
 
Line 6: Line 6:
当勾选默认配置时能够顺利完成安装;
当勾选默认配置时能够顺利完成安装;
当选择全部的安装包时系统提示有三个连接文件存在依赖关系无法完成最终的安装(其所需安装磁盘容量至少28.5GB);
当选择全部的安装包时系统提示有三个连接文件存在依赖关系无法完成最终的安装(其所需安装磁盘容量至少28.5GB);
== fedora 14管理配置 ==
{|cellpadding="0" cellspacing="0" style="padding: 0em; float:left; margin-left:2px; border: 2px solid #000000; background:none font-size:100%; text-align:center;" width="100%"
| style="background:#3d9d9a; padding: 0em; border: 1px solid #000000;" width="30%"|第一部分
| style="background:#3d9d9a; padding: 0em; border: 1px solid #000000;" width="35%"|第二部分
| style="background:#3d9d9a; padding: 0em; border: 1px solid #000000;" width="35%"|第三部分
|-
| style="background:none; padding: 0em; border: 1px solid #000000;" width="30%"|Linux网络系统基本管理
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux网络服务管理
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux安全快速的远程访问管理
|-
| style="background:none; padding: 0em; border: 1px solid #000000;" width="30%"|Linux系统基本配置;<br>DHCP实现ip地址自动分配;<br>NIS网络信息服务。
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux网络服务应用;<br>Samba+NFS文件服务;<br>BIND提供域名解析服务;|Apache提供网站服务;|Vsftp提供文件传输服务;|Sendmail邮件服务等。
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux实现软路由;<br>Iptables网络防火墙;<br>Squid代理服务器配置;|Linux实现VPN服务器;<br>SSH实现Linux安全的访问和数据传输。
|}


== 配置Fedora-14系统 ==
== 配置Fedora-14系统 ==
Line 242: Line 256:
};
};


zone "192.168.192.in-addr.arpa" IN {
zone "122.168.192.in-addr.arpa" IN {


&nbsp;    type master;
&nbsp;    type master;


&nbsp;    file "192.168.122.zone";
&nbsp;    file "192.168.122.arpa";


&nbsp;    allow-update { none; };
&nbsp;    allow-update { none; };
Line 262: Line 276:
&nbsp;$TTL 1D
&nbsp;$TTL 1D


example.com.cn. IN SOA example.com.cn. root.example.com.cn. (
@ IN SOA example.com.cn. root.example.com.cn. (


42 ; serial
42 ; serial
Line 278: Line 292:
IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0
IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0


IN MX 5 example.com.cn.
@ IN MX 5 example.com.cn.


www IN A 192.168.122.192
www IN A 192.168.122.192
Line 284: Line 298:
www IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0
www IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0


配置反向解析文件:/var/named/192.168.192.arpa
配置反向解析文件:/var/named/192.168.122.arpa


cp named.loopback 192.168.122.arpa
cp named.loopback 192.168.122.arpa


vi 192.168.192.arpa
vi 192.168.122.arpa


&nbsp;$TTL 1D
&nbsp;$TTL 1D


192.168.192.in-addr.arpa. IN SOA example.com.cn. root.example.com.cn. (
122.168.192.in-addr.arpa. IN SOA example.com.cn. root.example.com.cn. (


42 ; serial
42 ; serial
Line 304: Line 318:
3H ) ; minimum
3H ) ; minimum


192.168.192.in-addr.arpa. IN NS example.com.cn.
122.168.192.in-addr.arpa. IN NS example.com.cn.


IN A 192.168.122.192
IN A 192.168.122.192
Line 318: Line 332:
chgrp named example.com.cn.zone
chgrp named example.com.cn.zone


chgrp named 192.168.192.arpa
chgrp named 192.168.122.arpa


设置文件权限:
设置文件权限:
Line 328: Line 342:
chmod 644 /var/named/example.com.cn.zone  
chmod 644 /var/named/example.com.cn.zone  


chmod 644 /var/named/122.168.192.arpa  
chmod 644 /var/named/192.168.122.arpa  


重新载入DNS域名解析:
重新载入DNS域名解析:
Line 337: Line 351:


=== 安装mysql ===
=== 安装mysql ===
=== 配置Apache服务器 ===
rpm -ivh perl-DBD-Mysql-4.017-1.fc14.x86_64.rpm


=== 配置DHCP服务器 ===
rpm -ivh mysql-libs-5.1.51-2.fc14.x86_64.rpm


=== 配置mail邮件服务器 ===
rpm -ivh mysql-5.1.51-2.fc14.x86_64.rpm


=== 配置samba文件服务器 ===
rpm -ivh mysql-server-5.1.52-1.fc14.x86_64.rpm
安装samba客户端


rpm -ivh samba-common-3.5.5-68.fc14.1.x86_64.rpm
设置MySQL启动


rpm -ivh samba-client-3.5.5-68.fc14.1.x86_64.rpm
service mysqld start


查看共享资源
cd /usr ; /usr/bin/mysqld_safe &


smbclient -L 192.168.1.254
cd /usr/mysql-test ; perl mysql-test-run.pl


访问共享资源(使用root账户防止访问本地文件夹受限)
please report any problems with the /usr/bin/mysqlbug script!


smbclient //192.168.1.254/public -u usename
正在启动mysqld:[确定]


<smb:\>dir
创建用户密码:


<smb:\>cd video
/usr/bin/mysqladmin -u root password ******


<smb:\>get RealPlayer11GOLD.rpm
设置mysql开机自启动
=== 配置Redhat集群应用 ===


=== 配置防火墙 ===
ntsysv选择mysqld确定
*<1>更新防火墙iptables-1.4.9.1


下载最新的iptables版本(www.netfilter.org)
创建数据库
mysql -u root -p ******


scp root@192.168.1.5:/root/iptables-1.4.9.1.tar.bz2
mysql> create database mediawiki;


mv /root/iptables-1.4.9.1.tar.bz2 /usr/local/src/
增加一个用户mediawiki去管理mediawiki数据库


cd /usr/local/src/
mysql> grant select,insert,update,delete on mediawiki.* to mediawiki@localhost identified by "password";


tar jxvf iptables-1.4.9.1.tar.bz2
=== 配置Apache服务器 ===
配置mediawiki


cd iptables-1.4.9.1
cd /var/www/html


./configure
tar zxvf mediawiki-1.16.0.tar.gz


make
chmod 711 mediawiki-1.16.0


make install
cd mediawiki-1.16.0


*<2>将iptables服务停止
chmod a+w config


开放图片上传功能


  [root@linux-test root]&nbsp;# service iptables stop
chmod 777 images


改变组别和所有者


  用/usr/local/sbin/iptables新文件替换/sbin/iptables(这个是老版本的连接位置)
cd ..


chown -hR 1000:1000 mediawiki-1.16.0


  并同时替换ip6tables、ip6tables-restore、ip6tables-save、iptables、iptables-restore和iptables-save
配置apache服务器


service httpd start


  [root@linux-test root]&nbsp;# cp /usr/local/sbin/iptables /sbin/iptables
设置开机自启动Apache


ntsysv


  iptables就升级完成了,使用下列命令查看
配置文件说明如下:


cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.bak


  [root@linux-test root]&nbsp;# iptables -V
gedit /etc/httpd/conf/httpd.conf


  iptables v1.4.9.1
修改前的旧文件语句


*<3>使用snort.sh脚本在开机时自动开启防火墙设置
TimeOut 60


KeepAlive Off


  &nbsp;# echo "/etc/rc.d/snort.sh">>/etc/rc.d/rc.local
&nbsp;#ExtendedStatus on


&nbsp;#ServerName www.example.com:80


  将snort.sh防火墙脚本放在/etc/rc.d目录中
UseCanonicalName Off


修改后语句


  添加snort.sh文件的可执行权限
TimeOut 300


KeepAlive On


  #chmod u+x /etc/rc.d/snort.sh
ExtendedStatus Off


ServerName www.example.com.cn:80


  #echo "1" >/proc/sys/net/ipv4/ip_forward
UseCanonicalName On


添加根文档目录的访问权限:


  或是修改/etc/sysctl.conf把net.ipv4.ip_forward = 0改为= 1
<Directory "/var/www/html/mediawiki-1.16.0">


&nbsp;        Options MultiViews Indexes Includes FollowSymLinks


  以下为防火墙脚本snort.sh内容:
&nbsp;        AllowOverride FileInfo AuthConfig Limit


&nbsp;#!/bin/bash
&nbsp;       <Limit GET POST OPTIONS>


echo "1" >/proc/sys/net/ipv4/ip_forward
&nbsp;        Order allow,deny


inet_iface="eth0"
&nbsp;&nbsp;      Allow from all


inet_ip="*.*.*.*"
&nbsp;        </Limit>


lan_iface="eth1"
&nbsp;        <LimitExcept GET POST OPTIONS>


lan_ip="*.*.*.*"
&nbsp;        Order deny,allow


lan_ip_range="192.168.1.0/24"
&nbsp;      Deny from all


dns1="*.*.*.*"
&nbsp;        </LimitExcept>


dns2="*.*.*.*"
&nbsp; </Directory>


ntp="*.*.*.*"
添加如下注释:


ipt="/sbin/iptables"
<VirtualHost 192.168.122.192:80>


/sbin/depmod -a
&nbsp; ServerAdmin root@localhost


/sbin/modprobe ipt_MASQUERADE
&nbsp; DocumentRoot /var/www/html/mediawiki-1.16.0


/sbin/modprobe ip_tables
&nbsp; ServerName www.example.com.cn


/sbin/modprobe ip_conntrack
&nbsp; DirectoryIndex index.php index.html index.htm index.shtml


/sbin/modprobe ip_conntrack_ftp
&nbsp; Loglevel debug


/sbin/modprobe ip_conntrack_irc
&nbsp; HostNameLookups off


/sbin/modprobe iptable_nat
</VirtualHost>


/sbin/modprobe ip_nat_ftp
重启Apache服务


/sbin/modprobe ipt_connlimit
service httpd restart


/sbin/modprobe ipt_limit
<span style="color:#5f94bb;">设置httpd_rw写权限</span>


/sbin/modprobe ipt_LOG
<span style="color:#5f94bb;">setsebool allow_polyinstantiation on</span>


$ipt -P INPUT DROP
<span style="color:#5f94bb;">setsebool samba_export_all_rw on</span>


$ipt -P FORWARD DROP
<span style="color:#5f94bb;">setsebool samba_export_all_ro on</span>


$ipt -P OUTPUT ACCEPT
<span style="color:#5f94bb;">setsebool httpd_unified on</span>


$ipt -t nat -P PREROUTING ACCEPT
<span style="color:#5f94bb;">setsebool httpd_enable_homedirs on</span>


$ipt -t nat -P POSTROUTING ACCEPT
<span style="color:#5f94bb;">setsebool httpd_read_user_content on</span>


$ipt -t nat -P OUTPUT ACCEPT
添加(add:)


for TABLE in filter nat mangle ; do
<span style="color:#5f94bb;">vi /etc/rc.d/rc.local</span>


$ipt -t $TABLE -F
setsebool allow_polyinstantiation on


$ipt -t $TABLE -X
setsebool samba_export_all_rw on


done
setsebool samba_export_all_ro on


$ipt -t filter -A INPUT -s $lan_ip_range -i $inet_iface -j DROP
setsebool httpd_unified on


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i $inet_iface -j DROP
setsebool httpd_enable_homedirs on


$ipt -t filter -A INPUT -s 192.168.0.0/16 -i $inet_iface -j DROP
setsebool httpd_read_user_content on


$ipt -t filter -A INPUT -s 10.0.0.0/8 -i $inet_iface -j DROP
查看


$ipt -t filter -A INPUT -s 172.16.0.0/16 -i $inet_iface -j DROP
getsebool -a|grep http


$ipt -t filter -A INPUT -s 127.0.0.0/8 -i $inet_iface -j DROP
点击firefox


$ipt -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP
http://192.168.122.192


$ipt -t filter -A INPUT -p tcp --dport 0:19 -j DROP


$ipt -t filter -A INPUT -p udp --dport 0:19 -j DROP
http://www.example.com.cn


$ipt -t filter -A INPUT -p udp --dport 22 -j DROP
配置mediawiki选项


$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 22 -j DROP
修改文件/var/www/html/mediawiki/LocalSettings.php


$ipt -t filter -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP
更改网站左上角的logo为图片文件wiki-indexed.png


$ipt -t filter -A INPUT -s $lan_ip -p tcp --dport 22 -j DROP
在LocalSettings.php中间加入


$ipt -t filter -A INPUT -d 192.168.122.1 -p tcp --dport 22 -j DROP
&nbsp;## Set $wgLogo to the URL path to your own logo image.


$ipt -t filter -A INPUT -d $inet_ip -p tcp --dport 22 -j DROP
$wgLogo = "${wgScriptPath}/skins/monobook/wiki-indexed.png";


$ipt -t filter -A INPUT -p tcp --dport 23:24 -j DROP
编辑重定向mediawiki首页


$ipt -t filter -A INPUT -p udp --dport 23:24 -j DROP
http://www.example.com.cn/index.php/MediaWiki:Mainpage


$ipt -t filter -A INPUT -p tcp --dport 26:52 -j DROP
=== 配置DHCP服务器 ===
下载DHCP安装包ftp://58.49.171.28/download/


$ipt -t filter -A INPUT -p udp --dport 26:52 -j DROP
dhcp-4.2.0-19.P2.fc14.x86_64.rpm


$ipt -t filter -A INPUT -p tcp --dport 54:66 -j DROP
在系统工具>>终端


$ipt -t filter -A INPUT -p udp --dport 54:66 -j DROP
rpm -ivh dhcp-4.2.0-19.P2.fc14.x86_64.rpm


$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 67:68 -j DROP
查看DHCP配置文件的模板


$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 67:68 -j DROP
&nbsp;#cat /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample


$ipt -t filter -A INPUT -p tcp --dport 69:79 -j DROP
通过cp把模板模板文件copy过来并且命名为“dhcpd.conf”


$ipt -t filter -A INPUT -p udp --dport 69:79 -j DROP
cp /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample /etc/dhcp/dhcpd.conf


$ipt -t filter -A INPUT -p tcp --dport 81:109 -j DROP
更改DHCP配置文件


$ipt -t filter -A INPUT -p udp --dport 81:109 -j DROP
vi /etc/dhcp/dhcpd.conf


$ipt -t filter -A INPUT -p tcp --dport 112 -j DROP
配置DHCP租约文件(dhcpd.leases)


$ipt -t filter -A INPUT -p udp --dport 111:112 -j DROP
第一次启动时dhcpd.leases是一个空文件位置在var/lib/dhcpd/dhcpd.leases显示分配客户机IP对应的MAC信息


$ipt -t filter -A INPUT -p tcp --dport 123 -j DROP
启动dhcp服务器并指定ip地址分配的网络接口(eth1)


$ipt -t filter -A INPUT -p tcp --dport 114:138 -j DROP
vi /etc/sysconfig/dhcpd


$ipt -t filter -A INPUT -p udp --dport 114:122 -j DROP
&nbsp;# command line options here


$ipt -t filter -A INPUT -p udp --dport 124:138 -j DROP
DHCPDARGS=eth1


$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 139 -j DROP
&nbsp;:w //保存文档


$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 139 -j DROP
启动dhcp


$ipt -t filter -A INPUT -p tcp --dport 140:142 -j DROP
service dhcpd start


$ipt -t filter -A INPUT -p tcp --dport 144:442 -j DROP
使DHCP随服务器自启动


$ipt -t filter -A INPUT -p udp --dport 140:442 -j DROP
chkconfig --level 35 dhcpd on


$ipt -t filter -A INPUT -p tcp --dport 444:1722 -j DROP
使用PS命令检查dhcpd进程:


$ipt -t filter -A INPUT -p udp --dport 1723 -j DROP
ps -ef | grep dhcpd


$ipt -t filter -A INPUT -p udp --dport 444:1862 -j DROP
使用netstat检查dhcpd运行端口:


$ipt -t filter -A INPUT -p tcp --dport 1724:1862 -j DROP
netstat -nutap | grep dhcpd


$ipt -t filter -A INPUT -p tcp --dport 31790 -j DROP
=== 配置mail邮件服务器 ===


$ipt -t filter -A INPUT -p udp --dport 31790 -j DROP
=== 配置samba文件服务器 ===
安装samba客户端


$ipt -t filter -A INPUT -p tcp --dport 31789 -j DROP
rpm -ivh samba-common-3.5.5-68.fc14.1.x86_64.rpm


$ipt -t filter -A INPUT -p udp --dport 31789 -j DROP
rpm -ivh samba-client-3.5.5-68.fc14.1.x86_64.rpm


$ipt -t filter -A INPUT -p tcp --dport 31340 -j DROP
查看共享资源


$ipt -t filter -A INPUT -p udp --dport 31340 -j DROP
smbclient -L 192.168.1.254


$ipt -t filter -A INPUT -p tcp --dport 31339 -j DROP
访问共享资源(使用root账户防止访问本地文件夹受限)


$ipt -t filter -A INPUT -p udp --dport 31339 -j DROP
smbclient //192.168.1.254/public -u usename


$ipt -t filter -A INPUT -p tcp --dport 31338 -j DROP
<smb:\>dir


$ipt -t filter -A INPUT -p udp --dport 31338 -j DROP
<smb:\>cd video


$ipt -t filter -A INPUT -p tcp --dport 31337 -j DROP
<smb:\>get RealPlayer11GOLD.rpm
=== 配置FTP服务器 ===
=== 配置Redhat集群应用 ===


$ipt -t filter -A INPUT -p udp --dport 31337 -j DROP
=== 配置防火墙firewall ===
*<1>更新防火墙iptables-1.4.10


$ipt -t filter -A INPUT -p tcp --dport 31335 -j DROP
下载最新的iptables版本(www.netfilter.org)


$ipt -t filter -A INPUT -p udp --dport 31335 -j DROP
scp root@192.168.1.5:/root/iptables-1.4.10.tar.bz2


$ipt -t filter -A INPUT -p tcp --dport 30100 -j DROP
mv /root/iptables-1.4.10.tar.bz2 /usr/local/src/


$ipt -t filter -A INPUT -p udp --dport 30100 -j DROP
cd /usr/local/src/


$ipt -t filter -A INPUT -p tcp --dport 27665 -j DROP
tar jxvf iptables-1.4.10.tar.bz2


$ipt -t filter -A INPUT -p udp --dport 27665 -j DROP
cd iptables-1.4.10


$ipt -t filter -A INPUT -p tcp --dport 27444 -j DROP
./configure


$ipt -t filter -A INPUT -p udp --dport 27444 -j DROP
make


$ipt -t filter -A INPUT -p tcp --dport 27374 -j DROP
make install


$ipt -t filter -A INPUT -p udp --dport 27374 -j DROP
*<2>将iptables服务停止


$ipt -t filter -A INPUT -p tcp --dport 23445 -j DROP
[root@linux-test root]&nbsp;# service iptables stop


$ipt -t filter -A INPUT -p udp --dport 23445 -j DROP
<span style="color: #5f94bb;">[root@linux-test root]# service ip6tables stop</span>


$ipt -t filter -A INPUT -p tcp --dport 23444 -j DROP
用/usr/local/sbin/iptables新文件替换/sbin/iptables(这个是老版本的连接位置)


$ipt -t filter -A INPUT -p udp --dport 23444 -j DROP
并同时替换ip6tables、ip6tables-restore、ip6tables-save、iptables、iptables-restore和iptables-save


$ipt -t filter -A INPUT -p tcp --dport 19191 -j DROP
[root@linux-test root]&nbsp;# cp /usr/local/sbin/iptables /sbin/iptables


$ipt -t filter -A INPUT -p udp --dport 19191 -j DROP
iptables就升级完成了,使用下列命令查看


$ipt -t filter -A INPUT -p tcp --dport 14704 -j DROP
[root@linux-test root]# iptables -V


$ipt -t filter -A INPUT -p udp --dport 14704 -j DROP
iptables v1.4.10


$ipt -t filter -A INPUT -p tcp --dport 10000 -j DROP
[root@linux-test root]# service iptables restart


$ipt -t filter -A INPUT -p udp --dport 10000 -j DROP
*<3>使用snort.sh脚本在开机时自动开启防火墙设置(使用合理规则时可实现基于端口的Windows server 2008平台虚拟机web页面穿越防火墙与局域网直接联系,或使用主机代理连接至Internet。开发web不在受平台限制)


$ipt -t filter -A INPUT -p tcp --dport 9704 -j DROP
<span style="color: #5f94bb;">&nbsp;# touch /etc/rc.d/snort.sh</span>


$ipt -t filter -A INPUT -p udp --dport 9704 -j DROP
&nbsp;# echo "/etc/rc.d/snort.sh">>/etc/rc.d/rc.local


$ipt -t filter -A INPUT -p tcp --dport 9393 -j DROP


$ipt -t filter -A INPUT -p udp --dport 9393 -j DROP
将snort.sh防火墙脚本放在/etc/rc.d目录中


$ipt -t filter -A INPUT -p tcp --dport 8102 -j DROP


$ipt -t filter -A INPUT -p udp --dport 8102 -j DROP
添加snort.sh文件的可执行权限


$ipt -t filter -A INPUT -p tcp --dport 8011 -j DROP


$ipt -t filter -A INPUT -p udp --dport 8011 -j DROP
&nbsp;# chmod u+x /etc/rc.d/snort.sh


$ipt -t filter -A INPUT -p tcp --dport 7626 -j DROP


$ipt -t filter -A INPUT -p udp --dport 7626 -j DROP
&nbsp;# echo "1" >/proc/sys/net/ipv4/ip_forward


$ipt -t filter -A INPUT -p tcp --dport 7306 -j DROP


$ipt -t filter -A INPUT -p udp --dport 7306 -j DROP
或是修改/etc/sysctl.conf把net.ipv4.ip_forward = 0改为= 1


$ipt -t filter -A INPUT -p tcp --dport 6667 -j DROP
<span style="color: #5f94bb;">当启用ipv6防火墙时启用ipv6_forwarding路由转发设置</span>


$ipt -t filter -A INPUT -p udp --dport 6667 -j DROP
<span style="color: #5f94bb;">修改/etc/sysctl.conf在注释#Controls IP packet forwarding下面添加(add:)</span>


$ipt -t filter -A INPUT -p tcp --dport 6346 -j DROP
<span style="color: #5f94bb;">net.ipv6.conf.all.forwarding = 1</span>


$ipt -t filter -A INPUT -p udp --dport 6346 -j DROP
<span style="color: #5f94bb;">save sysctl.conf保存文件并启用/etc/sysctl.conf文件中的变量variable</span>


$ipt -t filter -A INPUT -p tcp --dport 6267 -j DROP
<span style="color: #5f94bb;">sysctl -p /etc/sysctl.conf</span>


$ipt -t filter -A INPUT -p udp --dport 6267 -j DROP
<span style="color: #5f94bb;">检查路由转发功能设置</span>


$ipt -t filter -A INPUT -p tcp --dport 6129 -j DROP
<span style="color: #5f94bb;">nano /proc/sys/net/ipv6/conf/all/forwarding</span>


$ipt -t filter -A INPUT -p udp --dport 6129 -j DROP
<span style="color: #5f94bb;">或是修改echo "1" >/proc/sys/net/ipv6/conf/all/forwarding</span>


$ipt -t filter -A INPUT -p tcp --dport 6000 -j DROP
以下为<span style="color: #FF9900">Basic_Firewall</span>防火墙脚本snort.sh内容:# gedit /etc/rc.d/snort.sh


$ipt -t filter -A INPUT -p udp --dport 6000 -j DROP
&nbsp;#!/bin/bash


$ipt -t filter -A INPUT -p tcp --dport 5900 -j DROP
echo "1" >/proc/sys/net/ipv4/ip_forward


$ipt -t filter -A INPUT -p udp --dport 5900 -j DROP
echo "1" >/proc/sys/net/ipv6/conf/all/forwarding


$ipt -t filter -A INPUT -p tcp --dport 5800 -j DROP
inet_iface="ppp0"


$ipt -t filter -A INPUT -p udp --dport 5800 -j DROP
inet_ip="192.168.122.2"


$ipt -t filter -A INPUT -p tcp --dport 5554 -j DROP
lan_iface="eth1"


$ipt -t filter -A INPUT -p udp --dport 5554 -j DROP
lan_ip="192.168.1.5"


$ipt -t filter -A INPUT -p tcp --dport 5400 -j DROP
lan_ip_range="192.168.1.0/24"


$ipt -t filter -A INPUT -p udp --dport 5400 -j DROP
dns1="202.103.24.68"


$ipt -t filter -A INPUT -p tcp --dport 5168 -j DROP
dns2="202.103.44.150"


$ipt -t filter -A INPUT -p udp --dport 5168 -j DROP
ntp="122.226.192.4"


$ipt -t filter -A INPUT -p tcp --dport 5100 -j DROP
ipt="/sbin/iptables"


$ipt -t filter -A INPUT -p udp --dport 5100 -j DROP
ip6t="/sbin/ip6tables"


$ipt -t filter -A INPUT -p tcp --dport 5000 -j DROP
/sbin/depmod -a


$ipt -t filter -A INPUT -p udp --dport 5000 -j DROP
/sbin/modprobe ipt_MASQUERADE


$ipt -t filter -A INPUT -p tcp --dport 4500 -j DROP
/sbin/modprobe ip_tables


$ipt -t filter -A INPUT -p udp --dport 4500 -j DROP
/sbin/modprobe ip_conntrack


$ipt -t filter -A INPUT -p tcp --dport 4444 -j DROP
/sbin/modprobe ip_conntrack_ftp


$ipt -t filter -A INPUT -p udp --dport 4444 -j DROP
/sbin/modprobe ip_conntrack_irc


$ipt -t filter -A INPUT -p tcp --dport 3389 -j DROP
/sbin/modprobe iptable_nat


$ipt -t filter -A INPUT -p udp --dport 3389 -j DROP
/sbin/modprobe ip_nat_ftp


$ipt -t filter -A INPUT -p tcp --dport 3306 -j DROP
/sbin/modprobe ipt_connlimit


$ipt -t filter -A INPUT -p udp --dport 3306 -j DROP
/sbin/modprobe ipt_limit


$ipt -t filter -A INPUT -p tcp --dport 3150 -j DROP
/sbin/modprobe ipt_LOG


$ipt -t filter -A INPUT -p udp --dport 3150 -j DROP
$ipt -P INPUT DROP


$ipt -t filter -A INPUT -p tcp --dport 3127 -j DROP
$ipt -P FORWARD DROP


$ipt -t filter -A INPUT -p udp --dport 3127 -j DROP
$ipt -P OUTPUT ACCEPT


$ipt -t filter -A INPUT -p tcp --dport 3000 -j DROP
$ipt -t nat -P PREROUTING ACCEPT


$ipt -t filter -A INPUT -p udp --dport 3000 -j DROP
$ipt -t nat -P POSTROUTING ACCEPT


$ipt -t filter -A INPUT -p tcp --dport 2989 -j DROP
$ipt -t nat -P OUTPUT ACCEPT


$ipt -t filter -A INPUT -p udp --dport 2989 -j DROP
for TABLE in filter nat mangle ; do


$ipt -t filter -A INPUT -p tcp --dport 2869 -j DROP
$ipt -t $TABLE -F


$ipt -t filter -A INPUT -p udp --dport 2869 -j DROP
$ipt -t $TABLE -X


$ipt -t filter -A INPUT -p tcp --dport 2500 -j DROP
done


$ipt -t filter -A INPUT -p udp --dport 2500 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $inet_iface -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2475 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i $inet_iface -j DROP


$ipt -t filter -A INPUT -p udp --dport 2475 -j DROP
$ipt -t filter -A INPUT -s 192.168.0.0/16 -i $inet_iface -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2140 -j DROP
$ipt -t filter -A INPUT -s 10.0.0.0/8 -i $inet_iface -j DROP


$ipt -t filter -A INPUT -p udp --dport 2140 -j DROP
$ipt -t filter -A INPUT -s 172.16.0.0/16 -i $inet_iface -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2115 -j DROP
$ipt -t filter -A INPUT -s 127.0.0.0/8 -i $inet_iface -j DROP


$ipt -t filter -A INPUT -p udp --dport 2115 -j DROP
$ipt -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2023 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 0:19 -j DROP


$ipt -t filter -A INPUT -p udp --dport 2023 -j DROP
$ipt -t filter -A INPUT -p udp --dport 0:19 -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2012 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 22 -j DROP


$ipt -t filter -A INPUT -p udp --dport 2012 -j DROP
$ipt -t filter -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2001 -j DROP
$ipt -t filter -A INPUT -s $lan_ip -p tcp --dport 22 -j DROP


$ipt -t filter -A INPUT -p udp --dport 2001 -j DROP
$ipt -t filter -A INPUT -d 192.168.122.1 -p tcp --dport 22 -j DROP


$ipt -t filter -A INPUT -p tcp --dport 2000 -j DROP
$ipt -t filter -A INPUT -d $inet_ip -p tcp --dport 22 -j DROP


$ipt -t filter -A INPUT -p udp --dport 2000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 23:24 -j DROP


$ipt -t filter -A INPUT -p tcp --dport 1981 -j DROP
$ipt -t filter -A INPUT -p udp --dport 21:52 -j DROP


$ipt -t filter -A INPUT -p udp --dport 1981 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 26:52 -j DROP


$ipt -t filter -A INPUT -p tcp --dport 1900 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 54:66 -j DROP


$ipt -t filter -A INPUT -p udp --dport 1900 -j DROP
$ipt -t filter -A INPUT -p udp --dport 54:66 -j DROP


$ipt -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 67 -j DROP


$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 67:69 -j DROP


$ipt -t filter -A INPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 68:79 -j DROP


$ipt -t filter -A INPUT -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 70:79 -j DROP


$ipt -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "iniptables:"
$ipt -t filter -A INPUT -p tcp --dport 81:109 -j DROP


$ipt -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$ipt -t filter -A INPUT -p udp --dport 81:109 -j DROP


$ipt -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$ipt -t filter -A INPUT -p tcp --dport 112 -j DROP


$ipt -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -t filter -A INPUT -p udp --dport 112 -j DROP


$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -t filter -A INPUT -p tcp --dport 114:138 -j DROP


$ipt -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 114:122 -j DROP


$ipt -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 124:136 -j DROP


$ipt -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 137:138 -j DROP


$ipt -t filter -A INPUT -i lo -j ACCEPT
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 139 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 140:142 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 144:442 -j DROP


$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 139:442 -j DROP


$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 444 -j DROP


$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 446:1722 -j DROP


$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 444:1193 -j DROP


$ipt -t filter -A INPUT -p udp --dport domain ! -s $dns1 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p udp --dport 1195:1862 -j DROP


$ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns1 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p tcp --dport 1724:1862 -j DROP


$ipt -t filter -A INPUT -p udp --dport domain ! -s $dns2 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31790 -j DROP


$ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns2 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p udp --dport 31790 -j DROP


$ipt -t filter -N LOGJOIN
$ipt -t filter -A INPUT -p tcp --dport 31789 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m tcp --dport 22 -j LOGJOIN
$ipt -t filter -A INPUT -p udp --dport 31789 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m tcp --dport 22 -j LOGJOIN
$ipt -t filter -A INPUT -p tcp --dport 31340 -j DROP


$ipt -t filter -A LOGJOIN -j LOG --log-prefix "iptenter:"
$ipt -t filter -A INPUT -p udp --dport 31340 -j DROP


$ipt -t filter -A LOGJOIN -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 31339 -j DROP


$ipt -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 31339 -j DROP


$ipt -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 31338 -j DROP


$ipt -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 6160,5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 31338 -j DROP


$ipt -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,443,113,110,80,21,20 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 31337 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p ah -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 31337 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p esp -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 31335 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 6160,2049,1863,1723,995,993,445,443,139,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 31335 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 21064,11111,5989,143,111 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 30100 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,445,443,138,137,123,113,110,80,69,21,20 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 30100 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport --dports 500 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 27665 -j DROP


$ipt -t filter -A INPUT -p udp -s $ntp -i $inet_iface --dport 123 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 27665 -j DROP


$ipt -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 27444 -j DROP


$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p gre -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 27444 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p gre -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 27374 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p ah -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 27374 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p esp -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 23445 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 6160,2049,1863,1723,995,993,445,443,139,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 23445 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 21064,11111,5989,143,111 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 23444 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 5405,5404,1863,1194,445,443,138,137,123,113,110,80,69,21,20 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 23444 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 500 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 19191 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 19191 -j DROP


$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 14704 -j DROP


$ipt -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 14704 -j DROP


$ipt -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 10000 -j DROP


$ipt -t filter -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A INPUT -p udp --dport 10000 -j DROP


$ipt -t filter -A INPUT -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A INPUT -p tcp --dport 9704 -j DROP


$ipt -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable
$ipt -t filter -A INPUT -p udp --dport 9704 -j DROP


$ipt -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ipt -t filter -A INPUT -p tcp --dport 9393 -j DROP


$ipt -t filter -A INPUT -j DROP
$ipt -t filter -A INPUT -p udp --dport 9393 -j DROP


$ipt -t filter -A FORWARD -s $lan_ip_range -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p tcp --dport 8102 -j DROP


$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p udp --dport 8102 -j DROP


$ipt -t filter -A FORWARD -s 192.168.0.0/16 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p tcp --dport 8011 -j DROP


$ipt -t filter -A FORWARD -s 10.0.0.0/8 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p udp --dport 8011 -j DROP


$ipt -t filter -A FORWARD -s 172.16.0.0/16 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p tcp --dport 7626 -j DROP


$ipt -t filter -A FORWARD -s 127.0.0.0/8 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p udp --dport 7626 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 0:19 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 7306 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 0:19 -j DROP
$ipt -t filter -A INPUT -p udp --dport 7306 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 22:24 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6667 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 22:24 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6667 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 26:79 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6346 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 26:79 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6346 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 81:109 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6267 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 81:109 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6267 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 111:442 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6129 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 111:442 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6129 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6000 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 444 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6000 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 446:1001 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5900 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 446:1001 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5900 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31790 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5800 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31790 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5800 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31789 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5554 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31789 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5554 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31340 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5400 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31340 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5400 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31339 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5168 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31339 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5168 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31338 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5100 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31338 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5100 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31337 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5000 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31337 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5000 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 31335 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 4500 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 31335 -j DROP
$ipt -t filter -A INPUT -p udp --dport 4500 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 30100 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 4444 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 30100 -j DROP
$ipt -t filter -A INPUT -p udp --dport 4444 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 27665 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3389 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 27665 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3389 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 27444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3306 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 27444 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3306 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 27374 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3150 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 27374 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3150 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 23445 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3127 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 23445 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3127 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 23444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3000 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 23444 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3000 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 19191 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2989 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 19191 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2989 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 14704 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2869 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 14704 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2869 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 10000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2500 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 10000 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2500 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 9704 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2475 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 9704 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2475 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 9393 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2140 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 9393 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2140 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 8102 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2115 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 8102 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2115 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 8011 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2023 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 8011 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2023 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 7626 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2012 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 7626 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2012 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 7306 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2001 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 7306 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2001 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 6667 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2000 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 6667 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2000 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 6346 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 1981 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 6346 -j DROP
$ipt -t filter -A INPUT -p udp --dport 1981 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 6267 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 1900 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 6267 -j DROP
$ipt -t filter -A INPUT -p udp --dport 1900 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 6129 -j DROP
$ipt -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP


$ipt -t filter -A FORWARD -p udp --dport 6129 -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 6000 -j DROP
$ipt -t filter -A INPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 6000 -j DROP
$ipt -t filter -A INPUT -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 5900 -j DROP
<span style="color: #FF9900">$ipt -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "iniptables:"</span>


$ipt -t filter -A FORWARD -p udp --dport 5900 -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 5800 -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP


$ipt -t filter -A FORWARD -p udp --dport 5800 -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 5554 -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP


$ipt -t filter -A FORWARD -p udp --dport 5554 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 5400 -j DROP
$ipt -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 5400 -j DROP
$ipt -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 5168 -j DROP
$ipt -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP


$ipt -t filter -A FORWARD -p udp --dport 5168 -j DROP
$ipt -t filter -A INPUT -i lo -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 5100 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 5100 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 5000 -j DROP
$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 5000 -j DROP
$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 4500 -j DROP
$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 4500 -j DROP
$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 4444 -j DROP
$ipt -t filter -A INPUT -p udp --dport domain ! -s $dns1 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p udp --dport 4444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns1 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 3389 -j DROP
$ipt -t filter -A INPUT -p udp --dport domain ! -s $dns2 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p udp --dport 3389 -j DROP
$ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns2 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 3306 -j DROP
$ipt -t filter -N LOGJOIN


$ipt -t filter -A FORWARD -p udp --dport 3306 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN


$ipt -t filter -A FORWARD -p tcp --dport 3150 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN


$ipt -t filter -A FORWARD -p udp --dport 3150 -j DROP
$ipt -t filter -A LOGJOIN -j LOG --log-prefix "iptenter:"


$ipt -t filter -A FORWARD -p tcp --dport 3127 -j DROP
$ipt -t filter -A LOGJOIN -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 3127 -j DROP
$ipt -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 3000 -j DROP
$ipt -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 3000 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2989 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2989 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p ah -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2869 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p esp -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2869 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2500 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2500 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2475 -j DROP
$ipt -t filter -A INPUT -p udp -s $ntp -i $inet_iface --dport 123 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2475 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2140 -j DROP
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p gre -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2140 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p gre -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2115 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p ah -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2115 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p esp -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2023 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2023 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2012 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2012 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 5405,5404 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2001 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2001 -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 2000 -j DROP
$ipt -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT


$ipt -t filter -A FORWARD -p udp --dport 2000 -j DROP
$ipt -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT


$ipt -t filter -A FORWARD -p tcp --dport 1981 -j DROP
<span style="color: #5f94bb;">$ipt -t filter -A INPUT -p icmp --icmp-type any -j ACCEPT</span>


$ipt -t filter -A FORWARD -p udp --dport 1981 -j DROP
<span style="color: #b2b2b2">$ipt -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset</span>


$ipt -t filter -A FORWARD -p tcp --dport 1900 -j DROP
<span style="color: #b2b2b2">$ipt -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable</span>


$ipt -t filter -A FORWARD -p udp --dport 1900 -j DROP
<span style="color: #b2b2b2">$ipt -t filter -A INPUT -j DROP</span>


$ipt -t filter -A FORWARD -p tcp --dport 1807 -j DROP
$ipt -t filter -A FORWARD -s $lan_ip_range -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1807 -j DROP
$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1600 -j DROP
$ipt -t filter -A FORWARD -s 192.168.0.0/16 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1600 -j DROP
$ipt -t filter -A FORWARD -s 10.0.0.0/8 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1524 -j DROP
$ipt -t filter -A FORWARD -s 172.16.0.0/16 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1524 -j DROP
$ipt -t filter -A FORWARD -s 127.0.0.0/8 -i $inet_iface -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1492 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 0:19 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1492 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 0:19 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1444 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 22:24 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1444 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 21:79 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1443 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 26:79 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1443 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 81:109 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1434 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 81:109 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1434 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 112 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1349 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 112 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1349 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 114:138 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1245 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 140:142 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1245 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 114:442 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1243 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 144:442 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1243 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 444 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1234 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 446:1001 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1234 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 444:1001 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1099 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31790 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1099 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31790 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1098 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31789 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1098 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31789 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1097 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31340 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1097 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31340 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1095 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31339 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1095 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31339 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1090 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31338 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1090 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31338 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1080 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31337 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1080 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31337 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1057 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 31335 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1057 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 31335 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1053 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 30100 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1053 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 30100 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1051 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 27665 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1051 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 27665 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1045 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 27444 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1045 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 27444 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1042 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 27374 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1042 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 27374 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1025 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 23445 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1025 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 23445 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1024 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 23444 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1024 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 23444 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1015 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 19191 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1015 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 19191 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1012 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 14704 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1012 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 14704 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1011 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 10000 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1011 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 10000 -j DROP


$ipt -t filter -A FORWARD -p tcp --dport 1010 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 9704 -j DROP


$ipt -t filter -A FORWARD -p udp --dport 1010 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 9704 -j DROP


$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A FORWARD -p tcp --dport 9393 -j DROP


$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A FORWARD -p udp --dport 9393 -j DROP


$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 8102 -j DROP


$ipt -t filter -A FORWARD -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 8102 -j DROP


$ipt -t filter -A FORWARD -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 8011 -j DROP


$ipt -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "foriptables:"
$ipt -t filter -A FORWARD -p udp --dport 8011 -j DROP


$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 7626 -j DROP


$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$ipt -t filter -A FORWARD -p udp --dport 7626 -j DROP


$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 7306 -j DROP


$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -t filter -A FORWARD -p udp --dport 7306 -j DROP


$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 6667 -j DROP


$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 6667 -j DROP


$ipt -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 6346 -j DROP


$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o lo -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 6346 -j DROP


$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o lo -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 6267 -j DROP


$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 6267 -j DROP


$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 6129 -j DROP


$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,445,443,113,110,80,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 6129 -j DROP


$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p udp -m multiport --dports 8000,1863,445,443,113,110,80,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 6000 -j DROP


$ipt -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 6000 -j DROP


$ipt -t filter -A FORWARD -p gre -s $lan_ip_range -i $lan_iface -o $inet_iface -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 5900 -j DROP


$ipt -t filter -A FORWARD -p udp -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 5900 -j DROP


$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p tcp -m multiport --dports 8000,1863,1723,445,443,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 5800 -j DROP


$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 5800 -j DROP


$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p udp -m multiport --dports 8000,1863,445,443,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 5554 -j DROP


$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,445,443,113,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 5554 -j DROP


$ipt -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 5400 -j DROP


$ipt -t filter -A FORWARD -p gre -s 192.168.122.0/24 -i virbr0 -o $inet_iface -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 5400 -j DROP


$ipt -t filter -A FORWARD -p udp -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 5168 -j DROP


$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type destination-unreachable -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A FORWARD -p udp --dport 5168 -j DROP


$ipt -t filter -A FORWARD -j REJECT --reject-with icmp-host-prohibited
$ipt -t filter -A FORWARD -p tcp --dport 5100 -j DROP


$ipt -t filter -A FORWARD -j REJECT --reject-with icmp-port-unreachable
$ipt -t filter -A FORWARD -p udp --dport 5100 -j DROP


$ipt -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$ipt -t filter -A FORWARD -p tcp --dport 5000 -j DROP


$ipt -t filter -A FORWARD -j DROP
$ipt -t filter -A FORWARD -p udp --dport 5000 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 0:19 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 4500 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 0:19 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 4500 -j DROP


$ipt -t filter -A OUTPUT -o $inet_iface -p tcp --sport 22 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 4444 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 22 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 4444 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 23:24 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 3389 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 23:24 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 3389 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 26:52 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 3306 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 26:52 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 3306 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 54:66 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 3150 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 54:66 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 3150 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 69:79 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 3127 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 69:79 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 3127 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 81:109 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 3000 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 81:109 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 3000 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 112 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2989 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 111:112 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2989 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 123 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2869 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 114:122 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2869 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 114:138 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2500 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 124:138 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2500 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 140:142 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2475 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 144:442 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2475 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 140:442 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2140 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 444:1001 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2140 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 444:1001 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2115 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31790 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2115 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31790 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2023 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31789 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2023 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31789 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2012 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31340 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2012 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31340 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2001 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31339 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2001 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31339 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 2000 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31338 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 2000 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31338 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1981 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31337 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1981 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31337 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1900 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 31335 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1900 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 31335 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1807 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 30100 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1807 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 30100 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1600 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 27665 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1600 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 27665 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1524 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 27444 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1524 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 27444 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1492 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 27374 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1492 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 27374 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1444 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 23445 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1444 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 23445 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1443 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 23444 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1443 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 23444 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1434 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 19191 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1434 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 19191 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1349 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 14704 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1349 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 14704 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1245 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 10000 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1245 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 10000 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1243 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 9704 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1243 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 9704 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1234 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 9393 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1234 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 9393 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1099 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 8102 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1099 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 8102 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1098 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 8011 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1098 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 8011 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1097 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 7626 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1097 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 7626 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1095 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 7306 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1095 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 7306 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1090 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 6667 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1090 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 6667 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1080 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 6346 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1080 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 6346 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1057 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 6267 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1057 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 6267 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1053 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 6129 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1053 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 6129 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1051 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 6000 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1051 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 6000 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1045 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5900 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1045 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5900 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1042 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5800 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1042 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5800 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1025 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5554 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1025 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5554 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1024 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5400 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1024 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5400 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1015 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5168 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1015 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5168 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1012 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5100 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1012 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5100 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1011 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 5000 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1011 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 5000 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 1010 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 4500 -j DROP
$ipt -t filter -A FORWARD -p udp --dport 1010 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 4500 -j DROP
$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-request -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 4444 -j DROP
$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 4444 -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 3389 -j DROP
$ipt -t filter -A FORWARD -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 3389 -j DROP
$ipt -t filter -A FORWARD -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 3306 -j DROP
<span style="color: #FF9900">$ipt -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "foriptables:"</span>


$ipt -t filter -A OUTPUT -p udp --sport 3306 -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 3150 -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 3150 -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 3127 -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 3127 -j DROP
$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -m state --state RELATED,ESTABLISHED -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 3000 -j DROP
$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 3000 -j DROP
$ipt -t filter -A FORWARD -i $lan_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2989 -j DROP
$ipt -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 2989 -j DROP
<span style="color: #7dc2f5">$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o virbr0 -p tcp -j ACCEPT</span>


$ipt -t filter -A OUTPUT -p tcp --sport 2869 -j DROP
<span style="color: #7dc2f5">$ipt -t filter -A FORWARD -i virbr0 -o $lan_iface -d $lan_ip_range -p tcp -j ACCEPT</span>


$ipt -t filter -A OUTPUT -p udp --sport 2869 -j DROP
<span style="color: #7dc2f5">$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o virbr0 -p udp -j ACCEPT</span>


$ipt -t filter -A OUTPUT -p tcp --sport 2500 -j DROP
<span style="color: #7dc2f5">$ipt -t filter -A FORWARD -i virbr0 -o $lan_iface -d $lan_ip_range -p udp -j ACCEPT</span>


$ipt -t filter -A OUTPUT -p udp --sport 2500 -j DROP
$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2475 -j DROP
$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2475 -j DROP
$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2140 -j DROP
$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2140 -j DROP
$ipt -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2115 -j DROP
$ipt -t filter -A FORWARD -p gre -s $lan_ip_range -i $lan_iface -o $inet_iface -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2115 -j DROP
$ipt -t filter -A FORWARD -p udp -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2023 -j DROP
$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2023 -j DROP
$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2012 -j DROP
$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2012 -j DROP
$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2001 -j DROP
$ipt -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2001 -j DROP
$ipt -t filter -A FORWARD -p gre -s 192.168.122.0/24 -i virbr0 -o $inet_iface -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 2000 -j DROP
$ipt -t filter -A FORWARD -p udp -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 2000 -j DROP
<span style="color: #5f94bb;">$ipt -t filter -A FORWARD -p icmp --icmp-type any -j ACCEPT</span>


$ipt -t filter -A OUTPUT -p tcp --sport 1981 -j DROP
<span style="color: #b2b2b2">$ipt -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset</span>


$ipt -t filter -A OUTPUT -p udp --sport 1981 -j DROP
<span style="color: #b2b2b2">$ipt -t filter -A FORWARD -j REJECT --reject-with icmp-port-unreachable</span>


$ipt -t filter -A OUTPUT -p tcp --sport 1900 -j DROP
<span style="color: #b2b2b2">$ipt -t filter -A FORWARD -j DROP</span>


$ipt -t filter -A OUTPUT -p udp --sport 1900 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 0:19 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1807 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 0:19 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1807 -j DROP
$ipt -t filter -A OUTPUT -o $inet_iface -p tcp --sport 22 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1600 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 23:24 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1600 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 22:52 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1524 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 26:52 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1524 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 54:66 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1492 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 54:66 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1492 -j DROP
$ipt -t filter -A OUTPUT -o $inet_iface -p tcp --sport 67 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1444 -j DROP
$ipt -t filter -A OUTPUT -o $inet_iface -p udp --sport 67:68 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1444 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 68:79 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1443 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 70:79 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1443 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 81:109 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1434 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 81:109 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1434 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 112 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1349 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 112 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1349 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 114:122 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1245 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 114:138 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1245 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 140:142 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1243 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 144:442 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1243 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 124:442 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1234 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 444 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1234 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 446:1001 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1099 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 444:1001 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1099 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31790 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1098 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31790 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1098 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31789 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1097 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31789 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1097 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31340 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1095 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31340 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1095 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31339 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1090 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31339 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1090 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31338 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1080 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31338 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1080 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31337 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1057 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31337 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1057 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 31335 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1053 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 31335 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1053 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 30100 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1051 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 30100 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1051 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 27665 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1045 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 27665 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1045 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 27444 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1042 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 27444 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1042 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 27374 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1025 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 27374 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1025 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 23445 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1024 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 23445 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1024 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 23444 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1015 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 23444 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1015 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 19191 -j DROP


$ipt -t filter -A OUTPUT -p tcp --sport 1012 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 19191 -j DROP


$ipt -t filter -A OUTPUT -p udp --sport 1012 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 14704 -j DROP
 
 
$ipt -t filter -A OUTPUT -p tcp --sport 1011 -j DROP
$ipt -t filter -A OUTPUT -p udp --sport 14704 -j DROP
 
 
$ipt -t filter -A OUTPUT -p udp --sport 1011 -j DROP
$ipt -t filter -A OUTPUT -p tcp --sport 10000 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 10000 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 9704 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 9704 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 9393 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 9393 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 8102 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 8102 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 8011 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 8011 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 7626 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 7626 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 7306 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 7306 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 6667 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 6667 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 6346 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 6346 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 6267 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 6267 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 6129 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 6129 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 6000 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 6000 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5900 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5900 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5800 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5800 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5554 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5554 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5400 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5400 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5168 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5168 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5100 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5100 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 5000 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 5000 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 4500 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 4500 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 4444 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 4444 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 3389 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 3389 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 3306 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 3306 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 3150 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 3150 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 3127 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 3127 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 3000 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 3000 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2989 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2989 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2869 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2869 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2500 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2500 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2475 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2475 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2140 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2140 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2115 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2115 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2023 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2023 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2012 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2012 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2001 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2001 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 2000 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 2000 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1981 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1981 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1900 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1900 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1807 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1807 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1600 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1600 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1524 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1524 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1492 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1492 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1444 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1444 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1443 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1443 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1434 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1434 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1349 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1349 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1245 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1245 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1243 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1243 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1234 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1234 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1099 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1099 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1098 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1098 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1097 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1097 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1095 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1095 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1090 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1090 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1080 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1080 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1057 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1057 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1053 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1053 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1051 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1051 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1045 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1045 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1042 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1042 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1025 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1025 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1024 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1024 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1015 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1015 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1012 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1012 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1011 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1011 -j DROP
 
$ipt -t filter -A OUTPUT -p tcp --sport 1010 -j DROP
 
$ipt -t filter -A OUTPUT -p udp --sport 1010 -j DROP
 
$ipt -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
 
$ipt -t filter -A OUTPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
 
$ipt -t filter -A OUTPUT -o lo -j ACCEPT
 
$ipt -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
 
$ipt -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT
 
$ipt -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT
 
$ipt -t filter -A OUTPUT -p udp --sport domain -j ACCEPT
 
$ipt -t filter -A OUTPUT -o $lan_iface -p ah -j ACCEPT
 
$ipt -t filter -A OUTPUT -o $lan_iface -p esp -j ACCEPT
 
$ipt -t filter -A OUTPUT -o virbr0 -p ah -j ACCEPT
 
$ipt -t filter -A OUTPUT -o virbr0 -p esp -j ACCEPT
 
$ipt -t filter -A OUTPUT -o $lan_iface -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
 
$ipt -t filter -A OUTPUT -o $lan_iface -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
 
$ipt -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
 
$ipt -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
 
$ipt -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT
 
$ipt -t filter -A OUTPUT -d $lan_ip_range -o $lan_iface -p gre -j ACCEPT
 
$ipt -t filter -A OUTPUT -d 192.168.122.0/24 -o virbr0 -p gre -j ACCEPT
 
<span style="color: #5f94bb;">$ipt -t filter -A OUTPUT -p icmp --icmp-type any -j ACCEPT</span>
 
if [ "$inet_iface" = ppp0 ] ; then
 
$ipt -t nat -A POSTROUTING -o $inet_iface -j MASQUERADE
 
else
 
$ipt -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip
 
fi
 
$ip6t -P INPUT DROP
 
$ip6t -P FORWARD DROP
 
$ip6t -P OUTPUT ACCEPT
 
for TABLE in filter mangle ; do
 
$ip6t -t $TABLE -F
 
$ip6t -t $TABLE -X
 
done
 
$ip6t -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP
 
$ip6t -t filter -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP
 
$ip6t -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
 
$ip6t -t filter -A INPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
 
$ip6t -t filter -A INPUT -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
 
<span style="color: #FF9900">$ip6t -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "inip6tables:"</span>
 
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 
$ip6t -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
$ip6t -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
$ip6t -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
$ip6t -t filter -A INPUT -i lo -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
 
$ip6t -t filter -A INPUT -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT
 
$ip6t -t filter -A INPUT -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT
 
$ip6t -t filter -N ip6LOGJOIN
 
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN
 
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN
 
$ip6t -t filter -A ip6LOGJOIN -j LOG --log-prefix "ip6tenter:"
 
$ip6t -t filter -A ip6LOGJOIN -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
 
$ip6t -t filter -A INPUT -i $lan_iface -p gre -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -p gre -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT
 
$ip6t -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT
 
<span style="color: #5f94bb;">$ip6t -t filter -A INPUT -p icmpv6 -j ACCEPT</span>
 
<span style="color: #b2b2b2">$ip6t -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset</span>
 
<span style="color: #b2b2b2">$ip6t -t filter -A INPUT -j REJECT --reject-with icmp6-port-unreachable</span>
 
<span style="color: #b2b2b2">$ip6t -t filter -A INPUT -j DROP</span>
 
$ip6t -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP
 
$ip6t -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP
 
$ip6t -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
 
$ip6t -t filter -A FORWARD -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
 
$ip6t -t filter -A FORWARD -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
 
<span style="color: #FF9900">$ip6t -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "forip6tables:"</span>
 
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
 
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
 
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
 
$ip6t -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -m state --state RELATED,ESTABLISHED -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
$ip6t -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
 
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -p tcp -j ACCEPT</span>
 
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -p udp -j ACCEPT</span>
 
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i virbr0 -o $lan_iface -p tcp -j ACCEPT</span>
 
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i virbr0 -o $lan_iface -p udp -j ACCEPT</span>
 
$ip6t -t filter -A FORWARD -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -j ACCEPT
 
$ip6t -t filter -A FORWARD -p gre -i $lan_iface -o $inet_iface -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
 
$ip6t -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -j ACCEPT
 
$ip6t -t filter -A FORWARD -p gre -i virbr0 -o $inet_iface -j ACCEPT
 
<span style="color: #5f94bb;">$ip6t -t filter -A FORWARD -p icmpv6 -j ACCEPT</span>
 
<span style="color: #b2b2b2">$ip6t -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset</span>
 
<span style="color: #b2b2b2">$ip6t -t filter -A FORWARD -j REJECT --reject-with icmp6-port-unreachable</span>
 
<span style="color: #b2b2b2">$ip6t -t filter -A FORWARD -j DROP</span>
 
$ip6t -t filter -A OUTPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP
 
$ip6t -t filter -A OUTPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT


$ipt -t filter -A OUTPUT -p tcp --sport 1010 -j DROP
$ip6t -t filter -A OUTPUT -o lo -j ACCEPT


$ipt -t filter -A OUTPUT -p udp --sport 1010 -j DROP
$ip6t -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
$ip6t -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT


$ipt -t filter -A OUTPUT -o lo -j ACCEPT
$ip6t -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT
 
$ipt -t filter -A OUTPUT -p tcp -m multiport --dports 8000,6160,5989,1863,1723,995,993,443,143,113,110,80,25,21,20 -j ACCEPT
 
$ipt -t filter -A OUTPUT -p tcp -m multiport --dports 111 -j ACCEPT
 
$ipt -t filter -A OUTPUT -p udp -m multiport --dports 8000,1863,443,123,113,110,80,21,20 -j ACCEPT
 
$ipt -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT
 
$ipt -t filter -A OUTPUT -p udp --sport domain -j ACCEPT


$ipt -t filter -A OUTPUT -o $lan_iface -p ah -j ACCEPT
$ip6t -t filter -A OUTPUT -p udp --sport domain -j ACCEPT


$ipt -t filter -A OUTPUT -o $lan_iface -p esp -j ACCEPT
$ip6t -t filter -A OUTPUT -o $lan_iface -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT


$ipt -t filter -A OUTPUT -o virbr0 -p ah -j ACCEPT
$ip6t -t filter -A OUTPUT -o $lan_iface -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT


$ipt -t filter -A OUTPUT -o virbr0 -p esp -j ACCEPT
$ip6t -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT


$ipt -t filter -A OUTPUT -o $lan_iface -p tcp -m multiport --dports 21064,11111,2049,445,139,68,67,22 -j ACCEPT
$ip6t -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT


$ipt -t filter -A OUTPUT -o $lan_iface -p udp -m multiport --dports 5405,5404,1194,500,445,139,69,68,67 -j ACCEPT
$ip6t -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT


$ipt -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,2049,445,139,68,67,22 -j ACCEPT
$ip6t -t filter -A OUTPUT -o $lan_iface -p gre -j ACCEPT


$ipt -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,1194,500,445,139,69,68,67 -j ACCEPT
$ip6t -t filter -A OUTPUT -o virbr0 -p gre -j ACCEPT


$ipt -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT
<span style="color: #5f94bb;">$ip6t -t filter -A OUTPUT -p icmpv6 -j ACCEPT</span>


$ipt -t filter -A OUTPUT -d $lan_ip_range -o $lan_iface -p gre -j ACCEPT
<span style="color: #FF9900">$ipt -t filter -I FORWARD -i $inet_iface -o virbr0 -p tcp -j ACCEPT</span>


$ipt -t filter -A OUTPUT -d 192.168.122.0/24 -o virbr0 -p gre -j ACCEPT
<span style="color: #FF9900">$ipt -t filter -I FORWARD -i virbr0 -o $inet_iface -p tcp -j ACCEPT</span>


if [ "$inet_iface" = ppp0 ] ; then
<span style="color: #FF9900">$ipt -t filter -I FORWARD -i $inet_iface -o virbr0 -p udp -j ACCEPT</span>


$ipt -t nat -A POSTROUTING -o $inet_iface -j MASQUERADE
<span style="color: #FF9900">$ipt -t filter -I FORWARD -i virbr0 -o $inet_iface -p udp -j ACCEPT</span>


else
<span style="color: #FF9900">$ipt -t nat -I PREROUTING -p tcp -d $inet_ip --dport 80 -j DNAT --to 192.168.122.192:80</span>


$ipt -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip
<span style="color: #FF9900">$ipt -t nat -I PREROUTING -p udp -d $inet_ip --dport 80 -j DNAT --to 192.168.122.192:80</span>


fi
<span style="color: #7dc2f5">$ipt -t nat -I PREROUTING -p tcp -d $lan_ip --dport 80 -j DNAT --to 192.168.122.192:80</span>


$ipt -t nat -A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
<span style="color: #7dc2f5">$ipt -t nat -I PREROUTING -p udp -d $lan_ip --dport 80 -j DNAT --to 192.168.122.192:80</span>


*保存防火墙配置runing snort.sh
*保存防火墙配置runing snort.sh


service iptables save
service iptables save


service ip6tables save


或者
或者


/etc/init.d/iptables save
/etc/init.d/iptables save


/etc/init.d/ip6tables save


可以在/var/log/messages文件中查看记录信息。
可以在/var/log/messages文件中查看记录信息。


在/etc/crontab中加入如下信息:
&nbsp;# iptables reload(每隔30分钟运行一次防火墙配置)


在crontab中加入如下信息:
&nbsp;*/30 * * * * root /etc/rc.d/snort.sh


现实中必须使用service iptables restart且service ip6tables restart


&nbsp;# iptables reload(每隔15分钟运行一次防火墙配置)
更改自启动firewall+[IDS]


ntsysv


&nbsp;*/15 * * * * root /etc/rc.d/snort.sh
最后更新路由设置ip route


== Fedora-14使用中存在的bug ==
== Fedora-14使用中存在的bug ==

Latest revision as of 14:19, 10 May 2011


安装Fedora-14

在此处获得Fedora-14安装的鏡像文件

在计算机安装Fedora-14-x86_64-DVD.iso的鏡像文件过程中, 当勾选默认配置时能够顺利完成安装; 当选择全部的安装包时系统提示有三个连接文件存在依赖关系无法完成最终的安装(其所需安装磁盘容量至少28.5GB);

fedora 14管理配置

第一部分 第二部分 第三部分
Linux网络系统基本管理 Linux网络服务管理 Linux安全快速的远程访问管理
Linux系统基本配置;
DHCP实现ip地址自动分配;
NIS网络信息服务。
Linux网络服务应用;
Samba+NFS文件服务;
BIND提供域名解析服务;|Apache提供网站服务;|Vsftp提供文件传输服务;|Sendmail邮件服务等。
Linux实现软路由;
Iptables网络防火墙;
Squid代理服务器配置;|Linux实现VPN服务器;
SSH实现Linux安全的访问和数据传输。

配置Fedora-14系统

VM虚拟机CPU饱和后不允许溢出运行;

解决root用户直接登入问题

su -

密码:

输入命令:gedit /etc/pam.d/gdm&

在文本编辑器中注释掉"auth required pam_succeed_if.so user!=root quiet"这一行(在这一行前面加上"#"注释,即改成#auth required pam_succeed_if.so user!=root quiet)

保存后继续输入命令:gedit /etc/pam.d/gdm-password&

同样地注释掉"auth required pam_succeed_if.so user!=root quiet"这一行。

保存后退出

现在就能使用root用户登录了

安装f-prot

(download_http://www.f-prot.com/download/home_user/)

cd /usr/local/src

tar zxvf fp-Linux-x86_64-ws.tar.gz

cd f-prot

./install-f-prot.pl

选用默认的安装目录/usr/local/bin

选用默认的安装手册目录/usr/share/man/man8

all done!

全盘扫描

fpscan -a

扫描结果

files:88552

skipped files:0

files with errors:2

Running time:06:28

配置DNS服务器

rpm -ivh bind-9.7.2-2.P2.fc14.x86_64.rpm

service named start

查看主机名称

 #hostname

设置随机启动named服务:chkconfig --level 35 named on

配置主机名:

vi /etc/sysconfig/network

NETWORKING=yes

HOSTNAME=example.com.cn

GATEWAY=192.168.1.5

完成本地域名解析

vi /etc/hosts

192.168.122.192 example.com.cn example # Added by NetworkManager

127.0.0.1 localhost.localdomain localhost localhost4

 ::1 example.com.cn example localhost6.localdomain6 localhost6

查看/etc/host.conf文件

vi /etc/host.conf

multi on

order hosts,bind

配置网卡:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"

BOOTPROTO="none"

DEFROUTE="yes"

DNS1="192.168.122.192"

DOMAIN="com.cn"

GATEWAY="192.168.1.5"

HWADDR="00:16:96:16:3A:14"

IPADDR="192.168.122.192"

IPV4_FAILURE_FATAL="yes"

IPV6INIT="no"

NAME="System eth0"

NM_CONTROLLED="yes"

PREFIX="24"

TYPE="Ethernet"

UUID="5fb06bd0-0bb0-7ffd-45f1-d6edd65f3e03"

NETMASK=255.255.255.0

USERCTL=no

DNS2=192.168.1.5

配置本机DNS解析文件(系统>>管理>>网络>>DNS)

vi /etc/resolv.conf

 # Generated by NetworkManager

search com.cn

nameserver 192.168.122.192 //配置本机主域名服务器IP

nameserver 192.168.1.5 //配置外网域名服务器IP

配置named主文件

cp /etc/named.conf /home/patriotserver/下载

vi /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

listen-on port 53 { any; };

listen-on-v6 port 53 {  ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

query-source port 53;

query-source-v6 port 53;

allow-query { any; }; // 注意:any 加上下面的 recursion yes 会使本机成为开放递归解析器,需靠后文 snort.sh 中对 $inet_iface 上 53 端口的限制来保护,或改为只允许 localhost 与 192.168.122.0/24 等内网地址

allow-query-cache { any;};

recursion yes;

recursive-clients 10000;


dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

/* path to ISC DLV key*/

bindkeys-file "/etc/named/dynamic";

};

logging { channel default_debug { file "data/named.run"; severity dynamic;

};

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

配置定义文件vi /etc/named.rfc1912.zones添加如下文件连接:

zone "example.com.cn" IN {

  type master;

  file "example.com.cn.zone";

  allow-update { none; };

};

zone "122.168.192.in-addr.arpa" IN {

  type master;

  file "192.168.122.arpa";

  allow-update { none; };

};

配置正向解析文件(添加邮件域名@example.com.cn其中MX越小域名越优先):

cd /var/named

cp named.localhost example.com.cn.zone

vi example.com.cn.zone

 $TTL 1D

@ IN SOA example.com.cn. root.example.com.cn. (

42 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

example.com.cn. IN NS example.com.cn.

IN A 192.168.122.192

IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0

@ IN MX 5 example.com.cn.

www IN A 192.168.122.192

www IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0

配置反向解析文件:/var/named/192.168.122.arpa

cp named.loopback 192.168.122.arpa

vi 192.168.122.arpa

 $TTL 1D

122.168.192.in-addr.arpa. IN SOA example.com.cn. root.example.com.cn. (

42 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

122.168.192.in-addr.arpa. IN NS example.com.cn.

IN A 192.168.122.192

IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0

192 IN PTR www.example.com.cn.

修改文件所属组:

cd /var/named

chgrp named example.com.cn.zone

chgrp named 192.168.122.arpa

设置文件权限:

chmod 644 /etc/named.conf

chmod 644 /etc/named.rfc1912.zones

chmod 644 /var/named/example.com.cn.zone

chmod 644 /var/named/192.168.122.arpa

重新载入DNS域名解析:

service named reload

测试nslookup

安装mysql

rpm -ivh perl-DBD-Mysql-4.017-1.fc14.x86_64.rpm

rpm -ivh mysql-libs-5.1.51-2.fc14.x86_64.rpm

rpm -ivh mysql-5.1.51-2.fc14.x86_64.rpm

rpm -ivh mysql-server-5.1.52-1.fc14.x86_64.rpm

设置MySQL启动

service mysqld start

cd /usr ; /usr/bin/mysqld_safe &

cd /usr/mysql-test ; perl mysql-test-run.pl

please report any problems with the /usr/bin/mysqlbug script!

正在启动mysqld:[确定]

创建用户密码:

/usr/bin/mysqladmin -u root password ******

设置mysql开机自启动

ntsysv选择mysqld确定

创建数据库 mysql -u root -p ******

mysql> create database mediawiki;

增加一个用户mediawiki去管理mediawiki数据库

mysql> grant select,insert,update,delete on mediawiki.* to mediawiki@localhost identified by "password";

配置Apache服务器

配置mediawiki

cd /var/www/html

tar zxvf mediawiki-1.16.0.tar.gz

chmod 711 mediawiki-1.16.0

cd mediawiki-1.16.0

chmod a+w config

开放图片上传功能(chmod 777 会使该目录对所有本地用户可写,只需让运行httpd的用户拥有该目录的写权限即可)

chmod 777 images

改变组别和所有者

cd ..

chown -hR 1000:1000 mediawiki-1.16.0

配置apache服务器

service httpd start

设置开机自启动Apache

ntsysv

配置文件说明如下:

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.bak

gedit /etc/httpd/conf/httpd.conf

修改前的旧文件语句

TimeOut 60

KeepAlive Off

 #ExtendedStatus on

 #ServerName www.example.com:80

UseCanonicalName Off

修改后语句

TimeOut 300

KeepAlive On

ExtendedStatus Off

ServerName www.example.com.cn:80

UseCanonicalName On

添加根文档目录的访问权限:

<Directory "/var/www/html/mediawiki-1.16.0">

  Options MultiViews Indexes Includes FollowSymLinks

  AllowOverride FileInfo AuthConfig Limit

  <Limit GET POST OPTIONS>

  Order allow,deny

   Allow from all

  </Limit>

  <LimitExcept GET POST OPTIONS>

  Order deny,allow

  Deny from all

  </LimitExcept>

  </Directory>

添加如下注释:

<VirtualHost 192.168.122.192:80>

  ServerAdmin root@localhost

  DocumentRoot /var/www/html/mediawiki-1.16.0

  ServerName www.example.com.cn

  DirectoryIndex index.php index.html index.htm index.shtml

  Loglevel debug

  HostNameLookups off

</VirtualHost>

重启Apache服务

service httpd restart

设置httpd_rw写权限

setsebool allow_polyinstantiation on

setsebool samba_export_all_rw on

setsebool samba_export_all_ro on

setsebool httpd_unified on

setsebool httpd_enable_homedirs on

setsebool httpd_read_user_content on

添加(add:)

vi /etc/rc.d/rc.local

setsebool allow_polyinstantiation on

setsebool samba_export_all_rw on

setsebool samba_export_all_ro on

setsebool httpd_unified on

setsebool httpd_enable_homedirs on

setsebool httpd_read_user_content on

查看

getsebool -a|grep http

点击firefox

http://192.168.122.192

http://www.example.com.cn

配置mediawiki选项

修改文件/var/www/html/mediawiki/LocalSettings.php

更改网站左上角的logo为图片文件wiki-indexed.png

在LocalSettings.php中间加入

 ## Set $wgLogo to the URL path to your own logo image.

$wgLogo = "${wgScriptPath}/skins/monobook/wiki-indexed.png";

编辑重定向mediawiki首页

http://www.example.com.cn/index.php/MediaWiki:Mainpage

配置DHCP服务器

下载DHCP安装包ftp://58.49.171.28/download/

dhcp-4.2.0-19.P2.fc14.x86_64.rpm

在系统工具>>终端

rpm -ivh dhcp-4.2.0-19.P2.fc14.x86_64.rpm

查看DHCP配置文件的模板

 #cat /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample

通过cp把模板模板文件copy过来并且命名为“dhcpd.conf”

cp /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample /etc/dhcp/dhcpd.conf

更改DHCP配置文件

vi /etc/dhcp/dhcpd.conf

配置DHCP租约文件(dhcpd.leases)

第一次启动时dhcpd.leases是一个空文件,位置在/var/lib/dhcpd/dhcpd.leases,其中记录分配给客户机的IP及对应的MAC信息

启动dhcp服务器并指定ip地址分配的网络接口(eth1)

vi /etc/sysconfig/dhcpd

 # command line options here

DHCPDARGS=eth1

 :w //保存文档

启动dhcp

service dhcpd start

使DHCP随服务器自启动

chkconfig --level 35 dhcpd on

使用PS命令检查dhcpd进程:

ps -ef | grep dhcpd

使用netstat检查dhcpd运行端口:

netstat -nutap | grep dhcpd

配置mail邮件服务器

配置samba文件服务器

安装samba客户端

rpm -ivh samba-common-3.5.5-68.fc14.1.x86_64.rpm

rpm -ivh samba-client-3.5.5-68.fc14.1.x86_64.rpm

查看共享资源

smbclient -L 192.168.1.254

访问共享资源(使用root账户防止访问本地文件夹受限)

smbclient //192.168.1.254/public -U username

<smb:\>dir

<smb:\>cd video

<smb:\>get RealPlayer11GOLD.rpm

配置FTP服务器

配置Redhat集群应用

配置防火墙firewall

  • <1>更新防火墙iptables-1.4.10

下载最新的iptables版本(www.netfilter.org)

scp root@192.168.1.5:/root/iptables-1.4.10.tar.bz2

mv /root/iptables-1.4.10.tar.bz2 /usr/local/src/

cd /usr/local/src/

tar jxvf iptables-1.4.10.tar.bz2

cd iptables-1.4.10

./configure

make

make install

  • <2>将iptables服务停止

[root@linux-test root] # service iptables stop

[root@linux-test root]# service ip6tables stop

用/usr/local/sbin/iptables新文件替换/sbin/iptables(这个是老版本的连接位置)

并同时替换ip6tables、ip6tables-restore、ip6tables-save、iptables、iptables-restore和iptables-save

[root@linux-test root] # cp /usr/local/sbin/iptables /sbin/iptables

iptables就升级完成了,使用下列命令查看

[root@linux-test root]# iptables -V

iptables v1.4.10

[root@linux-test root]# service iptables restart

  • <3>使用snort.sh脚本在开机时自动开启防火墙设置(使用合理规则时可实现基于端口的Windows server 2008平台虚拟机web页面穿越防火墙与局域网直接联系,或使用主机代理连接至Internet。开发web不在受平台限制)

 # touch /etc/rc.d/snort.sh

 # echo "/etc/rc.d/snort.sh">>/etc/rc.d/rc.local


将snort.sh防火墙脚本放在/etc/rc.d目录中


添加snort.sh文件的可执行权限


 # chmod u+x /etc/rc.d/snort.sh


 # echo "1" >/proc/sys/net/ipv4/ip_forward


或是修改/etc/sysctl.conf把net.ipv4.ip_forward = 0改为= 1

当启用ipv6防火墙时启用ipv6_forwarding路由转发设置

修改/etc/sysctl.conf在注释#Controls IP packet forwarding下面添加(add:)

net.ipv6.conf.all.forwarding = 1

save sysctl.conf保存文件并启用/etc/sysctl.conf文件中的变量variable

sysctl -p /etc/sysctl.conf

检查路由转发功能设置

nano /proc/sys/net/ipv6/conf/all/forwarding

或是修改echo "1" >/proc/sys/net/ipv6/conf/all/forwarding

以下为Basic_Firewall防火墙脚本snort.sh内容:# gedit /etc/rc.d/snort.sh

 #!/bin/bash

echo "1" >/proc/sys/net/ipv4/ip_forward

echo "1" >/proc/sys/net/ipv6/conf/all/forwarding

inet_iface="ppp0"

inet_ip="192.168.122.2"

lan_iface="eth1"

lan_ip="192.168.1.5"

lan_ip_range="192.168.1.0/24"

dns1="202.103.24.68"

dns2="202.103.44.150"

ntp="122.226.192.4"

ipt="/sbin/iptables"

ip6t="/sbin/ip6tables"

/sbin/depmod -a

/sbin/modprobe ipt_MASQUERADE

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe ip_conntrack_ftp

/sbin/modprobe ip_conntrack_irc

/sbin/modprobe iptable_nat

/sbin/modprobe ip_nat_ftp

/sbin/modprobe ipt_connlimit

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_LOG

$ipt -P INPUT DROP

$ipt -P FORWARD DROP

$ipt -P OUTPUT ACCEPT

$ipt -t nat -P PREROUTING ACCEPT

$ipt -t nat -P POSTROUTING ACCEPT

$ipt -t nat -P OUTPUT ACCEPT

for TABLE in filter nat mangle ; do

$ipt -t $TABLE -F

$ipt -t $TABLE -X

done

$ipt -t filter -A INPUT -s $lan_ip_range -i $inet_iface -j DROP

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -s 192.168.0.0/16 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -s 10.0.0.0/8 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -s 172.16.0.0/16 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -s 127.0.0.0/8 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 0:19 -j DROP

$ipt -t filter -A INPUT -p udp --dport 0:19 -j DROP

$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 22 -j DROP

$ipt -t filter -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP

$ipt -t filter -A INPUT -s $lan_ip -p tcp --dport 22 -j DROP

$ipt -t filter -A INPUT -d 192.168.122.1 -p tcp --dport 22 -j DROP

$ipt -t filter -A INPUT -d $inet_ip -p tcp --dport 22 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 23:24 -j DROP

$ipt -t filter -A INPUT -p udp --dport 21:52 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 26:52 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 54:66 -j DROP

$ipt -t filter -A INPUT -p udp --dport 54:66 -j DROP

$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 67 -j DROP

$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 67:69 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 68:79 -j DROP

$ipt -t filter -A INPUT -p udp --dport 70:79 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 81:109 -j DROP

$ipt -t filter -A INPUT -p udp --dport 81:109 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 112 -j DROP

$ipt -t filter -A INPUT -p udp --dport 112 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 114:138 -j DROP

$ipt -t filter -A INPUT -p udp --dport 114:122 -j DROP

$ipt -t filter -A INPUT -p udp --dport 124:136 -j DROP

$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 137:138 -j DROP

$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 139 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 140:142 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 144:442 -j DROP

$ipt -t filter -A INPUT -p udp --dport 139:442 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 444 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 446:1722 -j DROP

$ipt -t filter -A INPUT -p udp --dport 444:1193 -j DROP

$ipt -t filter -A INPUT -p udp --dport 1195:1862 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 1724:1862 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31790 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31790 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31789 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31789 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31340 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31340 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31339 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31339 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31338 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31338 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31337 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31337 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 31335 -j DROP

$ipt -t filter -A INPUT -p udp --dport 31335 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 30100 -j DROP

$ipt -t filter -A INPUT -p udp --dport 30100 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 27665 -j DROP

$ipt -t filter -A INPUT -p udp --dport 27665 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 27444 -j DROP

$ipt -t filter -A INPUT -p udp --dport 27444 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 27374 -j DROP

$ipt -t filter -A INPUT -p udp --dport 27374 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 23445 -j DROP

$ipt -t filter -A INPUT -p udp --dport 23445 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 23444 -j DROP

$ipt -t filter -A INPUT -p udp --dport 23444 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 19191 -j DROP

$ipt -t filter -A INPUT -p udp --dport 19191 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 14704 -j DROP

$ipt -t filter -A INPUT -p udp --dport 14704 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 10000 -j DROP

$ipt -t filter -A INPUT -p udp --dport 10000 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 9704 -j DROP

$ipt -t filter -A INPUT -p udp --dport 9704 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 9393 -j DROP

$ipt -t filter -A INPUT -p udp --dport 9393 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 8102 -j DROP

$ipt -t filter -A INPUT -p udp --dport 8102 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 8011 -j DROP

$ipt -t filter -A INPUT -p udp --dport 8011 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 7626 -j DROP

$ipt -t filter -A INPUT -p udp --dport 7626 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 7306 -j DROP

$ipt -t filter -A INPUT -p udp --dport 7306 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 6667 -j DROP

$ipt -t filter -A INPUT -p udp --dport 6667 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 6346 -j DROP

$ipt -t filter -A INPUT -p udp --dport 6346 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 6267 -j DROP

$ipt -t filter -A INPUT -p udp --dport 6267 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 6129 -j DROP

$ipt -t filter -A INPUT -p udp --dport 6129 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 6000 -j DROP

$ipt -t filter -A INPUT -p udp --dport 6000 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5900 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5900 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5800 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5800 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5554 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5554 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5400 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5400 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5168 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5168 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5100 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5100 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 5000 -j DROP

$ipt -t filter -A INPUT -p udp --dport 5000 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 4500 -j DROP

$ipt -t filter -A INPUT -p udp --dport 4500 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 4444 -j DROP

$ipt -t filter -A INPUT -p udp --dport 4444 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 3389 -j DROP

$ipt -t filter -A INPUT -p udp --dport 3389 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 3306 -j DROP

$ipt -t filter -A INPUT -p udp --dport 3306 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 3150 -j DROP

$ipt -t filter -A INPUT -p udp --dport 3150 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 3127 -j DROP

$ipt -t filter -A INPUT -p udp --dport 3127 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 3000 -j DROP

$ipt -t filter -A INPUT -p udp --dport 3000 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2989 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2989 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2869 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2869 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2500 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2500 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2475 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2475 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2140 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2140 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2115 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2115 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2023 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2023 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2012 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2012 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2001 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2001 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 2000 -j DROP

$ipt -t filter -A INPUT -p udp --dport 2000 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 1981 -j DROP

$ipt -t filter -A INPUT -p udp --dport 1981 -j DROP

$ipt -t filter -A INPUT -p tcp --dport 1900 -j DROP

$ipt -t filter -A INPUT -p udp --dport 1900 -j DROP

$ipt -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP

$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

$ipt -t filter -A INPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT

$ipt -t filter -A INPUT -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT

$ipt -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "iniptables:"

$ipt -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

$ipt -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

$ipt -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$ipt -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

$ipt -t filter -A INPUT -i lo -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT

$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT

$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT

$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT

$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT

$ipt -t filter -A INPUT -p udp --dport domain ! -s $dns1 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns1 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -p udp --dport domain ! -s $dns2 -i $inet_iface -j DROP

$ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns2 -i $inet_iface -j DROP

$ipt -t filter -N LOGJOIN

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN

$ipt -t filter -A LOGJOIN -j LOG --log-prefix "iptenter:"

$ipt -t filter -A LOGJOIN -j ACCEPT

$ipt -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT

$ipt -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT

$ipt -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT

$ipt -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p ah -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p esp -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT

$ipt -t filter -A INPUT -p udp -s $ntp -i $inet_iface --dport 123 -j ACCEPT

$ipt -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT

$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p gre -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p gre -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p ah -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p esp -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 5405,5404 -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT

$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT

$ipt -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT

$ipt -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT

$ipt -t filter -A INPUT -p icmp --icmp-type any -j ACCEPT

$ipt -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset

$ipt -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable

$ipt -t filter -A INPUT -j DROP

$ipt -t filter -A FORWARD -s $lan_ip_range -i $inet_iface -j DROP

$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i $inet_iface -j DROP

$ipt -t filter -A FORWARD -s 192.168.0.0/16 -i $inet_iface -j DROP

$ipt -t filter -A FORWARD -s 10.0.0.0/8 -i $inet_iface -j DROP

$ipt -t filter -A FORWARD -s 172.16.0.0/16 -i $inet_iface -j DROP

$ipt -t filter -A FORWARD -s 127.0.0.0/8 -i $inet_iface -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 0:19 -j DROP

$ipt -t filter -A FORWARD -p udp --dport 0:19 -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 22:24 -j DROP

$ipt -t filter -A FORWARD -p udp --dport 21:79 -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 26:79 -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 81:109 -j DROP

$ipt -t filter -A FORWARD -p udp --dport 81:109 -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 112 -j DROP

$ipt -t filter -A FORWARD -p udp --dport 112 -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 114:138 -j DROP

$ipt -t filter -A FORWARD -p tcp --dport 140:142 -j DROP

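# --- IPv4 FORWARD chain (continued) --------------------------------------
# Rules are matched top to bottom, so the order below is load-bearing: the
# blanket DROPs and TCP flag checks must stay ahead of the ACCEPTs.
# $ipt, $inet_iface, $lan_iface and $lan_ip_range are set earlier in the
# script; they are quoted so an empty or unusual value cannot be word-split
# into extra iptables arguments.

# Privileged/low port ranges that are not explicitly opened further down.
"$ipt" -t filter -A FORWARD -p udp --dport 114:442 -j DROP
"$ipt" -t filter -A FORWARD -p tcp --dport 144:442 -j DROP
"$ipt" -t filter -A FORWARD -p tcp --dport 444 -j DROP
"$ipt" -t filter -A FORWARD -p tcp --dport 446:1001 -j DROP
"$ipt" -t filter -A FORWARD -p udp --dport 444:1001 -j DROP

# Individual destination ports dropped for both TCP and UDP.  The list keeps
# the original order (TCP first, then UDP, per port) so the resulting chain
# is identical to the unrolled form this replaces.
for port in \
  31790 31789 31340 31339 31338 31337 31335 30100 27665 27444 27374 \
  23445 23444 19191 14704 10000 9704 9393 8102 8011 7626 7306 6667 \
  6346 6267 6129 6000 5900 5800 5554 5400 5168 5100 5000 4500 4444 \
  3389 3306 3150 3127 3000 2989 2869 2500 2475 2140 2115 2023 2012 \
  2001 2000 1981 1900 1807 1600 1524 1492 1444 1443 1434 1349 1245 \
  1243 1234 1099 1098 1097 1095 1090 1080 1057 1053 1051 1045 1042 \
  1025 1024 1015 1012 1011 1010
do
  "$ipt" -t filter -A FORWARD -p tcp --dport "$port" -j DROP
  "$ipt" -t filter -A FORWARD -p udp --dport "$port" -j DROP
done

# Echo request/reply are never forwarded.
"$ipt" -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-request -j DROP
"$ipt" -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j DROP
# Rate-limited allowances: bare RSTs, remaining ICMP, and non-first fragments
# (fragments carry no transport header, so the port rules cannot match them).
"$ipt" -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$ipt" -t filter -A FORWARD -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
"$ipt" -t filter -A FORWARD -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
# Log every NEW or INVALID forwarded packet (not from lo) before deciding.
"$ipt" -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "foriptables:"
# Malformed TCP flag combinations.
"$ipt" -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
"$ipt" -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
"$ipt" -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$ipt" -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Return traffic of connections conntrack already knows (inbound directions only).
"$ipt" -t filter -A FORWARD -i "$inet_iface" -o "$lan_iface" -d "$lan_ip_range" -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt" -t filter -A FORWARD -i "$inet_iface" -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ipt" -t filter -A FORWARD -i "$lan_iface" -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
# A NEW TCP connection has to begin with SYN.
"$ipt" -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# LAN <-> guest bridge (virbr0): all TCP and UDP, both directions.
"$ipt" -t filter -A FORWARD -s "$lan_ip_range" -i "$lan_iface" -o virbr0 -p tcp -j ACCEPT
"$ipt" -t filter -A FORWARD -i virbr0 -o "$lan_iface" -d "$lan_ip_range" -p tcp -j ACCEPT
"$ipt" -t filter -A FORWARD -s "$lan_ip_range" -i "$lan_iface" -o virbr0 -p udp -j ACCEPT
"$ipt" -t filter -A FORWARD -i virbr0 -o "$lan_iface" -d "$lan_ip_range" -p udp -j ACCEPT
# LAN <-> Internet: explicit port lists plus GRE.
"$ipt" -t filter -A FORWARD -s "$lan_ip_range" -i "$lan_iface" -o "$inet_iface" -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -i "$inet_iface" -o "$lan_iface" -d "$lan_ip_range" -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -s "$lan_ip_range" -i "$lan_iface" -o "$inet_iface" -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -i "$inet_iface" -o "$lan_iface" -d "$lan_ip_range" -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -p gre -i "$inet_iface" -o "$lan_iface" -d "$lan_ip_range" -j ACCEPT
"$ipt" -t filter -A FORWARD -p gre -s "$lan_ip_range" -i "$lan_iface" -o "$inet_iface" -j ACCEPT
# NOTE(review): this accepts *every* UDP port from the Internet into the LAN,
# which makes the UDP multiport rule above redundant and widens the inbound
# exposure considerably.  If only the listed services are intended, remove it.
"$ipt" -t filter -A FORWARD -p udp -i "$inet_iface" -o "$lan_iface" -d "$lan_ip_range" -j ACCEPT
# Guest bridge <-> Internet: explicit port lists (no 993/995 here) plus GRE.
"$ipt" -t filter -A FORWARD -i "$inet_iface" -o virbr0 -d 192.168.122.0/24 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o "$inet_iface" -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -i "$inet_iface" -o virbr0 -d 192.168.122.0/24 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o "$inet_iface" -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ipt" -t filter -A FORWARD -p gre -i "$inet_iface" -o virbr0 -d 192.168.122.0/24 -j ACCEPT
"$ipt" -t filter -A FORWARD -p gre -s 192.168.122.0/24 -i virbr0 -o "$inet_iface" -j ACCEPT
# NOTE(review): same blanket inbound UDP accept as above, for the guest network.
"$ipt" -t filter -A FORWARD -p udp -i "$inet_iface" -o virbr0 -d 192.168.122.0/24 -j ACCEPT
# Remaining ICMP is forwarded; everything else is rejected.
"$ipt" -t filter -A FORWARD -p icmp --icmp-type any -j ACCEPT
"$ipt" -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
"$ipt" -t filter -A FORWARD -j REJECT --reject-with icmp-port-unreachable
# Never reached: the catch-all REJECT above already matches every packet.
"$ipt" -t filter -A FORWARD -j DROP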

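# --- IPv4 OUTPUT chain ---------------------------------------------------
# Locally generated packets.  The source-port DROPs silence replies from
# local services on those ports.  "-o lo -j ACCEPT" only comes after them,
# so they apply to loopback traffic too -- presumably intended, but confirm.
"$ipt" -t filter -A OUTPUT -p tcp --sport 0:19 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 0:19 -j DROP
# No sshd replies towards the Internet interface.
"$ipt" -t filter -A OUTPUT -o "$inet_iface" -p tcp --sport 22 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 23:24 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 22:52 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 26:52 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 54:66 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 54:66 -j DROP
# No DHCP server traffic towards the Internet interface.
"$ipt" -t filter -A OUTPUT -o "$inet_iface" -p tcp --sport 67 -j DROP
"$ipt" -t filter -A OUTPUT -o "$inet_iface" -p udp --sport 67:68 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 68:79 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 70:79 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 81:109 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 81:109 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 112 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 112 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 114:122 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 114:138 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 140:142 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 144:442 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 124:442 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 444 -j DROP
"$ipt" -t filter -A OUTPUT -p tcp --sport 446:1001 -j DROP
"$ipt" -t filter -A OUTPUT -p udp --sport 444:1001 -j DROP

# Individual source ports dropped for both TCP and UDP, in the original
# order (TCP first, then UDP, per port) so the chain matches the unrolled form.
for port in \
  31790 31789 31340 31339 31338 31337 31335 30100 27665 27444 27374 \
  23445 23444 19191 14704 10000 9704 9393 8102 8011 7626 7306 6667 \
  6346 6267 6129 6000 5900 5800 5554 5400 5168 5100 5000 4500 4444 \
  3389 3306 3150 3127 3000 2989 2869 2500 2475 2140 2115 2023 2012 \
  2001 2000 1981 1900 1807 1600 1524 1492 1444 1443 1434 1349 1245 \
  1243 1234 1099 1098 1097 1095 1090 1080 1057 1053 1051 1045 1042 \
  1025 1024 1015 1012 1011 1010
do
  "$ipt" -t filter -A OUTPUT -p tcp --sport "$port" -j DROP
  "$ipt" -t filter -A OUTPUT -p udp --sport "$port" -j DROP
done

# Do not answer pings; other ICMP is rate-limited here and accepted in full below.
"$ipt" -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
"$ipt" -t filter -A OUTPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
"$ipt" -t filter -A OUTPUT -o lo -j ACCEPT
# Outbound client connections (any interface).
"$ipt" -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
"$ipt" -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT
# DNS answers from the local resolver.
"$ipt" -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT
"$ipt" -t filter -A OUTPUT -p udp --sport domain -j ACCEPT
# IPsec towards the LAN and the guest bridge.
"$ipt" -t filter -A OUTPUT -o "$lan_iface" -p ah -j ACCEPT
"$ipt" -t filter -A OUTPUT -o "$lan_iface" -p esp -j ACCEPT
"$ipt" -t filter -A OUTPUT -o virbr0 -p ah -j ACCEPT
"$ipt" -t filter -A OUTPUT -o virbr0 -p esp -j ACCEPT
# Internal services (LAN and guest bridge only).
"$ipt" -t filter -A OUTPUT -o "$lan_iface" -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
"$ipt" -t filter -A OUTPUT -o "$lan_iface" -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
"$ipt" -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
"$ipt" -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
# GRE on every interface.
"$ipt" -t filter -A OUTPUT -o "$inet_iface" -p gre -j ACCEPT
"$ipt" -t filter -A OUTPUT -d "$lan_ip_range" -o "$lan_iface" -p gre -j ACCEPT
"$ipt" -t filter -A OUTPUT -d 192.168.122.0/24 -o virbr0 -p gre -j ACCEPT
"$ipt" -t filter -A OUTPUT -p icmp --icmp-type any -j ACCEPT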

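# Source NAT for everything leaving through the Internet interface.
# ppp0 may change address, so MASQUERADE is used there; any other interface
# is assumed to hold the fixed $inet_ip (set earlier in the script) and uses
# SNAT, which is cheaper than MASQUERADE's per-packet address lookup.
if [ "$inet_iface" = ppp0 ] ; then
  "$ipt" -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE
else
  "$ipt" -t nat -A POSTROUTING -o "$inet_iface" -j SNAT --to "$inet_ip"
fi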

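# --- IPv6: default policies and flush -------------------------------------
# Policies are set before the flush so there is no window in which INPUT or
# FORWARD falls back to ACCEPT while the chains are empty.
"$ip6t" -P INPUT DROP
"$ip6t" -P FORWARD DROP
# OUTPUT stays ACCEPT, so the ACCEPT rules appended to the IPv6 OUTPUT chain
# later are no-ops; only its DROP rules have any effect.
"$ip6t" -P OUTPUT ACCEPT
# Flush rules and delete user chains (e.g. ip6LOGJOIN, re-created below) so
# the script can be re-run.  No nat table is touched; ip6tables on this
# kernel generation has none -- confirm for the target kernel.
for TABLE in filter mangle ; do
  "$ip6t" -t "$TABLE" -F
  "$ip6t" -t "$TABLE" -X
done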

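# --- IPv6 INPUT chain ------------------------------------------------------
# Ports 67/68 are DHCPv4; DHCPv6 uses UDP 546/547, so this rule matches
# nothing useful on IPv6 (kept as-is, behaviour unchanged).
"$ip6t" -t filter -A INPUT -p udp -i "$lan_iface" --dport 67 --sport 68 -j DROP
"$ip6t" -t filter -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP
"$ip6t" -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$ip6t" -t filter -A INPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
# NOTE(review): this rule has no protocol or interface match, so the first
# 150 packets/sec of *anything* are accepted here, ahead of the state and
# port rules -- at low rates it bypasses the DROP policy entirely.  The IPv4
# counterpart is restricted to fragments (-f), which ip6tables lacks; the
# safe fix is to delete this rule.
"$ip6t" -t filter -A INPUT -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
"$ip6t" -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "inip6tables:"
# Malformed TCP flag combinations.
"$ip6t" -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
"$ip6t" -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
"$ip6t" -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$ip6t" -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Replies to connections conntrack already knows, on every interface.
"$ip6t" -t filter -A INPUT -i "$inet_iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ip6t" -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$ip6t" -t filter -A INPUT -i lo -j ACCEPT
# DNS queries from the LAN.
"$ip6t" -t filter -A INPUT -i "$lan_iface" -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
# NOTE(review): these accept any NEW connection from the Internet whose
# *source* port is 53, to any local port; a remote client can choose its
# source port freely.  DNS replies are already admitted by the
# ESTABLISHED,RELATED rule above, so these two rules only add exposure and
# should be removed.
"$ip6t" -t filter -A INPUT -i "$inet_iface" -m state --state NEW -m udp -p udp --sport domain -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$inet_iface" -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT
# SSH from LAN/guest bridge: log each new session, then accept.  The chain
# is deleted by the -X in the flush loop, so -N succeeds on re-run.
"$ip6t" -t filter -N ip6LOGJOIN
"$ip6t" -t filter -A INPUT -i "$lan_iface" -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN
"$ip6t" -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN
"$ip6t" -t filter -A ip6LOGJOIN -j LOG --log-prefix "ip6tenter:"
"$ip6t" -t filter -A ip6LOGJOIN -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -p udp --dport 67 -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -p tcp --dport 67 -j ACCEPT
# Services exposed on the Internet interface.
"$ip6t" -t filter -A INPUT -i "$inet_iface" -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$inet_iface" -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$inet_iface" -p gre -j ACCEPT
# Services exposed on the LAN.
"$ip6t" -t filter -A INPUT -i "$lan_iface" -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
"$ip6t" -t filter -A INPUT -i "$lan_iface" -p gre -j ACCEPT
# Services exposed on the guest bridge (same set as the LAN, plus DNS/DHCP).
"$ip6t" -t filter -A INPUT -i virbr0 -p gre -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT
"$ip6t" -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT
# ICMPv6 is required for neighbour discovery; everything else is rejected.
"$ip6t" -t filter -A INPUT -p icmpv6 -j ACCEPT
"$ip6t" -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset
"$ip6t" -t filter -A INPUT -j REJECT --reject-with icmp6-port-unreachable
# Never reached: the catch-all REJECT above already matches every packet.
"$ip6t" -t filter -A INPUT -j DROP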

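# --- IPv6 FORWARD chain ----------------------------------------------------
# Mirrors the IPv4 FORWARD chain without the per-port DROP list and without
# address matches (no $lan_ip_range equivalent for IPv6 here).
"$ip6t" -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP
"$ip6t" -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP
"$ip6t" -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$ip6t" -t filter -A FORWARD -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
# NOTE(review): no protocol/interface match -- the first 150 packets/sec of
# anything are forwarded before the state and port rules run (same issue as
# the bare limit rule in the IPv6 INPUT chain).  Recommend deleting it.
"$ip6t" -t filter -A FORWARD -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
"$ip6t" -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "forip6tables:"
# Malformed TCP flag combinations.
"$ip6t" -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
"$ip6t" -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
"$ip6t" -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$ip6t" -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Return traffic of tracked connections (inbound directions only).
"$ip6t" -t filter -A FORWARD -i "$inet_iface" -o "$lan_iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$inet_iface" -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$lan_iface" -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
"$ip6t" -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# LAN <-> guest bridge: all TCP and UDP.
"$ip6t" -t filter -A FORWARD -i "$lan_iface" -o virbr0 -p tcp -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$lan_iface" -o virbr0 -p udp -j ACCEPT
"$ip6t" -t filter -A FORWARD -i virbr0 -o "$lan_iface" -p tcp -j ACCEPT
"$ip6t" -t filter -A FORWARD -i virbr0 -o "$lan_iface" -p udp -j ACCEPT
# LAN <-> Internet: explicit port lists plus GRE.
"$ip6t" -t filter -A FORWARD -i "$lan_iface" -o "$inet_iface" -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$inet_iface" -o "$lan_iface" -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$lan_iface" -o "$inet_iface" -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$inet_iface" -o "$lan_iface" -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -p gre -i "$inet_iface" -o "$lan_iface" -j ACCEPT
"$ip6t" -t filter -A FORWARD -p gre -i "$lan_iface" -o "$inet_iface" -j ACCEPT
# Guest bridge <-> Internet: explicit port lists (no 993/995) plus GRE.
"$ip6t" -t filter -A FORWARD -i "$inet_iface" -o virbr0 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -i virbr0 -o "$inet_iface" -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -i "$inet_iface" -o virbr0 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -i virbr0 -o "$inet_iface" -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
"$ip6t" -t filter -A FORWARD -p gre -i "$inet_iface" -o virbr0 -j ACCEPT
"$ip6t" -t filter -A FORWARD -p gre -i virbr0 -o "$inet_iface" -j ACCEPT
# Remaining ICMPv6 is forwarded; everything else is rejected.
"$ip6t" -t filter -A FORWARD -p icmpv6 -j ACCEPT
"$ip6t" -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
"$ip6t" -t filter -A FORWARD -j REJECT --reject-with icmp6-port-unreachable
# Never reached: the catch-all REJECT above already matches every packet.
"$ip6t" -t filter -A FORWARD -j DROP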

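# --- IPv6 OUTPUT chain -----------------------------------------------------
# The OUTPUT policy is ACCEPT, so the only rule here that changes anything is
# the echo-reply DROP; the ACCEPT rules merely end traversal early.
"$ip6t" -t filter -A OUTPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP
"$ip6t" -t filter -A OUTPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
"$ip6t" -t filter -A OUTPUT -o lo -j ACCEPT
# Outbound client connections (any interface).
"$ip6t" -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
"$ip6t" -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT
# DNS answers from the local resolver.
"$ip6t" -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT
"$ip6t" -t filter -A OUTPUT -p udp --sport domain -j ACCEPT
# Internal services (LAN and guest bridge only).
"$ip6t" -t filter -A OUTPUT -o "$lan_iface" -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
"$ip6t" -t filter -A OUTPUT -o "$lan_iface" -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
"$ip6t" -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
"$ip6t" -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
# GRE on every interface.
"$ip6t" -t filter -A OUTPUT -o "$inet_iface" -p gre -j ACCEPT
"$ip6t" -t filter -A OUTPUT -o "$lan_iface" -p gre -j ACCEPT
"$ip6t" -t filter -A OUTPUT -o virbr0 -p gre -j ACCEPT
"$ip6t" -t filter -A OUTPUT -p icmpv6 -j ACCEPT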

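# --- Late insertions (-I puts each rule at the *head* of its chain) ---------
# NOTE(review): these four rules land ahead of every FORWARD rule added
# above, so all TCP and UDP between the Internet interface and the virbr0
# guest network is accepted before the flag-sanity checks, the
# "! --syn NEW" drop and the per-port DROPs ever run.  They appear to exist
# only so the port-80 DNAT below reaches the guest; a rule limited to
# "-d 192.168.122.192 -p tcp --dport 80" together with the existing
# RELATED,ESTABLISHED accept for virbr0 would do that without exposing the
# whole guest network.
"$ipt" -t filter -I FORWARD -i "$inet_iface" -o virbr0 -p tcp -j ACCEPT
"$ipt" -t filter -I FORWARD -i virbr0 -o "$inet_iface" -p tcp -j ACCEPT
"$ipt" -t filter -I FORWARD -i "$inet_iface" -o virbr0 -p udp -j ACCEPT
"$ipt" -t filter -I FORWARD -i virbr0 -o "$inet_iface" -p udp -j ACCEPT
# Port 80 on the Internet and LAN addresses is redirected to 192.168.122.192.
# $inet_ip and $lan_ip are set earlier in the script.
"$ipt" -t nat -I PREROUTING -p tcp -d "$inet_ip" --dport 80 -j DNAT --to 192.168.122.192:80
"$ipt" -t nat -I PREROUTING -p udp -d "$inet_ip" --dport 80 -j DNAT --to 192.168.122.192:80
"$ipt" -t nat -I PREROUTING -p tcp -d "$lan_ip" --dport 80 -j DNAT --to 192.168.122.192:80
"$ipt" -t nat -I PREROUTING -p udp -d "$lan_ip" --dport 80 -j DNAT --to 192.168.122.192:80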

  • 保存防火墙配置(running snort.sh)

service iptables save

service ip6tables save

或者

/etc/init.d/iptables save

/etc/init.d/ip6tables save

可以在/var/log/messages文件中查看记录信息。

在/etc/crontab中加入如下信息:

 # iptables reload(每隔30分钟运行一次防火墙配置)

 */30 * * * * root /etc/rc.d/snort.sh

实际使用中必须执行 service iptables restart 和 service ip6tables restart

更改自启动firewall+[IDS]

ntsysv

最后更新路由设置ip route

Fedora-14使用中存在的bug

以下是中文(zh_cn)GNOME2.32.0界面中应用软件存在的bug

  • 系统>>管理>>防火墙

防火墙配置>>icmp过滤器>>重新定向

"这个出错信息让主机想另一个路由中发送数据包" 软件中文界面解释中“想”应修改为“向”;完整修改如下: "这个出错信息让主机向另一个路由中发送数据包"

  • GNU桌面下 计算机>>文件系统>>属性 显示的容量大小错误,为128.0TB(未按实际容量显示;不确定系统是否只支持128.0TB硬盘容量)