Iptables

iptables


# Restrict TCP/6443 on INPUT to a single source address.
# -I prepends at position 1, so the ACCEPT inserted second is evaluated
# before the DROP; keep this order or the allow rule is shadowed.
# Runtime-only: persist the rules (service iptables save / iptables-save)
# or they are gone after a reboot.
iptables --insert INPUT --protocol tcp --destination-port 6443 --jump DROP
iptables --insert INPUT --source 172.16.21.188/32 --protocol tcp --destination-port 6443 --jump ACCEPT


需要开80端口,指定IP和局域网

下面三行的意思:

先关闭所有的80端口

开启ip段192.168.1.0/24端的80口

开启 ip 段 211.123.16.0/24 的 80 口（原文写作 211.123.16.123/24，主机位非零；iptables 会按掩码归一化为 211.123.16.0/24，建议直接写网络地址）

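# Block TCP/80 for everyone, then allow two source networks (run as root;
# the original's leading "#" was a root prompt, not a comment).
# Both allows are -I (prepend) issued after the DROP, so they sit above it
# and are matched first.
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
# Written as the network address: 211.123.16.123/24 has host bits set and
# iptables silently masks it to 211.123.16.0/24 anyway -- say what you mean.
iptables -I INPUT -s 211.123.16.0/24 -p tcp --dport 80 -j ACCEPT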

以上是临时设置：只改动内核中的运行时规则，重启后全部丢失，需要按下面的步骤保存。

1.先备份iptables

# cp /etc/sysconfig/iptables/var/tmp

2.然后保存iptables

# service iptables save

3.重启防火墙

#service iptables restart

以下是端口,先全部封再开某些的IP

# Same default-deny-then-allow pattern, for TCP/9889 on this host.
# Insert the DROP first, then prepend the allow so it is evaluated first.
iptables --insert INPUT --protocol tcp --destination-port 9889 --jump DROP
iptables --insert INPUT --source 192.168.1.0/24 --protocol tcp --destination-port 9889 --jump ACCEPT
如果用了NAT转发记得配合以下才能生效

# INPUT only covers traffic addressed to this host.  When the box routes
# or NATs for other machines, the same restriction has to be repeated in
# FORWARD, otherwise the filtered port is still reachable through it.
iptables --insert FORWARD --protocol tcp --destination-port 80 --jump DROP
iptables --insert FORWARD --source 192.168.1.0/24 --protocol tcp --destination-port 80 --jump ACCEPT

常用的IPTABLES规则如下:

只能收发邮件,别的都关闭
# Per-MAC "mail only": DROP everything from this MAC, then prepend allows
# for DNS (53/udp), SMTP (25/tcp) and POP3 (110/tcp).
# "Filter" is not a built-in chain; it has to exist as a user-defined
# chain and be reached from INPUT/FORWARD for these rules to take effect.
# MAC matching only sees the layer-2 source on the receiving interface
# (same segment only) and a host can change its MAC at will, so treat this
# as a convenience filter, not an access control.
iptables --insert Filter --match mac --mac-source 00:0F:EA:25:51:37 --jump DROP
iptables --insert Filter --match mac --mac-source 00:0F:EA:25:51:37 --protocol udp --destination-port 53 --jump ACCEPT
iptables --insert Filter --match mac --mac-source 00:0F:EA:25:51:37 --protocol tcp --destination-port 25 --jump ACCEPT
iptables --insert Filter --match mac --mac-source 00:0F:EA:25:51:37 --protocol tcp --destination-port 110 --jump ACCEPT

IPSEC NAT 策略
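# DNAT inbound HTTP, PPTP and IPsec (IKE / NAT-T) arriving for the WAN
# address to 192.168.100.2.
# Fail loudly if the WAN address variable is unset: unquoted and empty it
# would simply vanish from the command line and -d would swallow "-j".
: "${INTERNET_ADDR:?set INTERNET_ADDR to the WAN address}"
# PFWanPriv is a user-defined chain (presumably hooked into FORWARD).
# DNAT alone does nothing unless the forwarded traffic is also accepted.
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.2:80
# PPTP control channel.
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.2:1723
# NOTE(review): PPTP is TCP/1723 plus GRE (IP protocol 47); the UDP/1723
# rule is kept from the original but is unlikely to be needed -- confirm.
iptables -t nat -A PREROUTING -p udp --dport 1723 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.2:1723
# IKE (500/udp) and NAT-T (4500/udp).
iptables -t nat -A PREROUTING -p udp --dport 500 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.2:4500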


FTP服务器的NAT
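# Publish an internal FTP server: accept forwarded FTP to it, then DNAT the
# WAN address's port 21 to it.  The WAN address variable is quoted and
# checked so an unset value fails instead of silently mangling the rule.
# NOTE(review): this only covers the control channel; passive/active data
# connections need the FTP conntrack helper or an explicit port range --
# confirm on the target system.
: "${INTERNET_ADDR:?set INTERNET_ADDR to the WAN address}"
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.200:21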

只允许访问指定网址
# Allow-list two web hosts; everything else reaching Filter is dropped.
# DNS (53 tcp+udp) to any resolver is allowed so the names can resolve.
# A hostname given to -d is resolved once, when the rule is added: the rule
# pins whatever addresses came back at that moment (one rule per address)
# and does not follow later DNS changes.
iptables --append Filter --protocol udp --destination-port 53 --jump ACCEPT
iptables --append Filter --protocol tcp --destination-port 53 --jump ACCEPT
iptables --append Filter --destination www.3322.org --jump ACCEPT
iptables --append Filter --destination img.cn99.com --jump ACCEPT
iptables --append Filter --jump DROP

开放一个IP的一些端口,其它都封闭
# Open a few services for one host (192.168.100.200): HTTP to one site,
# SMTP (25), POP2/POP3 (109/110); DNS for everyone; the final DROP closes
# the chain.  With -A the rules are evaluated top to bottom, so the DROP
# must stay last.
iptables --append Filter --protocol tcp --destination-port 80 --source 192.168.100.200 --destination www.pconline.com.cn --jump ACCEPT
iptables --append Filter --protocol tcp --destination-port 25 --source 192.168.100.200 --jump ACCEPT
iptables --append Filter --protocol tcp --destination-port 109 --source 192.168.100.200 --jump ACCEPT
iptables --append Filter --protocol tcp --destination-port 110 --source 192.168.100.200 --jump ACCEPT
iptables --append Filter --protocol tcp --destination-port 53 --jump ACCEPT
iptables --append Filter --protocol udp --destination-port 53 --jump ACCEPT
iptables --append Filter --jump DROP

多个端口
iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

连续端口
iptables -A Filter -p tcp -m multiport --source-port 22,53,80,110 -s 192.168.20.3 -j REJECT iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

指定时间上网
# Time-based rules.  The option names here are the old ipt_time spelling;
# current iptables uses --weekdays instead of --days and expects HH:MM
# (e.g. 06:00) -- verify against the installed version before relying on it.
# NOTE(review): modern xt_time compares against UTC unless --kerneltz is
# given, so these windows may be shifted by the local offset -- confirm.
# Block 10.10.10.253 from 06:00 to 11:00 every day.
iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
# Allow everyone 12:00-13:00 ...
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
# ... and 17:30 through 08:30.  The stop time is before the start time;
# presumably this is meant as 17:30-23:59 plus 00:00-08:30 -- confirm how
# the installed xt_time handles a wrapped window.
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

禁止多个端口服务
iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

将WAN 口NAT到PC
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1


将 WAN 口 8000 端口 NAT 到 192.168.100.200 的 80 端口
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80

MAIL服务器要转的端口
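# Publish the internal mail server: POP3 (110) and SMTP (25) on the WAN
# address are forwarded to 192.168.100.200.  The variable is checked and
# quoted so an unset value fails loudly.
: "${INTERNET_ADDR:?set INTERNET_ADDR to the WAN address}"
iptables -t nat -A PREROUTING -p tcp --dport 110 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d "$INTERNET_ADDR" -j DNAT --to-destination 192.168.100.200:25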

只允许 PING 202.96.134.133，别的服务都禁止
# Only ICMP from 192.168.100.200 to 202.96.134.133 passes; the trailing
# unconditional DROP closes the chain, so with -A it must come last.
iptables --append Filter --protocol icmp --source 192.168.100.200 --destination 202.96.134.133 --jump ACCEPT
iptables --append Filter --jump DROP

禁用BT配置
iptables –A Filter –p tcp –dport 6000:20000 –j DROP

禁用QQ防火墙配置
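# "Block QQ": drop every UDP destination other than DNS, then drop the
# listed server ranges (attributed to QQ by the heading; not verified here).
# Negation goes in front of the option in current iptables ("! --dport 53");
# the old "--dport ! 53" form is rejected by modern versions.
iptables -A Filter -p udp ! --dport 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP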

基于MAC,只能收发邮件,其它都拒绝
# Per-MAC "mail only" without DNS: drop everything from this MAC, then
# prepend allows for SMTP (25/tcp) and POP3 (110/tcp).  Unlike the earlier
# variant no DNS is permitted, so the host must use IP addresses or a
# resolver reachable some other way.  MAC matching works only on the
# local segment and the address is trivially changed by the host.
iptables --insert Filter --match mac --mac-source 00:0A:EB:97:79:A1 --jump DROP
iptables --insert Filter --match mac --mac-source 00:0A:EB:97:79:A1 --protocol tcp --destination-port 25 --jump ACCEPT
iptables --insert Filter --match mac --mac-source 00:0A:EB:97:79:A1 --protocol tcp --destination-port 110 --jump ACCEPT

禁用MSN配置
# "Block MSN": drop UDP/9, TCP/1863 and HTTP to two address ranges that
# the heading attributes to the service (not verified here; the ranges
# are hard-coded and will go stale).
iptables --append Filter --protocol udp --destination-port 9 --jump DROP
iptables --append Filter --protocol tcp --destination-port 1863 --jump DROP
iptables --append Filter --protocol tcp --destination-port 80 --destination 207.68.178.238 --jump DROP
iptables --append Filter --protocol tcp --destination-port 80 --destination 207.46.110.0/24 --jump DROP

只允许 PING 202.96.134.133，其它公网 IP 都不许 PING
# ICMP from 192.168.100.200 to 202.96.134.133 is allowed; all other ICMP
# through Filter is dropped.  Only ICMP is affected here -- other
# protocols fall through to whatever follows in the chain.
iptables --append Filter --protocol icmp --source 192.168.100.200 --destination 202.96.134.133 --jump ACCEPT
iptables --append Filter --protocol icmp --jump DROP

禁止某个MAC地址访问internet:
iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP

禁止某个IP地址的PING:
iptables –A Filter –p icmp –s 192.168.0.1 –j DROP

禁止某个IP地址服务:
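# Deny HTTP and DNS from 192.168.0.1.  The original's "-A" used an
# en-dash, which iptables rejects; restored to an ASCII hyphen.
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP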

只允许某些服务,其他都拒绝(2条规则)
# Allow-list one service (TCP/1000 from 192.168.0.1) and drop everything
# else reaching Filter.  Two rules; the DROP has to stay last.
iptables --append Filter --protocol tcp --source 192.168.0.1 --destination-port 1000 --jump ACCEPT
iptables --append Filter --jump DROP

禁止某个IP地址的某个端口服务
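# Deny TCP/80 from 10.10.10.253.  The original appended an ACCEPT for the
# very same tuple *before* this DROP; with -A the first match wins, so the
# DROP was never reached and the "deny" was a no-op.  Only the DROP is kept.
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP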

禁止某个MAC地址的某个端口服务

iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP

禁止某个MAC地址访问internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP

禁止某个IP地址的PING:
iptables –A Filter –p icmp –s 192.168.0.1 –j DROP

_________________________________________


iptables禁止本机访问某 IP

[root@mongodb-01 ~]# iptables -A OUTPUT -d 192.168.2.7 -j DROP

_________________________________________

[root@Redis log]# grep -B 2 opened secure* |grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+' |nali
218.90.183.131[江苏省无锡市 电信ADSL]
123.56.227.225[河北省 铁通]
85.17.73.11[荷兰 阿姆斯特丹LeaseWeb IDC]
123.56.227.224[河北省 铁通]
139.196.172.90[中国 长城宽带]
123.56.159.110[河北省 铁通]
123.103.21.234[北京市 电信]
139.196.172.90[中国 长城宽带]
123.57.133.68[天津市 铁通]
5.206.231.131[欧洲和中东地区]
123.56.227.224[河北省 铁通]
123.57.133.68[天津市 铁通]
219.238.93.154[北京市 电信通]
219.238.93.154[北京市 电信通]
219.238.93.154[北京市 电信通]
219.238.93.154[北京市 电信通]
120.24.48.189[上海市 有线通]
123.56.227.224[河北省 铁通]
139.129.12.45[中国]
192.168.0.9[局域网 对方和您在同一内部网]
123.56.4.238[辽宁省抚顺市 铁通]
192.168.0.9[局域网 对方和您在同一内部网]
192.168.0.9[局域网 对方和您在同一内部网]
192.168.0.9[局域网 对方和您在同一内部网]
192.168.0.9[局域网 对方和您在同一内部网]
192.168.0.9[局域网 对方和您在同一内部网]
192.168.0.9[局域网 对方和您在同一内部网]
106.184.2.29[日本]
192.168.0.9[局域网 对方和您在同一内部网]
120.25.170.6[上海市 有线通]
123.56.196.249[河北省邯郸市 铁通]
42.159.247.34[中国]
192.168.0.9[局域网 对方和您在同一内部网]
192.168.0.9[局域网 对方和您在同一内部网]
168.160.249.233[北京市]
192.168.0.9[局域网 对方和您在同一内部网]
106.186.113.132[日本]
192.168.0.9[局域网 对方和您在同一内部网]
123.56.233.113[江西省南昌市 铁通]
123.57.137.200[天津市 铁通]
123.56.148.203[河北省 铁通]
123.56.133.17[河北省石家庄市 铁通]
119.235.30.156[印度尼西亚]
123.56.105.54[辽宁省丹东市 铁通]
182.92.199.168[浙江省杭州市 阿里巴巴网络有限公司]
123.56.133.17[河北省石家庄市 铁通]
123.56.195.61[河北省邯郸市 铁通]
123.56.227.224[河北省 铁通]
115.28.81.186[北京市 万网IDC机房]
192.168.0.9[局域网 对方和您在同一内部网]
115.28.81.186[北京市 万网IDC机房]
192.168.0.9[局域网 对方和您在同一内部网]
120.26.224.51[上海市 有线通]
192.168.0.9[局域网 对方和您在同一内部网]
120.25.99.108[上海市 有线通]
89.248.160.198[荷兰]
115.28.156.164[北京市 万网IDC机房]
89.248.160.198[荷兰]
115.28.156.164[北京市 万网IDC机房]
123.59.94.123[广东省广州市 铁通]
115.28.156.164[北京市 万网IDC机房]
101.200.1.91[北京市 北龙中网科技有限公司]
115.28.156.164[北京市 万网IDC机房]
123.56.235.205[江西省南昌市 铁通]

_________________________________________

双网卡是成本比较低的双机共享方法, 对于没有交换机的用户来说比较方便, XP 下双网卡共享比较简单, 在 只需要 ICS 共享或者桥接即可,在 ubuntu 下略显麻烦,不过配置好以后和 XP 下一样轻松。

此方法参考多人经验, 尽量把高手们容易忽略不说的地方都写下来, 并多次测试完善, 尽可能让每个新手都能看懂学会。

对新手来说,下面每个文件打开都需要 root 权限,否则不能保存,如果没有用 root 用户,也可以在终端输入 sudo gedit,然后加个空格,再把该文件拖到终端窗口,回车打开,即可修改保存。

1.设定 IP

打开 /etc/network/interfaces 文件，这是 Ubuntu 的网卡配置文件，里面包括 IP、gateway、网络接口号等。以我的主机为例，内网 eth0 为静态 static，外网 eth1 为 dhcp 动态获得（原文误写为 eth0）。主机内网无须设置网关，并且客户机也无须设置网关，不过客户机可以自行设置 DNS。

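# /etc/network/interfaces for the two-NIC gateway (ifupdown format).
auto lo
iface lo inet loopback

# LAN side: fixed address, no gateway -- this host *is* the LAN's gateway.
auto eth0
iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0

# WAN side: address obtained by DHCP.  The original listed
# address/netmask/gateway under this dhcp stanza; ifupdown does not use
# them for the dhcp method, so they are commented out to avoid the
# misleading impression that the WAN address is pinned.  To pin it,
# change "dhcp" to "static" and uncomment the three lines.
auto eth1
iface eth1 inet dhcp
#    address 192.168.16.9
#    netmask 255.255.255.0
#    gateway 192.168.16.1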

2.设置 IP 转发 修改 /etc/sysctl.conf，在文件中加上下面一行: net.ipv4.ip_forward = 1 。保存后执行 sudo sysctl -p 立即生效，否则要等到重启才会开启转发。

3.设置 NAT 转发规则 设置 NAT 规则，终端模式下: sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE 这里的“192.168.0.0/24”是你的内网网卡所在的网络号，“eth1”是你的对外网卡的代号，根据自己的配置修改。注意 MASQUERADE 只做地址伪装，FORWARD 链还必须放行该网段的转发流量（默认策略为 DROP 时需要额外加规则）。

4.开机自动转发 把 /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE 这条命令添加进 /etc/rc.local 文件，添加到 exit 0 之前。较新的 systemd 发行版可能默认不再执行 rc.local，此时可改用 iptables-persistent / netfilter-persistent 保存并在开机时恢复规则。

5.客户机设置 以郑州电信为例,郑州电信 DNS 为 219.150.150.150 和 219.150.32.132 那么客户机设置 IP 如下 IP 地址:192.168.0.2

子网掩码:255.255.255.0

网关:192.168.0.1

首选 DNS 服务器:219.150.150.150

备用 DNS 服务器:219.150.32.132

如果客户机是也是 ubuntu,也可以只用一个 DNS

至此，应该可以上网了；如果仍不能上网，主机按照上面设置完成后重启一下即可。

_________________________________________

很简单，只要两步:
1、启动Linux的ip转发功能
[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward

2、共享上网(伪装IP)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

这句的具体含义:
POSTROUTING:在通过Linux路由器之后做的策略,也就是路由器的外网接口
-s 192.168.1.0/24:源数据所来自这个网段,也可以是单个ip,不写表示所有内网ip
-o eth0 -j MASQUERADE:表示在eth0这个外网接口上使用IP伪装

__________________________________________


Linux FAQ / Howtos
Ubuntu: Stat / Stop / Restart Iptables Firewall Service

by nixCraft on November 11, 2013 · 4 comments· LAST UPDATED April 2, 2014

in Commands, Iptables, Ubuntu Linux

I am a new Ubuntu Linux version 12.04 LTS user. How do I stop or start iptables based firewall service on Ubuntu Linux using bash command line options?

You can type the following commands start / stop firewall service on Ubuntu based server or desktop.

Tutorial details
Difficulty Intermediate (rss)
Root privileges Yes
Requirements ufw/iptables
Estimated completion time 5m
a] ufw command - This command is used for managing a Linux firewall and aims to provide an easy to use interface for the user.

b] iptables command - This command is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.
Find status of firewall

Login as root user either by opening the Terminal or login over the ssh based session. Type the following command:
$ sudo ufw status
Sample outputs:

Status: inactive

Ubuntu stop iptables service command

Type the following command to unload the firewall rules and disable ufw at boot. Afterwards the host is unfiltered: every listening service is reachable.
$ sudo ufw disable
Ubuntu start iptables service command

Type the following command to load the firewall rules and enable ufw at boot:
$ sudo ufw enable
Ubuntu reload / restart iptables service command

Type the following command to reload the firewall rules:
$ sudo ufw reload
Alternative method to enable/disable firewall on Ubuntu and other Linux distros

If you are not using ufw command and/or ufw is not installed, try the following generic methods:
Get IPv4 iptables status

$ sudo iptables -L -n -v
Get IPv6 ip6tables status

$ sudo ip6tables -L -n -v
Save IPv4 iptables firewall

Use the iptables-save command to save current firewall rules:
$ sudo iptables-save > $HOME/firewall.txt
Save IPv6 ip6tables firewall

$ sudo ip6tables-save > $HOME/firewall-6.txt
Restore IPv4 iptables firewall

Use the iptables-restore command to restore firewall rules:
$ sudo iptables-restore > $HOME/firewall.txt
Restore IPv6 ip6tables firewall

$ sudo ip6tables-restore < $HOME/firewall-6.txt
Putting it all together

To stop the IPv4 iptables firewall (every chain is left with an ACCEPT policy and no rules, so the host is unfiltered), enter:


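# "Stop" the IPv4 firewall: save a copy, then open every chain.
# Set the built-in policies to ACCEPT *before* flushing: if a policy is
# DROP, flushing first removes the rule that admits your SSH session and
# locks you out of a remote host.
# Flush each table (-F) before deleting user chains (-X); -X fails while
# rules still reference a chain.  The original never flushed the filter
# table itself, so its rules stayed in force.
sudo iptables-save > "$HOME/firewall.txt"
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X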


To stop the IPv6 ip6tables firewall (same effect: all chains ACCEPT, no rules), enter:


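# "Stop" the IPv6 firewall.  Same ordering rules as for IPv4: policies to
# ACCEPT first so a DROP policy cannot lock out the current session, then
# flush (-F) before deleting user chains (-X).  The filter table flush was
# missing from the original.
sudo ip6tables-save > "$HOME/firewall-6.txt"
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P FORWARD ACCEPT
sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -F
sudo ip6tables -X
sudo ip6tables -t mangle -F
sudo ip6tables -t mangle -X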


Where,

-F : Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-X : Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted.
-P chainNameHere ACCEPT : Set the policy for the chain to the given target.
-L : List rules.
-v : Verbose output.
-n : Numeric output. IP addresses and port numbers will be printed in numeric format.

Recommend readings

Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)
Man pages IPv4 firewall: iptables(8), ufw(8), iptables-save(8), iptables-restore(8)
Man pages IPv6 firewall: ip6tables man page



1 Daniel November 12, 2013 at 10:28 am

There is a typo > in the ipv4 tables restore command example.


2 nixCraft November 12, 2013 at 12:54 pm

Thanks for the heads up!


3 BroknDodge November 12, 2013 at 3:58 pm

FLUSH is dangerous: it deletes all the rules but does not change the default policy of each chain. That is fine on a stock iptables config, where the default policy is ACCEPT. But, as is usually the case, if the default policy for each chain has been changed to DROP and you FLUSH the tables while connected over SSH — OOPS!!!

Don’t forget to specifically ACCEPT existing SSH sessions after flushing the rules or you will need a crash cart to get back into your remote server. I always use a script (a list of commands saved in a text file) to send commands to iptables. The following 2 commands are always the first 2 and last 2 in my script file. That will ensure that my SSH connection doesn’t get killed.

# Keep SSH reachable while rules are being rebuilt: admit packets of
# already-tracked connections (the current session) and new SSH
# connections ("ssh" resolves to 22 via /etc/services).
# These are appended (-A), so they only help when nothing earlier in
# INPUT drops the traffic -- right after a flush is the intended spot.
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append INPUT --protocol tcp --destination-port ssh --jump ACCEPT

The above 2 commands do 2 things: allow existing established connections to remain (your SSH session) and allow new SSH sessions (in case you get disconnected). The safest way to work with iptables is through script files rather than sending commands directly to the firewall. That way you can ensure the above two commands are always executed after a FLUSH.

Although, after one too many (1 time is enough for me) 2am mad dashes across town to hook up a crash cart to one of my servers and open port 22, I will never FLUSH iptables… ever!

4 Andrew April 1, 2014 at 3:15 pm

There’s another typo that’s caused me some difficulty –
sudo ip6tables-save > $HOME/firewall.txt
should be
sudo ip6tables-save > $HOME/firewall-6.txt

Anyone know where I can restore default settings for this, as I’ve lost iptables from the line above.


