
linux做路由器下用iptables封qq

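# Block QQ for clients behind a Linux router: drop forwarded traffic to
# port 8000 and to the listed login hosts and addresses.
#
# Every rule is appended with -A, so it only takes effect for packets that no
# earlier FORWARD rule has already accepted.
# Matching on port 8000 alone drops any forwarded service on that port, not
# just the one this section is aimed at.
iptables -A FORWARD -p tcp --dport 8000 -j DROP
iptables -A FORWARD -p udp --dport 8000 -j DROP

# A hostname given to -d is resolved once, when the rule is added, and the
# resulting address(es) are stored in the rule. Later DNS changes are not
# followed, so these entries go stale and need to be re-applied periodically.
iptables -A FORWARD -d tcpconn.tencent.com -j DROP
iptables -A FORWARD -d tcpconn4.tencent.com -j DROP
iptables -A FORWARD -d 218.17.209.23 -j DROP
iptables -A FORWARD -d tcpconn6.tencent.com -j DROP
iptables -A FORWARD -d tcpconn5.tencent.com -j DROP
iptables -A FORWARD -d tcpconn2.tencent.com -j DROP
iptables -A FORWARD -d tcpconn3.tencent.com -j DROP
# The original listing repeated the next two rules; one copy of each is enough.
iptables -A FORWARD -d http.tencent.com -j DROP
iptables -A FORWARD -d 218.17.209.42 -j DROP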

iptables 实例杂锦

#/sbin/modprobe iptable_filter
#/sbin/modprobe ip_tables
#/sbin/modprobe iptable_nat
#/sbin/iptables -F -t nat
adsl拨号的转发
# Masquerade traffic from 172.16.0.0/24 that leaves through ppp0, so it goes
# out with whatever address that interface currently holds.
/sbin/iptables --table nat --append POSTROUTING --source 172.16.0.0/24 --out-interface ppp0 --jump MASQUERADE

网卡转发
# Same masquerade rule for an uplink on eth0 instead of ppp0.
/sbin/iptables --table nat --append POSTROUTING --source 172.16.0.0/24 --out-interface eth0 --jump MASQUERADE

封堵 tcp udp 端口, 并打开特定的端口(包括vpn转发,进入的端口)
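# Port whitelist for LAN clients in 172.16.0.0/24: accept the listed services,
# then drop every other TCP/UDP packet coming from that subnet.
#
# Scope: every rule below matches on a source inside 172.16.0.0/24 and no
# chain policy is changed here, so packets from any other source are not
# filtered by this rule set at all.

# --- Traffic addressed to the router itself (INPUT) ---
/sbin/iptables -I INPUT -p tcp -s 172.16.0.0/24 -m multiport --dports 110,80,25,22,443,5432,3306,21,445,10101,5252,8080,8383,139,1723 -j ACCEPT
# 5432 is already in the multiport list above, so this rule is redundant.
/sbin/iptables -A INPUT -p tcp -s 172.16.0.0/24 --dport 5432 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 172.16.0.0/24 -m multiport --dports 53,111 -j ACCEPT
/sbin/iptables -A INPUT -p gre -s 172.16.0.0/24 -j ACCEPT
#/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- Traffic routed through the router (FORWARD) ---
/sbin/iptables -A FORWARD -p tcp -s 172.16.0.0/24 -m multiport --dports 80,110,21,25,1723,22,5252,10101,3306,443,5432,8080,2000,1935,8383 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 8000 -j ACCEPT
# Port used by a game (disabled)
#/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 7000 -j ACCEPT
# Protocol needed by the VPN
/sbin/iptables -A FORWARD -p gre -s 172.16.0.0/24 -j ACCEPT
# Allow ping; the rule accepts every ICMP type from the LAN, not only echo.
/sbin/iptables -A FORWARD -p icmp -s 172.16.0.0/24 -j ACCEPT

# Author's note: with this line, ICMP replies, FTP transfers, DCC and the like
# can pass the firewall and work normally; most of them, and some UDP
# protocols, depend on this mechanism. Without it the BT crowd cannot run
# wild, because BT software cannot get through the firewall. Turn it on when
# FTP is needed. The active variant is limited to TCP packets.
#
# NOTE(review): the state list of the active rule includes NEW, so it accepts
# TCP from the subnet to any destination port. The multiport whitelist above
# and the TCP DROP below then only decide packets in other conntrack states.
# Drop NEW from the list if the whitelist is meant to be the only way to open
# a TCP connection.
#/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -s 172.16.0.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Close every remaining tcp/udp port (author: there should be another way).
# Leaving out --dport matches the same packets as the 0:65535 range. Protocols
# other than TCP and UDP are not covered by these four rules.
/sbin/iptables -A FORWARD -p tcp -s 172.16.0.0/24 --dport 0:65535 -j DROP
/sbin/iptables -A FORWARD -p udp -s 172.16.0.0/24 --dport 0:65535 -j DROP
/sbin/iptables -A INPUT -p tcp -s 172.16.0.0/24 --dport 0:65535 -j DROP
/sbin/iptables -A INPUT -p udp -s 172.16.0.0/24 --dport 0:65535 -j DROP

# My own IP, exempt from the rules. -I puts these at the head of each chain,
# ahead of everything appended above.
/sbin/iptables -I INPUT -s 172.16.0.108 -j ACCEPT
/sbin/iptables -I FORWARD -s 172.16.0.108 -j ACCEPT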

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  172.16.0.108         anywhere
ACCEPT     tcp  --  172.16.0.0/24        anywhere            multiport dports pop3,http,smtp,ssh,https,postgres,mysql,ftp,microsoft-ds,10101,5252,webcache,8383,netbios-ssn,1723
ACCEPT     tcp  --  172.16.0.0/24        anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  172.16.0.0/24        anywhere            tcp dpt:postgres
ACCEPT     udp  --  172.16.0.0/24        anywhere            multiport dports domain,sunrpc
ACCEPT     gre  --  172.16.0.0/24        anywhere
DROP       tcp  --  172.16.0.0/24        anywhere            tcp
DROP       udp  --  172.16.0.0/24        anywhere            udp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  172.16.0.108         anywhere
ACCEPT     tcp  --  172.16.0.0/24        anywhere            multiport dports http,pop3,ftp,smtp,1723,ssh,5252,10101,mysql,https,postgres,webcache,sieve,1935,8383
ACCEPT     udp  --  172.16.0.0/24        anywhere            udp dpt:domain
ACCEPT     udp  --  172.16.0.0/24        anywhere            udp dpt:8000
ACCEPT     udp  --  172.16.0.0/24        anywhere            udp dpt:afs3-fileserver
ACCEPT     gre  --  172.16.0.0/24        anywhere
ACCEPT     icmp --  172.16.0.0/24        anywhere
DROP       tcp  --  172.16.0.0/24        anywhere            tcp
DROP       udp  --  172.16.0.0/24        anywhere            udp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
=======================================================
封ip
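# Placeholder from the original page: replace it with the LAN host to block.
# It is quoted so the shell does not treat the asterisks as a glob.
blocked_ip='172.16.0.***'

# Block the host. -I puts the rule at the head of FORWARD. A DROP appended
# with -A would sit behind any ACCEPT rules already in the chain and never be
# reached for traffic those rules accept.
# A source-address match identifies the host only while its address stays
# fixed.
/sbin/iptables -I FORWARD -s "$blocked_ip" -j DROP

# Lift the block again (run this instead of the line above, not after it).
# -D needs the same rule specification that was used to add the rule.
/sbin/iptables -D FORWARD -s "$blocked_ip" -j DROP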
=======================================================
路由端口转发, 电驴为高id用户, 但是试过后,好像不行
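# Publish port 19145 (UDP and TCP) of 172.16.0.108 through the router.
#
# Each pair does two things:
#   PREROUTING  DNAT: packets to port 19145 get their destination rewritten
#               to 172.16.0.108:19145.
#   POSTROUTING SNAT: packets from 172.16.0.0/16 to 172.16.0.108:19145 get
#               their source rewritten to 172.16.0.2.
#
# NOTE(review): the DNAT rules carry no -i or -d match, so they rewrite every
# packet to port 19145 that passes PREROUTING, whichever interface it arrived
# on. Restricting them to the uplink keeps the exposure to what is intended.
# NOTE(review): the SNAT rules use a /16 source where the rest of the page
# uses 172.16.0.0/24; confirm which mask is meant.
# The rewritten packets still have to be accepted by the FORWARD chain. The
# packet counters in `iptables -t nat -L -n -v` and `iptables -L -n -v` show
# whether each rule is being hit.
/sbin/iptables -t nat -A PREROUTING -p udp -m udp --dport 19145 -j DNAT --to-destination 172.16.0.108:19145
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p udp -m udp --dport 19145 -j SNAT --to-source 172.16.0.2

/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 19145 -j DNAT --to-destination 172.16.0.108:19145
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p tcp -m tcp --dport 19145 -j SNAT --to-source 172.16.0.2

# Same pair for port 4662, disabled.
#/sbin/iptables -t nat -A PREROUTING -p udp -m udp --dport 4662 -j DNAT --to-destination 172.16.0.108:4662
#/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p udp -m udp --dport 4662 -j SNAT --to-source 172.16.0.2

#/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 4662 -j DNAT --to-destination 172.16.0.108:4662
#/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.108 -p tcp -m tcp --dport 4662 -j SNAT --to-source 172.16.0.2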
=============================================================
###### 用mac地址封闭上网
######注意顺序问题

#/sbin/iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -p tcp -m multiport --dports 80,110,21,25,1723,22,5252,10101,3306,443,5432,8080,2000,1935,8383 -j  ACCEPT

#/sbin/iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -p udp --dport 53 -j ACCEPT

#/sbin/iptables -A FORWARD -p icmp -j ACCEPT

######这一行保持在最后. 用iptables -L 查看

#/sbin/iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -j DROP

vpn穿透

# Masquerade the 192.168.1.0/24 LAN on its way out through ppp0.
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --out-interface ppp0 --jump MASQUERADE

# Accept GRE both to the router itself and through it. Neither rule names a
# source or an interface, so GRE is accepted from anywhere.
iptables --append INPUT --protocol gre --jump ACCEPT
iptables --append FORWARD --protocol gre --jump ACCEPT

//=====================================================

#!/bin/sh

# Absolute paths of the tools that load() and flush() invoke.
iptables=/sbin/iptables
modprobe=/sbin/modprobe
depmod=/sbin/depmod

# EXTIF: the interface load() masquerades out of and opens selected ports on.
# INTIF: the interface whose inbound traffic load() accepts unconditionally.
EXTIF=eth1
INTIF=eth2

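# load: install the complete filter and NAT rule set for the gateway.
#
# Globals read: depmod, modprobe, iptables (tool paths), EXTIF, INTIF.
# Effects:      loads the netfilter modules, sets INPUT/OUTPUT/FORWARD to
#               policy DROP, flushes those chains and the nat table, appends
#               the rules below, and only then turns on ip_forward and
#               ip_dynaddr.
# Returns:      the status of the last command; failures of individual
#               iptables calls are not checked.
load () {

    "$depmod" -a

    "$modprobe" ip_tables
    "$modprobe" ip_conntrack
    "$modprobe" ip_conntrack_ftp
    "$modprobe" ip_conntrack_irc
    "$modprobe" iptable_nat
    "$modprobe" ip_nat_ftp
    "$modprobe" ip_conntrack_pptp
    "$modprobe" ip_nat_pptp

    #  start firewall

    # Default policies. Each policy is set to DROP before its chain is
    # flushed, so the chain is never empty with an ACCEPT policy.
    "$iptables" -P INPUT DROP
    "$iptables" -F INPUT
    "$iptables" -P OUTPUT DROP
    "$iptables" -F OUTPUT
    "$iptables" -P FORWARD DROP
    "$iptables" -F FORWARD
    "$iptables" -t nat -F

    echo "  opening loopback interface for socket based services."
    "$iptables" -A INPUT -i lo -j ACCEPT
    "$iptables" -A OUTPUT -o lo -j ACCEPT

    echo "  allow all connections OUT and ONLY existing related ones IN"
    # Everything arriving on INTIF is accepted here, so the later INPUT rules
    # that also name INTIF (DHCP, NetBIOS, ssh) add nothing to the verdict.
    "$iptables" -A INPUT -i "$INTIF" -j ACCEPT
    "$iptables" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$iptables" -A OUTPUT -o "$EXTIF" -j ACCEPT
    "$iptables" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$iptables" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$iptables" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT

    echo "  enabling SNAT (MASQUERADE) functionality on $EXTIF"
    "$iptables" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # The original repeated "-A INPUT -i $INTIF -j ACCEPT" here; the copy
    # above already covers it.
    "$iptables" -A OUTPUT -o "$INTIF" -j ACCEPT

    echo "  Allowing packets with ICMP data (pings)"
    # Accepts every ICMP type on every interface, not only echo.
    "$iptables" -A INPUT -p icmp -j ACCEPT
    "$iptables" -A OUTPUT -p icmp -j ACCEPT

    "$iptables" -A INPUT -p udp -i "$INTIF" --dport 67 -m state --state NEW -j ACCEPT

    echo "  port 137 for netBios"
    "$iptables" -A INPUT -i "$INTIF" -p udp --dport 137 -j ACCEPT
    "$iptables" -A OUTPUT -o "$INTIF" -p udp --dport 137 -j ACCEPT

    echo "  opening port 53 for DNS queries"
    # The sender chooses the source port, so "--sport 53" alone does not show
    # that a packet is a DNS reply. The original rule accepted any UDP
    # datagram on EXTIF with that source port, to any local port. Requiring
    # conntrack state limits it to replies to queries this host sent.
    "$iptables" -A INPUT -p udp -i "$EXTIF" --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #echo "  opening port 22 for internal ssh"
    "$iptables" -A INPUT -i "$INTIF" -p tcp --dport 22 -j ACCEPT

    # GRE is accepted from any source, both to this host and forwarded.
    "$iptables" -A INPUT -p gre -j ACCEPT
    "$iptables" -A FORWARD -p gre -j ACCEPT

    echo "  opening port 1723 for VPN Server"
    "$iptables" -A INPUT -p tcp -i "$EXTIF" --dport 1723 -m state --state NEW -j ACCEPT

    echo "  opening port 80 for webserver"
    # NOTE(review): the port-80 DNAT further down rewrites these packets in
    # PREROUTING, so this INPUT rule presumably never sees traffic arriving
    # on EXTIF. Confirm which of the two is intended.
    "$iptables" -A INPUT -p tcp -i "$EXTIF" --dport 80 -m state --state NEW -j ACCEPT

    echo "  opening port 21 for FTP Server"
    "$iptables" -A INPUT -p tcp -i "$EXTIF" --dport 21 -m state --state NEW -j ACCEPT

    echo "  opening ssh for web on port 2609 for firewig"
    # No interface match: port 2609 is reachable on every interface.
    "$iptables" -A INPUT -p tcp --dport 2609 -j ACCEPT
    "$iptables" -A OUTPUT -p tcp --dport 2609 -j ACCEPT

    echo "  opening ssh for web on port 22  for betty"
    # External port 22 is redirected to 192.168.10.96:2302.
    "$iptables" -A PREROUTING -t nat -i "$EXTIF" -p tcp --dport 22 -j DNAT --to 192.168.10.96:2302
    "$iptables" -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 2302 -j ACCEPT

    #echo "   opening Apache webserver for HoH"
    "$iptables" -A PREROUTING -t nat -i "$EXTIF" -p tcp --dport 80 -j DNAT --to 192.168.10.96:80
    "$iptables" -A FORWARD -p tcp -m state --state NEW -d 192.168.10.96 --dport 80 -j ACCEPT

    # The LOG rules go last. LOG does not end rule traversal, and the original
    # appended these ahead of many ACCEPT rules, so packets that were later
    # accepted were logged as "Dropped by firewall". Here only packets that
    # fall through to the DROP policy get the prefix. Add a "-m limit" match
    # if the log volume becomes a problem.
    "$iptables" -A FORWARD -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    "$iptables" -A INPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    "$iptables" -A OUTPUT -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

    # Forwarding is switched on only once the rules are in place. The original
    # enabled it first, leaving a window where the host routed packets while
    # FORWARD still had the ACCEPT policy that flush() sets.
    echo "enable forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "enable dynamic addr"
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

}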
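# flush: remove the filter rules that load() installed and open all three
# filter chains.
#
# Globals read: iptables (tool path).
# The original reset only INPUT and the FORWARD policy. After "stop" that left
# OUTPUT at policy DROP, and the stale FORWARD/OUTPUT rules kept writing
# "Dropped by firewall" log lines. All three chains are now reset.
# The nat table is deliberately left untouched, as in the original; load()
# flushes it itself before adding its own NAT rules.
# NOTE: after this runs the host accepts and forwards everything (fail-open);
# ip_forward is not switched off here.
flush() {
    echo "flushing rules...."
    # Policies go to ACCEPT before the chains are emptied, so an admin session
    # is not cut off by an empty chain under a DROP policy.
    "$iptables" -P INPUT ACCEPT
    "$iptables" -P OUTPUT ACCEPT
    "$iptables" -P FORWARD ACCEPT
    "$iptables" -F INPUT
    "$iptables" -F OUTPUT
    "$iptables" -F FORWARD
}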

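# Dispatch on the requested action.
#   start|restart  reset the chains, then install the rule set
#   stop           reset the chains only (leaves the host unfiltered)
# Any other or missing argument prints the usage line on stderr and exits
# with status 2. The original exited 0 in that case, so a boot script calling
# it with a mistyped action would report success with no rules loaded.
# The stray "}" that followed "exit 0" in the original has been removed.
case "${1:-}" in

    start|restart)
        flush
        load
        ;;
    stop)
        flush
        ;;
    *)
        echo "usage: start|stop|restart." >&2
        exit 2
        ;;

esac
exit 0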