*nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -s 192.168.8.0/24 -j SNAT --to-source *.*.*.* #pptp服务器ip COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] #Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT -d 127.0.0.0/8 -j REJECT #Allow DNS -A OUTPUT -p udp --sport 53 -j ACCEPT -A INPUT -p udp --dport 53 -j ACCEPT #Accept all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow all outbound traffic - you can modify this to only allow certain traffic -A OUTPUT -j ACCEPT #Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT #Allow MySQL -A INPUT -p tcp --dport 3306 -j ACCEPT #Allow FTP -A INPUT -p tcp --dport 21 -j ACCEPT #Allow Shadowsocks -A INPUT -p tcp --dport 10000: -j ACCEPT -A INPUT -p udp --dport 10000: -j ACCEPT #Allow PPTP -A INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT -A FORWARD -s 192.168.8.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356 #连接数限制 #-A OUTPUT -p tcp -–sport 10000: -m connlimit –-connlimit-above 5 -j REJECT –-reject-with tcp-reset # -A INPUT -p tcp --dport 10000: -m connlimit --connlimit-above 5 -j REJECT --reject-with tcp-reset #-A INPUT -p tcp --dport 10000: -j LOG --log-prefix "iptables" #-A INPUT -p tcp --dport 10000: -m connlimit --connlimit-above 5 -j LOG --log-prefix "iptables denied: " --log-level 7 #Allow SSH connections # #The -dport number should be the same port number you set in sshd_config # -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT #Allow ping -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #每分钟限制最大连接数为25,当总连接数超过100时,启动 litmit/minute 限制 -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT #Log iptables denied calls -A INPUT -m limit --limit 25/minute --limit-burst 100 -j LOG --log-prefix "iptables denied: " --log-level 7 #Drop all other inbound - default deny unless explicitly allowed policy -A INPUT -j DROP #-A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j DROP #屏蔽邮箱端口 -A OUTPUT -p tcp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j REJECT --reject-with tcp-reset -A OUTPUT -p tcp -m multiport --dport 993,995,1109,24554,60177,60179 -j REJECT --reject-with tcp-reset -A OUTPUT -p udp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP -A OUTPUT -p udp -m multiport --dport 993,995,1109,24554,60177,60179 -j DROP COMMIT