How to analyze an iptables firewall script

2025-02-24 Update From: SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 05/31 report

This article walks through a small iptables gateway script rule by rule: what each rule allows or drops, and why it is placed where it is. Readers who run a Linux box as a NAT gateway for a private network should find it useful.

Environment: Red Hat 9 (2.4 kernel, the ip_conntrack era) with the extra netfilter matches the script needs (string, time, connlimit, ipp2p) built and loaded; the build procedure is described at http://bbs.chinaunix.net/forum/viewtopic.php?t=525493

eth0 connects to the public network; the PPPoE session on it appears as ppp0, which is the interface the rules refer to

eth2 connects to the intranet, 192.168.0.0/24

#!/bin/sh
#
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# MASQUERADE target plus the ftp connection-tracking and NAT helpers, so active-mode ftp data connections are matched as RELATED
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# start from empty tables: flush every rule and delete all user-defined chains in filter and nat

## INPUT chain ##
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# default deny; accept replies to existing connections; allow pop3, web and smtp from anywhere, and samba (tcp/139) only from the private network
iptables -A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
# allow dns queries, but only on the intranet interface
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# allow pptp vpn clients from the public network: tcp/1723 control channel plus GRE for the tunnel itself
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# redundant: the ESTABLISHED,RELATED rule above already covers this
iptables -A INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# crude DoS limit: a single source address may hold at most 15 concurrent connections to this host, on the public interface and from the private network; SYNs beyond that are dropped
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN:"
iptables -A INPUT -p icmp -j DROP
# log icmp (rate-limited to 3 lines per second) and then drop all of it: the gateway does not answer ping
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# masquerade the private network behind the ppp0 address
iptables -N syn-flood
iptables -I INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# lightweight SYN-flood protection: SYNs are let through at 3/s with a burst of 6, the rest are rejected.
# The jump into syn-flood is inserted at the head of INPUT (-I) rather than appended: appended after the ACCEPT rules above it would never see the SYNs for ports 80/25/110 that it is meant to throttle, because those would already have been accepted

## FORWARD chain ##
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,21,25 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
# the private network may reach web, pop3, ftp, smtp and dns on the public side, may ping out, and may build pptp (GRE) tunnels through the gateway
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# return traffic for those connections
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# block QQ from 08:15 to 12:30, Monday to Saturday, by dropping dns queries whose payload contains "tencent"; the string match is case-sensitive, so both spellings are needed
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# the same for 13:30 to 20:30, Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# block QQ web pages from 08:15 to 12:30, Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# block QQ web pages from 13:30 to 20:30, Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "ay2000.net" -j DROP
iptables -I FORWARD -d 192.168.0.0/24 -m string --string "Broadband Cinema" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "porn" -j DROP
iptables -I FORWARD -p tcp --sport 80 -m string --string "advertisement" -j DROP
# block ay2000.net, "Broadband Cinema", porn and advertising content by matching the payload.
# All of these string rules are inserted (-I) so they sit in front of the ESTABLISHED,RELATED accept; the strings they look for are in mid-stream packets, which that accept would otherwise pass. Matching Chinese strings this way works poorly, since the bytes on the wire depend on the page encoding
iptables -I FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -I FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -I FORWARD -p udp -m ipp2p --kazaa -j DROP
# block p2p traffic (eDonkey, KaZaA, BitTorrent, Ares). Like the string rules these must be inserted, not appended: ipp2p identifies the protocol from payload inside established flows, and appended after the ESTABLISHED,RELATED accept they would never match
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP
# at most 15 concurrent forwarded port-80 connections per /24 source block

#
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
# enable forwarding between interfaces (the script is /bin/sh, so redirect both streams explicitly; &> is a bashism)
#
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# enable SYN cookies (lightweight protection against SYN floods)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# idle timeout for established TCP entries in the connection-tracking table: 3800 seconds instead of the default 5 days, which keeps the table much smaller
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1
# maximum size of the connection-tracking table: 300,000 entries (each entry costs roughly 300 bytes or more, depending on kernel version, so size this to your memory)
#

iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
# 192.168.0.50 is the administrator's own machine: inserted at the head of both chains so that everything from it is accepted
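The script above targets a 2.4 kernel and out-of-tree matches, so it will not load on a current system as written: ip_conntrack became nf_conntrack (and its sysctl keys moved under net.netfilter), -m string now requires --algo, -m time uses --weekdays and zero-padded times, and -m state is a compatibility alias for -m conntrack --ctstate. The following is an added example, not the article's script, that ports the same policy to that syntax and also fixes the ordering problems noted in the comments: the syn-flood jump and the connlimit rules run before the per-port ACCEPTs, and the payload filters run before the ESTABLISHED,RELATED accept. The interface names, 192.168.0.0/24 and the admin host 192.168.0.50 are the article's; the RUN dry-run switch is this example's own, and the ipp2p rules are left out because that match is not in mainline iptables (it is assumed to be available only from xtables-addons). Because --icase is available, one rule replaces the tencent/TENCENT pair.

```shell
#!/bin/sh
# Added example, not the article's script: the same policy for a current
# kernel (iptables with nf_conntrack), with the 2.4-era rule-order defects
# corrected.  Interfaces, 192.168.0.0/24 and 192.168.0.50 come from the
# article; RUN is this example's own dry-run switch.  By default every
# command is only echoed; apply for real with:   RUN= sh fw.sh
RUN="${RUN-echo}"
LAN_IF=eth2; WAN_IF=ppp0; LAN=192.168.0.0/24; ADMIN=192.168.0.50
WORKDAYS=Mon,Tue,Wed,Thu,Fri,Sat

load_modules() {
    $RUN modprobe nf_conntrack_ftp   # was ip_conntrack_ftp
    $RUN modprobe nf_nat_ftp         # was ip_nat_ftp; MASQUERADE autoloads
}

flush_all() {
    $RUN iptables -F;    $RUN iptables -t nat -F
    $RUN iptables -X;    $RUN iptables -t nat -X
}

input_chain() {
    $RUN iptables -P INPUT DROP
    $RUN iptables -A INPUT -s "$ADMIN" -j ACCEPT
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SYN throttle goes BEFORE the per-port ACCEPTs; appended after them it
    # would never see the SYNs for 80/25/110 it is supposed to limit.
    $RUN iptables -N syn-flood
    $RUN iptables -A syn-flood -m limit --limit 3/s --limit-burst 6 -j RETURN
    $RUN iptables -A syn-flood -j DROP   # DROP, not REJECT: no reply per flood packet
    $RUN iptables -A INPUT -p tcp --syn -j syn-flood
    $RUN iptables -A INPUT -i "$WAN_IF" -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
    $RUN iptables -A INPUT -p tcp -m multiport --dports 80,25,110 -j ACCEPT    # web, smtp, pop3
    $RUN iptables -A INPUT -i "$LAN_IF" -s "$LAN" -p tcp --dport 139 -j ACCEPT # samba, LAN only
    $RUN iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT            # dns, LAN only
    $RUN iptables -A INPUT -p tcp --dport 1723 -j ACCEPT                       # pptp control
    $RUN iptables -A INPUT -p gre -j ACCEPT                                    # pptp data
    $RUN iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-prefix "ICMP IN: "
    $RUN iptables -A INPUT -p icmp -j DROP
}

forward_chain() {
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -s "$ADMIN" -j ACCEPT
    # Payload filters come BEFORE the ESTABLISHED accept: the strings they
    # look for travel in mid-stream packets, which that accept would pass.
    # --algo is mandatory now; --icase replaces the tencent/TENCENT pair.
    for win in "08:15 12:30" "13:30 20:30"; do
        set -- $win
        $RUN iptables -A FORWARD -p udp --dport 53 -m string --algo bm --icase --string "tencent" \
            -m time --timestart "$1" --timestop "$2" --weekdays "$WORKDAYS" -j DROP
        $RUN iptables -A FORWARD -s "$LAN" -m string --algo bm --string "qq.com" \
            -m time --timestart "$1" --timestop "$2" --weekdays "$WORKDAYS" -j DROP
    done
    for s in ay2000.net porn; do
        $RUN iptables -A FORWARD -s "$LAN" -m string --algo bm --string "$s" -j DROP
    done
    $RUN iptables -A FORWARD -d "$LAN" -m string --algo bm --string "Broadband Cinema" -j DROP
    $RUN iptables -A FORWARD -p tcp --sport 80 -m string --algo bm --string "advertisement" -j DROP
    # ipp2p is not in mainline iptables (assumed: xtables-addons only); if it
    # is installed, its DROP rules belong here, before the ESTABLISHED accept.
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -s "$LAN" -p tcp --syn --dport 80 \
        -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP   # 15 web conns per /24
    $RUN iptables -A FORWARD -s "$LAN" -p tcp -m multiport --dports 80,110,21,25 -j ACCEPT
    $RUN iptables -A FORWARD -s "$LAN" -p udp --dport 53 -j ACCEPT
    $RUN iptables -A FORWARD -s "$LAN" -p gre -j ACCEPT
    $RUN iptables -A FORWARD -s "$LAN" -p icmp -j ACCEPT
}

nat_rules() {
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN" -j MASQUERADE
}

sysctl_tune() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN sysctl -w net.ipv4.tcp_syncookies=1
    # the ip_conntrack_* keys moved under net.netfilter when nf_conntrack arrived
    $RUN sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3800
    $RUN sysctl -w net.netfilter.nf_conntrack_max=300000
}

apply_all() {
    load_modules; flush_all; input_chain; forward_chain; nat_rules; sysctl_tune
}

apply_all
```

Run it without arguments to print the rule set and check the order before touching a live gateway; with RUN set to the empty string the same functions execute the commands. The dry-run output is also what you would feed to a reviewer or diff against `iptables-save` after applying, which is the quickest way to catch a rule that landed after the accept it was supposed to precede.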

That concludes the rule-by-rule analysis of the iptables script.
