linux:iptables

差别

这里会显示出您选择的修订版和当前版本之间的差别。

到此差别页面的链接

--- linux:iptables [2017/06/29 18:20] – 创建 memory
+++ linux:iptables [2023/12/03 10:24] (当前版本) – 外部编辑 127.0.0.1
@@ 行 1: / 行 1: @@
 ====== iptables ======
+{{user:iptables.png|iptables}}
+图片来源：[[https://wsgzao.github.io/post/iptables/index.html|iptables配置实践]]
 ===== Usage =====
@@ 行 7: / 行 11: @@
   service iptables save
-===== Rule =====
+===== Options =====
+^ option ^ meaning ^
+| -A | append rule |
+| -j | jump, ''ACCEPT'', ''DROP'' |
+| -p | proto, ''tcp'', ''udp'', ''icmp'' |
+| -s | source, address[/mask] |
+| -d | destination, address[/mask] |
+| -m | match |
+===== Rules =====
 List current iptables rules:
@@ 行 17: / 行 31: @@
   iptables -F
-Drop all traffic(ban all incoming traffic):
+Allow ping(icmp):
+  iptables -A INPUT -p icmp -j ACCEPT
-  iptables -A INPUT -j DROP
 Open ports:
@@ 行 29: / 行 43: @@
   iptables -A INPUT -p tcp -s [ip] -j ACCEPT
   iptables -A OUTPUT -p tcp -d [ip] -j ACCEPT
+Allow NTP traffic for time synchronization:
+  iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+  iptables -A INPUT -p udp --sport 123 -j ACCEPT
+Allow established connections **important**:
+  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+Drop all other traffic(ban all incoming traffic) **put this to bottom**:
+  iptables -A INPUT -j DROP
+===== Router =====
+Redirect all dns query to specified ip:
+  iptables -t nat -A PREROUTING -p udp -s 192.168.1.0/24 --dport 53 -j DNAT --to 192.168.1.1
+Redirect all dns query to specified ip except some ip:
+  iptables -t nat -A PREROUTING -p udp -s 192.168.1.24 -j ACCEPT
+  iptables -t nat -A PREROUTING -p udp -s 192.168.1.0/24 --dport 53 -j DNAT --to 192.168.1.1
+===== Reference =====
+  * [[https://github.com/trimstray/iptables-essentials|Iptables Essentials: Common Firewall Rules and Commands]]

linux/iptables.1498731639.txt.gz · 最后更改: 2023/12/03 10:24 (外部编辑)