In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-07 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Share
Shulou(Shulou.com)06/01 Report--
This article introduces the relevant knowledge of "how to achieve the iptables firewall only allows the designated ip connection to the designated port and access to the designated website". In the operation of the actual case, many people will encounter this dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!
Need to open 80 ports, specify IP and LAN
The following three lines mean:
Close all ports 80 first.
Open the 80 ports of the 192.168.1.0 / 24 end of the ip segment
Open 80 ports of ip segment at the end of 211.123.16.123 / 24 of ip segment
# iptables-I INPUT-p tcp-- dport 80-j DROP
# iptables-I INPUT-s 192.168.1.0 24-p tcp-- dport 80-j ACCEPT
# iptables-I INPUT-s 211.123.16.123 max 24-p tcp-- dport 80-j ACCEPT
The above are temporary settings.
1. Back up iptables first
# cp / etc/sysconfig/iptables / var/tmp
two。 Then save the iptables
# service iptables save
3. Restart the firewall
# service iptables restart
Here are the ports. Seal them all and then open some IP.
Iptables-I INPUT-p tcp-- dport 9889-j DROP
Iptables-I INPUT-s 192.168.1.0 INPUT 24-p tcp-- dport 9889-j ACCEPT
If NAT forwarding is used, remember to cooperate with the following to take effect.
Iptables-I FORWARD-p tcp-- dport 80-j DROP
Iptables-I FORWARD-s 192.168.1.0 FORWARD 24-p tcp-- dport 80-j ACCEPT
The common IPTABLES rules are as follows:
Can only send and receive email, everything else is closed.
Iptables-I Filter-m mac--mac-source 00:0F:EA:25:51:37-j DROP
Iptables-I Filter-m mac--mac-source 00:0F:EA:25:51:37-p udp-- dport 53-j ACCEPT
Iptables-I Filter-m mac--mac-source 00:0F:EA:25:51:37-p tcp-- dport 25-j ACCEPT
Iptables-I Filter-m mac--mac-source 00:0F:EA:25:51:37-p tcp-- dport 110j ACCEPT
IPSEC NAT strategy
Iptables-I PFWanPriv-d 192.168.100.2-j ACCEPT
Iptables-t nat-A PREROUTING-p tcp-- dport 80-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.2 PREROUTING 80
Iptables-t nat-A PREROUTING-p tcp-- dport 1723-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.2 PREROUTING 1723
Iptables-t nat-A PREROUTING-p udp-- dport 1723-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.2 PREROUTING 1723
Iptables-t nat-A PREROUTING-p udp-- dport 500-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.2
Iptables-t nat-A PREROUTING-p udp-- dport 4500-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.2
NAT of the FTP server
Iptables-I PFWanPriv-p tcp-- dport 21-d 192.168.100.200-j ACCEPT
Iptables-t nat-A PREROUTING-p tcp-- dport 21-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.200
Only access to the specified URL is allowed
Iptables-A Filter-p udp-- dport 53-j ACCEPT
Iptables-A Filter-p tcp-- dport 53-j ACCEPT
Iptables-A Filter-d www.3322.org-j ACCEPT
Iptables-A Filter-d img.cn99.com-j ACCEPT
Iptables-A Filter-j DROP
Open some ports of an IP, others are closed
Iptables-A Filter-p tcp-- dport 80-s 192.168.100.200-d www.pconline.com.cn-j ACCEPT
Iptables-A Filter-p tcp-- dport 25-s 192.168.100.200-j ACCEPT
Iptables-A Filter-p tcp-- dport 109-s 192.168.100.200-j ACCEPT
Iptables-A Filter-p tcp-- dport 110-s 192.168.100.200-j ACCEPT
Iptables-A Filter-p tcp-- dport 53-j ACCEPT
Iptables-A Filter-p udp-- dport 53-j ACCEPT
Iptables-A Filter-j DROP
Multiple port
Iptables-A Filter-p tcp-m multiport-- destination-port 22, 53 REJECT 80110-s 192.168.20.3-j REJECT
Continuous port
Iptables-A Filter-p tcp-m multiport-- source-port 22 source-port 22 53Power80110-s 192.168.20.3-j REJECT iptables-A Filter-p tcp-- source-port 2:80-s 192.168.20.3-j REJECT
Specify the time to surf the Internet
Iptables-A Filter-s 10.10.10.253-m time-- timestart 6:00-- timestop 11:00-- days Mon,Tue,Wed,Thu,Fri,Sat,Sun-j DROP
Iptables-A Filter-m time-- timestart 12:00-- timestop 13:00-- days Mon,Tue,Wed,Thu,Fri,Sat,Sun-j ACCEPT
Iptables-A Filter-m time-- timestart 17:30-- timestop 8:30-- days Mon,Tue,Wed,Thu,Fri,Sat,Sun-j ACCEPT
Disable multiple port services
Iptables-A Filter-m multiport-p tcp-- dport 21 women 23 people 80-j ACCEPT
NAT the WAN port to PC
Iptables-t nat-A PREROUTING-I $INTERNET_IF-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.0.1
NAT the WAN port 8000 to 192. one hundred and sixty eight. one hundred. Port 80 of 200
Iptables-t nat-A PREROUTING-p tcp-- dport 8000-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.200
The port to be transferred to the MAIL server
Iptables-t nat-A PREROUTING-p tcp-- dport 110-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.200
Iptables-t nat-A PREROUTING-p tcp-- dport 25-d $INTERNET_ADDR-j DNAT-- to-destination 192.168.100.200
Only PING 202is allowed. ninety-six. one hundred and thirty four. 133, all other services are prohibited
Iptables-A Filter-p icmp-s 192.168.100.200-d 202.96.134.133-j ACCEPT
Iptables-A Filter-j DROP
Disable BT configuration
Iptables-A Filter-p tcp-dport 6000 tcp 20000-j DROP
Disable QQ Firewall configuration
Iptables-A Filter-p udp-- dport! 53-j DROP
Iptables-A Filter-d 218.17.209.0 Filter 24-j DROP
Iptables-A Filter-d 218.18.95.0 Filter 24-j DROP
Iptables-A Filter-d 219.133.40.177-j DROP
Based on MAC, you can only send and receive email, and reject everything else.
Iptables-I Filter-m mac--mac-source 00:0A:EB:97:79:A1-j DROP
Iptables-I Filter-m mac--mac-source 00:0A:EB:97:79:A1-p tcp-- dport 25-j ACCEPT
Iptables-I Filter-m mac--mac-source 00:0A:EB:97:79:A1-p tcp-- dport 110j ACCEPT
Disable MSN configuration
Iptables-A Filter-p udp-- dport 9-j DROP
Iptables-A Filter-p tcp-- dport 1863-j DROP
Iptables-A Filter-p tcp-- dport 80-d 207.68.178.238-j DROP
Iptables-A Filter-p tcp-- dport 80-d 207.46.110.0 max 24-j DROP
Only PING 202is allowed. ninety-six. one hundred and thirty four. 133 PING is not allowed in other public network IP
Iptables-A Filter-p icmp-s 192.168.100.200-d 202.96.134.133-j ACCEPT
Iptables-A Filter-p icmp-j DROP
Disable a MAC address from accessing internet:
Iptables-I Filter-m mac--mac-source 00:20:18:8F:72:F8-j DROP
Disable PING for an IP address:
Iptables-A Filter-p icmp-s 192.168.0.1-j DROP
Disable an IP address service:
Iptables-A Filter-p tcp-s 192.168.0.1-- dport 80-j DROP
Iptables-A Filter-p udp-s 192.168.0.1-- dport 53-j DROP
Only some services are allowed, others are denied (2 rules)
Iptables-A Filter-p tcp-s 192.168.0.1-- dport 1000-j ACCEPT
Iptables-A Filter-j DROP
Disable a port service for a certain IP address
Iptables-A Filter-p tcp-s 10.10.10.253-- dport 80-j ACCEPT
Iptables-A Filter-p tcp-s 10.10.10.253-- dport 80-j DROP
Disable a port service for a certain MAC address
Iptables-I Filter-p tcp-m mac--mac-source 00:20:18:8F:72:F8-- dport 80-j DROP
Disable a MAC address from accessing internet:
Iptables-I Filter-m mac--mac-source 00VOG 11VOV 2233MULTIZOUR 44MAV 55-j DROP
Disable PING for an IP address:
Iptables-A Filter-p icmp-s 192.168.0.1-j DROP
This is the end of the content of "how to implement iptables Firewall only allows ip to connect to the specified port and visit the specified website". Thank you for your reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.