iptables_GW.sh

#!/bin/sh
#
# iptables_GW.sh -- NAT gateway firewall for a 192.168.0.0/24 LAN behind a
# ppp0 uplink.  Load the NAT/conntrack helper modules, then reset the filter
# and nat tables so the rules that follow start from a clean slate.
#
# NOTE(review): ip_conntrack_ftp / ip_nat_ftp are the ip_conntrack-era module
# names; on nf_conntrack kernels they are nf_conntrack_ftp / nf_nat_ftp.
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Flush every chain, then drop user-defined chains, per table.  Flushing first
# is required: a user chain that is still referenced cannot be deleted.
for table in filter nat; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
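########################### INPUT chain ###############################
# Default deny; every rule below opens an explicit hole.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mail (pop3, smtp) and web from anywhere; samba (139) from the LAN only.
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# DNS queries arriving on the LAN interface.
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
# PPTP from the internet: TCP 1723 control channel plus GRE for the tunnel.
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# LAN established/related traffic.  The original matched 192.186.0.0/24 -- a
# public range, typo for the LAN -- so it never fired.  With the typo fixed it
# is redundant with the global ESTABLISHED,RELATED accept above; kept so the
# LAN counter remains visible in `iptables -L -v`.
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Connection limits: drop new TCP connections once a source address already
# holds 15, both from the uplink (ppp0) and from the LAN (same 192.186 typo
# fixed here, so the LAN limit is now actually enforced).
iptables -A INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# ICMP: log at most 3/s, then drop all of it (the gateway does not answer ping).
# NOTE(review): this also drops ICMP type 3 (fragmentation-needed), which can
# break path-MTU discovery for the gateway's own connections.
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN: "
iptables -A INPUT -p icmp -j DROP
# Masquerade LAN traffic leaving on ppp0 (a nat rule, kept here as in the original).
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# Light SYN-flood protection: SYNs above 3/s (burst 6) are rejected.  The jump
# is appended after the ACCEPT rules above, so only SYNs that would otherwise
# fall through to the DROP policy reach this chain -- under load those ports
# are REJECTed (active response) instead of silently dropped.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT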
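####################### FORWARD chain #################################
# Default deny for routed traffic; the LAN gets explicit outbound holes.
iptables -P FORWARD DROP
# LAN clients (192.168.0.0/24) out: web, pop3, ftp, smtp and pptp control over
# TCP; DNS over UDP; GRE (pptp tunnel payload); ICMP.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,21,25,1723 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
# Replies and related flows in either direction.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Content filters.  Each of these uses -I, so it is inserted at the TOP of
# FORWARD and is evaluated before the ACCEPT rules above; the later a rule
# appears in this list, the earlier it is matched.
# NOTE(review): this is the pre-1.4 match syntax.  Newer iptables require
# `--algo bm` (or kmp) on `-m string` and spell `--days` as `--weekdays`.
#
# QQ sign-in: DNS queries carrying "tencent"/"TENCENT", Mon-Sat 08:15-12:30
# and 13:30-20:30 (the original comments said 08:00; the rules say 08:15).
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat  -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat  -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat  -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat  -j DROP
# QQ web pages from the LAN, same weekdays.  Note the afternoon window here
# starts at 13:00, not 13:30 as for the DNS rules above.
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat  -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 13:00 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat  -j DROP
# Payload keyword blocks: "ay2000.net" and "×××" in traffic from the LAN,
# "宽频影院" (broadband cinema) in traffic to the LAN, "广告" (advertisement) in
# data from TCP port 80.  The author noted the Chinese strings match poorly --
# presumably a byte-encoding mismatch between the rule and the page content.
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "ay2000.net" -j DROP
iptables -I FORWARD -d 192.168.0.0/24 -m string --string "宽频影院" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "×××" -j DROP
iptables -I FORWARD -p tcp --sport 80 -m string --string "广告" -j DROP
# P2P via the ipp2p match: eDonkey, Kazaa, BitTorrent; Ares over TCP; Kazaa over UDP.
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# Cap concurrent outbound HTTP connections at 15 per /24 source block.  The
# original rule had no -j target, so it matched and counted but did nothing;
# DROP is what the other connlimit rules in this script do.
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP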
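#######################################################################
# Kernel tuning.  `&>` is a bash-only redirection; under #!/bin/sh it parses
# as `&` (run in background) followed by a bare redirect, so the original
# lines ran sysctl asynchronously.  Use the POSIX form instead.
# Enable routing between interfaces.
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
# SYN cookies: light SYN-flood protection.
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Established-TCP conntrack timeout of 3800 s (the default is 5 days), which
# keeps the conntrack table far smaller.
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# Conntrack table size: 300k entries; size to RAM, each entry costs a few
# hundred bytes.
# NOTE(review): these are the ip_conntrack-era key names; on nf_conntrack
# kernels they are net.netfilter.nf_conntrack_tcp_timeout_established and
# net.netfilter.nf_conntrack_max.  Because output is discarded, a missing key
# fails silently -- check `sysctl -a` after a kernel change.
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1
#######################################################################
# Admin host: inserted at the top of INPUT and FORWARD, so it bypasses every
# other rule.
# NOTE(review): there is no -i restriction, so any packet claiming this source
# address -- including one arriving on ppp0 -- is accepted; pin it to the LAN
# interface if the uplink can carry spoofed RFC1918 sources.
iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
####################################################################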

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE 
 
echo 1 > /proc/sys/net/ipv4/ip_forward 或者 /etc/sysctl.conf 更改
 
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 219.137.*.* 
 
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 219.137.13.114
##########################NAT ##########################################
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081   # REDIRECT


[root@gateway root]# ip a
1: lo: mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
6: eth0: mtu 1500 qdisc htb qlen 100
    link/ether 00:30:48:25:1a:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
7: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:f8:0d:8b:6a brd ff:ff:ff:ff:ff:ff
    inet 59.41.59.234/29 brd 59.41.59.239 scope global eth1
8: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:f8:0d:87:b7 brd ff:ff:ff:ff:ff:ff
    inet 10.255.204.253/28 brd 10.255.204.255 scope global eth2
9: eth3: mtu 1500 qdisc noop qlen 1000
    link/ether 00:30:48:25:1a:73 brd ff:ff:ff:ff:ff:ff
[root@gateway root]# 
 
 
#!/bin/sh
# Second gateway variant: LAN 192.168.1.0/24 on eth0, uplinks on eth1 and eth2.
# Enable routing between interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
# FTP connection tracking so data channels pass through NAT.
# NOTE(review): on nf_conntrack kernels this module is named nf_nat_ftp.
modprobe ip_nat_ftp
# Start from an empty ruleset: flush all chains, then delete user-defined
# chains, in the filter, nat and mangle tables.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done
 
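# Chain policies.  OUTPUT and FORWARD default to ACCEPT; INPUT is set to DROP
# last (bottom of this section), after its ACCEPT rules exist, so re-running
# the script over the network cannot lock the operator out mid-way.
# NOTE(review): FORWARD ACCEPT means any routed traffic the FORWARD rules
# further down do not explicitly DROP is passed, including from the eth1/eth2
# side toward the LAN.
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Loopback and the LAN interface are fully trusted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT

# Services reachable from the other interfaces: new connections to these TCP
# ports, plus replies to anything the gateway itself initiated.
PORT="80,8080,1521,3389,8000"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports "$PORT" -m state --state NEW -j ACCEPT
# Everything else is dropped.  The original used `-j MIRROR`, a target that
# bounced the packet back to its sender; it is not available in current
# kernels (the command fails and the policy below caught the traffic anyway),
# and reflecting unsolicited packets would let the gateway be used as a
# traffic reflector.
iptables -A INPUT -j DROP
iptables -P INPUT  DROP
######################### INPUT chain ####################################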
 
lan_net=192.168.1.0/24
uplink1_ip=59.41.59.234
uplink2_ip=10.255.204.253

# Drop P2P traffic (ipp2p's combined matcher) from the client part of the LAN.
iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.254 -m ipp2p --ipp2p -j DROP
############################# P2P block ###########################################

# Site block (disabled example).
#iptables -A FORWARD -m domain --name "www.sina.com" -j DROP
################## block a web site ############################

# Thunder / download-accelerator ports (disabled examples).
#iptables -A FORWARD -p udp  --dport 20128 -j DROP 
#iptables -A FORWARD -p udp  --dport 3075:3078 -j DROP 
#iptables -A FORWARD -p tcp  --dport 3075:3078 -j DROP 
#iptables -A FORWARD -p tcp  --dport 2696 -j DROP
######################### Thunder and download accelerators ######################

# Block one MAC address from the internet (disabled example).
#iptables -I FORWARD -m mac --mac-source 11:11:D8:9C:17:7E -j DROP
################################# block a MAC address #############

# Source NAT: LAN traffic leaving on each uplink takes that interface's address.
iptables -t nat -A POSTROUTING -s "$lan_net" -o eth1 -j SNAT --to-source "$uplink1_ip"
iptables -t nat -A POSTROUTING -s "$lan_net" -o eth2 -j SNAT --to-source "$uplink2_ip"
#################### IP masquerading #############################################################
 
# Static routes via the eth2 next hop: the 10/8 network plus a handful of
# external /24s that are presumably meant to leave through eth2 rather than the
# default route.  Failures (e.g. an existing route) are not checked.
eth2_gw=10.255.204.254
for net in \
  10.0.0.0/8 \
  202.116.225.0/24 \
  218.199.111.0/24 \
  61.132.102.0/24 \
  203.255.8.0/24 \
  61.191.123.0/24 \
  62.41.79.0/24 \
  202.205.7.0/24
do
  route add -net "$net" gw "$eth2_gw"
done
####################### main-table routes #################################################
 
# Port forwards (DNAT) from the eth1 public address into the LAN.
wan_ip=59.41.59.234
gw_lan_ip=192.168.1.1
iptables -t nat -A PREROUTING -p tcp -d "$wan_ip" --dport 8089 -j DNAT --to 192.168.1.194:8089
iptables -t nat -A PREROUTING -p tcp -d "$wan_ip" --dport 8000 -j DNAT --to 192.168.1.212:80
# Rewrite the source of traffic reaching these two web servers to the gateway's
# LAN address -- presumably so LAN clients using the forwarded port get their
# replies back via the gateway (hairpin NAT).
# NOTE(review): .121 has no matching DNAT rule above; possibly a typo for .212.
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.212 --dport 80 -j SNAT --to "$gw_lan_ip"
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.121 --dport 80 -j SNAT --to "$gw_lan_ip"
iptables -t nat -A PREROUTING -p tcp -d "$wan_ip" --dport 6262 -j DNAT --to 192.168.1.62:8080
iptables -t nat -A PREROUTING -p tcp -d "$wan_ip" --dport 6263 -j DNAT --to 192.168.1.4:9229
# 6264 is forwarded to the gateway's own SSH (192.168.1.1 is its eth0 address
# in the `ip a` output above), i.e. management exposed on the public side.
# NOTE(review): after DNAT the packet traverses INPUT with dport 22, which the
# INPUT rules only accept when it arrives on eth0 -- confirm this forward works.
iptables -t nat -A PREROUTING -p tcp -d "$wan_ip" --dport 6264 -j DNAT --to "$gw_lan_ip:22"
iptables -t nat -A PREROUTING -p tcp -d "$wan_ip" --dport 9000 -j DNAT --to 192.168.1.87:3389
################################# LAN port mappings ##############################################
 
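# Per-host download shaping on eth0 (toward the LAN): one HTB class per
# address 192.168.1.8 .. 192.168.1.253, 400 kbit guaranteed / 512 kbit ceiling,
# under a 3000 kbit parent class, each with an SFQ leaf for fairness.
# Class and handle ids are built by string concatenation ("2:2$i", "2$i:");
# tc reads them as hex, and they stay unique because $i has no leading zeros.
tc qdisc del dev eth0 root 2>/dev/null   # no root qdisc yet on first run; ignore
tc qdisc add dev eth0 root handle 2: htb
tc class add dev eth0 parent 2: classid 2:1 htb rate 3000kbit
i=8
while [ "$i" -lt 254 ]; do
  tc class add dev eth0 parent 2:1 classid "2:2$i" htb rate 400kbit ceil 512kbit burst 15k
  tc qdisc add dev eth0 parent "2:2$i" handle "2$i:" sfq
  tc filter add dev eth0 parent 2:0 protocol ip prio 4 u32 match ip dst "192.168.1.$i" flowid "2:2$i"
  i=$((i + 1))   # POSIX arithmetic instead of forking expr on every iteration
done
####################### download limit: per-IP bandwidth cap on the LAN #######################

# Load static IP<->MAC bindings from the ethers file (arp -f defaults to
# /etc/ethers); static entries resist ARP spoofing of those hosts on the LAN.
# NOTE(review): the ethers file itself is not part of this listing.
arp -f
################### bind LAN IPs to MAC addresses #########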






基本语法
• iptables -t table -A INPUT -s --sport
-d --dport -p -o -i -j

匹配扩展
• Connlimit
• icmp
• iprange
--source-range
--dst-range
• 0.1---0.100 / 0.101--- 0.254
• iptables -A FORWARD -m iprange --source-range 192.168.0.1-192.168.0.100 -j DROP
• length 指定按包长度进行匹配
MTU ---- 分片
iptables -A INPUT -m length --length 100:200 -j ACCEPT

• limit 匹配速率限制
--limit rate 个/second 个/hour
--limit-burst number 默认值是5个。令牌桶上限
iptables -A INPUT -m limit --limit 10/minute -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
前几个包没限制是由限速算法决定的(令牌上限为5)
漏桶限速
令牌桶限速
• 例:限制下载速度为30k/s(根据MTU,为20个包)

iptables -A OUTPUT -d 192.168.0.11 -p tcp --sport 80 -m limit --limit 20/second -j ACCEPT
iptables -A OUTPUT -d 192.168.0.11 -p tcp --sport 80 -j DROP
0.11 wget http://192.168.0.254/file --- 30k/s

• 设定只可以SCP而不能登录SSH
iptables -A INPUT -p tcp --dport 22 -m tos --tos 16 -j DROP

--set-mark
只允许0.1-0.100而不允许0.101-0.200
iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.0.1-192.168.0.100 -j MARK --set-mark 1
iptables -A INPUT -m mark --mark 1 -j ACCEPT


++++++++++++++++++++++++++++++++++++++++++++++++++++++


    iptables -m geoip --help

        Allow ssh for own country(DE) and the country where you take holidays(FR)

        iptables -A INPUT -p tcp --dport 22 -m geoip --src-cc DE,FR -j ACCEPT
        iptables -A INPUT -p tcp --dport 22 -j DROP

        Block access to FTP server for Papua New Guinea (PG)

        iptables -A INPUT -p tcp --dport 21 -m geoip --src-cc PG -j DROP
        iptables -A INPUT -p tcp --dport 21 -j ACCEPT

        Use separate marks for USA and the others, and send each type of traffic to its own destination

        iptables -A INPUT -p tcp --dport 80 -m geoip --src-cc US -d -j MARK --set-mark 1
        iptables -A INPUT -p tcp --dport 80 -m geoip ! --src-cc US -d -j MARK --set-mark 2