
iptables



大家帮我看看我这个iptables有什么问题没有


感谢了
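#!/bin/sh
# Simple NAT gateway firewall.
#   eth1 = trusted LAN (192.168.0.0/24), ppp0 = Internet uplink.
# Default policy is DROP on INPUT and FORWARD; the host exposes tcp/22, 21, 80.
# Forwarding is switched on only after the FORWARD chain is fully populated, so
# there is no window in which packets are forwarded under a half-built ruleset.

echo "Starting iptables rules..."
# Load the modules the rules below use. These are the legacy ip_* names;
# NOTE(review): on newer kernels the nf_* equivalents autoload and some of
# these modprobe calls may simply fail (harmless here, no "set -e").
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Flush every chain this script writes to, so re-running it is idempotent.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
# Policies first: anything not explicitly accepted below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow the LAN and the host itself to reach INPUT.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

# IP masquerading for the LAN. From ppp0 only reply/related traffic is
# admitted, to the host (INPUT) and through to the LAN (FORWARD).
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE

# Drop NEW TCP connections that do not begin with SYN (bad/stray TCP packets).
# The LOG rule is rate-limited so a flood of such packets cannot fill the log.
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Rate-limit forwarded IP fragments, wherever they come from, to 100/s.
# NOTE(review): this rule and the ICMP rule below carry no "-i", so they also
# admit NEW fragments/ICMP arriving on ppp0 into the LAN (only rate-limited).
# Add "-i eth1" to both if inbound fragments and pings are not wanted.
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Rate-limit forwarded ICMP to blunt ICMP floods.
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# Anti-spoofing: drop packets entering on ppp0 that claim an RFC 1918 source.
# NOTE(review): the nat table only sees the first packet of a connection;
# "-t mangle -A PREROUTING" (iptable_mangle is loaded above) would see every
# packet and is the more usual home for these drops.
iptables -t nat -A PREROUTING -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 172.16.0.0/12 -j DROP

# Open host ports: ssh, ftp, http. "-p tcp" implies the tcp match, so
# "--dport" is used directly (the original "-m --dport" was a syntax error,
# and the ftp line was misspelled "intables").
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Only now that the FORWARD chain is complete, enable forwarding.
echo "Enable IP Forwarding..."
echo 1 >/proc/sys/net/ipv4/ip_forward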
