The 10 most commonly used iptables rules

Source: Internet  Editor: 程序博客网  Time: 2024/05/29 12:52
1: iptables -A INPUT -p tcp --syn -j DROP

This is a desktop-centric rule that will do two things. First, it will allow you to actually work normally on your desktop: all network traffic going out of your machine will be allowed out, but all incoming TCP connection attempts will simply be dropped. This makes for a solid Linux desktop that does not need any incoming traffic. What if you want to allow specific networking traffic in, for example ssh for remote management? To do this, you'll need to add an iptables rule for the service and make sure that service rule runs before the rule that drops all incoming traffic.

2: iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT

Let's build on our first command. To allow traffic to reach port 22 (secure shell), you will add this line. Understand that this line will allow any incoming traffic into port 22. This is not the most secure setup on its own. To make it more secure, you'll want to limit which machines can actually connect to port 22 on the machine. Fortunately, you can do this with iptables as well. If you know the IP address of the source machine, you can add the -s SOURCE_ADDRESS option (where SOURCE_ADDRESS is the actual address of the source machine) before the --destination-port portion of the line.

3: /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This will allow all previously initiated and accepted exchanges to bypass rule checking. The ESTABLISHED and RELATED arguments belong to the --state switch. The ESTABLISHED argument says, "Any packet that belongs to an existing connection," and the RELATED argument says, "Any packet that does not belong to an already existing connection but is related to an existing connection." The "state machine" of iptables is a means for iptables to track connections with the help of the kernel-level "conntrack" module. By tracking connections, iptables knows what connections can be allowed and what can't. This reduces the amount of work the administrator has to do.

Here's how state works. If the local user initiates a connection, that packet (to that connection) is set as NEW in the prerouting chain. When the local user gets a return packet, the state is changed to ESTABLISHED in the prerouting chain. So when a state is set as ESTABLISHED, it can be allowed with the right iptables rule.

4: iptables -N LOGDROP

With this handy chain, iptables will log all dropped packets. Of course, this is only part of the chain. To complete it, you need to add the following two rules: iptables -A LOGDROP -j LOG and iptables -A LOGDROP -j DROP. Now all matching packets (in this case, anything that has been dropped) will be sent to the LOGDROP chain, which will log them and then drop them.
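Rules 1 to 4 only work if they are loaded in the right order, which the article describes in prose but never shows as one script. The following is an added example, not code from the article: it assembles the four rules in the order they have to run, restricts ssh with -s as suggested under rule 2, and gives the LOGDROP chain a rate limit so that a burst of dropped packets cannot turn into a burst of log lines. ADMIN_NET and the log prefix are assumed placeholder values, and DRY_RUN (on by default) prints the commands instead of executing them so the script can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not the article's code: rules 1-4 assembled in the order they must run.
# ADMIN_NET is an assumed placeholder (TEST-NET-1); replace it with your management network.
set -eu

DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them (needs root)
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_desktop_ruleset() {
    # Rule 4: a chain that logs and then drops. The limit match keeps a flood of
    # dropped packets from becoming a flood of log lines (addition to the article).
    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables-drop: " --log-level 4
    run iptables -A LOGDROP -j DROP

    # Loopback traffic must stay open or local services break (addition to the article).
    run iptables -A INPUT -i lo -j ACCEPT

    # Rule 3: packets belonging to connections this host already has bypass the checks below.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rule 2, narrowed with -s as the article suggests: new ssh connections only from ADMIN_NET.
    run iptables -A INPUT -p tcp --syn -s "$ADMIN_NET" --destination-port 22 -j ACCEPT

    # Rule 1 goes last: any other new inbound TCP connection is logged and dropped.
    run iptables -A INPUT -p tcp --syn -j LOGDROP
}

build_desktop_ruleset
```

Run it once as is to read the generated rules, then with DRY_RUN=0 as root to apply them. The final -j LOGDROP line must stay last in INPUT: anything appended after it never sees a new connection.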

5: iptables -t nat -A PREROUTING -i WLAN_INTERFACE -p tcp --dport PORTNUMBERS -j DNAT --to-destination DESTINATION_IP

When you need to route packets from external sources to specific ports on specific internal machines, this is what you want to do. This rule takes advantage of network address translation to route packets properly. To suit your needs, WLAN_INTERFACE must be changed to the WLAN interface that bridges the external network to the internal network, PORTNUMBERS must be changed, and DESTINATION_IP must be changed to match the IP address of the destination machine.
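Rule 5 on its own only rewrites the destination address; for the forwarded connection to actually reach the internal host, the kernel must have forwarding enabled and the FORWARD chain must accept both directions. The following added example (not the article's code) wraps rule 5 with those two pieces. It uses -m multiport --dports so that PORTNUMBERS can be a comma-separated list, since plain --dport takes a single port or range; eth0, 192.168.1.50 and 80,443 in the usage call are assumed values, and DRY_RUN (on by default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the article's code: rule 5 plus the forwarding and FORWARD-chain
# rules that DNAT needs to work. Interface, address and ports are assumed placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# forward_ports EXT_IF DEST_IP PORTS   (PORTS is a comma-separated list, e.g. 80,443)
forward_ports() {
    ext_if=$1; dest_ip=$2; ports=$3

    # Without this the kernel does not forward packets that are not addressed to itself.
    run sysctl -w net.ipv4.ip_forward=1

    # Rule 5: rewrite the destination of traffic arriving on the external interface.
    run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -m multiport --dports "$ports" \
        -j DNAT --to-destination "$dest_ip"

    # DNAT happens before routing; the rewritten packet is then filtered by FORWARD,
    # so both the inbound request and the outbound reply need an ACCEPT there.
    run iptables -A FORWARD -i "$ext_if" -d "$dest_ip" -p tcp -m multiport --dports "$ports" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$ext_if" -s "$dest_ip" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

forward_ports eth0 192.168.1.50 80,443
```

The FORWARD rules are the part most often forgotten: with a default DROP policy on FORWARD, the DNAT rule alone produces connections that are rewritten and then silently discarded. Note also that the internal host must route its replies back through this box, otherwise the return path bypasses conntrack and the un-NATed reply is rejected by the client.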

6: iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT

This is the beginning of a SYN flood protection rule. This portion of the rule blocks DoS attacks on a mail server port. (You can change this to suit your mail server needs.) There are three more portions of this rule set. The first is to add the same rule but modify the port to whatever is being served up by whatever ports you have open. The next portion is iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT, which is the actual SYN flood protection. Finally, iptables -A INPUT -p tcp --syn -j DROP will drop all SYN flood packets.

7: iptables -A INPUT -p tcp -m tcp -s MALICIOUS_ADDRESS -j DROP

This is where you can take care of malicious source IP addresses. For this to work properly, you must make sure you know the offending source IP address and that, in fact, it's one you want to block. The biggest problem with this occurs when the offending address has been spoofed. If that's the case, you can wind up blocking legitimate traffic from reaching your network. Do your research on this address.

8: iptables -N port-scan

This is the beginning of a rule to block furtive port scanning. A furtive port scan is a scan that detects closed ports to deduce open ports. Two more lines are needed to complete this rule:

iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j DROP

Notice that the above rule set is adding a new chain called "port-scan". You don't have to name it such; it's just easier to keep things organized. You can also add timeouts to the above rule set like so:

iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
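Rule 6 and rule 8 are both really small user-defined chains that INPUT jumps into, which the two lines above (-j syn-flood, -j port-scan) hint at but the article never spells out. The added example below (not the article's code) builds both chains and wires them from INPUT. The syn-flood chain uses the article's limit match, which is a single global bucket, so one noisy source can exhaust it for everyone; the per_source variant swaps in the hashlimit match (not mentioned in the article) to keep one bucket per source address. Chain names follow the article; the rates and burst sizes are assumed starting points, not tuned recommendations.

```shell
#!/bin/sh
# Added example, not the article's code: rules 6 and 8 as user-defined chains dispatched
# from INPUT. Rates and bursts are assumed starting values.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build_scan_flood_chains MODE   (MODE is "global" for the article's limit match,
# "per_source" for a hashlimit bucket per source IP)
build_scan_flood_chains() {
    mode=${1:-global}

    # Rule 6: new connections within the limit RETURN to INPUT for the normal checks;
    # everything beyond the burst is dropped.
    run iptables -N syn-flood
    if [ "$mode" = per_source ]; then
        run iptables -A syn-flood -m hashlimit --hashlimit-name syn --hashlimit-mode srcip \
            --hashlimit-upto 10/s --hashlimit-burst 20 -j RETURN
    else
        run iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    fi
    run iptables -A syn-flood -j DROP

    # Rule 8: bare RST segments (SYN, ACK and FIN clear) are let through at a trickle
    # and dropped beyond that.
    run iptables -N port-scan
    run iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    run iptables -A port-scan -j DROP

    # The article's "specific-rule-set" lines: hand matching packets to each chain.
    # The chains must exist (-N above) before INPUT can jump to them, and these two
    # jumps must sit before any per-service ACCEPT rules or the limit never applies.
    run iptables -A INPUT -p tcp --syn -j syn-flood
    run iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
}

build_scan_flood_chains global
```

Call build_scan_flood_chains per_source instead to get the per-address variant. Because the chains end in RETURN rather than ACCEPT, passing the rate check only means "continue with INPUT"; which ports are actually open is still decided by the rules that follow.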

9: iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT

What you see here is a rule making use of the multiport argument, which will allow you to match multiple ports. Using the multiport argument lets you write one rule instead of multiple rules. This single rule saves you from writing out four separate rules, one each for ssh, smtp, http, and https. Naturally, you can apply this to ACCEPT, DROP, or REJECT.

10: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 192.168.1.10:80

If you're looking to load balance between multiple mirrored servers (in the example case, load balancing a Web server at 192.168.1.10), this rule is what you want. At the heart of this rule is the nth extension, which tells iptables to act on every "nth" packet. In the example, iptables uses counter 0 and acts upon every 4th packet. You can extend this to balance out your mirrored sites this way. Say you have four mirrored servers up and you want to balance the load between them. You could have one line for each server like so:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 -j DNAT --to-destination 192.168.1.20:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 -j DNAT --to-destination 192.168.1.30:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 -j DNAT --to-destination 192.168.1.40:80

As you can see, the server on .10 will be routed every 0th packet, the server on .20 every 1st packet, the server on .30 every 2nd packet, and the server on .40 every 3rd packet.
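The nth match used in rule 10 comes from the patch-o-matic / xtables-addons extensions and is not part of a stock iptables build; the mainline equivalent is the statistic match with --mode nth. The two differ in one way that changes how the rules are written: nth --counter 0 shares one counter across all four rules, whereas statistic keeps a separate counter per rule, so each rule must take its share of the connections that the rules above it did not take. The added example below (not the article's code) generates the rule list for any number of backends using statistic as a swap for the article's nth: with N backends the first rule matches every Nth new connection, the next every (N-1)th of the remainder, and the last takes whatever is left. eth0, port 80 and the 192.168.1.x addresses are the article's placeholders; DRY_RUN (on by default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the article's code: rule 10 generalized to N backends using the
# mainline "statistic" match in place of the out-of-tree "nth" match.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lb_rules EXT_IF PORT BACKEND...   (e.g. lb_rules eth0 80 192.168.1.10 192.168.1.20)
lb_rules() {
    ext_if=$1; port=$2; shift 2
    remaining=$#                      # backends not yet given a rule, including this one
    for backend in "$@"; do
        if [ "$remaining" -gt 1 ]; then
            # statistic counts per rule, so "--every $remaining" hands this backend a
            # 1/$remaining share of the new connections that reached this rule.
            run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
                -m state --state NEW -m statistic --mode nth --every "$remaining" --packet 0 \
                -j DNAT --to-destination "$backend:$port"
        else
            # Last backend: unconditional, takes whatever the rules above let through.
            run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
                -m state --state NEW -j DNAT --to-destination "$backend:$port"
        fi
        remaining=$((remaining - 1))
    done
}

lb_rules eth0 80 192.168.1.10 192.168.1.20 192.168.1.30 192.168.1.40
```

Because every rule matches --state NEW, only the first packet of a connection is examined; conntrack then applies the chosen DNAT to the rest of that connection, so the balancing is per connection rather than per packet. As with rule 5, the FORWARD chain still has to accept the rewritten traffic and the backends must route their replies back through this host.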
