
How to make an iptables firewall allow only specified IPs to connect to specified ports and reach specified websites

2025-04-07 Update, from SLTechnology News&Howtos > Servers

Shulou (Shulou.com) 06/01 Report

This article covers how to make an iptables firewall allow only specified IPs to connect to specified ports and reach specified websites. Many people run into exactly this requirement in practice, so the rules below walk through how to handle it. Read them carefully and you should be able to apply them yourself.

Goal: open port 80 only to a specified public IP range and to the LAN.

The three commands below do the following, in order:

First, drop all traffic to port 80.

Then open port 80 to the 192.168.1.0/24 range.

Then open port 80 to the 211.123.16.123/24 range.

Each command uses -I, which inserts at the top of the INPUT chain, so the DROP must be issued first: the two ACCEPT rules inserted afterwards then sit above it and are matched first.

# iptables -I INPUT -p tcp --dport 80 -j DROP

# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

# iptables -I INPUT -s 211.123.16.123/24 -p tcp --dport 80 -j ACCEPT

The rules above take effect immediately but live only in kernel memory and are lost on reboot; to keep them, save them as follows.
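As an added example (not code from the original article), the script below generates the "block a port, then allow it for chosen source ranges" rule set in the order it must be issued, and validates the port and CIDR arguments first, so the mangled forms that appear in copied articles ("192.168.1.0 24", "x.x.x.x max 24") are rejected before any rule reaches the kernel. It assumes the INPUT chain, that iptables is in PATH, and a DRY_RUN variable (an assumption of this example, default 1) that prints commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original article: emit the "block a port, then
# allow it for chosen source ranges" rule set in the order it must be run, and
# reject malformed arguments before anything reaches iptables.
# Assumptions: the chain is INPUT, iptables is in PATH, and DRY_RUN (default 1)
# decides whether generated commands are printed or executed.

# valid_cidr A.B.C.D/N -> exit 0 when every octet is 0-255 and N is 0-32.
valid_cidr() {
    ip=${1%/*}
    bits=${1#*/}
    [ "$ip" != "$1" ] || return 1                   # no "/" at all
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac   # prefix length not numeric
    [ "$bits" -le 32 ] || return 1
    n=0
    oldifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# port_allowlist_rules PORT CIDR... -> prints one iptables command per line.
# Every command uses -I (insert at the top of the chain), so the DROP is
# issued first and each ACCEPT issued after it lands above the DROP; issuing
# them in any other order leaves the DROP shadowing the ACCEPTs.
port_allowlist_rules() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "bad port: $port" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no source ranges given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad CIDR: '$cidr'" >&2; return 1; }
    done
    echo "iptables -I INPUT -p tcp --dport $port -j DROP"
    for cidr in "$@"; do
        echo "iptables -I INPUT -s $cidr -p tcp --dport $port -j ACCEPT"
    done
}

# apply_rules: read generated commands from stdin; print them when DRY_RUN=1
# (the default, so this file is safe to run as-is), execute them otherwise.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        cat
    else
        while IFS= read -r cmd; do
            sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        done
    fi
}

# Demo with the two ranges from the article (constructed input, dry mode).
port_allowlist_rules 80 192.168.1.0/24 211.123.16.123/24 | apply_rules
```

Run it as root with DRY_RUN=0 to actually load the rules; the generated commands are exactly the three from the article, and because validation happens before the first iptables call, a bad argument cannot leave the chain half-built with the DROP in place and the ACCEPTs missing.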

1. Back up the current iptables file first

# cp /etc/sysconfig/iptables /var/tmp

2. Then save the running rules

# service iptables save

3. Restart the firewall

# service iptables restart

The same pattern works for any other port: block it for everyone first, then open it for specific IP ranges.

iptables -I INPUT -p tcp --dport 9889 -j DROP

iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 9889 -j ACCEPT

If this host also does NAT forwarding for other machines, add the matching rules to the FORWARD chain as well; INPUT only covers traffic addressed to the host itself, so forwarded traffic would otherwise be unaffected.

iptables -I FORWARD -p tcp --dport 80 -j DROP

iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

Common iptables rules follow. Note that Filter and PFWanPriv are chain names from the author's own setup, not built-in chains; on a plain Linux host use INPUT or FORWARD instead, or create the chains first with iptables -N.

This MAC address may only send and receive email; everything else is blocked.

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT

iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

IPsec (and PPTP) NAT rules

iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80

iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723

iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723

iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2

iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2

NAT for the FTP server

iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200

Only access to the specified websites is allowed. DNS is permitted first so that clients can still resolve names. Note that iptables resolves a hostname given with -d once, when the rule is added, so the rule matches only the addresses returned at that moment; if the site's address changes, the rule has to be re-added.

iptables -A Filter -p udp --dport 53 -j ACCEPT

iptables -A Filter -p tcp --dport 53 -j ACCEPT

iptables -A Filter -d www.3322.org -j ACCEPT

iptables -A Filter -d img.cn99.com -j ACCEPT

iptables -A Filter -j DROP

Open some ports for one IP address; everything else is closed.

iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT

iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT

iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT

iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT

iptables -A Filter -p tcp --dport 53 -j ACCEPT

iptables -A Filter -p udp --dport 53 -j ACCEPT

iptables -A Filter -j DROP

Multiple ports in one rule (multiport match)

iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

A contiguous port range

iptables -A Filter -p tcp -m multiport --source-port 22,53,80,110 -s 192.168.20.3 -j REJECT

iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

Restrict Internet access to certain hours. These rules use the older time match syntax; on current kernels the day-of-week option is spelled --weekdays rather than --days.

iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP

iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

Disable several port services at once (the rule as written accepts these ports; use -j DROP to actually disable them)

iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

NAT everything arriving on the WAN interface to one PC

iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1

NAT WAN port 8000 to port 80 of 192.168.100.200. To rewrite the port as well as the address, the target must be written 192.168.100.200:80; without the :80 suffix, DNAT keeps the original port 8000.

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200

Ports forwarded to the mail server

iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200

iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200

Only pinging 202.96.134.133 is allowed; all other services are blocked

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT

iptables -A Filter -j DROP

Block BitTorrent

iptables -A Filter -p tcp --dport 6000:20000 -j DROP

Block QQ

iptables -A Filter -p udp ! --dport 53 -j DROP

iptables -A Filter -d 218.17.209.0/24 -j DROP

iptables -A Filter -d 218.18.95.0/24 -j DROP

iptables -A Filter -d 219.133.40.177 -j DROP

By MAC address: only sending and receiving email is allowed; everything else is rejected.

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT

iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT

Block MSN

iptables -A Filter -p udp --dport 9 -j DROP

iptables -A Filter -p tcp --dport 1863 -j DROP

iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP

iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

Only pinging 202.96.134.133 is allowed; pinging any other public IP is not

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT

iptables -A Filter -p icmp -j DROP

Block a MAC address from accessing the Internet:

iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP

Block ping from an IP address:

iptables -A Filter -p icmp -s 192.168.0.1 -j DROP

Block particular services for an IP address:

iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP

iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP

Allow only some services and deny the rest (two rules)

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT

iptables -A Filter -j DROP

Disable a port service for a certain IP address. Note that -A appends, so the ACCEPT below is placed above the DROP and wins; if the intent is to block the port, only the DROP line is needed.

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
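Because iptables stops at the first matching rule, ordering mistakes like the ACCEPT/DROP pair above are easy to make and hard to spot by eye. The following is an added example, not code from the original article: a small first-match evaluator that walks a rule list top to bottom the way the kernel does and reports the verdict for a given packet. It assumes a simplified rule format of its own ("proto src dport target", where "*" is a wildcard and src may be an IP or a CIDR) and a chain policy of DROP; the two rule sets embedded in it are constructed from the article's port-80 allowlist and the ACCEPT/DROP pair above.

```shell
#!/bin/sh
# Added example, not from the original article: a tiny first-match-wins
# evaluator for INPUT-style rules, to check what a chain will do to a packet
# before loading it.  Assumptions: rules arrive on stdin as
# "proto src dport target" ("*" = wildcard, src = IP or CIDR), policy DROP.

ip2int() {                      # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                     # in_cidr IP CIDR-or-IP -> exit 0 when IP is inside
    net=${2%/*}; bits=${2#*/}
    [ "$net" != "$2" ] || bits=32               # bare IP means /32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict PROTO SRC DPORT (rules on stdin): walk the rules top to bottom once,
# like the kernel, and print the target of the first rule that matches.
verdict() {
    proto=$1; src=$2; dport=$3
    while read -r r_proto r_src r_dport r_target; do
        case "$r_proto" in ''|'#'*) continue ;; esac      # skip blanks/comments
        [ "$r_proto" = "*" ] || [ "$r_proto" = "$proto" ] || continue
        [ "$r_src"   = "*" ] || in_cidr "$src" "$r_src"   || continue
        [ "$r_dport" = "*" ] || [ "$r_dport" = "$dport" ] || continue
        echo "$r_target"
        return 0
    done
    echo DROP                    # nothing matched: chain policy (assumed DROP)
}

# Constructed rule sets.  First: the article's port-80 allowlist as it ends
# up in the chain after the three -I commands (the last one inserted is on top).
PORT80_RULES='tcp 211.123.16.123/24 80 ACCEPT
tcp 192.168.1.0/24 80 ACCEPT
tcp * 80 DROP'

# Second: the ACCEPT-then-DROP pair appended with -A in that order.
SHADOWED_RULES='tcp 10.10.10.253 80 ACCEPT
tcp 10.10.10.253 80 DROP'

check() {  # check NAME EXPECTED PROTO SRC DPORT (rules on stdin)
    got=$(verdict "$3" "$4" "$5")
    [ "$got" = "$2" ] && echo "$1: $got (ok)" || echo "$1: $got, expected $2"
}

printf '%s\n' "$PORT80_RULES"   | check "LAN host to :80"          ACCEPT tcp 192.168.1.7 80
printf '%s\n' "$PORT80_RULES"   | check "stranger to :80"          DROP   tcp 8.8.8.8 80
printf '%s\n' "$SHADOWED_RULES" | check "ACCEPT appended first"    ACCEPT tcp 10.10.10.253 80
```

The third check is the point: with the ACCEPT appended before the DROP, 10.10.10.253 still reaches port 80, which is the opposite of what the heading intends. Swapping the two lines, or dropping the ACCEPT, is what makes the DROP effective.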

Disable a port service for a certain MAC address

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP

Block another MAC address from accessing the Internet:

iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP


That concludes the material on how to make an iptables firewall allow only specified IPs to connect to specified ports and reach specified websites. Thank you for reading.
