Line 6: | Line 6: | ||
当勾选默认配置时能够顺利完成安装; | 当勾选默认配置时能够顺利完成安装; | ||
当选择全部的安装包时系统提示有三个连接文件存在依赖关系无法完成最终的安装(其所需安装磁盘容量至少28.5GB); | 当选择全部的安装包时系统提示有三个连接文件存在依赖关系无法完成最终的安装(其所需安装磁盘容量至少28.5GB); | ||
== fedora 14管理配置 == | |||
{|cellpadding="0" cellspacing="0" style="padding: 0em; float:left; margin-left:2px; border: 2px solid #000000; background:none font-size:100%; text-align:center;" width="100%" | |||
| style="background:#3d9d9a; padding: 0em; border: 1px solid #000000;" width="30%"|第一部分 | |||
| style="background:#3d9d9a; padding: 0em; border: 1px solid #000000;" width="35%"|第二部分 | |||
| style="background:#3d9d9a; padding: 0em; border: 1px solid #000000;" width="35%"|第三部分 | |||
|- | |||
| style="background:none; padding: 0em; border: 1px solid #000000;" width="30%"|Linux网络系统基本管理 | |||
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux网络服务管理 | |||
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux安全快速的远程访问管理 | |||
|- | |||
| style="background:none; padding: 0em; border: 1px solid #000000;" width="30%"|Linux系统基本配置;<br>DHCP实现ip地址自动分配;<br>NIS网络信息服务。 | |||
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux网络服务应用;<br>Samba+NFS文件服务;<br>BIND提供域名解析服务;|Apache提供网站服务;|Vsftp提供文件传输服务;|Sendmail邮件服务等。 | |||
| style="background:none; padding: 0em; border: 1px solid #000000;" width="35%"|Linux实现软路由;<br>Iptables网络防火墙;<br>Squid代理服务器配置;|Linux实现VPN服务器;<br>SSH实现Linux安全的访问和数据传输。 | |||
|} | |||
== 配置Fedora-14系统 == | == 配置Fedora-14系统 == | ||
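Review bot: The new table cells on L16 and L17 switch from `<br>` to a bare `|` between items (`;|Apache提供网站服务;|Vsftp…`, `;|Linux实现VPN服务器;`); inside a `| style=…|` cell MediaWiki treats later single pipes as literal text, so those lines will render with stray pipe characters instead of line breaks. Replace each of those separators with `<br>` to match the rest of the table, e.g. `BIND提供域名解析服务;<br>Apache提供网站服务;<br>Vsftp提供文件传输服务;<br>Sendmail邮件服务等。`. The same fix applies to the `Squid代理服务器配置;|Linux实现VPN服务器` cell on L17.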
Line 242: | Line 256: | ||
}; | }; | ||
zone " | zone "122.168.192.in-addr.arpa" IN { | ||
type master; | type master; | ||
file "192.168.122. | file "192.168.122.arpa"; | ||
allow-update { none; }; | allow-update { none; }; | ||
Line 262: | Line 276: | ||
$TTL 1D | $TTL 1D | ||
@ IN SOA example.com.cn. root.example.com.cn. ( | |||
42 ; serial | 42 ; serial | ||
Line 278: | Line 292: | ||
IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0 | IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0 | ||
@ IN MX 5 example.com.cn. | |||
www IN A 192.168.122.192 | www IN A 192.168.122.192 | ||
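Review bot: The AAAA value `0000:0000:0000:0000:0000:0000:c0a8:7ac0` on the line above the new MX record is `::192.168.122.192`, the IPv4-compatible IPv6 form that RFC 4291 deprecates; it is not a routable address, so IPv6-preferring clients resolving the apex (and the `www` AAAA in the next hunk) will try it first and fall back only after a timeout. The newly added `@ IN MX 5 example.com.cn.` points mail at that same apex name and therefore inherits the problem. Either drop the AAAA records until the host has a real global IPv6 address, or replace them with that address; the IPv4 `A` records already cover the IPv4 path. The forward zone file continues outside this hunk.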
Line 284: | Line 298: | ||
www IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0 | www IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0 | ||
配置反向解析文件:/var/named/192.168. | 配置反向解析文件:/var/named/192.168.122.arpa | ||
cp named.loopback 192.168.122.arpa | cp named.loopback 192.168.122.arpa | ||
vi 192.168. | vi 192.168.122.arpa | ||
$TTL 1D | $TTL 1D | ||
122.168.192.in-addr.arpa. IN SOA example.com.cn. root.example.com.cn. ( | |||
42 ; serial | 42 ; serial | ||
Line 304: | Line 318: | ||
3H ) ; minimum | 3H ) ; minimum | ||
122.168.192.in-addr.arpa. IN NS example.com.cn. | |||
IN A 192.168.122.192 | IN A 192.168.122.192 | ||
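Review bot: The indented `IN A 192.168.122.192` line following the new `122.168.192.in-addr.arpa. IN NS example.com.cn.` record inherits that owner name, so it defines an A record at the reverse-zone apex, which no reverse lookup ever asks for. Reverse resolution of 192.168.122.192 needs a PTR record, for example `192 IN PTR www.example.com.cn.`; such lines may exist between this hunk and the Line 318 hunk, which is not shown, but if they do not, the zone loads without ever answering a reverse query. The zone file's remaining lines are outside this hunk.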
Line 318: | Line 332: | ||
chgrp named example.com.cn.zone | chgrp named example.com.cn.zone | ||
chgrp named 192.168. | chgrp named 192.168.122.arpa | ||
设置文件权限: | 设置文件权限: | ||
Line 328: | Line 342: | ||
chmod 644 /var/named/example.com.cn.zone | chmod 644 /var/named/example.com.cn.zone | ||
chmod 644 /var/named/ | chmod 644 /var/named/192.168.122.arpa | ||
重新载入DNS域名解析: | 重新载入DNS域名解析: | ||
Line 337: | Line 351: | ||
=== 安装mysql === | === 安装mysql === | ||
rpm -ivh perl-DBD-Mysql-4.017-1.fc14.x86_64.rpm | |||
rpm -ivh mysql-libs-5.1.51-2.fc14.x86_64.rpm | |||
rpm -ivh mysql-5.1.51-2.fc14.x86_64.rpm | |||
rpm -ivh mysql-server-5.1.52-1.fc14.x86_64.rpm | |||
设置MySQL启动 | |||
service mysqld start | |||
cd /usr ; /usr/bin/mysqld_safe & | |||
cd /usr/mysql-test ; perl mysql-test-run.pl | |||
please report any problems with the /usr/bin/mysqlbug script! | |||
正在启动mysqld:[确定] | |||
创建用户密码: | |||
/usr/bin/mysqladmin -u root password ****** | |||
设置mysql开机自启动 | |||
ntsysv选择mysqld确定 | |||
创建数据库 | |||
mysql -u root -p ****** | |||
mysql> create database mediawiki; | |||
增加一个用户mediawiki去管理mediawiki数据库 | |||
mysql> grant select,insert,update,delete on mediawiki.* to mediawiki@localhost identified by "password"; | |||
=== 配置Apache服务器 === | |||
配置mediawiki | |||
cd | cd /var/www/html | ||
. | tar zxvf mediawiki-1.16.0.tar.gz | ||
chmod 711 mediawiki-1.16.0 | |||
cd mediawiki-1.16.0 | |||
chmod a+w config | |||
开放图片上传功能 | |||
chmod 777 images | |||
改变组别和所有者 | |||
cd .. | |||
chown -hR 1000:1000 mediawiki-1.16.0 | |||
配置apache服务器 | |||
service httpd start | |||
设置开机自启动Apache | |||
ntsysv | |||
配置文件说明如下: | |||
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.bak | |||
gedit /etc/httpd/conf/httpd.conf | |||
修改前的旧文件语句 | |||
TimeOut 60 | |||
KeepAlive Off | |||
#ExtendedStatus on | |||
#ServerName www.example.com:80 | |||
UseCanonicalName Off | |||
修改后语句 | |||
TimeOut 300 | |||
KeepAlive On | |||
ExtendedStatus Off | |||
ServerName www.example.com.cn:80 | |||
UseCanonicalName On | |||
添加根文档目录的访问权限: | |||
<Directory "/var/www/html/mediawiki-1.16.0"> | |||
Options MultiViews Indexes Includes FollowSymLinks | |||
AllowOverride FileInfo AuthConfig Limit | |||
| <Limit GET POST OPTIONS> | ||
Order allow,deny | |||
Allow from all | |||
</Limit> | |||
<LimitExcept GET POST OPTIONS> | |||
Order deny,allow | |||
Deny from all | |||
</LimitExcept> | |||
</Directory> | |||
添加如下注释: | |||
<VirtualHost 192.168.122.192:80> | |||
ServerAdmin root@localhost | |||
/ | DocumentRoot /var/www/html/mediawiki-1.16.0 | ||
ServerName www.example.com.cn | |||
DirectoryIndex index.php index.html index.htm index.shtml | |||
Loglevel debug | |||
HostNameLookups off | |||
/ | </VirtualHost> | ||
重启Apache服务 | |||
service httpd restart | |||
/ | <span style="color:#5f94bb;">设置httpd_rw写权限</span> | ||
/ | <span style="color:#5f94bb;">setsebool allow_polyinstantiation on</span> | ||
<span style="color:#5f94bb;">setsebool samba_export_all_rw on</span> | |||
<span style="color:#5f94bb;">setsebool samba_export_all_ro on</span> | |||
<span style="color:#5f94bb;">setsebool httpd_unified on</span> | |||
<span style="color:#5f94bb;">setsebool httpd_enable_homedirs on</span> | |||
<span style="color:#5f94bb;">setsebool httpd_read_user_content on</span> | |||
添加(add:) | |||
<span style="color:#5f94bb;">vi /etc/rc.d/rc.local</span> | |||
setsebool allow_polyinstantiation on | |||
setsebool samba_export_all_rw on | |||
setsebool samba_export_all_ro on | |||
setsebool httpd_unified on | |||
setsebool httpd_enable_homedirs on | |||
setsebool httpd_read_user_content on | |||
查看 | |||
getsebool -a|grep http | |||
点击firefox | |||
http://192.168.122.192 | |||
或 | |||
http://www.example.com.cn | |||
配置mediawiki选项 | |||
修改文件/var/www/html/mediawiki/LocalSettings.php | |||
更改网站左上角的logo为图片文件wiki-indexed.png | |||
在LocalSettings.php中间加入 | |||
$ | ## Set $wgLogo to the URL path to your own logo image. | ||
$ | $wgLogo = "${wgScriptPath}/skins/monobook/wiki-indexed.png"; | ||
编辑重定向mediawiki首页 | |||
http://www.example.com.cn/index.php/MediaWiki:Mainpage | |||
=== 配置DHCP服务器 === | |||
下载DHCP安装包ftp://58.49.171.28/download/ | |||
dhcp-4.2.0-19.P2.fc14.x86_64.rpm | |||
在系统工具>>终端 | |||
rpm -ivh dhcp-4.2.0-19.P2.fc14.x86_64.rpm | |||
查看DHCP配置文件的模板 | |||
#cat /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample | |||
通过cp把模板模板文件copy过来并且命名为“dhcpd.conf” | |||
cp /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample /etc/dhcp/dhcpd.conf | |||
更改DHCP配置文件 | |||
vi /etc/dhcp/dhcpd.conf | |||
配置DHCP租约文件(dhcpd.leases) | |||
第一次启动时dhcpd.leases是一个空文件位置在var/lib/dhcpd/dhcpd.leases显示分配客户机IP对应的MAC信息 | |||
启动dhcp服务器并指定ip地址分配的网络接口(eth1) | |||
vi /etc/sysconfig/dhcpd | |||
# command line options here | |||
DHCPDARGS=eth1 | |||
:w //保存文档 | |||
启动dhcp | |||
service dhcpd start | |||
使DHCP随服务器自启动 | |||
chkconfig --level 35 dhcpd on | |||
使用PS命令检查dhcpd进程: | |||
ps -ef | grep dhcpd | |||
使用netstat检查dhcpd运行端口: | |||
netstat -nutap | grep dhcpd | |||
=== 配置mail邮件服务器 === | |||
=== 配置samba文件服务器 === | |||
安装samba客户端 | |||
rpm -ivh samba-common-3.5.5-68.fc14.1.x86_64.rpm | |||
rpm -ivh samba-client-3.5.5-68.fc14.1.x86_64.rpm | |||
查看共享资源 | |||
smbclient -L 192.168.1.254 | |||
访问共享资源(使用root账户防止访问本地文件夹受限) | |||
smbclient //192.168.1.254/public -u usename | |||
<smb:\>dir | |||
<smb:\>cd video | |||
<smb:\>get RealPlayer11GOLD.rpm | |||
=== 配置FTP服务器 === | |||
=== 配置Redhat集群应用 === | |||
=== 配置防火墙firewall === | |||
*<1>更新防火墙iptables-1.4.10 | |||
下载最新的iptables版本(www.netfilter.org) | |||
scp root@192.168.1.5:/root/iptables-1.4.10.tar.bz2 | |||
mv /root/iptables-1.4.10.tar.bz2 /usr/local/src/ | |||
cd /usr/local/src/ | |||
tar jxvf iptables-1.4.10.tar.bz2 | |||
cd iptables-1.4.10 | |||
./configure | |||
make | |||
make install | |||
*<2>将iptables服务停止 | |||
[root@linux-test root] # service iptables stop | |||
<span style="color: #5f94bb;">[root@linux-test root]# service ip6tables stop</span> | |||
用/usr/local/sbin/iptables新文件替换/sbin/iptables(这个是老版本的连接位置) | |||
并同时替换ip6tables、ip6tables-restore、ip6tables-save、iptables、iptables-restore和iptables-save | |||
[root@linux-test root] # cp /usr/local/sbin/iptables /sbin/iptables | |||
iptables就升级完成了,使用下列命令查看 | |||
[root@linux-test root]# iptables -V | |||
iptables v1.4.10 | |||
[root@linux-test root]# service iptables restart | |||
*<3>使用snort.sh脚本在开机时自动开启防火墙设置(使用合理规则时可实现基于端口的Windows server 2008平台虚拟机web页面穿越防火墙与局域网直接联系,或使用主机代理连接至Internet。开发web不在受平台限制) | |||
<span style="color: #5f94bb;"> # touch /etc/rc.d/snort.sh</span> | |||
# echo "/etc/rc.d/snort.sh">>/etc/rc.d/rc.local | |||
将snort.sh防火墙脚本放在/etc/rc.d目录中 | |||
添加snort.sh文件的可执行权限 | |||
# chmod u+x /etc/rc.d/snort.sh | |||
# echo "1" >/proc/sys/net/ipv4/ip_forward | |||
或是修改/etc/sysctl.conf把net.ipv4.ip_forward = 0改为= 1 | |||
<span style="color: #5f94bb;">当启用ipv6防火墙时启用ipv6_forwarding路由转发设置</span> | |||
<span style="color: #5f94bb;">修改/etc/sysctl.conf在注释#Controls IP packet forwarding下面添加(add:)</span> | |||
<span style="color: #5f94bb;">net.ipv6.conf.all.forwarding = 1</span> | |||
<span style="color: #5f94bb;">save sysctl.conf保存文件并启用/etc/sysctl.conf文件中的变量variable</span> | |||
<span style="color: #5f94bb;">sysctl -p /etc/sysctl.conf</span> | |||
<span style="color: #5f94bb;">检查路由转发功能设置</span> | |||
<span style="color: #5f94bb;">nano /proc/sys/net/ipv6/conf/all/forwarding</span> | |||
<span style="color: #5f94bb;">或是修改echo "1" >/proc/sys/net/ipv6/conf/all/forwarding</span> | |||
以下为<span style="color: #FF9900">Basic_Firewall</span>防火墙脚本snort.sh内容:# gedit /etc/rc.d/snort.sh | |||
#!/bin/bash | |||
echo "1" >/proc/sys/net/ipv4/ip_forward | |||
echo "1" >/proc/sys/net/ipv6/conf/all/forwarding | |||
inet_iface="ppp0" | |||
inet_ip="192.168.122.2" | |||
lan_iface="eth1" | |||
lan_ip="192.168.1.5" | |||
lan_ip_range="192.168.1.0/24" | |||
dns1="202.103.24.68" | |||
dns2="202.103.44.150" | |||
ntp="122.226.192.4" | |||
ipt="/sbin/iptables" | |||
ip6t="/sbin/ip6tables" | |||
/sbin/depmod -a | |||
/sbin/modprobe ipt_MASQUERADE | |||
/sbin/modprobe ip_tables | |||
/sbin/modprobe ip_conntrack | |||
/sbin/modprobe ip_conntrack_ftp | |||
/sbin/modprobe ip_conntrack_irc | |||
/sbin/modprobe iptable_nat | |||
/sbin/modprobe ip_nat_ftp | |||
/sbin/modprobe ipt_connlimit | |||
/sbin/modprobe ipt_limit | |||
/sbin/modprobe ipt_LOG | |||
$ipt - | $ipt -P INPUT DROP | ||
$ipt - | $ipt -P FORWARD DROP | ||
$ipt - | $ipt -P OUTPUT ACCEPT | ||
$ipt -t | $ipt -t nat -P PREROUTING ACCEPT | ||
$ipt -t | $ipt -t nat -P POSTROUTING ACCEPT | ||
$ipt -t | $ipt -t nat -P OUTPUT ACCEPT | ||
for TABLE in filter nat mangle ; do | |||
$ipt -t | $ipt -t $TABLE -F | ||
$ipt -t | $ipt -t $TABLE -X | ||
done | |||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -s $lan_ip_range -i $inet_iface -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i $inet_iface -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -s 192.168.0.0/16 -i $inet_iface -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -s 10.0.0.0/8 -i $inet_iface -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -s 172.16.0.0/16 -i $inet_iface -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -s 127.0.0.0/8 -i $inet_iface -j DROP | ||
$ipt -t filter -A INPUT -p udp --dport | $ipt -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP | ||
$ipt -t filter -A INPUT -p tcp --dport | $ipt -t filter -A INPUT -p tcp --dport 0:19 -j DROP | ||
$ipt -t filter -A INPUT -p udp --dport | $ipt -t filter -A INPUT -p udp --dport 0:19 -j DROP | ||
$ipt -t filter -A INPUT -p tcp --dport | $ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 22 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP | ||
$ipt -t filter -A INPUT -p tcp --dport | $ipt -t filter -A INPUT -s $lan_ip -p tcp --dport 22 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -d 192.168.122.1 -p tcp --dport 22 -j DROP | ||
$ipt -t filter -A INPUT -p tcp --dport | $ipt -t filter -A INPUT -d $inet_ip -p tcp --dport 22 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p tcp --dport 23:24 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p udp --dport 21:52 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p tcp --dport 26:52 -j DROP | ||
$ipt -t filter -A INPUT -p tcp --dport | $ipt -t filter -A INPUT -p tcp --dport 54:66 -j DROP | ||
$ipt -t filter -A INPUT -p udp --dport | $ipt -t filter -A INPUT -p udp --dport 54:66 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 67 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -i $inet_iface -p udp --dport 67:69 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p tcp --dport 68:79 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 70:79 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 81:109 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p udp --dport 81:109 -j DROP | ||
$ipt -t filter -A INPUT -p tcp -- | $ipt -t filter -A INPUT -p tcp --dport 112 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p udp --dport 112 -j DROP | ||
$ipt -t filter -A INPUT -p tcp -- | $ipt -t filter -A INPUT -p tcp --dport 114:138 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 114:122 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 124:136 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -i $inet_iface -p udp --dport 137:138 -j DROP | ||
$ipt -t filter -A INPUT -i | $ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 139 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 140:142 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 144:442 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 139:442 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 444 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 446:1722 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 444:1193 -j DROP | ||
$ipt -t filter -A INPUT -p udp --dport | $ipt -t filter -A INPUT -p udp --dport 1195:1862 -j DROP | ||
$ipt -t filter -A INPUT -p tcp --dport | $ipt -t filter -A INPUT -p tcp --dport 1724:1862 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p tcp --dport 31790 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p udp --dport 31790 -j DROP | ||
$ipt -t filter - | $ipt -t filter -A INPUT -p tcp --dport 31789 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 31789 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 31340 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 31340 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 31339 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 31339 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 31338 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 31338 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 31337 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 31337 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p tcp --dport 31335 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 31335 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 30100 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 30100 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 27665 -j DROP | ||
$ipt -t filter -A INPUT -p udp | $ipt -t filter -A INPUT -p udp --dport 27665 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p tcp --dport 27444 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 27444 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p tcp --dport 27374 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 27374 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p tcp --dport 23445 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 23445 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 23444 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 23444 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 19191 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 19191 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 14704 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p udp --dport 14704 -j DROP | ||
$ipt -t filter -A INPUT | $ipt -t filter -A INPUT -p tcp --dport 10000 -j DROP | ||
$ipt -t filter -A INPUT -p | $ipt -t filter -A INPUT -p udp --dport 10000 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p tcp --dport 9704 -j DROP | ||
$ipt -t filter -A INPUT - | $ipt -t filter -A INPUT -p udp --dport 9704 -j DROP | ||
$ipt -t filter -A INPUT -p tcp - | $ipt -t filter -A INPUT -p tcp --dport 9393 -j DROP | ||
$ipt -t filter -A INPUT -j DROP | $ipt -t filter -A INPUT -p udp --dport 9393 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 8102 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 8102 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 8011 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 8011 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 7626 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 7626 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 7306 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 7306 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 6667 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 6667 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 6346 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 6346 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 6267 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 6267 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 6129 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 6129 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 6000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 6000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5900 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5900 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5800 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5800 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5554 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5554 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5400 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5400 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5168 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5168 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5100 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5100 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 5000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 5000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 4500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 4500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 4444 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 4444 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 3389 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 3389 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 3306 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 3306 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 3150 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 3150 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 3127 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 3127 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 3000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 3000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2989 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2989 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2869 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2869 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2475 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2475 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2140 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2140 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2115 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2115 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2023 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2023 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2012 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2012 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2001 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2001 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 2000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 2000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 1981 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 1981 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport 1900 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport 1900 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT | ||
$ipt -t filter -A | <span style="color: #FF9900">$ipt -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "iniptables:"</span> | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i lo -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $dns1 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $dns2 -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport domain ! -s $dns1 -i $inet_iface -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns1 -i $inet_iface -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp --dport domain ! -s $dns2 -i $inet_iface -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p tcp --dport domain ! -s $dns2 -i $inet_iface -j DROP | ||
$ipt -t filter - | $ipt -t filter -N LOGJOIN | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN | ||
$ipt -t filter -A | $ipt -t filter -A LOGJOIN -j LOG --log-prefix "iptenter:" | ||
$ipt -t filter -A | $ipt -t filter -A LOGJOIN -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p ah -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p esp -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -p udp -s $ntp -i $inet_iface --dport 123 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p gre -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p gre -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p ah -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p esp -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 5405,5404 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT | ||
$ipt -t filter -A | <span style="color: #5f94bb;">$ipt -t filter -A INPUT -p icmp --icmp-type any -j ACCEPT</span> | ||
$ipt -t filter -A | <span style="color: #b2b2b2">$ipt -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset</span> | ||
$ipt -t filter -A | <span style="color: #b2b2b2">$ipt -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable</span> | ||
$ipt -t filter -A | <span style="color: #b2b2b2">$ipt -t filter -A INPUT -j DROP</span> | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -s $lan_ip_range -i $inet_iface -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -s 192.168.122.0/24 -i $inet_iface -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -s 192.168.0.0/16 -i $inet_iface -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -s 10.0.0.0/8 -i $inet_iface -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -s 172.16.0.0/16 -i $inet_iface -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -s 127.0.0.0/8 -i $inet_iface -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 0:19 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 0:19 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 22:24 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 21:79 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 26:79 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 81:109 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 81:109 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 112 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 112 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 114:138 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 140:142 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 114:442 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 144:442 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 444 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 446:1001 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 444:1001 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31790 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31790 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31789 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31789 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31340 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31340 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31339 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31339 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31338 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31338 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31337 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31337 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 31335 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 31335 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 30100 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 30100 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 27665 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 27665 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 27444 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 27444 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 27374 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 27374 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 23445 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 23445 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 23444 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 23444 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 19191 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 19191 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 14704 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 14704 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 10000 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 10000 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp --dport | $ipt -t filter -A FORWARD -p tcp --dport 9704 -j DROP | ||
$ipt -t filter -A FORWARD -p udp --dport | $ipt -t filter -A FORWARD -p udp --dport 9704 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 9393 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 9393 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp -- | $ipt -t filter -A FORWARD -p tcp --dport 8102 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 8102 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p tcp --dport 8011 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p udp --dport 8011 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp -- | $ipt -t filter -A FORWARD -p tcp --dport 7626 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 7626 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp -- | $ipt -t filter -A FORWARD -p tcp --dport 7306 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 7306 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p tcp --dport 6667 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p udp --dport 6667 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp | $ipt -t filter -A FORWARD -p tcp --dport 6346 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p udp --dport 6346 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p tcp --dport 6267 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p udp --dport 6267 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p tcp --dport 6129 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p udp --dport 6129 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p tcp --dport 6000 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 6000 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 5900 -j DROP | ||
$ipt -t filter -A FORWARD -p udp - | $ipt -t filter -A FORWARD -p udp --dport 5900 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p tcp --dport 5800 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p udp --dport 5800 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p tcp --dport 5554 -j DROP | ||
$ipt -t filter -A FORWARD | $ipt -t filter -A FORWARD -p udp --dport 5554 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 5400 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 5400 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p tcp --dport 5168 -j DROP | ||
$ipt -t filter -A FORWARD -p | $ipt -t filter -A FORWARD -p udp --dport 5168 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p tcp --dport 5100 -j DROP | ||
$ipt -t filter -A FORWARD - | $ipt -t filter -A FORWARD -p udp --dport 5100 -j DROP | ||
$ipt -t filter -A FORWARD -p tcp - | $ipt -t filter -A FORWARD -p tcp --dport 5000 -j DROP | ||
$ipt -t filter -A FORWARD -j DROP | $ipt -t filter -A FORWARD -p udp --dport 5000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 4500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 4500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 4444 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 4444 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 3389 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 3389 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 3306 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 3306 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 3150 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 3150 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 3127 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 3127 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 3000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 3000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2989 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2989 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2869 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2869 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2500 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2475 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2475 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2140 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2140 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2115 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2115 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2023 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2023 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2012 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2012 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2001 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2001 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 2000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 2000 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1981 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1981 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1900 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1900 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1807 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1807 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1600 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1600 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1524 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1524 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1492 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1492 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1444 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1444 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1443 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1443 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1434 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1434 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1349 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1349 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1245 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1245 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1243 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1243 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1234 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1234 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1099 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1099 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1098 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1098 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1097 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1097 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1095 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1095 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1090 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1090 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1080 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1080 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1057 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1057 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1053 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1053 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1051 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1051 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1045 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1045 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1042 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1042 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1025 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1025 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1024 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1024 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1015 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1015 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1012 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1012 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1011 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1011 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --dport 1010 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp --dport 1010 -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-request -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT | ||
$ipt -t filter -A | <span style="color: #FF9900">$ipt -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "foriptables:"</span> | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $lan_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP | ||
$ipt -t filter -A | <span style="color: #7dc2f5">$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o virbr0 -p tcp -j ACCEPT</span> | ||
$ipt -t filter -A | <span style="color: #7dc2f5">$ipt -t filter -A FORWARD -i virbr0 -o $lan_iface -d $lan_ip_range -p tcp -j ACCEPT</span> | ||
$ipt -t filter -A | <span style="color: #7dc2f5">$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o virbr0 -p udp -j ACCEPT</span> | ||
$ipt -t filter -A | <span style="color: #7dc2f5">$ipt -t filter -A FORWARD -i virbr0 -o $lan_iface -d $lan_ip_range -p udp -j ACCEPT</span> | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p gre -s $lan_ip_range -i $lan_iface -o $inet_iface -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p gre -s 192.168.122.0/24 -i virbr0 -o $inet_iface -j ACCEPT | ||
$ipt -t filter -A | $ipt -t filter -A FORWARD -p udp -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT | ||
$ipt -t filter -A | <span style="color: #5f94bb;">$ipt -t filter -A FORWARD -p icmp --icmp-type any -j ACCEPT</span> | ||
$ipt -t filter -A | <span style="color: #b2b2b2">$ipt -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset</span> | ||
$ipt -t filter -A | <span style="color: #b2b2b2">$ipt -t filter -A FORWARD -j REJECT --reject-with icmp-port-unreachable</span> | ||
$ipt -t filter -A | <span style="color: #b2b2b2">$ipt -t filter -A FORWARD -j DROP</span> | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 0:19 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 0:19 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -o $inet_iface -p tcp --sport 22 -j DROP | ||
$ipt -t filter -A OUTPUT -p tcp --sport | $ipt -t filter -A OUTPUT -p tcp --sport 23:24 -j DROP | ||
$ipt -t filter -A OUTPUT -p udp --sport | $ipt -t filter -A OUTPUT -p udp --sport 22:52 -j DROP | ||
$ipt -t filter -A OUTPUT -p tcp --sport | $ipt -t filter -A OUTPUT -p tcp --sport 26:52 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 54:66 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 54:66 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -o $inet_iface -p tcp --sport 67 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -o $inet_iface -p udp --sport 67:68 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 68:79 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 70:79 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 81:109 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 81:109 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 112 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 112 -j DROP | ||
$ipt -t filter -A OUTPUT -p udp --sport | $ipt -t filter -A OUTPUT -p udp --sport 114:122 -j DROP | ||
$ipt -t filter -A OUTPUT -p tcp --sport | $ipt -t filter -A OUTPUT -p tcp --sport 114:138 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 140:142 -j DROP | ||
$ipt -t filter -A OUTPUT -p tcp --sport | $ipt -t filter -A OUTPUT -p tcp --sport 144:442 -j DROP | ||
$ipt -t filter -A OUTPUT -p udp --sport | $ipt -t filter -A OUTPUT -p udp --sport 124:442 -j DROP | ||
$ipt -t filter -A OUTPUT -p tcp --sport | $ipt -t filter -A OUTPUT -p tcp --sport 444 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 446:1001 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 444:1001 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31790 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31790 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31789 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31789 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31340 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31340 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31339 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31339 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31338 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31338 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31337 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31337 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 31335 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 31335 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 30100 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 30100 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 27665 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 27665 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 27444 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 27444 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 27374 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 27374 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 23445 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 23445 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 23444 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 23444 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p tcp --sport 19191 -j DROP | ||
$ipt -t filter -A OUTPUT -p | $ipt -t filter -A OUTPUT -p udp --sport 19191 -j DROP | ||
$ipt -t filter -A OUTPUT -p udp --sport 1012 -j DROP | $ipt -t filter -A OUTPUT -p tcp --sport 14704 -j DROP | ||
$ipt -t filter -A OUTPUT -p tcp --sport 1011 -j DROP | $ipt -t filter -A OUTPUT -p udp --sport 14704 -j DROP | ||
$ipt -t filter -A OUTPUT -p udp --sport 1011 -j DROP | $ipt -t filter -A OUTPUT -p tcp --sport 10000 -j DROP | ||
$ipt -t filter -A OUTPUT -p udp --sport 10000 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 9704 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 9704 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 9393 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 9393 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 8102 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 8102 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 8011 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 8011 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 7626 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 7626 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 7306 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 7306 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 6667 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 6667 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 6346 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 6346 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 6267 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 6267 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 6129 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 6129 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 6000 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 6000 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5900 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5900 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5800 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5800 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5554 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5554 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5400 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5400 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5168 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5168 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5100 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5100 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 5000 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 5000 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 4500 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 4500 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 4444 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 4444 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 3389 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 3389 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 3306 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 3306 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 3150 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 3150 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 3127 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 3127 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 3000 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 3000 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2989 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2989 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2869 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2869 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2500 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2500 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2475 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2475 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2140 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2140 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2115 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2115 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2023 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2023 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2012 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2012 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2001 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2001 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 2000 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 2000 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1981 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1981 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1900 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1900 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1807 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1807 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1600 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1600 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1524 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1524 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1492 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1492 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1444 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1444 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1443 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1443 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1434 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1434 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1349 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1349 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1245 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1245 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1243 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1243 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1234 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1234 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1099 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1099 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1098 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1098 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1097 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1097 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1095 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1095 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1090 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1090 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1080 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1080 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1057 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1057 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1053 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1053 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1051 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1051 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1045 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1045 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1042 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1042 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1025 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1025 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1024 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1024 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1015 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1015 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1012 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1012 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1011 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1011 -j DROP | |||
$ipt -t filter -A OUTPUT -p tcp --sport 1010 -j DROP | |||
$ipt -t filter -A OUTPUT -p udp --sport 1010 -j DROP | |||
$ipt -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j DROP | |||
$ipt -t filter -A OUTPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o lo -j ACCEPT | |||
$ipt -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT | |||
$ipt -t filter -A OUTPUT -p udp --sport domain -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o $lan_iface -p ah -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o $lan_iface -p esp -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o virbr0 -p ah -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o virbr0 -p esp -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o $lan_iface -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o $lan_iface -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT | |||
$ipt -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT | |||
$ipt -t filter -A OUTPUT -d $lan_ip_range -o $lan_iface -p gre -j ACCEPT | |||
$ipt -t filter -A OUTPUT -d 192.168.122.0/24 -o virbr0 -p gre -j ACCEPT | |||
<span style="color: #5f94bb;">$ipt -t filter -A OUTPUT -p icmp --icmp-type any -j ACCEPT</span> | |||
if [ "$inet_iface" = ppp0 ] ; then | |||
$ipt -t nat -A POSTROUTING -o $inet_iface -j MASQUERADE | |||
else | |||
$ipt -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip | |||
fi | |||
$ip6t -P INPUT DROP | |||
$ip6t -P FORWARD DROP | |||
$ip6t -P OUTPUT ACCEPT | |||
for TABLE in filter mangle ; do | |||
$ip6t -t $TABLE -F | |||
$ip6t -t $TABLE -X | |||
done | |||
$ip6t -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP | |||
$ip6t -t filter -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP | |||
$ip6t -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | |||
$ip6t -t filter -A INPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT | |||
$ip6t -t filter -A INPUT -m limit --limit 150/sec --limit-burst 150 -j ACCEPT | |||
<span style="color: #FF9900">$ip6t -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "inip6tables:"</span> | |||
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | |||
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | |||
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | |||
$ip6t -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |||
$ip6t -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
$ip6t -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | |||
$ip6t -t filter -A INPUT -i lo -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $inet_iface -m state --state NEW -m udp -p udp --sport domain -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $inet_iface -m state --state NEW -m tcp -p tcp --sport domain -j ACCEPT | |||
$ip6t -t filter -N ip6LOGJOIN | |||
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN | |||
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN | |||
$ip6t -t filter -A ip6LOGJOIN -j LOG --log-prefix "ip6tenter:" | |||
$ip6t -t filter -A ip6LOGJOIN -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i $lan_iface -p gre -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -p gre -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT | |||
$ip6t -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT | |||
<span style="color: #5f94bb;">$ip6t -t filter -A INPUT -p icmpv6 -j ACCEPT</span> | |||
<span style="color: #b2b2b2">$ip6t -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset</span> | |||
<span style="color: #b2b2b2">$ip6t -t filter -A INPUT -j REJECT --reject-with icmp6-port-unreachable</span> | |||
<span style="color: #b2b2b2">$ip6t -t filter -A INPUT -j DROP</span> | |||
$ip6t -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP | |||
$ip6t -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP | |||
$ip6t -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT | |||
$ip6t -t filter -A FORWARD -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -m limit --limit 150/sec --limit-burst 150 -j ACCEPT | |||
<span style="color: #FF9900">$ip6t -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "forip6tables:"</span> | |||
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP | |||
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP | |||
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP | |||
$ip6t -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP | |||
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
$ip6t -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP | |||
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -p tcp -j ACCEPT</span> | |||
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -p udp -j ACCEPT</span> | |||
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i virbr0 -o $lan_iface -p tcp -j ACCEPT</span> | |||
<span style="color: #7dc2f5">$ip6t -t filter -A FORWARD -i virbr0 -o $lan_iface -p udp -j ACCEPT</span> | |||
$ip6t -t filter -A FORWARD -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -j ACCEPT | |||
$ip6t -t filter -A FORWARD -p gre -i $lan_iface -o $inet_iface -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -j ACCEPT | |||
$ip6t -t filter -A FORWARD -p gre -i virbr0 -o $inet_iface -j ACCEPT | |||
<span style="color: #5f94bb;">$ip6t -t filter -A FORWARD -p icmpv6 -j ACCEPT</span> | |||
<span style="color: #b2b2b2">$ip6t -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset</span> | |||
<span style="color: #b2b2b2">$ip6t -t filter -A FORWARD -j REJECT --reject-with icmp6-port-unreachable</span> | |||
<span style="color: #b2b2b2">$ip6t -t filter -A FORWARD -j DROP</span> | |||
$ip6t -t filter -A OUTPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP | |||
$ip6t -t filter -A OUTPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT | |||
$ | $ip6t -t filter -A OUTPUT -o lo -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -p udp --sport domain -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o $lan_iface -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o $lan_iface -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o $lan_iface -p gre -j ACCEPT | ||
$ | $ip6t -t filter -A OUTPUT -o virbr0 -p gre -j ACCEPT | ||
$ | <span style="color: #5f94bb;">$ip6t -t filter -A OUTPUT -p icmpv6 -j ACCEPT</span> | ||
$ipt -t filter - | <span style="color: #FF9900">$ipt -t filter -I FORWARD -i $inet_iface -o virbr0 -p tcp -j ACCEPT</span> | ||
$ipt -t filter - | <span style="color: #FF9900">$ipt -t filter -I FORWARD -i virbr0 -o $inet_iface -p tcp -j ACCEPT</span> | ||
<span style="color: #FF9900">$ipt -t filter -I FORWARD -i $inet_iface -o virbr0 -p udp -j ACCEPT</span> | |||
$ipt -t | <span style="color: #FF9900">$ipt -t filter -I FORWARD -i virbr0 -o $inet_iface -p udp -j ACCEPT</span> | ||
<span style="color: #FF9900">$ipt -t nat -I PREROUTING -p tcp -d $inet_ip --dport 80 -j DNAT --to 192.168.122.192:80</span> | |||
$ipt -t nat - | <span style="color: #FF9900">$ipt -t nat -I PREROUTING -p udp -d $inet_ip --dport 80 -j DNAT --to 192.168.122.192:80</span> | ||
<span style="color: #7dc2f5">$ipt -t nat -I PREROUTING -p tcp -d $lan_ip --dport 80 -j DNAT --to 192.168.122.192:80</span> | |||
$ipt -t nat - | <span style="color: #7dc2f5">$ipt -t nat -I PREROUTING -p udp -d $lan_ip --dport 80 -j DNAT --to 192.168.122.192:80</span> | ||
*保存防火墙配置runing snort.sh | *保存防火墙配置runing snort.sh | ||
service iptables save | service iptables save | ||
service ip6tables save | |||
或者 | 或者 | ||
/etc/init.d/iptables save | /etc/init.d/iptables save | ||
/etc/init.d/ip6tables save | |||
可以在/var/log/messages文件中查看记录信息。 | 可以在/var/log/messages文件中查看记录信息。 | ||
在/etc/crontab中加入如下信息: | |||
# iptables reload(每隔30分钟运行一次防火墙配置) | |||
*/30 * * * * root /etc/rc.d/snort.sh | |||
现实中必须使用service iptables restart且service ip6tables restart | |||
更改自启动firewall+[IDS] | |||
ntsysv | |||
最后更新路由设置ip route | |||
== Fedora-14使用中存在的bug == | == Fedora-14使用中存在的bug == |
安装Fedora-14
在此处获得Fedora-14安装的鏡像文件。
在计算机安装Fedora-14-x86_64-DVD.iso的鏡像文件过程中, 当勾选默认配置时能够顺利完成安装; 当选择全部的安装包时系统提示有三个连接文件存在依赖关系无法完成最终的安装(其所需安装磁盘容量至少28.5GB);
fedora 14管理配置
第一部分 | 第二部分 | 第三部分 |
Linux网络系统基本管理 | Linux网络服务管理 | Linux安全快速的远程访问管理 |
Linux系统基本配置; DHCP实现ip地址自动分配; NIS网络信息服务。 |
Linux网络服务应用; Samba+NFS文件服务; BIND提供域名解析服务;|Apache提供网站服务;|Vsftp提供文件传输服务;|Sendmail邮件服务等。 |
Linux实现软路由; Iptables网络防火墙; Squid代理服务器配置;|Linux实现VPN服务器; SSH实现Linux安全的访问和数据传输。 |
配置Fedora-14系统
VM虚拟机CPU饱和后不允许溢出运行;
解决root用户直接登入问题
su -
密码:
输入命令:gedit /etc/pam.d/gdm&
在文本编辑器中注释掉"auth required pam_succeed_if.so user!=root quiet"这一行(在这一行前面加上"#"注释,即改成#auth required pam_succeed_if.so user!=root quiet)
保存后继续输入命令:gedit /etc/pam.d/gdm-password&
同样地注释掉"auth required pam_succeed_if.so user!=root quiet"这一行。
保存后退出
现在就能使用root用户登录了
安装f-prot
(download_http://www.f-prot.com/download/home_user/)
cd /usr/local/src
tar zxvf fp-Linux-x86_64-ws.tar.gz
cd f-prot
./install-f-prot.pl
选用默认的安装目录/usr/local/bin
选用默认的安装手册目录/usr/share/man/man8
all done!
全盘扫描
fpscan -a
扫描结果
files:88552
skipped files:0
files with errors:2
Running time:06:28
配置DNS服务器
rpm -ivh bind-9.7.2-2.P2.fc14.x86_64.rpm
service named start
查看主机名称
#hostname
设置随机启动named服务:chkconfig --level 35 named on
配置主机名:
vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=example.com.cn
# NOTE(review): 192.168.1.5 is outside 192.168.122.0/24, the subnet that
# ifcfg-eth0 gives this host (IPADDR/PREFIX=24) — confirm the default gateway
# is actually reachable on-link from eth0.
GATEWAY=192.168.1.5
完成本地域名解析
vi /etc/hosts
192.168.122.192 example.com.cn example # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost localhost4
# NOTE(review): the hostname maps to ::1 here but to ::c0a8:7ac0 in the AAAA
# record of example.com.cn.zone, so local and DNS IPv6 answers differ — confirm.
::1 example.com.cn example localhost6.localdomain6 localhost6
查看/etc/host.conf文件
vi /etc/host.conf
# Return every address listed for a name in /etc/hosts, not just the first.
multi on
# Resolution order: /etc/hosts first, then the name servers from resolv.conf.
order hosts,bind
配置网卡:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
# Static addressing: no DHCP client on this interface.
BOOTPROTO="none"
DEFROUTE="yes"
# First resolver is this host itself (see IPADDR below), i.e. the local named
# instance; the second resolver is the LAN gateway.
DNS1="192.168.122.192"
DOMAIN="com.cn"
# NOTE(review): 192.168.1.5 lies outside 192.168.122.0/24 (IPADDR/PREFIX
# below), so it is not on-link for eth0 — confirm the intended default gateway.
GATEWAY="192.168.1.5"
# Hardware address and connection UUID tie this file to one specific NIC.
HWADDR="00:16:96:16:3A:14"
IPADDR="192.168.122.192"
IPV4_FAILURE_FATAL="yes"
# NOTE(review): IPv6 is disabled on this interface although the zone files on
# this page publish AAAA records and an ip6tables policy is configured — confirm.
IPV6INIT="no"
NAME="System eth0"
# NetworkManager owns this interface and regenerates /etc/resolv.conf from
# DNS1/DNS2 above, so edits made directly to resolv.conf may not survive.
NM_CONTROLLED="yes"
PREFIX="24"
TYPE="Ethernet"
UUID="5fb06bd0-0bb0-7ffd-45f1-d6edd65f3e03"
# Same network size as PREFIX=24, written in netmask form.
NETMASK=255.255.255.0
USERCTL=no
DNS2=192.168.1.5
配置本机DNS解析文件(系统>>管理>>网络>>DNS)
vi /etc/resolv.conf
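# Generated by NetworkManager
# NOTE: ifcfg-eth0 has NM_CONTROLLED="yes", so NetworkManager may rewrite this
# file; the durable place for these values is DNS1/DNS2 in ifcfg-eth0.
search com.cn
# Primary resolver: this host's own address, i.e. the local named instance.
# (resolv.conf only treats "#" or ";" in the first column as a comment, so the
# original trailing "//..." annotations were not comments and are moved here.)
nameserver 192.168.122.192
# Second resolver, the LAN gateway, tried when the first does not answer.
nameserver 192.168.1.5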
配置named主文件
cp /etc/named.conf /home/patriotserver/下载
vi /etc/named.conf
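//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
	// Every statement inside options must end with ";". The original
	// "listen-on port 53 { any; }" lacked one, and named refuses to start
	// on a syntax error.
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	// Relative paths are resolved under "directory"; the original
	// "var/named/data/cache_dump.db" would have pointed at
	// /var/named/var/named/data/cache_dump.db.
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// NOTE(review): pinning the outgoing query port to 53 disables source-port
	// randomisation, one of the main defences of a recursive server against
	// cache poisoning. Unless an upstream firewall genuinely requires a fixed
	// port, drop these two lines and let named choose random ports.
	query-source port 53;
	query-source-v6 port 53;
	// With "recursion yes" below, any client that reaches port 53 can use this
	// host as an open recursive resolver (amplification and poisoning
	// exposure); only the host firewall limits that here. Authoritative
	// answers for the zones in named.rfc1912.zones need "any", but recursion
	// can be restricted separately, e.g.
	// "allow-recursion { localhost; localnets; };".
	allow-query { any; };
	allow-query-cache { any;};
	recursion yes;
	recursive-clients 10000;
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;
	/* path to ISC DLV key*/
	// NOTE(review): Fedora's stock named.conf points this at
	// /etc/named.iscdlv.key; confirm /etc/named/dynamic is the DLV key file
	// and not a directory.
	bindkeys-file "/etc/named/dynamic";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
// Root hints, used for recursion.
zone "." IN {
	type hint;
	file "named.ca";
};
// The example.com.cn and 122.168.192.in-addr.arpa zones are declared in this
// include.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";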
配置定义文件vi /etc/named.rfc1912.zones添加如下文件连接:
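// The zone name must match the origin used inside example.com.cn.zone
// (its SOA, NS and MX records all name example.com.cn.). The original
// "explame.com.cn" was a typo that would have served the data under the
// wrong name.
zone "example.com.cn" IN {
	type master;
	file "example.com.cn.zone";
	// No dynamic updates: records change only by editing the file and
	// running "service named reload".
	allow-update { none; };
};
// Reverse zone for 192.168.122.0/24; the file name matches the copy made
// from named.loopback later on this page.
zone "122.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.122.arpa";
	allow-update { none; };
};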
配置正向解析文件(添加邮件域名@example.com.cn,其中MX记录的优先级数值越小优先级越高):
cd /var/named
cp named.localhost example.com.cn.zone
vi example.com.cn.zone
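$TTL 1D
; The SOA RDATA needs five numeric fields: serial, refresh, retry, expire,
; minimum. The original listed only four (no expire), which named rejects
; when loading the zone; 1W matches the reverse zone file on this page.
@	IN SOA	example.com.cn. root.example.com.cn. (
			42	; serial
			1D	; refresh
			1H	; retry
			1W	; expire
			3H )	; minimum
; Apex records. The owner is written explicitly as "@" so the lines do not
; depend on leading whitespace (an owner-less record inherits the previous
; owner only when it starts with whitespace).
example.com.cn.	IN NS	example.com.cn.
@	IN A	192.168.122.192
; NOTE(review): ::c0a8:7ac0 is the deprecated IPv4-compatible encoding of
; 192.168.122.192, not a routable IPv6 address — confirm this is intended.
@	IN AAAA	0000:0000:0000:0000:0000:0000:c0a8:7ac0
; Mail for @example.com.cn is delivered to this host (lower preference wins).
@	IN MX 5	example.com.cn.
www	IN A	192.168.122.192
www	IN AAAA	0000:0000:0000:0000:0000:0000:c0a8:7ac0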
配置反向解析文件:/var/named/192.168.122.arpa
cp named.loopback 192.168.122.arpa
vi 192.168.122.arpa
$TTL 1D
; Reverse zone for 192.168.122.0/24. All five SOA fields are present here
; (serial, refresh, retry, expire, minimum).
122.168.192.in-addr.arpa. IN SOA example.com.cn. root.example.com.cn. (
42 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
122.168.192.in-addr.arpa. IN NS example.com.cn.
; NOTE(review): the two owner-less lines below inherit the previous owner only
; when they begin with whitespace; at column 0 the token "IN" would likely be
; read as an owner name. A/AAAA records under an in-addr.arpa. name are not
; needed for reverse lookups.
IN A 192.168.122.192
IN AAAA 0000:0000:0000:0000:0000:0000:c0a8:7ac0
; 192.168.122.192 -> www.example.com.cn.
192 IN PTR www.example.com.cn.
修改文件所属组:
cd /var/named
chgrp named example.com.cn.zone
chgrp named 192.168.122.arpa
设置文件权限:
chmod 644 /etc/named.conf
chmod 644 /etc/named.rfc1912.zones
chmod 644 /var/named/example.com.cn.zone
chmod 644 /var/named/192.168.122.arpa
重新载入DNS域名解析:
service named reload
测试nslookup
安装mysql
rpm -ivh perl-DBD-Mysql-4.017-1.fc14.x86_64.rpm
rpm -ivh mysql-libs-5.1.51-2.fc14.x86_64.rpm
rpm -ivh mysql-5.1.51-2.fc14.x86_64.rpm
rpm -ivh mysql-server-5.1.52-1.fc14.x86_64.rpm
设置MySQL启动
service mysqld start
cd /usr ; /usr/bin/mysqld_safe &
cd /usr/mysql-test ; perl mysql-test-run.pl
please report any problems with the /usr/bin/mysqlbug script!
正在启动mysqld:[确定]
创建用户密码:
/usr/bin/mysqladmin -u root password ******
设置mysql开机自启动
ntsysv选择mysqld确定
创建数据库 mysql -u root -p ******
mysql> create database mediawiki;
增加一个用户mediawiki去管理mediawiki数据库
mysql> grant select,insert,update,delete on mediawiki.* to mediawiki@localhost identified by "password";
配置Apache服务器
配置mediawiki
cd /var/www/html
tar zxvf mediawiki-1.16.0.tar.gz
chmod 711 mediawiki-1.16.0
cd mediawiki-1.16.0
chmod a+w config
开放图片上传功能
chmod 777 images
改变组别和所有者
cd ..
# NOTE(review): 1000:1000 is a numeric uid/gid — on Fedora typically the first
# desktop user, not the account httpd runs as. Confirm it matches the web
# server user; otherwise uploads depend on the 777 mode set on images/ above.
chown -hR 1000:1000 mediawiki-1.16.0
配置apache服务器
service httpd start
设置开机自启动Apache
ntsysv
配置文件说明如下:
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.bak
gedit /etc/httpd/conf/httpd.conf
修改前的旧文件语句
TimeOut 60
KeepAlive Off
#ExtendedStatus on
#ServerName www.example.com:80
UseCanonicalName Off
修改后语句
TimeOut 300
KeepAlive On
ExtendedStatus Off
ServerName www.example.com.cn:80
UseCanonicalName On
添加根文档目录的访问权限:
<Directory "/var/www/html/mediawiki-1.16.0">
# NOTE(review): "Indexes" exposes directory listings and "Includes" enables
# server-side includes for this tree. Combined with the world-writable images/
# directory (chmod 777 earlier on this page) that lets uploaded content be
# listed and, where an SSI handler is mapped, parsed by the server. Confirm
# both options are really needed for this document root.
Options MultiViews Indexes Includes FollowSymLinks
# .htaccess files under this tree may override FileInfo, AuthConfig and Limit
# directives.
AllowOverride FileInfo AuthConfig Limit
# GET, POST and OPTIONS are open to every client ...
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
# ... every other method (PUT, DELETE, TRACE, ...) is refused.
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
添加如下虚拟主机(VirtualHost)配置:
<VirtualHost 192.168.122.192:80>
# Contact address used in server-generated error messages.
ServerAdmin root@localhost
DocumentRoot /var/www/html/mediawiki-1.16.0
# Matches the ServerName set in the main httpd.conf above.
ServerName www.example.com.cn
DirectoryIndex index.php index.html index.htm index.shtml
# NOTE(review): "debug" is the most verbose level and fills the error log
# quickly; switch to "warn" (the httpd default) once the site works.
Loglevel debug
# No reverse DNS lookups of client addresses when logging.
HostNameLookups off
</VirtualHost>
重启Apache服务
service httpd restart
设置httpd_rw写权限
# NOTE(review): these SELinux booleans are set without -P, so they revert at
# reboot (hence the copy into rc.local further down). Each one widens what a
# confined service may touch; keep only the ones the site actually needs.
# Enables polyinstantiated (per-user / per-level) directories.
setsebool allow_polyinstantiation on
# Samba may read *and write* any file regardless of its label — far broader
# than labelling only the shared directories.
setsebool samba_export_all_rw on
# Read-only variant of the above; redundant once the _rw boolean is on.
setsebool samba_export_all_ro on
# Unifies the httpd content types, so content httpd can read it can also
# write — removes the read-only/writable split for web content.
setsebool httpd_unified on
# Lets httpd serve files from users' home directories.
setsebool httpd_enable_homedirs on
# Lets httpd read user-owned content.
setsebool httpd_read_user_content on
添加(add:)
vi /etc/rc.d/rc.local
# Re-applied from rc.local at every boot because the interactive setsebool
# calls above were not made persistent; "setsebool -P" on each boolean would
# make this block unnecessary.
setsebool allow_polyinstantiation on
setsebool samba_export_all_rw on
setsebool samba_export_all_ro on
setsebool httpd_unified on
setsebool httpd_enable_homedirs on
setsebool httpd_read_user_content on
查看
getsebool -a|grep http
点击firefox
或
配置mediawiki选项
修改文件/var/www/html/mediawiki/LocalSettings.php
更改网站左上角的logo为图片文件wiki-indexed.png
在LocalSettings.php中间加入
## Set $wgLogo to the URL path to your own logo image.
$wgLogo = "${wgScriptPath}/skins/monobook/wiki-indexed.png";
编辑重定向mediawiki首页
http://www.example.com.cn/index.php/MediaWiki:Mainpage
配置DHCP服务器
下载DHCP安装包ftp://58.49.171.28/download/
dhcp-4.2.0-19.P2.fc14.x86_64.rpm
在系统工具>>终端
rpm -ivh dhcp-4.2.0-19.P2.fc14.x86_64.rpm
查看DHCP配置文件的模板
#cat /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample
通过cp把模板文件复制过来并命名为“dhcpd.conf”
cp /usr/share/doc/dhcp-4.2.0/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
更改DHCP配置文件
vi /etc/dhcp/dhcpd.conf
配置DHCP租约文件(dhcpd.leases)
第一次启动时dhcpd.leases是一个空文件,位置在/var/lib/dhcpd/dhcpd.leases,其中记录已分配给客户机的IP及对应的MAC信息
启动dhcp服务器并指定ip地址分配的网络接口(eth1)
vi /etc/sysconfig/dhcpd
# command line options here
# Restrict dhcpd to eth1, the LAN-side interface (lan_iface in snort.sh), so
# it does not hand out leases on the internet-facing interface.
DHCPDARGS=eth1
:w //保存文档
启动dhcp
service dhcpd start
使DHCP随服务器自启动
chkconfig --level 35 dhcpd on
使用PS命令检查dhcpd进程:
ps -ef | grep dhcpd
使用netstat检查dhcpd运行端口:
netstat -nutap | grep dhcpd
配置mail邮件服务器
配置samba文件服务器
安装samba客户端
rpm -ivh samba-common-3.5.5-68.fc14.1.x86_64.rpm
rpm -ivh samba-client-3.5.5-68.fc14.1.x86_64.rpm
查看共享资源
smbclient -L 192.168.1.254
访问共享资源(使用root账户防止访问本地文件夹受限)
smbclient //192.168.1.254/public -u usename
<smb:\>dir
<smb:\>cd video
<smb:\>get RealPlayer11GOLD.rpm
配置FTP服务器
配置Redhat集群应用
配置防火墙firewall
- <1>更新防火墙iptables-1.4.10
下载最新的iptables版本(www.netfilter.org)
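# Fetch the iptables source from the internal host and build it under
# /usr/local/src. Runs as root (make install writes to /usr/local).
# The original "scp root@192.168.1.5:/root/iptables-1.4.10.tar.bz2" had no
# destination operand, which scp rejects with its usage message; /root/ is
# where the following mv expects the file.
scp root@192.168.1.5:/root/iptables-1.4.10.tar.bz2 /root/
mv /root/iptables-1.4.10.tar.bz2 /usr/local/src/
cd /usr/local/src/
# NOTE(review): netfilter.org publishes detached signatures for its tarballs;
# verify the archive against one before building a firewall from it.
tar jxvf iptables-1.4.10.tar.bz2
cd iptables-1.4.10
./configure
make
make install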
- <2>将iptables服务停止
[root@linux-test root] # service iptables stop
[root@linux-test root]# service ip6tables stop
用/usr/local/sbin/iptables新文件替换/sbin/iptables(这个是老版本的连接位置)
并同时替换ip6tables、ip6tables-restore、ip6tables-save、iptables、iptables-restore和iptables-save
[root@linux-test root] # cp /usr/local/sbin/iptables /sbin/iptables
iptables就升级完成了,使用下列命令查看
[root@linux-test root]# iptables -V
iptables v1.4.10
[root@linux-test root]# service iptables restart
- <3>使用snort.sh脚本在开机时自动开启防火墙设置(使用合理规则时可实现基于端口的Windows server 2008平台虚拟机web页面穿越防火墙与局域网直接联系,或使用主机代理连接至Internet。开发web不再受平台限制)
# touch /etc/rc.d/snort.sh
# echo "/etc/rc.d/snort.sh">>/etc/rc.d/rc.local
将snort.sh防火墙脚本放在/etc/rc.d目录中
添加snort.sh文件的可执行权限
# chmod u+x /etc/rc.d/snort.sh
# echo "1" >/proc/sys/net/ipv4/ip_forward
或是修改/etc/sysctl.conf把net.ipv4.ip_forward = 0改为= 1
当启用ipv6防火墙时启用ipv6_forwarding路由转发设置
修改/etc/sysctl.conf在注释#Controls IP packet forwarding下面添加(add:)
net.ipv6.conf.all.forwarding = 1
保存sysctl.conf文件并使/etc/sysctl.conf中的设置生效
sysctl -p /etc/sysctl.conf
检查路由转发功能设置
nano /proc/sys/net/ipv6/conf/all/forwarding
或是修改echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
以下为Basic_Firewall防火墙脚本snort.sh内容:# gedit /etc/rc.d/snort.sh
#!/bin/bash
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
inet_iface="ppp0"
inet_ip="192.168.122.2"
lan_iface="eth1"
lan_ip="192.168.1.5"
lan_ip_range="192.168.1.0/24"
dns1="202.103.24.68"
dns2="202.103.44.150"
ntp="122.226.192.4"
ipt="/sbin/iptables"
ip6t="/sbin/ip6tables"
/sbin/depmod -a
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_connlimit
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
for TABLE in filter nat mangle ; do
$ipt -t $TABLE -F
$ipt -t $TABLE -X
done
$ipt -t filter -A INPUT -s $lan_ip_range -i $inet_iface -j DROP
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -s 192.168.0.0/16 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -s 10.0.0.0/8 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -s 172.16.0.0/16 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -s 127.0.0.0/8 -i $inet_iface -j DROP
$ipt -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 0:19 -j DROP
$ipt -t filter -A INPUT -p udp --dport 0:19 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 22 -j DROP
$ipt -t filter -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP
$ipt -t filter -A INPUT -s $lan_ip -p tcp --dport 22 -j DROP
$ipt -t filter -A INPUT -d 192.168.122.1 -p tcp --dport 22 -j DROP
$ipt -t filter -A INPUT -d $inet_ip -p tcp --dport 22 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 23:24 -j DROP
$ipt -t filter -A INPUT -p udp --dport 21:52 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 26:52 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 54:66 -j DROP
$ipt -t filter -A INPUT -p udp --dport 54:66 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 67 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 67:69 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 68:79 -j DROP
$ipt -t filter -A INPUT -p udp --dport 70:79 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 81:109 -j DROP
$ipt -t filter -A INPUT -p udp --dport 81:109 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 112 -j DROP
$ipt -t filter -A INPUT -p udp --dport 112 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 114:138 -j DROP
$ipt -t filter -A INPUT -p udp --dport 114:122 -j DROP
$ipt -t filter -A INPUT -p udp --dport 124:136 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p udp --dport 137:138 -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport 139 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 140:142 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 144:442 -j DROP
$ipt -t filter -A INPUT -p udp --dport 139:442 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 446:1722 -j DROP
$ipt -t filter -A INPUT -p udp --dport 444:1193 -j DROP
$ipt -t filter -A INPUT -p udp --dport 1195:1862 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 1724:1862 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31790 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31790 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31789 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31789 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31340 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31340 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31339 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31339 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31338 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31338 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31337 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31337 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 31335 -j DROP
$ipt -t filter -A INPUT -p udp --dport 31335 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 30100 -j DROP
$ipt -t filter -A INPUT -p udp --dport 30100 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 27665 -j DROP
$ipt -t filter -A INPUT -p udp --dport 27665 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 27444 -j DROP
$ipt -t filter -A INPUT -p udp --dport 27444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 27374 -j DROP
$ipt -t filter -A INPUT -p udp --dport 27374 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 23445 -j DROP
$ipt -t filter -A INPUT -p udp --dport 23445 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 23444 -j DROP
$ipt -t filter -A INPUT -p udp --dport 23444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 19191 -j DROP
$ipt -t filter -A INPUT -p udp --dport 19191 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 14704 -j DROP
$ipt -t filter -A INPUT -p udp --dport 14704 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 10000 -j DROP
$ipt -t filter -A INPUT -p udp --dport 10000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 9704 -j DROP
$ipt -t filter -A INPUT -p udp --dport 9704 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 9393 -j DROP
$ipt -t filter -A INPUT -p udp --dport 9393 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 8102 -j DROP
$ipt -t filter -A INPUT -p udp --dport 8102 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 8011 -j DROP
$ipt -t filter -A INPUT -p udp --dport 8011 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 7626 -j DROP
$ipt -t filter -A INPUT -p udp --dport 7626 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 7306 -j DROP
$ipt -t filter -A INPUT -p udp --dport 7306 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6667 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6667 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6346 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6346 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6267 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6267 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6129 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6129 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 6000 -j DROP
$ipt -t filter -A INPUT -p udp --dport 6000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5900 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5900 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5800 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5800 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5554 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5554 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5400 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5400 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5168 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5168 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5100 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5100 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 5000 -j DROP
$ipt -t filter -A INPUT -p udp --dport 5000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 4500 -j DROP
$ipt -t filter -A INPUT -p udp --dport 4500 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 4444 -j DROP
$ipt -t filter -A INPUT -p udp --dport 4444 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3389 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3389 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3306 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3306 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3150 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3150 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3127 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3127 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 3000 -j DROP
$ipt -t filter -A INPUT -p udp --dport 3000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2989 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2989 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2869 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2869 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2500 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2500 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2475 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2475 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2140 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2140 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2115 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2115 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2023 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2023 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2012 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2012 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2001 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2001 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 2000 -j DROP
$ipt -t filter -A INPUT -p udp --dport 2000 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 1981 -j DROP
$ipt -t filter -A INPUT -p udp --dport 1981 -j DROP
$ipt -t filter -A INPUT -p tcp --dport 1900 -j DROP
$ipt -t filter -A INPUT -p udp --dport 1900 -j DROP
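# ---- INPUT: traffic addressed to the router itself ---------------------------
# (The destination-port blacklist above is evaluated before anything here.)

# The router never answers ping.
$ipt -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
# Bare RSTs at 1/s; anything above that falls through to the state rules.
$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# NOTE(review): this limit is a no-op — the unconditional ICMP ACCEPT near
# the end of the chain admits whatever exceeds it.  Either drop excess ICMP
# here or remove this rule; as written it only documents an intention.
$ipt -t filter -A INPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
# Non-first fragments.  With connection tracking loaded the kernel reassembles
# before the filter table sees the packet, so this rarely matches.
$ipt -t filter -A INPUT -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
# Log new/invalid packets from every real interface.  Rate-limited: an
# unlimited LOG rule reachable from the Internet lets a remote host fill
# syslog (and the disk) at line rate.  Tune the numbers to taste.
$ipt -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "iniptables:"
# Scan signatures / impossible flag combinations.
$ipt -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Stateful core: replies to connections this host opened, per interface.
$ipt -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# A new TCP connection must begin with a SYN.
$ipt -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Loopback.  NOTE(review): this sits *after* the port blacklist, so a local
# client cannot reach a local service on a blacklisted port via 127.0.0.1;
# the usual layout is "-i lo -j ACCEPT" as the very first rule of the chain.
$ipt -t filter -A INPUT -i lo -j ACCEPT
# DNS.  Clients on the LAN may query the local resolver; nothing on the
# Internet side may (silently dropped rather than rejected).  Answers from the
# upstream servers $dns1/$dns2 to queries this host sent are already matched
# by the ESTABLISHED,RELATED rules above, so there is deliberately no
# "--state NEW --sport domain" accept: such a rule admits any packet whose
# *source* port is 53 to any local port, which an attacker able to spoof
# $dns1/$dns2 can use to bypass the whole chain.  If $dns1/$dns2 must be
# allowed to query or NOTIFY this server, add explicit
# "-s $dns1 ... --dport domain -j ACCEPT" rules ahead of the two drops.
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -i $inet_iface -p udp --dport domain -j DROP
$ipt -t filter -A INPUT -i $inet_iface -p tcp --dport domain -j DROP
# SSH, from the LAN and the VM bridge only, with every new session logged.
# There is no SSH accept on $inet_iface, and OUTPUT drops source port 22
# on that interface as well.
$ipt -t filter -N LOGJOIN
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j LOGJOIN
$ipt -t filter -A LOGJOIN -j LOG --log-prefix "iptenter:"
$ipt -t filter -A LOGJOIN -j ACCEPT
# DHCP server on the LAN side (UDP only; BOOTP/DHCP has no TCP transport).
$ipt -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT
# Services offered on the Internet side.
# NOTE(review): 111 (rpcbind) and 113 (ident) have no business on the
# Internet side — rpcbind is only needed for the LAN-side NFS below — and
# 1863 (MSN) and 5989 (WBEM/CIM) are unusual things to expose.  FTP (20/21)
# and PPTP (1723 + GRE) carry credentials in the clear or over broken crypto
# (MS-CHAPv2); the OpenVPN (1194) and IPsec paths this script also opens are
# the better choice.
$ipt -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT
# LAN side: IPsec (AH/ESP/IKE 500), the service list, NFS (2049) plus what
# look like cluster-suite ports (21064, 11111, 6160, 5404/5405 — confirm),
# Samba (137-139/445), TFTP (69) and NTP (123).  Every rule pairs -s with -i,
# so a spoofed LAN address arriving on another interface does not match.
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p ah -j ACCEPT
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p esp -j ACCEPT
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
# NTP from $ntp (ntpd normally uses 123 on both ends; replies are also
# covered by the ESTABLISHED rule, so this is belt and braces).
$ipt -t filter -A INPUT -p udp -s $ntp -i $inet_iface --dport 123 -j ACCEPT
# GRE for PPTP: from the Internet, the LAN and the VM bridge.
$ipt -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT
$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p gre -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p gre -j ACCEPT
# VM bridge: the same service set as the LAN side, plus DNS and DHCP.
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p ah -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p esp -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -p udp -m multiport --dports 5405,5404 -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -s 192.168.122.0/24 -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
$ipt -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT
# NOTE(review): this catch-all is what makes the ICMP rate limit above
# ineffective.
$ipt -t filter -A INPUT -p icmp --icmp-type any -j ACCEPT
# Everything else: TCP gets a RST, the rest an ICMP port-unreachable (the
# final DROP is never reached).  REJECT is friendlier to LAN clients; on
# $inet_iface a plain DROP would reveal less to scanners.
$ipt -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ipt -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable
$ipt -t filter -A INPUT -j DROP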
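# ---- FORWARD: anti-spoofing on the Internet side -----------------------------
# A packet arriving on $inet_iface must not claim an internal source.
# 172.16.0.0/12 is the whole RFC 1918 block (a /16 left 172.17-31.x.x
# unfiltered); 169.254.0.0/16 (link-local) is never a valid source either.
# NOTE(review): the INPUT chain has no equivalent; its LAN-only accepts pair
# "-s $lan_ip_range" with "-i $lan_iface", which mitigates this for the
# router itself, and net.ipv4.conf.all.rp_filter=1 would cover both chains.
for bogon in $lan_ip_range 192.168.122.0/24 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 ; do
    $ipt -t filter -A FORWARD -s $bogon -i $inet_iface -j DROP
done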
# ---- FORWARD: destination-port blacklist -------------------------------------
# Port ranges and individual ports that are never routed through this box,
# in either direction (no interface match).  These rules precede the
# RELATED,ESTABLISHED rule, so they are evaluated against *every* packet,
# including replies whose destination port is the client's ephemeral port:
# Linux clients (ephemeral ports start at 32768) are unaffected, but a client
# OS that picks ephemeral ports from 1024-5000 (older Windows did) will see
# replies to some of its connections (dport 1025, 1234, 4444, 5000, ...)
# dropped.  Also worth knowing: TCP 22:24 here blocks SSH *through* the
# router, and UDP 4500 blocks IPsec NAT-T pass-through.
while read -r proto range ; do
    $ipt -t filter -A FORWARD -p $proto --dport $range -j DROP
done <<EOF
tcp 0:19
udp 0:19
tcp 22:24
udp 21:79
tcp 26:79
tcp 81:109
udp 81:109
tcp 112
udp 112
tcp 114:138
tcp 140:142
udp 114:442
tcp 144:442
tcp 444
tcp 446:1001
udp 444:1001
EOF
# Individual ports (mostly well-known trojan/backdoor, remote-desktop and
# database ports), TCP then UDP for each.
for port in 31790 31789 31340 31339 31338 31337 31335 30100 27665 27444 27374 \
            23445 23444 19191 14704 10000 9704 9393 8102 8011 7626 7306 6667 \
            6346 6267 6129 6000 5900 5800 5554 5400 5168 5100 5000 4500 4444 \
            3389 3306 3150 3127 3000 2989 2869 2500 2475 2140 2115 2023 2012 \
            2001 2000 1981 1900 1807 1600 1524 1492 1444 1443 1434 1349 1245 \
            1243 1234 1099 1098 1097 1095 1090 1080 1057 1053 1051 1045 1042 \
            1025 1024 1015 1012 1011 1010 ; do
    for proto in tcp udp ; do
        $ipt -t filter -A FORWARD -p $proto --dport $port -j DROP
    done
done
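# ---- FORWARD: policy for routed traffic --------------------------------------
# NOTE(review): echo-request *and* echo-reply are dropped for routed traffic,
# so hosts behind the router can neither be pinged nor ping out; and the ICMP
# rate limit two rules down is a no-op because of the unconditional ICMP
# accept at the end of the chain.
$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-request -j DROP
$ipt -t filter -A FORWARD -p icmp -m icmp --icmp-type echo-reply -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$ipt -t filter -A FORWARD -f -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
# Rate-limited log of new/invalid packets: an unlimited LOG on a forwarding
# path is a syslog/disk-filling vector for anyone outside.
$ipt -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "foriptables:"
# Scan signatures / impossible flag combinations.
$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Return traffic towards the LAN and the VM bridge.  The outbound directions
# have no ESTABLISHED rule; they rely on the per-port accepts below, which
# are not state-qualified.
$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -t filter -A FORWARD -i $lan_iface -o virbr0 -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# LAN <-> VM bridge: any TCP/UDP, both directions.
$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o virbr0 -p tcp -j ACCEPT
$ipt -t filter -A FORWARD -i virbr0 -o $lan_iface -d $lan_ip_range -p tcp -j ACCEPT
$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o virbr0 -p udp -j ACCEPT
$ipt -t filter -A FORWARD -i virbr0 -o $lan_iface -d $lan_ip_range -p udp -j ACCEPT
# LAN <-> Internet by destination port.  There is no 53 or 123 outbound: LAN
# clients must use this router's DNS and NTP.  The Internet -> LAN entries
# only matter for connections DNAT'ed in or routed without NAT; 139/445 (SMB)
# being in that list deserves a second look.  Inbound UDP is held to the
# same port list: an unconditional "-p udp -i $inet_iface -o $lan_iface
# -j ACCEPT" would admit any UDP datagram from the Internet to any LAN port
# and make the list pointless, and replies to LAN-initiated traffic are
# already matched by the RELATED,ESTABLISHED rule above.
$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT
$ipt -t filter -A FORWARD -p gre -s $lan_ip_range -i $lan_iface -o $inet_iface -j ACCEPT
# Same for the VM bridge.
$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d 192.168.122.0/24 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -s 192.168.122.0/24 -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ipt -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -d 192.168.122.0/24 -j ACCEPT
$ipt -t filter -A FORWARD -p gre -s 192.168.122.0/24 -i virbr0 -o $inet_iface -j ACCEPT
# NOTE(review): the GRE pass-through above is for PPTP, whose MS-CHAPv2/MPPE
# are considered broken; OpenVPN (UDP 1194, also passed) is the better
# choice.  IPsec is not forwarded at all: there are no AH/ESP/500 rules in
# this chain and UDP 4500 is dropped by the blacklist above.
$ipt -t filter -A FORWARD -p icmp --icmp-type any -j ACCEPT
$ipt -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$ipt -t filter -A FORWARD -j REJECT --reject-with icmp-port-unreachable
$ipt -t filter -A FORWARD -j DROP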
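# ---- OUTPUT: traffic generated by the router itself --------------------------
# Loopback first: nothing below should ever apply to 127.0.0.0/8 traffic.
# Without this, the source-port drops below also hit a local service
# answering a local client on loopback (and the echo-reply drop further down
# breaks "ping 127.0.0.1").  (The INPUT chain has the same ordering problem —
# its "-i lo" accept sits after the port blacklist — so local services on
# blacklisted ports need that chain fixed as well.)
$ipt -t filter -A OUTPUT -o lo -j ACCEPT
# Source-port blacklist: the router must never *answer* on these ports, a
# second line of defence should a service ever be started on one of them.
# Rows marked "inet" apply only on the Internet side (SSH 22 and DHCP 67/68
# are LAN-only services); "any" applies on every interface.  The gaps in the
# ranges (20/21, 25, 53, 69, 80, 110/111, 113, 123, 139, 143, 443, 445) are
# the ports this host answers on.
while read -r oif proto range ; do
    case "$oif" in
        inet) $ipt -t filter -A OUTPUT -o $inet_iface -p $proto --sport $range -j DROP ;;
        *)    $ipt -t filter -A OUTPUT -p $proto --sport $range -j DROP ;;
    esac
done <<EOF
any  tcp 0:19
any  udp 0:19
inet tcp 22
any  tcp 23:24
any  udp 22:52
any  tcp 26:52
any  tcp 54:66
any  udp 54:66
inet tcp 67
inet udp 67:68
any  tcp 68:79
any  udp 70:79
any  tcp 81:109
any  udp 81:109
any  tcp 112
any  udp 112
any  udp 114:122
any  tcp 114:138
any  tcp 140:142
any  tcp 144:442
any  udp 124:442
any  tcp 444
any  tcp 446:1001
any  udp 444:1001
EOF
# Individual ports (same list as the FORWARD blacklist), TCP then UDP each.
for port in 31790 31789 31340 31339 31338 31337 31335 30100 27665 27444 27374 \
            23445 23444 19191 14704 10000 9704 9393 8102 8011 7626 7306 6667 \
            6346 6267 6129 6000 5900 5800 5554 5400 5168 5100 5000 4500 4444 \
            3389 3306 3150 3127 3000 2989 2869 2500 2475 2140 2115 2023 2012 \
            2001 2000 1981 1900 1807 1600 1524 1492 1444 1443 1434 1349 1245 \
            1243 1234 1099 1098 1097 1095 1090 1080 1057 1053 1051 1045 1042 \
            1025 1024 1015 1012 1011 1010 ; do
    for proto in tcp udp ; do
        $ipt -t filter -A OUTPUT -p $proto --sport $port -j DROP
    done
done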
# ---- OUTPUT: what the router may send ----------------------------------------
# No echo-reply ever leaves this host (it does not answer ping).  The
# rate-limited ICMP accept is followed, at the end of the chain, by an
# unconditional ICMP accept, so in practice every other ICMP type is allowed.
$ipt -t filter -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j DROP
$ipt -t filter -A OUTPUT -p icmp --icmp-type any -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$ipt -t filter -A OUTPUT -o lo -j ACCEPT
# Client traffic to the usual services on any interface, plus answers from
# the local resolver (source port 53).
$ipt -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
$ipt -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT
for proto in tcp udp ; do
    $ipt -t filter -A OUTPUT -p $proto --sport domain -j ACCEPT
done
# Internal interfaces (LAN and the VM bridge): IPsec, NFS/cluster ports,
# SMB, SSH and DHCP/TFTP.  All of these are ACCEPTs with nothing in between,
# so grouping them per interface changes no outcome.
for oif in $lan_iface virbr0 ; do
    $ipt -t filter -A OUTPUT -o $oif -p ah -j ACCEPT
    $ipt -t filter -A OUTPUT -o $oif -p esp -j ACCEPT
    $ipt -t filter -A OUTPUT -o $oif -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
    $ipt -t filter -A OUTPUT -o $oif -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
done
# GRE (PPTP) on every interface; the internal sides are limited to their
# own subnets.
$ipt -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT
$ipt -t filter -A OUTPUT -d $lan_ip_range -o $lan_iface -p gre -j ACCEPT
$ipt -t filter -A OUTPUT -d 192.168.122.0/24 -o virbr0 -p gre -j ACCEPT
$ipt -t filter -A OUTPUT -p icmp --icmp-type any -j ACCEPT
# ---- NAT for everything leaving on the Internet side --------------------------
# A PPP link gets its address dynamically, so MASQUERADE picks it up at
# runtime; a fixed interface is translated to the static $inet_ip.  Nothing
# restricts the source here: whatever FORWARD lets through (the LAN and the
# VM bridge) is translated.
case "$inet_iface" in
    ppp0) $ipt -t nat -A POSTROUTING -o $inet_iface -j MASQUERADE ;;
    *)    $ipt -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip ;;
esac
# ---- ip6tables: default-deny inbound and forwarded, outbound open -------------
# Policies are set before the flush so the host is never open while the
# rules are being rebuilt.  The filter and mangle tables are flushed and
# their user-defined chains deleted.  NOTE(review): "-P OUTPUT ACCEPT" with
# no OUTPUT rules in this section means outbound IPv6 is unrestricted,
# unlike the IPv4 side.
$ip6t -P INPUT DROP
$ip6t -P FORWARD DROP
$ip6t -P OUTPUT ACCEPT
$ip6t -t filter -F
$ip6t -t filter -X
$ip6t -t mangle -F
$ip6t -t mangle -X
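# ---- ip6tables INPUT ---------------------------------------------------------
# NOTE(review): unlike the IPv4 chain there are no source-prefix matches
# here; trust is by interface only.  DHCPv6 uses UDP 546/547, so the 67/68
# rules in this chain are carried over from IPv4 and match nothing on IPv6.
$ip6t -t filter -A INPUT -p udp -i $lan_iface --dport 67 --sport 68 -j DROP
# Do not answer ping6.  NOTE(review): the rate limit below is a no-op because
# all other ICMPv6 is accepted unconditionally at the end of the chain — which
# is the right thing for neighbour discovery; the limit rule could simply go.
$ip6t -t filter -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP
$ip6t -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$ip6t -t filter -A INPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
# The IPv4 chain has a rate-limited accept for fragments at this point.
# ip6tables has no "-f", and a "-m limit ... -j ACCEPT" with no other match
# accepts *every* packet up to the limit — i.e. any port on this host would
# be reachable over IPv6 at 150 packets/s — so no such rule is installed.
# Rate-limited log of new/invalid packets.
$ip6t -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "inip6tables:"
# Scan signatures / impossible flag combinations.
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$ip6t -t filter -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ip6t -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Stateful core: replies to connections this host opened, per interface.
$ip6t -t filter -A INPUT -i $inet_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6t -t filter -A INPUT -i $lan_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip6t -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ip6t -t filter -A INPUT -i lo -j ACCEPT
# DNS queries from the internal interfaces only.  Answers from upstream
# resolvers are matched by the ESTABLISHED,RELATED rules above; accepting NEW
# packets from $inet_iface merely because their *source* port is 53 would let
# any remote host reach any local port by sending from port 53, so there is
# no "--sport domain" accept here.
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
# SSH from the internal interfaces, each new session logged.
$ip6t -t filter -N ip6LOGJOIN
$ip6t -t filter -A INPUT -i $lan_iface -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport 22 -j ip6LOGJOIN
$ip6t -t filter -A ip6LOGJOIN -j LOG --log-prefix "ip6tenter:"
$ip6t -t filter -A ip6LOGJOIN -j ACCEPT
# IPv4 DHCP ports — see the note at the top; harmless but dead on IPv6.
$ip6t -t filter -A INPUT -i $lan_iface -p udp --dport 67 -j ACCEPT
$ip6t -t filter -A INPUT -i $lan_iface -p tcp --dport 67 -j ACCEPT
# Services offered on the Internet side (same list as IPv4; the same
# reservations apply: 111/113/1863/5989, FTP and PPTP).
$ip6t -t filter -A INPUT -i $inet_iface -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A INPUT -i $inet_iface -p udp -m multiport --dports 1863,1194,443,113,111,110,80,20 -j ACCEPT
$ip6t -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT
# Internal interfaces: the full service set.
$ip6t -t filter -A INPUT -i $lan_iface -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A INPUT -i $lan_iface -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
$ip6t -t filter -A INPUT -i $lan_iface -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
$ip6t -t filter -A INPUT -i $lan_iface -p gre -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -p gre -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 1863,1723,995,993,445,443,143,139,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -p tcp -m multiport --dports 21064,11111,6160,5989,2049 -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -p udp -m multiport --dports 5405,5404,1863,1194,500,443,138,137,123,113,111,110,80,69,20 -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m udp -p udp --dport domain -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -m state --state NEW -m tcp -p tcp --dport domain -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT
$ip6t -t filter -A INPUT -i virbr0 -p tcp --dport 67 -j ACCEPT
# All remaining ICMPv6 (neighbour/router discovery must not be blocked).
$ip6t -t filter -A INPUT -p icmpv6 -j ACCEPT
# Everything else: RST for TCP, port-unreachable for the rest; the final
# DROP is never reached.
$ip6t -t filter -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$ip6t -t filter -A INPUT -j REJECT --reject-with icmp6-port-unreachable
$ip6t -t filter -A INPUT -j DROP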
$ip6t -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-request -j DROP
$ip6t -t filter -A FORWARD -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP
$ip6t -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
$ip6t -t filter -A FORWARD -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$ip6t -t filter -A FORWARD -m limit --limit 150/sec --limit-burst 150 -j ACCEPT
$ip6t -t filter -A FORWARD ! -i lo -m state --state NEW,INVALID -j LOG --log-prefix "forip6tables:"
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$ip6t -t filter -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ip6t -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -m state --state RELATED,ESTABLISHED -j ACCEPT
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ip6t -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -p tcp -j ACCEPT
$ip6t -t filter -A FORWARD -i $lan_iface -o virbr0 -p udp -j ACCEPT
$ip6t -t filter -A FORWARD -i virbr0 -o $lan_iface -p tcp -j ACCEPT
$ip6t -t filter -A FORWARD -i virbr0 -o $lan_iface -p udp -j ACCEPT
$ip6t -t filter -A FORWARD -i $lan_iface -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -p tcp -m multiport --dports 8000,1863,1723,995,993,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -i $lan_iface -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -i $inet_iface -o $lan_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -j ACCEPT
$ip6t -t filter -A FORWARD -p gre -i $lan_iface -o $inet_iface -j ACCEPT
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -i virbr0 -o $inet_iface -p tcp -m multiport --dports 8000,1863,1723,445,443,139,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -i $inet_iface -o virbr0 -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -i virbr0 -o $inet_iface -p udp -m multiport --dports 8000,1863,1194,443,113,111,110,80,21,20 -j ACCEPT
$ip6t -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -j ACCEPT
$ip6t -t filter -A FORWARD -p gre -i virbr0 -o $inet_iface -j ACCEPT
$ip6t -t filter -A FORWARD -p icmpv6 -j ACCEPT
$ip6t -t filter -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$ip6t -t filter -A FORWARD -j REJECT --reject-with icmp6-port-unreachable
$ip6t -t filter -A FORWARD -j DROP
$ip6t -t filter -A OUTPUT -p icmpv6 -m icmpv6 --icmpv6-type echo-reply -j DROP
$ip6t -t filter -A OUTPUT -p icmpv6 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$ip6t -t filter -A OUTPUT -o lo -j ACCEPT
$ip6t -t filter -A OUTPUT -p tcp -m multiport --dports 5989,1863,1723,995,993,443,143,113,111,110,80,25,21,20 -j ACCEPT
$ip6t -t filter -A OUTPUT -p udp -m multiport --dports 1863,1194,443,123,113,111,110,80,21,20 -j ACCEPT
$ip6t -t filter -A OUTPUT -p tcp --sport domain -j ACCEPT
$ip6t -t filter -A OUTPUT -p udp --sport domain -j ACCEPT
$ip6t -t filter -A OUTPUT -o $lan_iface -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
$ip6t -t filter -A OUTPUT -o $lan_iface -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
$ip6t -t filter -A OUTPUT -o virbr0 -p tcp -m multiport --dports 21064,11111,6160,2049,445,139,67,22 -j ACCEPT
$ip6t -t filter -A OUTPUT -o virbr0 -p udp -m multiport --dports 5405,5404,500,69,68,67 -j ACCEPT
$ip6t -t filter -A OUTPUT -o $inet_iface -p gre -j ACCEPT
$ip6t -t filter -A OUTPUT -o $lan_iface -p gre -j ACCEPT
$ip6t -t filter -A OUTPUT -o virbr0 -p gre -j ACCEPT
$ip6t -t filter -A OUTPUT -p icmpv6 -j ACCEPT
$ipt -t filter -I FORWARD -i $inet_iface -o virbr0 -p tcp -j ACCEPT
$ipt -t filter -I FORWARD -i virbr0 -o $inet_iface -p tcp -j ACCEPT
$ipt -t filter -I FORWARD -i $inet_iface -o virbr0 -p udp -j ACCEPT
$ipt -t filter -I FORWARD -i virbr0 -o $inet_iface -p udp -j ACCEPT
$ipt -t nat -I PREROUTING -p tcp -d $inet_ip --dport 80 -j DNAT --to 192.168.122.192:80
$ipt -t nat -I PREROUTING -p udp -d $inet_ip --dport 80 -j DNAT --to 192.168.122.192:80
$ipt -t nat -I PREROUTING -p tcp -d $lan_ip --dport 80 -j DNAT --to 192.168.122.192:80
$ipt -t nat -I PREROUTING -p udp -d $lan_ip --dport 80 -j DNAT --to 192.168.122.192:80
- 运行 snort.sh 之后保存防火墙配置
service iptables save
service ip6tables save
或者
/etc/init.d/iptables save
/etc/init.d/ip6tables save
可以在/var/log/messages文件中查看记录信息。
在/etc/crontab中加入如下信息:
# iptables reload(每隔30分钟运行一次防火墙配置)
# NOTE(review): every run re-appends (-A) the whole rule set unless snort.sh
# flushes the tables first (the start of the script is not shown here);
# without a flush the chains grow by a full copy every 30 minutes — confirm
# the script begins with -F/-X before relying on this schedule.
*/30 * * * * root /etc/rc.d/snort.sh
实际使用中必须执行 service iptables restart 和 service ip6tables restart
更改自启动firewall+[IDS]
ntsysv
最后使用 ip route 更新路由设置
Fedora-14使用中存在的bug
以下是中文(zh_cn)GNOME2.32.0界面中应用软件存在的bug
- 系统>>管理>>防火墙
防火墙配置>>icmp过滤器>>重新定向
"这个出错信息让主机想另一个路由中发送数据包" 软件中文界面解释中“想”应修改为“向”;完整修改如下: "这个出错信息让主机向另一个路由中发送数据包"
- GNU桌面下计算机>>文件系统>>属性中显示的容量错误,为128.0TB(未按实际容量显示;尚不清楚是否因系统只支持128.0TB的硬盘容量)