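#!/usr/bin/env bash
# Host firewall + NAT gateway rules (IPv4 only; ip6tables is not touched here).
#
# Interface roles, as implied by the MASQUERADE/DNAT rules at the bottom:
#   LAN_IF - inside interface, where 192.168.0.0/24 lives
#   WAN_IF - outside interface, masqueraded; DNAT'd MSN file transfers arrive here
# Must run as root. Re-running is safe: both the filter and nat tables are
# flushed before rules are added, so nothing accumulates.
set -euo pipefail

readonly LAN_IF=eth0
readonly WAN_IF=eth1
readonly LAN_NET=192.168.0.0/24
# 192.168.0.1 = gateway (this host); 192.168.0.216 = client receiving MSN file transfers
readonly MSN_CLIENT=192.168.0.216
readonly MSN_PORT_LO=6891
readonly MSN_PORT_HI=6900
# my ISP's DNS servers
readonly DNS_SERVERS=(213.73.255.52 213.132.189.250 213.73.255.53)

(( EUID == 0 )) || { printf '%s\n' 'must be run as root' >&2; exit 1; }
command -v iptables >/dev/null || { printf '%s\n' 'iptables not found' >&2; exit 1; }

### filter
# Policies go in before the flush so the host is never wide open while the
# rule set is being rebuilt (fail closed).
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
# NOTE(review): FORWARD keeps its ACCEPT default for compatibility; the explicit
# FORWARD rules below already cover LAN->WAN and the DNAT'd MSN ports, so DROP
# is the intended hardening once those are confirmed to be all that is needed.
iptables -t filter -P FORWARD ACCEPT

# Flushing all tables. A bare `iptables -F` only flushes the filter table, which
# let the nat rules below be duplicated on every re-run.
iptables -t filter -F
iptables -t nat -F

# allow local loopback connections
iptables -t filter -A INPUT -i lo -j ACCEPT
# drop INVALID connections
for chain in INPUT OUTPUT FORWARD; do
  iptables -t filter -A "$chain" -m state --state INVALID -j DROP
done
# allow all established and related
for chain in INPUT OUTPUT FORWARD; do
  iptables -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# allow replies from my ISP's DNS servers. The ESTABLISHED,RELATED rule above
# already admits them; this explicit allow is kept but narrowed to source port
# 53 instead of accepting any UDP/non-SYN TCP packet that claims to be from
# those addresses.
for dns in "${DNS_SERVERS[@]}"; do
  iptables -t filter -A INPUT -s "$dns" -p tcp -m tcp --sport 53 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
  iptables -t filter -A INPUT -s "$dns" -p udp -m udp --sport 53 -j ACCEPT
done

#ping (rate-limited)
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT

#open ports 4662,4672 = amule, 5900,5901 = vnc, 22 = ssh
# NOTE(review): these are reachable on every interface, including WAN_IF; VNC in
# particular is usually better limited to LAN_IF/LAN_NET or tunnelled over ssh.
iptables -t filter -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
for port in 5900 5901 22; do
  iptables -t filter -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
#bittorrent :
iptables -t filter -A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT

#samba (only connections from lan are accepted)
# The INPUT chain has no output interface, so `-o eth0` here is rejected by
# iptables and these rules were never installed; the inbound interface is `-i`.
for proto in tcp udp; do
  iptables -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$proto" -m "$proto" --dport 137:139 -j ACCEPT
  iptables -t filter -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$proto" -m "$proto" --dport 445 -j ACCEPT
done

# log all other attempted in going connections. The DROP policy applies on every
# interface, so the log rule is not tied to one either; rate-limited so a
# packet flood cannot fill the log.
iptables -t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "

# forwarding: LAN -> WAN, plus the DNAT'd MSN ports WAN -> client. DNAT runs in
# PREROUTING, so by the time FORWARD sees these packets the destination is
# already the client address.
iptables -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
for proto in tcp udp; do
  iptables -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$MSN_CLIENT" \
    -p "$proto" -m "$proto" --dport "${MSN_PORT_LO}:${MSN_PORT_HI}" -j ACCEPT
done

### nat
# set up IP forwarding and nat. The DNAT/MASQUERADE rules do nothing unless the
# kernel actually forwards, which the original rules relied on but never enabled.
printf '1\n' > /proc/sys/net/ipv4/ip_forward
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
# 6891:6900 = msn filetransfers, redirected to the client in the LAN
for proto in tcp udp; do
  iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -m "$proto" \
    --dport "${MSN_PORT_LO}:${MSN_PORT_HI}" \
    -j DNAT --to-destination "${MSN_CLIENT}:${MSN_PORT_LO}-${MSN_PORT_HI}"
done
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE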