作者/来源:yixinu.com
栏目:运维/编程
日期:2013-06-20 18:16:24
# Generated by iptables-save v1.4.7 on Thu Jun 20 18:15:07 2013
*filter
# Packet-filter rules for the host itself (INPUT/OUTPUT) and for traffic it
# routes (FORWARD). Bracketed values are the packet:byte counters at save time.
# INPUT and OUTPUT default to DROP. FORWARD defaults to ACCEPT, so routed
# traffic (including the connections DNAT'd in the nat table) is not filtered
# by this table.
# NOTE(review): a DROP policy on FORWARD with explicit accepts would be tighter.
:INPUT DROP [2608:237952]
:FORWARD ACCEPT [152:14351]
:OUTPUT DROP [8:480]
# Public TCP services, any source, no state match: HTTP/HTTPS (80,443) and the
# mail ports (25, 110, 995, 143, 993, 587, 465). 110 and 143 are the non-TLS
# POP3/IMAP ports.
# NOTE(review): confirm those two require STARTTLS before authentication.
-A INPUT -p tcp -m multiport --dports 80,443,25,110,995,143,993,587,465 -j ACCEPT 
# Return traffic for connections that conntrack already knows about.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# All ICMP types from any source, with no type filter and no rate limit.
-A INPUT -p icmp -j ACCEPT 
# Loopback.
-A INPUT -i lo -j ACCEPT 
# TCP 8008 from any source, no state match; the service behind it is not
# identified on this page.
-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT 
# TCP 4233, new connections from any source. The page does not say what listens
# here. NOTE(review): if it is a remote-administration port, restrict it with -s.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4233 -j ACCEPT 
# FTP control port, plus 40000:40080 (presumably the server's passive-mode data
# range; verify against the FTP daemon config). Plain FTP carries credentials
# in cleartext.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40000:40080 -j ACCEPT 
# UDP 111 (the portmapper/rpcbind port) addressed to 172.16.0.1. Only the
# destination address is constrained, not the source.
-A INPUT -d 172.16.0.1/32 -p udp -m udp --dport 111 -j ACCEPT 
# Everything arriving on the two bridges is accepted, so hosts attached to
# virbr0/virbr1 can reach every service on this machine.
-A INPUT -i virbr0 -j ACCEPT 
-A INPUT -i virbr1 -j ACCEPT 
# Inbound DNS over TCP from any source; only needed if this host runs a DNS
# server for those clients.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
# NOTE(review): this matches the remote SOURCE port, which the sender chooses,
# so it does not limit which local UDP port is reached. Replies to the host's
# own DNS queries (OUTPUT udp dport 53 below) already match the
# RELATED,ESTABLISHED rule above, so this rule only widens exposure.
-A INPUT -p udp -m udp --sport 53 -j ACCEPT 
# Traffic staying on one bridge is accepted explicitly. Anything else that is
# forwarded falls through to the ACCEPT policy.
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT 
# OUTPUT: replies on tracked connections first.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# Stateless accepts keyed on the local service port. These pass any TCP packet
# leaving from the listed port, including ones conntrack does not classify as
# RELATED/ESTABLISHED. Ports 587 and 465 are accepted on INPUT but have no
# matching rule here, so their replies depend on the state rule above.
-A OUTPUT -p tcp -m tcp --sport 4233 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT 
# Any protocol and destination, as long as the packet's source address is in
# one of these ranges. 192.168.3.0/24 is the subnet NATed in the nat table.
-A OUTPUT -s 172.16.0.0/16 -j ACCEPT 
-A OUTPUT -s 192.168.3.0/24 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 143 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 993 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 995 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --sport 40000:40080 -j ACCEPT 
# Loopback traffic, matched by source address rather than by "-o lo".
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT 
-A OUTPUT -p icmp -j ACCEPT 
# Outbound DNS queries over UDP. No rule admits NEW outbound TCP from other
# source addresses, so connections the host initiates from them (DNS-over-TCP
# fallback, downloads) hit the DROP policy.
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 
COMMIT
# Completed on Thu Jun 20 18:15:07 2013
# Generated by iptables-save v1.4.7 on Thu Jun 20 18:15:07 2013
*nat
# Address translation for the 192.168.3.0/24 network behind this host.
# All three chains keep the default ACCEPT policy. The nat table is not a
# filter, so what may be forwarded is decided by the filter table's FORWARD
# chain.
:PREROUTING ACCEPT [9032:707555]
:POSTROUTING ACCEPT [6619:426262]
:OUTPUT ACCEPT [8201:535726]
# Port-forward SMTP (25), POP3 (110) and IMAP (143) arriving for 124.232.164.178
# to the internal host 192.168.3.4. The TLS mail ports (465/587/993/995) are not
# forwarded here.
-A PREROUTING -d 124.232.164.178/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.3.4:25 
-A PREROUTING -d 124.232.164.178/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.3.4:110 
-A PREROUTING -d 124.232.164.178/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.3.4:143 
# Rewrite the SOURCE of those forwarded connections to 124.232.164.178, so
# 192.168.3.4 sees every client as this one address. The mail server's logs,
# per-client limits and source-based checks therefore cannot tell remote
# senders apart.
# NOTE(review): confirm the mail server does not treat 124.232.164.178 as a
# trusted or relay-permitted client.
-A POSTROUTING -d 192.168.3.4/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 124.232.164.178 
-A POSTROUTING -d 192.168.3.4/32 -p tcp -m tcp --dport 110 -j SNAT --to-source 124.232.164.178 
-A POSTROUTING -d 192.168.3.4/32 -p tcp -m tcp --dport 143 -j SNAT --to-source 124.232.164.178 
# Outbound traffic from the internal subnet leaving via eth0 is source-NATed
# to the same address.
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j SNAT --to-source 124.232.164.178 
COMMIT
# Completed on Thu Jun 20 18:15:07 2013
# Generated by iptables-save v1.4.7 on Thu Jun 20 18:15:07 2013
*mangle
# Packet-mangling table. Every chain keeps the default ACCEPT policy, and the
# only rules fill in checksums on UDP packets to port 68 (the DHCP client port)
# leaving on virbr0/virbr1.
:PREROUTING ACCEPT [272955:164281998]
:INPUT ACCEPT [185710:120388927]
:FORWARD ACCEPT [85936:43780729]
:OUTPUT ACCEPT [140428:159804574]
:POSTROUTING ACCEPT [223725:203398669]
# The same virbr0/virbr1 pair appears three times. The duplicates do not
# change behaviour, but they suggest the rules were re-added on top of an
# already-loaded set.
# NOTE(review): presumably inserted by the virtualization tooling that owns
# the bridges; confirm before saving them into a persistent ruleset.
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
COMMIT
# Completed on Thu Jun 20 18:15:07 2013


[root@tyServer temp]# iptables -L -n -v
Chain INPUT (policy DROP 2650 packets, 241K bytes)
 pkts bytes target     prot opt in     out     source               destination         
53051   10M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,25,110,995,143,993,587,465 
 128K  110M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   37  3108 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    4   188 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8008 
    6   376 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:4233 
  106  6360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
  264 15840 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:40000:40080 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.0.1          udp dpt:111 
  856 56710 ACCEPT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0          
  126  5065 ACCEPT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 
 
Chain FORWARD (policy ACCEPT 152 packets, 14351 bytes)
 pkts bytes target     prot opt in     out     source               destination         
85308   44M ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0          
  570 60308 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0          
 
Chain OUTPUT (policy DROP 8 packets, 480 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 111K  140M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 1283  895K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:4233 
 5658   15M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 
 1849  147K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 
 1217  215K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:443 
13524 3472K ACCEPT     all  --  *      *       172.16.0.0/16        0.0.0.0/0          
 1779  188K ACCEPT     all  --  *      *       192.168.3.0/24       0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:110 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:143 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:993 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:995 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spts:40000:40080 
    4   188 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0          
    5   420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
 1791  125K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 


