iptables & Firewall rules
CentOS系统默认路径: /etc/sysconfig/iptables
Debian自定义路径: /etc/iptables.rule (##pre-up iptables-restore </etc/iptables.rule##)
# Generated by iptables-save v1.4.8 on Thu May 8 09:32:08 2014
# Host firewall (filter table): default-deny inbound, unrestricted forwarding and
# outbound.  Load with `iptables-restore < FILE`; rules are evaluated top to bottom.
*filter
# Chain policies: unsolicited inbound traffic is dropped, the rest is allowed.
:INPUT DROP [1515:291592]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3146:251073]
# Trusted interfaces are accepted in full: loopback plus any ppp*/tun* link
# (presumably VPN endpoints - confirm against the host's interface layout).
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# Public TCP services on eth0: HTTP (80), HTTPS (443), IMAPS (993).
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
# IPsec/L2TP on eth0: IKE (500), L2TP (1701), NAT-T (4500).
# NOTE(review): 1701 is accepted in the clear here; if L2TP should only be reachable
# inside the IPsec tunnel, match it with `-m policy --dir in --pol ipsec` instead.
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
# ICMP, limited to one packet per second; anything above the limit falls through
# to the INPUT DROP policy.
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
# SSH throttle using the "recent" list named SSH, keyed on source address:
#   1. a source already recorded 6 times within 60 s is logged with prefix "SH "
#      (--rcheck only inspects the entry, it does not refresh it);
#   2. the same packet is then dropped; --update refreshes the entry's timestamp,
#      so the block persists for as long as the attempts keep coming;
#   3. otherwise a NEW connection is recorded (--set) and accepted.
# Because these rules precede the RELATED,ESTABLISHED rule and carry no state
# match, a throttled source also loses its already-established SSH sessions, and a
# legitimate client that opens more than six connections in a minute is throttled too.
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --hitcount 6 --name SSH --rsource -j LOG --log-prefix "SH "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 6 --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
# Replies to connections this host initiated - only on eth0; other interfaces rely
# on the blanket accepts above or fall to the DROP policy.
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu May 8 09:32:08 2014
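# Exempt the high-volume web ports from connection tracking (NOTRACK in the raw
# table) so those flows neither consume conntrack entries nor depend on the
# conntrack state machine.  Packets exempted this way carry the state UNTRACKED
# and never match RELATED,ESTABLISHED, so the filter table needs explicit ACCEPTs
# for them.
#
# NOTE(review): the --sports rules make *any* inbound packet whose source port is
# one of the listed ports UNTRACKED, and the INPUT rule below then accepts it
# whether or not it belongs to a connection this host initiated.  Stateful
# filtering is therefore bypassed for those source ports; restrict these rules by
# interface or address if that is not intended.

# Forwarded untracked traffic is allowed through.
iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT

# Port set A: web on 80-82, inbound path only (raw/PREROUTING).
# `--dports`/`--sports` are the documented multiport option names (the original
# `--dport`/`--sport` spellings only worked as unambiguous abbreviations).
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,81,82 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,81,82 -j NOTRACK

# Accept replies to our own connections plus everything marked UNTRACKED above.
# The state list must be a single comma-separated argument: the original had a
# space before UNTRACKED, which turns it into a stray extra argument and makes
# iptables reject the rule.
iptables -A INPUT -m state --state RELATED,ESTABLISHED,UNTRACKED -j ACCEPT

# Port set B: 80 and 3128 (conventionally a proxy port), both directions
# (raw/PREROUTING for inbound, raw/OUTPUT for locally generated packets).
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,3128 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,3128 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --dports 80,3128 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --sports 80,3128 -j NOTRACK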
## Random port for Server receiver
# Server side (nat/PREROUTING): anything addressed to server-ip on TCP or UDP
# ports 444-1023 is redirected to the real listener on 443, so the service can be
# reached on any port of that range.
# "server-ip" is a placeholder for the server's address - replace it before loading.
iptables -t nat -A PREROUTING -d server-ip/32 -p tcp -m multiport --dport 444:1023 -j REDIRECT --to-ports 443
iptables -t nat -A PREROUTING -d server-ip/32 -p udp -m multiport --dport 444:1023 -j REDIRECT --to-ports 443

## Random port for Client sender
# Client side (nat/OUTPUT, inserted at the head of the chain): locally generated
# traffic to server-ip:443 is DNATed to a port chosen at random from 444-1023
# (--random), so the destination port seen on the wire differs between
# connections.  Pairs with the server-side REDIRECT above.
iptables -t nat -I OUTPUT 1 -d server-ip/32 -p tcp --dport 443 -j DNAT --to-destination server-ip:444-1023 --random
iptables -t nat -I OUTPUT 1 -d server-ip/32 -p udp --dport 443 -j DNAT --to-destination server-ip:444-1023 --random