024
# 核心模塊
/sbin/modprobe ip_tables
# ftp模塊
/sbin/modprobe ip_nat_ftp
# 限速模塊
/sbin/modprobe ip_conntrack
# 重新設置防火牆到默認狀態
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
#$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -X
# 先拒絕所有請求
$IPT -P INPUT DROP
#$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
##########################################
# 設定一些內核參數
##########################################
#啓動 SYN 泛洪保護
echo ”1″ > /proc/sys/net/ipv4/tcp_syncookies
#啓用反向路徑源認證,防止欺騙
echo ”1″ > /proc/sys/net/ipv4/conf/all/rp_filter
#關閉 icom echo 廣播包請求
echo ”1″ > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#拒絕源路由包
echo ”0″ > /proc/sys/net/ipv4/conf/all/accept_source_route
#僅僅接收發給默認網關列表中網關的ICMP重定向消息
echo ”1″ > /proc/sys/net/ipv4/conf/all/secure_redirects
#記錄來自非法ip的請求
echo ”1″ > /proc/sys/net/ipv4/conf/all/log_martians
##########################################
# 建立規則
##########################################
# 無效請求包規則
$IPT -N bad_packets
# 另一個惡意 TCP 包規則
$IPT -N bad_tcp_packets
# ICMP規則(進/出)
$IPT -N icmp_packets
# 來自公網的UDP請求規則
$IPT -N inet_udp_inbound
# 從本機發往公網的UDP請求規則,默認全部允許
$IPT -N udp_outbound
# 來自公網的 TCP 請求規則
$IPT -N inet_tcp_inbound
# 從本機發往公網的 TCP 請求規則,默認全部允許
$IPT -N tcp_outbound
##########################################
# 惡意請求規則
##########################################
# 立刻斷掉非法的包並且記錄
$IPT -A bad_packets -p ALL -m state --state INVALID
-j LOG –log-prefix ”IPTABLES_INVALID_PACKET:”
$IPT -A bad_packets -p ALL -m state --state INVALID
-j DROP
# 再次檢查 TCP 包是否還有問題
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# 都正確了,返回
$IPT -A bad_packets -p ALL -j RETURN
##########################################
# 惡意 TCP 請求
##########################################
#
# 所有的 TCP 請求都必須經過以下規則過濾. 任何新請求都
# 必須以一個 sync 包開始.
# 如果不是這樣的話,很可能表示這是一個掃描動作,這些有
# NEW 狀態的包會被丟棄
#
$IPT -A bad_tcp_packets -p tcp ! –syn -m state --state
NEW -j LOG –log-prefix ”IPTABLES_NEW_NOT_SYN:”
$IPT -A bad_tcp_packets -p tcp ! –syn -m state --state
NEW -j DROP
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL NONE -j
LOG –log-prefix ”IPTABLES_STEALTH_SCAN:”
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL ALL -j
LOG –log-prefix ”IPTABLES_STEALTH_SCAN:”
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL FIN,URG,PSH
-j LOG –log-prefix ”IPTABLES_STEALTH_SCAN:”
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL FIN,URG,PSH
-j DROP
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG
-j LOG –log-prefix ”IPTABLES_STEALTH SCAN:”
$IPT -A bad_tcp_packets -p tcp –tcp-flags ALL
SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp –tcp-flags
SYN,RST SYN,RST -j LOG –log-prefix
“IPTABLES_STEALTH SCAN:”
$IPT -A bad_tcp_packets -p tcp –tcp-flags
SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp –tcp-flags
SYN,FIN SYN,FIN -j LOG –log-prefix
“IPTABLES_STEALTH SCAN:”
$IPT -A bad_tcp_packets -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
# 都沒問題了,返回
$IPT -A bad_tcp_packets -p tcp -j RETURN
##########################################
# ICMP 包規則
##########################################
#
# ICMP 包必須封裝在一個2層的幀中,因此它們不會有碎片.
# 帶有碎片的 ICMP 包通常被
# 標記爲惡意攻擊
#
$IPT -A icmp_packets –fragment -p ICMP -j LOG
–log-prefix ”IPTABLES_ICMP Fragment:”
$IPT -A icmp_packets –fragment -p ICMP -j DROP
#
# 默認地,所有丟棄的 ICMP 包都不記錄日誌. ”衝擊波”
# 以及 ”蠕蟲” 會導致系統發起大量
# ping 請求. 如果想要記錄 icmp log 就不要把本行註釋掉
#
# 允許自有服務器ip及北京地區adsl ip進行 PING
$IPT -A icmp_packets -p ICMP -s $MY_IP_LIST_2 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s $BJADSL_IP_LIST -j ACCEPT
# 拒掉其他 PING
$IPT -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j DROP
# 接受超時 icmp 包
$IPT -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT
##########################################
# TCP & UDP 包規則
##########################################
##########################################
# 來自公網的 UDP 請求
##########################################
#$IPT -A inet_udp_inbound -p UDP
-s $MY_IP_LIST_2 --dport $DNS_PORT -j ACCEPT
# 都沒問題了,返回
$IPT -A inet_udp_inbound -p UDP -j RETURN
##########################################
# 發往公網的 UDP 請求
##########################################
# 都沒問題了,返回
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
##########################################
# 來自公網的 TCP 請求
##########################################
# sshd 只對 北京ADSL IP段開放
$IPT -A inet_tcp_inbound -p TCP
-s $BJADSL_IP_LIST --dport $SSH_PORT -j ACCEPT
# 允許自有服務器 IP 的 FTP 端口請求
# FTP Data fix
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
–sport $FTP_PORT_1 --dport $FTP_PORT_RANGE ! –syn
-m state --state RELATED -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
-m state --state ESTABLISHED -j ACCEPT
$IPT -A inet_tcp_inbound -p UDP -s $MY_IP_LIST_2
--dport $FTP_PORT_RANGE -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
--dport $FTP_PORT_1 ! –syn -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2
--dport $FTP_PORT_2 -j ACCEPT
#允許所有ip訪問 http 服務
$IPT -A inet_tcp_inbound -p TCP -s $ALL_IP
--dport $HTTP_PORT -j ACCEPT
# 都沒問題了,返回
$IPT -A inet_tcp_inbound -p TCP -j RETURN
##########################################
# 發往公網的 TCP 請求
##########################################
# 都沒問題了,返回
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
##########################################
# 其他收到的請求
##########################################
# 允許本機及本子網間的任何通信
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -d $LC_ADDR -j ACCEPT
# 來自信任ip的任何請求都接受
$IPT -A INPUT -p ALL -s $MY_IP_LIST_1 -j ACCEPT
$IPT -A INPUT -p ALL -s $MY_IP_LIST_2 -j ACCEPT
# 丟棄任何錯誤包
$IPT -A INPUT -p ALL -j bad_packets
# 拒掉 DOCSIS 請求
$IPT -A INPUT -p ALL -d 224.0.0.1 -j REJECT
# 接受 Established 連接
$IPT -A INPUT -p ALL -i $INET_IFACE -m state
--state ESTABLISHED,RELATED -j ACCEPT
# 定義上面的幾條路由規則
$IPT -A INPUT -p TCP -d $INET_ADDR -j inet_tcp_inbound
$IPT -A INPUT -p UDP -d $INET_ADDR -j inet_udp_inbound
$IPT -A INPUT -p ICMP -d $INET_ADDR -j icmp_packets
# 丟棄且不記錄廣播包
$IPT -A INPUT -m pkttype –pkt-type broadcast -j REJECT
# 記錄其他未匹配到的包
$IPT -A INPUT -m limit –limit $MAX_NUM_PACKS/minute
–limit-burst $MAX_NUM_PACKS -j LOG –log-prefix
“IPTABLES_MISS_MATCH_INPUT:”
##########################################
# 其他發出的請求
##########################################
# 無論如何都丟棄錯誤的 ICMP 包,防止溢出
$IPT -A OUTPUT -m state -p icmp --state INVALID
-j REJECT
# 允許對外的任何請求
$IPT -A OUTPUT -p ALL -s $ALL_IP -j ACCEPT
# 記錄其他未匹配到的包
$IPT -A OUTPUT -m limit –limit $MAX_NUM_PACKS/minute
–limit-burst $MAX_NUM_PACKS -j LOG –log-prefix
“IPTABLES_MISS_MATCH_OUTPUT: ”
——————————————
我的樣例：
——————————————

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.6.x and iptables
#
# Copyright (C) 2006  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#
###########################################################################
#
# 1. Configuration options.
#
#
# 1.1 Internet Configuration.
#
INET_IP=”1.2.3.4″
INET_IP_1=”1.2.3.5″
INET_IFACE=”eth0″
INET_BROADCAST=”1.2.3.127″
#
# 1.1.1 DHCP
#
#
# 1.1.2 PPPoE
# 1.2 Local Area Network configuration.
#
# your LAN’s IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP=”192.168.0.33″
LAN_IP_RANGE=”192.168.0.0/24″
LAN_IFACE=”eth1″
#
# 1.3 DMZ Configuration.
#
#
# 1.4 Localhost Configuration.
#
LO_IFACE=”lo”
LO_IP=”127.0.0.1″
#
# 1.5 IPTables Configuration.
#
IPTABLES=”/sbin/iptables”
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
#echo ”1″ > /proc/sys/net/ipv4/ip_forward
echo ”1″ > /proc/sys/net/ipv4/tcp_syncookies
echo ”1″ > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# 3.2 Non-Required proc configuration
#
#echo ”1″ > /proc/sys/net/ipv4/conf/all/rp_filter
#echo ”1″ > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo ”1″ > /proc/sys/net/ipv4/ip_dynaddr
#echo ”1″ > /proc/sys/net/ipv4/tcp_syncookies
#啓用反向路徑源認證,防止欺騙
#echo ”1″ > /proc/sys/net/ipv4/conf/all/rp_filter
#關閉 icom echo 廣播包請求
#echo ”1″ > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#拒絕源路由包
#echo ”0″ > /proc/sys/net/ipv4/conf/all/accept_source_route
#僅僅接收發給默認網關列表中網關的ICMP重定向消息
#echo ”1″ > /proc/sys/net/ipv4/conf/all/secure_redirects
#記錄來自非法ip的請求
#echo ”1″ > /proc/sys/net/ipv4/conf/all/log_martians
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
#
# 4.1.1 Set policies
#
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create userspecified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in userspecified chains
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT –reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state --state NEW -j LOG –log-prefix ”New not syn:”
#$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state --state NEW -j DROP
#$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG –log-prefix ”IPTABLES_INVALID_PACKET:”
#$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP –syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30000 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10050 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10051 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 110 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2009 -j allowed
#
# UDP ports
#
#$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 123 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 2074 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST –destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 –destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don’t want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
#$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 –sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP_1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP_1 -j ACCEPT
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don’t match the above.
#
$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix ”IPT INPUT packet died: ”
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don’t want
#
#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
#$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don’t match the above.
#$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix ”IPT FORWARD packet died: ”
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don’t want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP’s to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP_1 -j ACCEPT
#
# Log weird packets that don’t match the above.
#
#$IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG –log-level DEBUG –log-prefix ”IPT OUTPUT packet died: ”
######
# 4.2 nat table
#
#
# 4.2.1 Set policies
#
#
# 4.2.2 Create user specified chains
#
#
# 4.2.3 Create content in user specified chains
#
#
# 4.2.4 PREROUTING chain
#
#
# 4.2.5 POSTROUTING chain
#
#
# Enable simple IP Forwarding and Network Address Translation
#
#$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
#
# 4.3.1 Set policies
#
#
# 4.3.2 Create user specified chains
#
#
# 4.3.3 Create content in user specified chains
#
#
# 4.3.4 PREROUTING chain
#
#
# 4.3.5 INPUT chain
#
#
# 4.3.6 FORWARD chain
#
#
# 4.3.7 OUTPUT chain
#
#
# 4.3.8 POSTROUTING chain
#
------------------------------------


永久鏈接 : http://www.ha97.com/3928.html