A practical method of writing iptables script

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article presents a practical iptables script for a small Linux gateway: a private network on eth2, a PPP uplink on ppp0, NAT for the private hosts, a PPTP VPN, basic DoS limits and content filtering. The script, with its comments, follows.

The script is as follows:

#!/bin/sh
#
# Load the FTP connection-tracking and NAT helpers. The original loads the
# 2.6-era modules ipt_MASQUERADE, ip_conntrack_ftp and ip_nat_ftp; on current
# kernels the helpers are nf_conntrack_ftp and nf_nat_ftp, and the MASQUERADE
# target is loaded automatically by the rule that uses it. Since kernel 4.7 the
# helper is no longer attached automatically (nf_conntrack_helper=0), so active
# FTP also needs a "-t raw ... -j CT --helper ftp" rule.
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp

# Flush all rules and delete user-defined chains in the filter and nat tables
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

## INPUT chain ##
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# allow pop3, http and smtp from anywhere, samba only from the private network
iptables -A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
# allow DNS queries arriving on the internal interface
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# allow PPTP VPN connections from the public network
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# (already covered by the first ESTABLISHED,RELATED rule; the original had the
# typo 192.186.0.0/24 here and in the private-network connlimit rule below)
iptables -A INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# DoS mitigation: at most 15 concurrent connections per public source address;
# SYNs beyond that are dropped
iptables -A INPUT -s 192.168.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# the same limit for hosts on the private network
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level info --log-prefix "ICMP packet IN:"
iptables -A INPUT -p icmp -j DROP
# log incoming ICMP (rate-limited to 3/s) and drop it: the box does not answer
# ping. Replies to the box's own pings still pass as ESTABLISHED above.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# masquerade the private network out through ppp0
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# lightweight SYN-flood protection: above 3 SYNs/s (burst 6) new connections
# are rejected. Because this rule is appended after the ACCEPT rules above,
# SYNs to ports 25/80/110/139/1723 never reach it; insert it higher
# (iptables -I INPUT 2 ...) if those ports should be covered.

## FORWARD chain ##
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,21,25 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
# let private-network clients reach http, pop3, ftp, smtp, dns, icmp and the
# VPN (gre) on the public network
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Content filtering with the string and time matches. Current iptables requires
# --algo (bm or kmp) for -m string and uses --weekdays instead of the old --days;
# -m time compares against UTC unless --kerneltz is given. The rules are inserted
# (-I) at the top of FORWARD so they run before the ESTABLISHED,RELATED accept,
# which is necessary because the matched bytes travel inside established streams.
iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "tencent" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "TENCENT" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
# block DNS lookups for QQ (tencent) 08:15-12:30, Monday to Saturday
iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "tencent" -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --algo bm --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
# block DNS lookups for QQ (tencent) 13:30-20:30, Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --algo bm --string "qq.com" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
# block QQ web pages 08:15-12:30, Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --algo bm --string "qq.com" -m time --timestart 13:00 --timestop 20:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
# block QQ web pages 13:00-20:30, Monday to Saturday
iptables -I FORWARD -s 192.168.0.0/24 -m string --algo bm --string "ay2000.net" -j DROP
iptables -I FORWARD -d 192.168.0.0/24 -m string --algo bm --string "Broadband Cinema" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --algo bm --string "porn" -j DROP
iptables -I FORWARD -p tcp --sport 80 -m string --algo bm --string "advertisement" -j DROP
# block ay2000.net, "broadband cinema", porn and advertising pages. The
# "Broadband Cinema" and "advertisement" strings are translations; the original
# matched Chinese text, which the author notes does not work well (byte matching
# depends on the page's character encoding).
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# block BitTorrent, eDonkey, Kazaa and Ares. ipp2p is a third-party match, not
# part of stock iptables/netfilter.
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP
# at most 15 new HTTP connections per /24 source block (the original line had no
# -j target and therefore only counted packets)
#
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
# enable IP forwarding
#
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# enable SYN cookies (lightweight DoS protection)
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# expire idle established TCP entries after 3800 s instead of the default 5 days;
# this greatly reduces the number of tracked connections
# (2.6-era key: net.ipv4.netfilter.ip_conntrack_tcp_timeout_established)
sysctl -w net.netfilter.nf_conntrack_max=300000 >/dev/null 2>&1
# allow up to 300,000 tracked connections; each entry costs a few hundred bytes
# of kernel memory, so size this to RAM (2.6-era key: net.ipv4.ip_conntrack_max)
#
iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
# 192.168.0.50 is the admin's own machine: everything from it is allowed
## end ##
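The script above applies its policy one iptables call at a time, so the tables are inconsistent while it runs, its SYN-flood chain is appended after the per-port ACCEPTs (and so never sees traffic to those ports), and the content filters rely on -I to stay ahead of the ESTABLISHED accept. The following added example, which is not part of the original article, expresses the same policy as an iptables-restore ruleset that the kernel loads in a single transaction, with the ordering corrected, and lints it before loading. It reuses the page's addresses and interface names (192.168.0.0/24, ppp0, eth2, 192.168.0.50) as assumptions, uses the current option names (-m conntrack, --algo, --weekdays, --kerneltz), and the two lint checks are illustrative rather than exhaustive.

```sh
#!/bin/sh
# Added example, not the original script. Builds the policy as an
# iptables-restore ruleset (atomic load) and lints it first.
# Assumed values, taken from the article:
LAN=192.168.0.0/24
WAN_IF=ppp0
LAN_IF=eth2
ADMIN=192.168.0.50

# Print the complete ruleset in iptables-save format. Order matters:
# rules are evaluated top to bottom within each chain.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
# Admin host first: a mistake further down cannot lock the admin out.
-A INPUT -s $ADMIN -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SYN limiting BEFORE the per-port ACCEPTs, otherwise it is never reached.
-A INPUT -i $WAN_IF -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j DROP
-A INPUT -i $WAN_IF -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m multiport --dports 25,80,110 -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 139 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level info --log-prefix "ICMP packet IN:"
-A INPUT -p icmp -j DROP
-A FORWARD -s $ADMIN -j ACCEPT
# Content filters BEFORE the conntrack accept: the matched bytes travel inside
# established streams. --algo is mandatory for -m string; --kerneltz makes
# -m time use the kernel's local zone instead of UTC.
-A FORWARD -s $LAN -p udp --dport 53 -m string --algo bm --string "tencent" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
-A FORWARD -s $LAN -m string --algo bm --string "qq.com" -m time --timestart 08:15 --timestop 12:30 --weekdays Mon,Tue,Wed,Thu,Fri,Sat --kerneltz -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN -p tcp -m multiport --dports 21,25,80,110 -j ACCEPT
-A FORWARD -s $LAN -p udp --dport 53 -j ACCEPT
-A FORWARD -s $LAN -p gre -j ACCEPT
-A FORWARD -s $LAN -p icmp -j ACCEPT
# Per-/24 limit on new HTTP connections through the box (with the -j the
# article's rule was missing).
-A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN -j MASQUERADE
COMMIT
EOF
}

# Lint a ruleset read from stdin: every -A/-I rule needs a target and every
# -m string needs --algo. Exit 0 when clean, 1 when it printed findings.
lint_rules() {
  awk '
    /^-[AI] / && !/ -j / { print "missing target: " $0; bad = 1 }
    / -m string / && !/ --algo / { print "string match without --algo: " $0; bad = 1 }
    END { exit bad }'
}

# Validate, dry-run, then commit the whole ruleset in one transaction:
#   gen_ruleset | lint_rules && gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
```

Generating and linting need no privileges; only the final iptables-restore does. The --test option parses and builds the ruleset without committing it, so option typos are caught before the live tables are touched, and because the load is atomic there is no window in which INPUT is already DROP but the ESTABLISHED rule is not yet in place.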

This is the end of "A practical method of writing iptables scripts". Thank you for reading.
