Shulou (Shulou.com), SLTechnology News&Howtos > Servers. Report dated 05/31; updated 2025-01-18.
This article explains how iptables on RHEL can restrict a port so that only certain IP addresses may reach it, and how to restrict a host to a specific website. The content is detailed; interested readers can use it for reference, and I hope it is helpful.
1. Back up the current rules first

# cp /etc/sysconfig/iptables /var/tmp

Port 80 needs to be opened only for a specified IP segment and for the LAN. The following three lines mean:

Close port 80 for everyone first.
Open port 80 for the 192.168.1.0/24 segment.
Open port 80 for the 211.123.16.0/24 segment (the rule writes the host address 211.123.16.123/24; iptables stores it as the network address 211.123.16.0/24).

# iptables -I INPUT -p tcp --dport 80 -j DROP
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT

The order matters: -I inserts at the head of the INPUT chain, so the DROP is added first and each ACCEPT inserted afterwards ends up above it. Packets from the two segments hit an ACCEPT before they reach the DROP; everyone else hits the DROP. List the INPUT chain afterwards and confirm that both ACCEPT rules appear before the DROP.

These settings are temporary: they exist only in the running kernel and are lost on reboot.

2. Then save the rules (writing them back to /etc/sysconfig/iptables, the file backed up in step 1) so they are restored at boot.
For more details, please refer to http://www.weiruoyu.cn/?p=530
The following is reproduced from another source:
The same pattern for another port: block it for everyone, then open it for some IPs.

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If this host does NAT forwarding for a LAN, remember that the INPUT chain only sees traffic addressed to the host itself; traffic it routes for other machines goes through the FORWARD chain, so the matching pair is needed there too:

iptables -I FORWARD -p tcp --dport 80 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
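The procedure from the first section (back up, insert the DROP and then the ACCEPT rules with -I, check the chain, save) together with the INPUT/FORWARD pair above, as one script. This is an added example written for this page, not code from the article or from Red Hat. It assumes a RHEL 6 style host where /etc/sysconfig/iptables holds the saved rules and "service iptables save" persists them (the iptables-services package provides the same on RHEL 7), and that it runs as root when APPLY=1. The function names run, allow_port_from and expected_rules and the DRY_RUN/APPLY switches are mine.

```shell
#!/bin/sh
# Added example for this page (not code from the article or from Red Hat):
# allow-list one TCP port for a few source networks on a RHEL 6 style
# iptables host, verify the chain order, then persist the rules.
# Assumptions: saved rules live in /etc/sysconfig/iptables, "service
# iptables save" writes them (iptables-services on RHEL 7), root when APPLY=1.
set -eu

# DRY_RUN=1 prints the iptables commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# allow_port_from CHAIN PORT NET...
# Block PORT for everyone, then open it for each NET.  -I inserts at the
# head of CHAIN, so the DROP must go in first: every ACCEPT inserted after
# it lands above it and is evaluated first.  CHAIN is INPUT for traffic to
# this host, FORWARD for traffic the host routes or NATs for a LAN.
allow_port_from() {
    chain="$1"; port="$2"; shift 2
    run -I "$chain" -p tcp --dport "$port" -j DROP
    for net in "$@"; do
        run -I "$chain" -s "$net" -p tcp --dport "$port" -j ACCEPT
    done
}

# expected_rules CHAIN PORT NET...
# The rules in the order "iptables -S CHAIN" should list them afterwards:
# the reverse of the apply order, in the "-p tcp -m tcp --dport" form that
# iptables uses when it prints a tcp port match.
expected_rules() {
    chain="$1"; port="$2"; shift 2
    out=""
    for net in "$@"; do
        out="-A $chain -s $net -p tcp -m tcp --dport $port -j ACCEPT
$out"
    done
    printf '%s-A %s -p tcp -m tcp --dport %s -j DROP\n' "$out" "$chain" "$port"
}

# The two networks from the article.  211.123.16.123/24 is written as its
# network address because iptables stores and prints it as 211.123.16.0/24.
NETS="192.168.1.0/24 211.123.16.0/24"

if [ "$DRY_RUN" = 1 ]; then
    allow_port_from INPUT 80 $NETS
elif [ "${APPLY:-0}" = 1 ]; then
    cp /etc/sysconfig/iptables "/var/tmp/iptables.bak.$$"
    allow_port_from INPUT 80 $NETS
    want="$(mktemp)"
    expected_rules INPUT 80 $NETS > "$want"
    # Compare this port's rules, as the kernel now holds them, with the plan;
    # any pre-existing port-80 rule shows up as a difference.
    if iptables -S INPUT | grep -F -- "--dport 80 " | diff -u "$want" -; then
        service iptables save
    else
        echo "INPUT chain does not match the expected order; not saving" >&2
    fi
    rm -f "$want"
fi
```

Run it as DRY_RUN=1 sh allowlist.sh to preview the commands, or APPLY=1 sh allowlist.sh to apply them; it refuses to save when the kernel's INPUT chain does not match the expected order, which is what happens when a port-80 rule already existed before the script ran.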
Common iptables rules are as follows. In these examples Filter and PFWanPriv are user-defined chains (created with -N and reached by a jump from INPUT or FORWARD), not the built-in filter table.

A host identified by MAC address may only send and receive e-mail (plus DNS); everything else is dropped. The rules are inserted with -I, so the DROP goes in first and the ACCEPT rules land above it:

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

A source MAC address is only visible on the directly attached segment and is trivial to change on the client, so MAC-based rules are a convenience control, not a strong one.
IPsec/PPTP VPN NAT policy (PPTP on 1723, IPsec on UDP 500 and 4500), forwarding to a VPN server behind the firewall:

iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2

$INTERNET_ADDR is the firewall's public address. PPTP also carries its tunnel in GRE (IP protocol 47), which these TCP/UDP rules do not forward; without a GRE rule and the PPTP connection-tracking helper the tunnel will not come up.
NAT for an FTP server:

iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200

Only the control connection is forwarded here. FTP data connections use separately negotiated ports, so the FTP connection-tracking and NAT helper modules (nf_conntrack_ftp and nf_nat_ftp) must be loaded for transfers to work through the DNAT.
Only access to the specified sites is allowed:

iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

A hostname given to -d is resolved once, when the rule is loaded, and expands into one rule per address returned; the kernel then filters on those IP addresses, not on the URL. If the site's addresses change, or other sites share an address, the rule set will not reflect it, and the rules fail to load when the name cannot be resolved.
Open some ports for one IP address; everything else is closed:

iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP
Multiple ports in one rule (the multiport match takes up to 15 comma-separated ports):

iptables -A Filter -p tcp -m multiport --dports 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp -m multiport --sports 22,53,80,110 -s 192.168.20.3 -j REJECT

A continuous port range uses the low:high form of the tcp match:

iptables -A Filter -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT
Restrict Internet use to certain times:

iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

The --days option belongs to the old ipt_time match; the xt_time match in current kernels spells it --weekdays and, unless --kerneltz is given, compares against UTC rather than local time. A stop time earlier than the start time (17:30 to 8:30) means the range spans midnight.
Match several port services in one rule (the target here is ACCEPT; use DROP to disable them):

iptables -A Filter -m multiport -p tcp --dports 21,23,80 -j ACCEPT
NAT everything arriving on the WAN interface to one PC:

iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1

(-i, lower case, selects the incoming interface; the original's upper-case -I is the insert command and would not be accepted here.)
NAT WAN port 8000 to port 80 of 192.168.100.200:

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80

Without the :80 suffix DNAT keeps the original destination port, so the connection would arrive at port 8000 on the internal host instead of its web server.
Ports forwarded to the mail server:

iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200
Only pinging 202.96.134.133 is allowed; all other services are prohibited:

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Block BitTorrent (by port range):

iptables -A Filter -p tcp --dport 6000:20000 -j DROP
Block QQ:

iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP

Note that the first rule drops all UDP except DNS, not just QQ traffic; anything else that relies on UDP (NTP, VoIP) is blocked as well.
Based on MAC address, only sending and receiving e-mail is allowed; everything else is rejected:

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT

Unlike the earlier MAC example, this set does not allow DNS, so the mail client must reach its servers by IP address or resolve names through some other path.
Block MSN:

iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Only pinging 202.96.134.133 is allowed; pinging any other public IP is not:

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
Block a MAC address from accessing the Internet:

iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Block ping from an IP address:

iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Block particular services for an IP address:

iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Only some services are allowed, everything else is denied (2 rules):

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Block one port for a certain IP address:

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP

The original listing appended an ACCEPT with the same match before this DROP. iptables stops at the first matching terminating rule, so that ACCEPT wins and the DROP can never match; only the DROP is needed.
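A check for the shadowing mistake just described: report rules that can never match because an earlier rule in the same chain has the identical match and a terminating target. This is an added example written for this page, not code from the article; it reads an iptables-save dump on standard input, and the function name shadowed_rules and the constructed sample dump SAMPLE_DUMP are mine.

```shell
#!/bin/sh
# Added example for this page (not code from the article): report rules in
# an iptables-save dump that can never match because an earlier rule in the
# same chain has the identical match and a terminating target.  iptables
# stops at the first matching terminating rule, so the later one is dead.
# Reads the dump from standard input:  iptables-save | shadowed_rules
set -eu

shadowed_rules() {
    awk '
    # Rule lines look like: -A CHAIN <matches> -j TARGET [target options]
    /^-A / {
        line = $0
        target = ""
        if (match(line, / -j [^ ]+/))
            target = substr(line, RSTART + 4, RLENGTH - 4)
        key = line
        sub(/ -j .*$/, "", key)       # chain plus match part only
        if (key in first)
            printf "line %d shadowed by line %d: %s\n", NR, first[key], line
        else if (target == "ACCEPT" || target == "DROP" || target == "REJECT")
            first[key] = NR           # first terminating rule for this match
    }'
}

# Constructed sample in iptables-save format, reproducing the ACCEPT/DROP
# pair from the listing above plus a LOG rule that is dead for the same
# reason and a port-443 rule that is not.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:Filter - [0:0]
-A INPUT -j Filter
-A Filter -s 10.10.10.253/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A Filter -s 10.10.10.253/32 -p tcp -m tcp --dport 80 -j DROP
-A Filter -s 10.10.10.253/32 -p tcp -m tcp --dport 80 -j LOG --log-prefix "web "
-A Filter -s 10.10.10.253/32 -p tcp -m tcp --dport 443 -j DROP
COMMIT'

# Usage: printf "%s\n" "$SAMPLE_DUMP" | shadowed_rules
```

Because iptables-save prints each rule's matches in a fixed order, identical matches compare equal as plain strings. The check does not see a rule covered by a broader earlier one (a /24 above a single host), and it treats every target other than ACCEPT, DROP and REJECT (LOG, MARK, jumps to user chains) as non-terminating, so a LOG rule above an identical DROP is correctly left alone.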
Block one port for a certain MAC address:

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
Block a MAC address from accessing the Internet (placeholder address):

iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
That covers how iptables on RHEL can allow only a limited set of IP addresses to reach a port or a specific website. I hope the above is helpful; if you found the article useful, share it so that more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.