欢迎光临
嗟嗟嗟~じぇじぇじぇ!~(''jjj'')/

常用iptables设置

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source *.*.*.* #pptp服务器ip
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#Allow DNS
-A OUTPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT

#Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#Allow MySQL
-A INPUT -p tcp --dport 3306 -j ACCEPT

#Allow FTP
-A INPUT -p tcp --dport 21 -j ACCEPT

#Allow Shadowsocks
-A INPUT -p tcp --dport 10000: -j ACCEPT
-A INPUT -p udp --dport 10000: -j ACCEPT

#Allow PPTP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A FORWARD -s 192.168.8.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356

#连接数限制
#-A OUTPUT -p tcp -–sport 10000: -m connlimit –-connlimit-above 5 -j REJECT –-reject-with tcp-reset
# -A INPUT -p tcp --dport 10000: -m connlimit --connlimit-above 5 -j REJECT --reject-with tcp-reset

#-A INPUT -p tcp --dport 10000: -j LOG --log-prefix "iptables"
#-A INPUT -p tcp --dport 10000: -m connlimit --connlimit-above 5 -j LOG --log-prefix "iptables denied: " --log-level 7

#Allow SSH connections
#
#The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#每分钟限制最大连接数为25,当总连接数超过100时,启动 litmit/minute 限制
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

#Log iptables denied calls
-A INPUT -m limit --limit 25/minute --limit-burst 100 -j LOG --log-prefix "iptables denied: " --log-level 7

#Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP

#屏蔽邮箱端口
-A OUTPUT -p tcp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m multiport --dport 993,995,1109,24554,60177,60179 -j REJECT --reject-with tcp-reset
-A OUTPUT -p udp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
-A OUTPUT -p udp -m multiport --dport 993,995,1109,24554,60177,60179 -j DROP

COMMIT

 

赞(0)
未经允许不得转载:嗟嗟嗟 » 常用iptables设置
分享到: 更多 (0)

评论 抢沙发

8 + 5 =
  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址