Skip to content
This repository has been archived by the owner on Nov 1, 2023. It is now read-only.

Latest commit

 

History

History
187 lines (153 loc) · 4.88 KB

IPtables.org

File metadata and controls

187 lines (153 loc) · 4.88 KB

+TITLE: IPtables

REDIRECT

摘自 man iptables-extensions

It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface

The primary address of the incoming interface!! 不是 127.0.0.1 !

同一个坑踩两次是要哪样!每次3小时!

持久化

sudo apt-get install -y iptables-persistent
sudo systemctl status netfilter-persistent
sudo systemctl enable netfilter-persistent

不好使,启动时莫名失败

sudo apt remove -y netfilter-persistent
cat <<'EOF' | sudo tee /etc/network/if-pre-up.d/iptables
#!/bin/bash

set -e

v4=/etc/iptables/rules.v4
v6=/etc/iptables/rules.v6

if [ "$IFACE" = lo ]; then
  if [ -r $v4 ]; then
    iptables-restore <$v4 || echo "iptables restore failed!"
  fi
  if [ -r $v6 ]; then
    ip6tables-restore <$v6 || echo "ip6tables restore failed!"
  fi
fi
EOF
sudo chmod +x /etc/network/if-pre-up.d/iptables

EMPTY

sudo touch /etc/iptables/rules.v{4,6}
cat <<EOF | sudo tee /etc/iptables/rules.v4
# Empty iptables rule file
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
sudo iptables-restore </etc/iptables/rules.v4
sudo ip6tables-restore </etc/iptables/rules.v6

NO FORWARD, all OUTPUT, only ssh INPUT, lo free

IPv4

sudo iptables -N TCP
sudo iptables -N UDP

sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

sudo iptables -A TCP -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
sudo iptables -P INPUT DROP
cat <<EOF | sudo tee /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [36:5787]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
sudo iptables-restore </etc/iptables/rules.v4

IPv6

sudo ip6tables -N TCP
sudo ip6tables -N UDP

sudo ip6tables -P FORWARD DROP
sudo ip6tables -P OUTPUT ACCEPT

sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
sudo ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
sudo ip6tables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

sudo ip6tables -A TCP -p tcp --dport 22 -j ACCEPT

sudo ip6tables -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
sudo ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

sudo ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable
sudo ip6tables -P INPUT DROP
cat <<EOF | sudo tee /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [197:48063]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
sudo ip6tables-restore </etc/iptables/rules.v6

FORWARD

IN=eth0
NET=1.1.1.0/24
sudo iptables -I FORWARD -i $IN -s $NET ! -d $NET -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4

SNAT

OUT=eth0
SRC=1.1.1.4-1.1.1.254
sudo iptables -t nat -A POSTROUTING -o $OUT -j SNAT --to-source $SRC
sudo iptables-save | sudo tee /etc/iptables/rules.v4