# Flush all policy
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -S INPUT #查看链策略,默认是filter表
# Enable ip forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# module
modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp #
# Default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# Enable lo interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# DNS lookup
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
# SSH Server
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 22 -j ACCEPT
# SSH client
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --sport 22 -j ACCEPT
# icmp request
iptables -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p icmp --icmp-type 0 -j ACCEPT
# icmp echo
iptables -A OUTPUT -d 192.168.0.0/24 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type 0 -j ACCEPT
# FTP server
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SNAT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.2.3.4
# DNAT
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.254
分享标题:iptables常用命令
文章转载:
http://bzwzjz.com/article/jphgds.html
