iptables simple
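#!/usr/bin/env bash
# iptables simple — IPv4 host firewall (filter/INPUT) plus NAT redirections.
#
# Needs root (iptables changes kernel netfilter state). Rules are applied one
# command at a time, so a run that aborts halfway leaves a half-built ruleset;
# for an atomic reload, dump the result with iptables-save and load it with
# iptables-restore. Interfaces used: eth0 (public), zt0 (presumably a
# ZeroTier interface — confirm), lo (loopback).
set -euo pipefail

# Address for the owner-based SNAT in section 10. The original line used the
# placeholder "1234", which iptables rejects (--to-source takes an IPv4
# address); fail before touching any rule instead of half-way through.
snat_source=${SNAT_SOURCE:?set SNAT_SOURCE to the IPv4 address used as --to-source}

# Destination networks whose TCP traffic is handed to the local transparent
# proxy (redsocks) on redsocks_port, see section 10.
readonly redsocks_port=18082
readonly -a redsocks_nets=(
  64.18.0.0/20
  64.233.160.0/19
  66.102.0.0/20
  66.249.80.0/20
  72.14.192.0/18
  74.125.0.0/16
  108.177.8.0/21
  173.194.0.0/16
  207.126.144.0/20
  209.85.128.0/17
  216.58.192.0/19
  216.239.32.0/19
)

# 1. Delete all existing rules. Without -t this only touches the filter
#    table; the nat table is flushed as well so re-running the script does not
#    fail with "chain already exists" for the custom chain or duplicate the
#    PREROUTING entries.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# 2. Loopback and already-established traffic first: every later INPUT rule
#    then only has to decide about NEW connections (original rules 6 and 7).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. Allow ssh (listening on 9022, not 22).
iptables -A INPUT -i eth0 -p tcp --dport 9022 -m state --state NEW,ESTABLISHED -j ACCEPT

# 4. Rate-limit new HTTP connections ("prevent DoS", original rule 8). This
#    has to come before the general web ACCEPT: in the original order the
#    80,443 rule accepted everything first and the limit rule never matched.
#    Connections above the limit fall through to the DROP policy set below.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 5. Allow HTTPS (port 80 is only reachable through the limited rule above).
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# 6. Ping from outside to inside.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# 7. Log dropped packets (disabled, kept as in the original).
# iptables -N LOGGING
# iptables -A INPUT -j LOGGING
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Packet/Dropped: " --log-level 7
# iptables -A LOGGING -j DROP

# 8. Default policy, set last so a run that aborts above cannot lock out the
#    SSH session that started it.
iptables -P INPUT DROP

# 9. Redirect SMB/NetBIOS traffic that arrives on zt0 for 192.168.100.2 to
#    192.168.100.1 (original rule 10). multiport's option is --dports; the
#    bare --dport is the tcp match's single-port option and does not accept
#    a port list.
iptables -t nat -I PREROUTING -i zt0 -p tcp -s 192.168.100.0/24 -d 192.168.100.2 -m multiport --dports 139,445 -j DNAT --to-destination 192.168.100.1
# single-port variant of the rule above:
# iptables -t nat -I PREROUTING -i zt0 -p tcp -s 192.168.100.0/24 -d 192.168.100.2 --dport 139 -j DNAT --to-destination 192.168.100.1:139
iptables -t nat -I PREROUTING -i zt0 -p udp -s 192.168.100.0/24 -d 192.168.100.2 --dport 137:138 -j DNAT --to-destination 192.168.100.1
# iptables -t nat -A POSTROUTING -j MASQUERADE
# Diagnostic only: tcpdump runs in the foreground and never returns, so it must
# not be executed from this script (in the original it blocked everything below):
#   tcpdump -i zt0 port 8080 or port 80
# Example without MASQUERADE (disabled):
# iptables -t nat -A PREROUTING -d 192.168.75.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.75.3:8000
# iptables -t nat -A POSTROUTING -d 192.168.75.3 -p tcp --dport 8000 -j SNAT --to-source 192.168.75.5

# 10. redsocks: hand TCP traffic for selected destinations to the local
#     transparent proxy.
iptables -t nat -N free
iptables -t nat -A free -p tcp -d 115.231.94.0/24 -j DNAT --to-destination "127.0.0.1:${redsocks_port}"
# DNAT target: rewrites the destination IP address.
# NOTE(review): this looks like a worked example rather than a rule this host
# needs (15.45.23.67 -> 192.168.10.10) — confirm before keeping it live.
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.10.10
# REDIRECT --to-ports: forward to a local port on this host.
for net in "${redsocks_nets[@]}"; do
  iptables -t nat -A free -p tcp -d "$net" -j REDIRECT --to-ports "$redsocks_port"
done
# prerouting: run inbound TCP on eth0 through the chain above.
iptables -t nat -A PREROUTING -i eth0 -p tcp -j free
# Packets generated locally by user ss4 leave with the configured source address.
iptables -t nat -A POSTROUTING -m owner --uid-owner ss4 -j SNAT --to-source "$snat_source"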