iptables范例

只能收发邮件，别的都关闭

iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac –mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

DMZ

iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80     ＃修改目标地址，用于在防火墙后端的web服务器

路由功能

echo "1" > /proc/sys/net/ipv4/ip_forward     ＃开启转发
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE     ＃eth1是公网网卡，使用伪装MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT  --to-source 118.145.2.239     ＃不使用伪装，修改源地址为公网地址118.145.2.239

FTP服务器的NAT

iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21

只允许访问指定网址

iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

开放一个IP的一些端口，其它都封闭

iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

多个端口

iptables -A Filter -p tcp -m multiport –destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

连续端口

iptables -A Filter -p tcp -m multiport –source-port 22,53,80,110 -s 192.168.20.3 -j REJECT

指定时间上网

iptables -A Filter -s 10.10.10.253 -m time –timestart 6:00 –timestop 11:00 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time –timestart 12:00 –timestop 13:00 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time –timestart 17:30 –timestop 8:30 –days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

禁止多个端口服务

iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

将WAN 口NAT到PC

iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT –to-destination 192.168.0.1

将WAN口8000端口NAT到192.168.100.200的80端口

iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:80

MAIL服务器要转的端口

iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT –to-destination 192.168.100.200:25

只允许PING 202。96。134。133,别的服务都禁止

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP

禁用QQ防火墙配置

iptables -A Filter -p udp --dport ! 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP

基于MAC，只能收发邮件，其它都拒绝

iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac –mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT

禁用MSN配置

iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP

只允许PING 202.96.134.133 其它公网IP都不许PING

iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP

禁止某个MAC地址上网:

iptables -I Filter -m mac –mac-source 00:20:18:8F:72:F8 -j DROP

禁止某个IP地址的PING:

iptables –A Filter –p icmp –s 192.168.0.1 –j DROP

禁止某个IP地址服务：

iptables –A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables –A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP

只允许某些服务，其他都拒绝(2条规则)

iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP

禁止某个IP地址的某个端口服务

iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP