wiki:iptables


--

iptables & Firewall rules

CentOS系统默认路径: /etc/sysconfig/iptables

Debian自定义路径: /etc/iptables.rule (##pre-up iptables-restore </etc/iptables.rule##)

# Generated by iptables-save v1.4.8 on Thu May  8 09:32:08 2014
# Filter table: default-deny inbound (INPUT policy DROP); FORWARD and
# OUTPUT are allowed by policy. Rules are evaluated top to bottom and the
# first terminating target (ACCEPT/DROP) decides; LOG is non-terminating.
# Lines starting with '#' are ignored by iptables-restore.
*filter
:INPUT DROP [1515:291592]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3146:251073]
# Loopback and every ppp*/tun* interface (VPN tunnels) are trusted entirely.
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# Services exposed on eth0: 80/443 (HTTP/HTTPS) and 993 (IMAPS).
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
# UDP 500/1701/4500 on eth0 (IKE, L2TP, IPsec NAT-T — presumably an
# L2TP/IPsec VPN endpoint).
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
# ICMP is accepted at most once per second; the excess falls through to the
# remaining rules and, failing those, to the DROP policy.
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
# SSH throttle via the 'recent' list named "SSH", keyed on source address.
# Order matters: a source with 6 or more entries in the last 60 s is first
# logged (--rcheck does not touch the list; prefix "SH "), then dropped
# (--update also refreshes its timestamp, so the block persists while the
# source keeps trying). Only NEW connections under the threshold are
# accepted and recorded (--set). SSH is not restricted to eth0 here.
# NOTE(review): the LOG/DROP rules carry no --state qualifier and sit above
# the ESTABLISHED rule, so once a source is over the threshold the packets
# of its already-established SSH sessions are dropped as well.
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 6 --name SSH --rsource -j LOG --log-prefix "SH "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 6 --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
# Replies to connections this host initiated, and related traffic.
# NOTE(review): covers eth0 only; on any other non-VPN interface such
# replies would reach the DROP policy.
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu May  8 09:32:08 2014
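# Router variant: exempt web traffic on ports 80-82 from connection
# tracking (raw table runs before conntrack) in both directions, and let
# the resulting UNTRACKED packets pass FORWARD.
# multiport's documented option names are --dports/--sports (as used in
# the host variant below); "--dport" only worked via getopt's abbreviation
# of --dports and can be ambiguous once the tcp match is loaded.
# NOTE(review): only PREROUTING is exempted, so if this box also serves
# the web traffic itself, its locally generated packets (raw OUTPUT) are
# still tracked — see the variant below, which adds OUTPUT rules.
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,81,82 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,81,82 -j NOTRACK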

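# Host variant: accept tracked replies plus UNTRACKED packets on INPUT, and
# exempt ports 80 and 3128 (web/proxy) from conntrack both for inbound
# packets (PREROUTING) and locally generated ones (OUTPUT).
# The --state list must be a single comma-separated token with no spaces:
# "RELATED,ESTABLISHED, UNTRACKED" is split at the space, iptables sees a
# stray UNTRACKED argument and rejects the rule.
# NOTE(review): because UNTRACKED is accepted unconditionally here, any
# inbound TCP packet whose *source* port is 80 or 3128 is also accepted
# (the --sports NOTRACK exempts it and the sender picks its source port).
# This effectively makes the NOTRACK list a stateless allow list; keep it
# to ports the host really serves, or match the UNTRACKED ACCEPT on
# interface/ports as well.
iptables -A INPUT -m state --state RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,3128 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,3128 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --dports 80,3128 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --sports 80,3128 -j NOTRACK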
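## Random port for Server receiver
# Server side: TCP/UDP packets for this host with destination port 444-1023
# are redirected to local port 443, so a peer can spread its 443 traffic
# over the whole range (the client-side DNAT rules below do the spreading).
# A single port range needs no multiport match: the tcp/udp --dport option
# accepts low:high directly.
# NOTE(review): nat PREROUTING runs before filter INPUT, so any real
# service listening in 444-1023 (with the filter rules above, that would be
# 993/tcp and 500/udp) is captured and redirected too — exclude those ports
# or narrow the range if they must stay reachable.
# "server-ip" is a placeholder for the server's own address.
iptables -t nat -A PREROUTING -d server-ip/32 -p tcp --dport 444:1023 -j REDIRECT --to-ports 443
iptables -t nat -A PREROUTING -d server-ip/32 -p udp --dport 444:1023 -j REDIRECT --to-ports 443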

## Random port for Client sender
# Client side, mirror of the server's REDIRECT rules: traffic this host
# sends to server-ip:443 is rewritten in the nat OUTPUT chain (DNAT) to a
# port picked at random from 444-1023, where the server maps it back to
# 443. Both rules are inserted at position 1, so the UDP rule ends up
# ahead of the TCP one; that is harmless since they match different
# protocols. "server-ip" is a placeholder for the server's address.
iptables --table nat --insert OUTPUT 1 --destination server-ip/32 --protocol tcp --destination-port 443 --jump DNAT --to-destination server-ip:444-1023 --random
iptables --table nat --insert OUTPUT 1 --destination server-ip/32 --protocol udp --destination-port 443 --jump DNAT --to-destination server-ip:444-1023 --random