iptables and ebtables


iptables and ebtables are both commonly used firewalls on Linux: the former handles packet filtering at the network layer, the latter at the data link layer. For the syntax of both, see these two blog posts:

http://blog.csdn.net/windxxf/article/details/815973

http://itoedr.blog.163.com/blog/static/1202842972012101022023796/

Below is my own summary of the related firewall policies.

iptables

1) Allow all packets input from eth1

2) Allow all packets output to eth0

3) Transmit packets from eth1 to eth0

4) Defend SYN Flood

5) Forbid new access request from eth0

6) Accept tcp traffic from 01:02:03:04:05:06

7) Deny pings from outside

8) Allow the source IP 202.106.12.130 to connect to the SSH service port

9) Drop all ICMP echo requests arriving on eth1

10) Replace the source address and port with one of 194.236.50.155~194.236.50.160 and one of 1024~32000 for all TCP traffic from eth0

11) Allow 192.168.1.34 to access port 25 of the outside network from eth0

12) Forward all traffic sent to 15.45.23.67 to a range of LAN addresses: 192.168.1.2~192.168.1.10

1. iptables -A INPUT -i eth1 -j ACCEPT

2. iptables -A OUTPUT -o eth0 -j ACCEPT

3. iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

4. iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

5. iptables -A INPUT -i eth0 -m state --state NEW -j DROP

6. iptables -A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06 -j ACCEPT

7. iptables -A INPUT -p icmp --icmp-type 8 -j DROP

8. iptables -A INPUT -p tcp -s 202.106.12.130 --dport 22 -j ACCEPT

9. iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP

10. iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

11. iptables -A INPUT -s 192.168.1.34 -i eth0 -p tcp --dport 25 -j ACCEPT

12. iptables -t nat -A PREROUTING -d 15.45.23.67 -j DNAT --to-destination 192.168.1.2-192.168.1.10
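Rule 4 above only decides which SYNs the limit match hands to the ACCEPT target; a SYN that exceeds 1/s simply falls through to whatever comes next, so with the default INPUT policy of ACCEPT the rule on its own drops nothing. The following Python model is added here as an example and is not from the original post: it simulates `-m limit` as a token bucket (1/s, default burst 5) over constructed SYN arrival times, once with rule 4 alone and once with a trailing `iptables -A INPUT -p tcp --syn -j DROP`.

```python
# Added example (not from the original post): a simplified token-bucket model of
# iptables' `-m limit --limit 1/s` (default --limit-burst 5) applied to TCP SYNs.
# Real xt_limit works with integer credits and jiffies; the behaviour has the same shape.


class LimitMatch:
    """Token bucket: starts with `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate=1.0, burst=5):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def matches(self, now):
        """True if a token is available for a packet arriving at time `now` (seconds)."""
        if self.last is not None:
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def evaluate_input_chain(syn_times, with_drop_rule, policy="ACCEPT"):
    """Walk SYNs (arrival times in seconds, ascending) through an INPUT chain holding
       rule 4 from the post:   -p tcp --syn -m limit --limit 1/s -j ACCEPT
       optionally after it:    -p tcp --syn -j DROP
    A SYN the limit match does not take falls through to the DROP rule if present,
    otherwise to the chain policy."""
    limit = LimitMatch(rate=1.0, burst=5)
    verdicts = []
    for t in syn_times:
        if limit.matches(t):
            verdicts.append("ACCEPT")
        elif with_drop_rule:
            verdicts.append("DROP")
        else:
            verdicts.append(policy)
    return verdicts


# Constructed SYN burst: 10 SYNs within the first second, then one more 2 s later.
SYN_TIMES = [i / 10 for i in range(10)] + [3.0]

if __name__ == "__main__":
    print("rule 4 alone:  ", evaluate_input_chain(SYN_TIMES, with_drop_rule=False))
    print("rule 4 + DROP: ", evaluate_input_chain(SYN_TIMES, with_drop_rule=True))
```

With rule 4 alone every SYN in the burst is still accepted by the chain policy; with the DROP rule after it, the first five (the burst) pass, the next five are dropped, and the SYN that arrives after the bucket has refilled passes again.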

ebtables

1) Forward the packets with source MAC 00:11:22:33:44:55

2) Convert the following iptables rule to ebtables: iptables -A FORWARD -s 172.16.1.4 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP

3) Drop all traffic with matching MAC-IP source address pairs: 00:11:22:33:44:55->192.168.1.3 and 00:66:77:88:00:11->192.168.1.4

4) Make all frames destined to 00:11:22:33:44:55 that arrived on interface eth0 be delivered to 54:44:33:22:11:00 instead

5) br0 has address 0.0.0.0, eth0 has 172.16.1.1 and eth0 is a port of br0; make IP packets that must be routed enter the IP routing code through the eth0 device, not through the br0 device

6) Mark all IP traffic that entered through eth0 with the second mark value, and let later rules still have the chance of seeing the frame/packet

7) Use arpreply to answer ARP requests while still letting the ARP request populate the ARP cache

8) Send all to-be-forwarded packets to userspace programs listening on netlink group number 5 before dropping the packets

1. ebtables -A FORWARD -s 00:11:22:33:44:55 -j ACCEPT

2. ebtables -A FORWARD -p ipv4 --ip-src 172.16.1.4 -s ! 00:11:22:33:44:55 -j DROP

3. ebtables -N MACHINE-MC-IP-PAIR

   ebtables -A FORWARD -p ipv4 --among-dst 00:11:22:33:44:55=172.16.1.4,00:11:33:44:22:55=172.16.1.5 -j MACHINE-MC-IP-PAIR

4. ebtables -t nat -A PREROUTING -d 00:11:22:33:44:55 -i eth0 -j dnat --to-destination 54:44:33:22:11:00

5. ebtables -t broute -A BROUTING -p ipv4 -i eth0 --ip-dst 172.16.1.1 -j DROP

6. ebtables -t broute -A BROUTING -i eth0 -p ipv4 -j redirect --redirect-target DROP

7. ebtables -t nat -A PREROUTING -p arp --arp-opcode Request -j arpreply --arpreply-mac 10:11:12:13:14:15

8. ebtables -A FORWARD --ulog-nlgroup 5 -j DROP
