Iptables usages
- Wed, 20 Nov 2013 12:45:53 +0800
iptables -I INPUT -s 111.111.111.0/24 -j DROP

With this rule iptables drops every packet whose source address is in 111.111.111.0 to 111.111.111.255.

Chain options

The chain options are listed below:

-A / --append: add a rule to the end of a chain, e.g. iptables -A INPUT ... appends a rule to the INPUT chain.
-D / --delete: delete a rule from a chain, e.g. iptables -D INPUT 1 deletes rule number 1 of the INPUT chain.
-R / --replace: replace a rule in a chain, e.g. iptables -R INPUT 1 -s 192.168.1.100 -p tcp --dport 80 -j DROP replaces rule 1 of the INPUT chain (--dport is only valid together with -p tcp or -p udp).
-I / --insert: insert a rule at the top of a chain (or at a given position), e.g. iptables -I INPUT -s 1.2.3.4 -j DROP.
-L / --list: show the current rules of a chain, e.g. iptables -L INPUT (add -n to skip reverse DNS lookups and --line-numbers to see the numbers that -D and -R refer to).
-F / --flush: delete all rules in a chain, e.g. iptables -F INPUT.
-Z / --zero: reset the packet and byte counters, e.g. iptables -Z INPUT.
-N / --new-chain: create a user-defined chain, e.g. iptables -N allowed.
-X / --delete-chain: delete a user-defined chain (it must be empty and not referenced by any rule), e.g. iptables -X allowed.
-P / --policy: set the default policy of a built-in chain, that is, the target applied to packets that match none of the chain's rules, e.g. iptables -P INPUT DROP. Only ACCEPT and DROP can be used as a policy.
-E / --rename-chain: rename a user-defined chain, e.g. iptables -E allowed disallowed.

Packet options:

-p / --protocol: match the protocol, e.g. iptables -A INPUT -p tcp. A match can be negated with !, e.g. iptables -A INPUT ! -p tcp matches every protocol except TCP (the older form -p ! tcp is deprecated).
-s / --src / --source and -d / --dst / --destination: match the packet's source or destination address, e.g. iptables -A INPUT -s 1.2.3.0/24.
-i / --in-interface and -o / --out-interface: match the interface the packet arrives on or leaves through, e.g. iptables -A INPUT -i eth0 (-o is not valid in the INPUT chain).
--sport / --source-port and --dport / --destination-port: match the source or destination port; they require -p tcp or -p udp, e.g. iptables -A INPUT -p tcp --dport 80.
--tcp-flags: match the packet's TCP flags. It takes two comma-separated lists: the flags to examine, and those among them that must be set, e.g. iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN SYN matches packets in which, of SYN, ACK and FIN, only SYN is set (a new connection request). Flag values: SYN, ACK, FIN, RST, URG, PSH, plus the shorthands ALL and NONE.

Operation options:

-j target, with values such as ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK. REDIRECT, MASQUERADE, DNAT and SNAT are only valid in the nat table (-t nat); MIRROR is obsolete and is not available in current kernels.

There are two ways to set the default policy:

1) Accept everything first, then block what is dangerous:
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

2) Drop everything first, then accept only what is needed:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

The second way is the safer one. On a remote host, add the rules that allow your own SSH session before switching to a DROP policy, or work from the console.

Frequently used:

Open port 80 (with a DROP policy on OUTPUT the replies must be allowed as well):
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

Limit SYN floods (new TCP connection requests):
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Limit packets that look like port scans (RST set, examined among SYN, ACK, FIN and RST):
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Limit ping (ICMP echo requests):
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Two things to keep in mind about these three rules. First, -m limit with -j ACCEPT only accepts up to one matching packet per second; packets above the limit do not match the rule and simply fall through to the following rules and finally to the chain's policy, so unless the policy is DROP each of them needs a DROP rule for the same match directly behind it, otherwise nothing is limited. Second, they are on the FORWARD chain, which only sees traffic routed through the host; for traffic addressed to the host itself they belong in INPUT. Rate-limiting echo requests protects against ping floods, not against the classic oversized-packet "Ping of death", which current kernels handle in the IP stack.
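As an added example (not code from the original post), the script below writes out the "drop everything first" policy as an iptables-restore file, with the SYN-flood, scan and ping rules from the "Frequently used" list corrected so that each rate limit is backed by an explicit DROP, plus a small check that flags any limit rule that has no DROP behind it. The INPUT-only layout, the web port, the 192.168.1.0/24 admin subnet and the limit values are assumptions; OUTPUT is left at ACCEPT so the host's own traffic works, and replies to allowed connections are let in by the conntrack rule instead of per-port OUTPUT rules. Nothing in it calls iptables; it only prints the ruleset.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits an iptables-restore
# ruleset that implements the post's second approach (drop everything, then
# accept what is needed) for the INPUT chain, with each rate-limit rule backed
# by an explicit DROP so that it actually limits traffic. Nothing here calls
# iptables: review the output, then load it with `iptables-restore < file`.
# The web port and the admin subnet are assumptions.
WEB_PORT="${WEB_PORT:-80}"                 # assumed service port
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed subnet allowed to SSH in

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNLIMIT - [0:0]
# Loopback, and packets belonging to connections that were already allowed in
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# TCP flag combinations that never occur in real traffic, only in scans
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Every new connection request passes through the SYN rate limiter first
-A INPUT -p tcp --syn -j SYNLIMIT
# Ping: a few per second are answered, the rest are dropped
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# Services; replies are covered by the ESTABLISHED rule, so OUTPUT needs nothing
-A INPUT -p tcp --dport ${WEB_PORT} -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -j ACCEPT
# RETURN within the limit (INPUT keeps evaluating), DROP above it. A limit
# rule with no DROP behind it, as in the post, never blocks anything.
-A SYNLIMIT -m limit --limit 25/s --limit-burst 50 -j RETURN
-A SYNLIMIT -j DROP
COMMIT
EOF
}

# Sanity check for a ruleset on stdin: every "-m limit" rule must be
# immediately followed by a DROP or REJECT rule in the same chain.
# Returns 0 when that holds, 1 when some limit rule is left unbacked.
limit_rules_are_backed() {
    awk '
        /^-A / {
            chain = $2
            if (pending != "" && (chain != pending || $0 !~ /-j (DROP|REJECT)/)) bad = 1
            pending = ($0 ~ /-m limit/) ? chain : ""
        }
        END { if (bad || pending != "") exit 1; exit 0 }
    '
}

if [ "${1:-}" = "check" ]; then
    gen_ruleset | limit_rules_are_backed && echo "all limit rules are backed by a DROP"
else
    gen_ruleset
fi
```

Run it as `sh firewall.sh > rules.v4`, read the file, then load it with `iptables-restore < rules.v4`; `sh firewall.sh check` only runs the limit-rule check. Keep the SSH rule (adjusted to your own address range) when loading this on a remote machine, or the DROP policy will lock you out.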
Tag: iptables
- Copyright Notes
- You may republish any of these articles without permission, but you MUST include a link to the original post. Please contact me () if you have suggestions or other arrangements.