[分享]英文站看到的一个关于iptables的脚本

Web、Mail、Ftp、DNS、Proxy、VPN、Samba、LDAP 等基础网络服务
回复
头像
Stupid kid
帖子: 417
注册时间: 2006-10-18 12:57
送出感谢: 0
接收感谢: 0

[分享]英文站看到的一个关于iptables的脚本

#1

帖子 Stupid kid » 2007-09-22 2:12

不是很明白,哪位帮忙解释一下吧![原文]

代码: 全选

# Flushing all tables
iptables -F

### filter

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT

# allow local loopback connections
iptables -t filter -A INPUT -i lo -j ACCEPT

# drop INVALID connections
iptables -t filter -A INPUT   -m state --state INVALID -j DROP
iptables -t filter -A OUTPUT  -m state --state INVALID -j DROP
iptables -t filter -A FORWARD -m state --state INVALID -j DROP

# allow all established and related
iptables -t filter -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to my ISP's DNS servers
iptables -t filter -A INPUT -s 213.73.255.52 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -t filter -A INPUT -s 213.73.255.52 -p udp -j ACCEPT
iptables -t filter -A INPUT -s 213.132.189.250 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -t filter -A INPUT -s 213.132.189.250 -p udp -j ACCEPT
iptables -t filter -A INPUT -s 213.73.255.53 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -t filter -A INPUT -s 213.73.255.53 -p udp -j ACCEPT

#ping
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT

#open ports 4662,4672 = amule, 5900,5901 = vnc, 22 = ssh
iptables -t filter -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

#bittorrent :
iptables -t filter -A INPUT -p tcp -m tcp --dport 6881:6889 -j ACCEPT

#samba (only connections from lan are accepted)
iptables -t filter -A INPUT -o eth0 -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 137:139 -j ACCEPT
iptables -t filter -A INPUT -o eth0 -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 137:139 -j ACCEPT
iptables -t filter -A INPUT -o eth0 -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 445 -j ACCEPT
iptables -t filter -A INPUT -o eth0 -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 445 -j ACCEPT

# log all other attempted in going connections
iptables -t filter -A INPUT -o eth0 -j LOG

### nat

# set up IP forwarding and nat
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

# 6891:6900 = msn filetransfers
# 192.168.0.1 = gateway
# 192.168.0.216 = client in network
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 6891:6900 -j DNAT --to-destination 192.168.0.216:6891-6900
iptables -t nat -A PREROUTING -i eth1 -p udp -m udp --dport 6891:6900 -j DNAT --to-destination 192.168.0.216:6891-6900
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
http://twitter.com/nothining
Mail: bjdfzster@gmail.com
南京的开源活动几乎是0,希望能有人组织下(也可以拉我入伙^_^)
最近在从零开始学习Linux程序设计,加油……
头像
aitilang
帖子: 1026
注册时间: 2007-04-28 21:38
送出感谢: 0
接收感谢: 0

#2

帖子 aitilang » 2007-09-22 2:52

。。。这是一个典型的网关服务器的iptables脚本
跟个人使用没多大关系

里面注释得很好
thinkpad x61 2G DDR no cdrom
--------------------------------------------
ABS学习中
sed学习中
awk学习中
perl学习中
新手描述不清,老手猜测不到,胡乱指挥一通,后果难以预料
回复

回到 “服务器基础应用”