resource from : IBM
***Packet Filtering and Network Address Translation
只有 incoming Packet 才會參考 -i 的規則
***Tables:
filter
nat: snat,dnat
mangle 亂砍
***other features
transparent proxying
#a packet that needs to be routed is sent to the local system (e.g. proxy) instead (DNAT)
Port forwarding
#a packet that is sent to a local port is masqueraded and sent to another server instead (DNAT)
#useful if you have an internet web server inside the firewall
Stateful TCP inspection
#Requires ipt_state kernel module
Packet Mangling
#change IP and TCP options on packets in transit
***command
-L List all rules
-F Flush all rules 清空
-Z Zero all counters 計數器清空
-A Append a rule
-I insert a rule #first match
-P Default action for this chain
-N Create user defined chain
-X Delete user defined chain
-D Delete rules
-R replace rule
***parameters
-i incoming interface
-o outgoing interface
-p protocol
-s source-IP
--sport source-port
-d destination-IP
--dport destination-port
--icmp-type type
Use ! to negate options
***Targets:
Basic:ACCEPT,DROP
Extended:REJECT,LOG
TABLE -cmd ***CHAIN *****************RULE -J (POLICY)
iptable -t table -D -R
filter
nat
mangle
-p tcp --dport 80 -i eth0 -s 1.2.3.4
也可以啥都不寫
-s -d ip net/mask --sport p1
--dport p1:p2
p2:
:p2
FQDN (
www.google.com) DNS
4. --icmp-type type or type/code, e.g. 3/0 3/2 3/4 destination unreachable, 8 (echo request)
5. verify with windows
IPTABLE -T TABLE
iptables -X #順序看版本
iptables -F #再沒 default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT #內部interface
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i ppp0 -j ACCEPT #如果不是外部的位置 ppp0 外部介面
iptables -A OUTPUT -o ppp0 -j ACCEPT 從外部進來的ip擋掉
如果沒有-t 就是filter, 沒有就是全部drop掉
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
針對ip詐騙,對外的interface卻有內部的ip,奇怪的ip通通DROP掉
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -d 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp0 -d 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -d 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -d 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 0.0.0.0 -j DROP
iptables -A INPUT -i ppp0 -d 255.255.255.255 -j DROP
***允許icmp
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 0 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 0 -j ACCEPT
***other icmp filtering
destination unreachable (3)
Source Quench (4)
Time exceeded (11)
Parameter Problem (12)
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 3 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 4 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 4 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 11 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 12 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 12 -j ACCEPT
#0.0.0.0 是真的ip為0
#0.0.0.0/0 任何位置都可以
***outgoing tcp/udp connection
#source port >1023
#destination port <=1023
iptables -A OUTPUT -o ppp0 -p tcp -s 62.186.134.70 --sport 1024: -d any/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s any/0 --sport :1023 -d 62.186.134.70 --dport 1024: -j ACCEPT
***Identd
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -Z #歸零
***ping得出去 別人ping 不出來
iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -s 10.11.1.254 -d 0.0.0.0/0 -j ACCEPT
iptables -D INPUT 3 #delete rule 3
iptables -D OUTPUT 3
iptables -v -L
iptables -I OUTPUT 2 -O eth
iptables -I OUTPUT 2 -o eth
iptables -I INPUT 2 -i eth
iptables -v -L
iptables -I OUTPUT 3 -o eth0 -p icmp
iptables -I INPUT 3 -i eth0 -p icmp
iptables -v -L
iptables-save
INPUT -i lo -j ACCEPT
INPUT -d 10.1.1.254 -i eth0 -p icmp -m icmp
INPUT -i eth0 -p icmp -j DROP
INPUT -i eth0 -j ACCEPT
***
vi my.iptables.sh
./my.iptables.sh
iptables-save
ftp 10.1.1.254
***Identd********
vi /etc/hosts.deny
.....................
vsftpd: ALL: DENY
vsftpd: KNOWN@ALL
..........................
cd iptables
iptables -A INPUT -o eth0 -p icmp --icmp-type 8 -s 10.11.1.254 -d 0.0.0.0/0 -j ACCEPT
iptables-save = iptables -v -L
iptables-save > my.rules 保存規則
service iptables stop
iptables -v -L
iptables-restore < my.rules
vi myiptable
#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/bin
iptables -F
iptables -X
-Use --log-level #specify log level, kernel log, syslogd
-Use --log-prefix to specify prefix #加上標籤可以過濾
-Use --limit to specify maximum average #每分鐘最多紀錄的封包平均值
-Use --limit-burst to specify maximum initial number 觸發limit的點 允許封包的初始值
iptables -I INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "Incoming IP Packet"
#一分鐘最多紀錄3個封包, 一分鐘觸發limit 是三個封包
-m state --state <STATE>
NEW
-i
-o
-m state --state <STATE>
NEW #出去可以
ESTABLISHED #NEW連線已接上所以可以接受
RELATED #NEW連線已接上所以可以接受
INVALID
-s $INT_TRUST_IP #只要內部那依台
--state INVALID -j DROP #只要封包非法
--state ESTABLISHED,RELATED -j ACCEPT #NEW 已經建立
cp my.iptables.sh iptables2.sh
service iptables stop #會清空
Output 可以不管
modprobe ip_conntrack_ftp
***Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
--dport :1023 -j SNAT --to-source 62.186.134.70
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
--dport :1023 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
--dport :1023 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
--dport :1023 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
***enable ssh
iptables -A INPUT -i $INT_IF -p tcp --dport 22 -s $INT_TRUST_IP -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport -j ACCEPT
icmp type 0 8 3 4 11
port www tcp 80, dns udp 53, ftp tcp 21, tcp email
output
iptables -A OUTPUT -d 1.2.3.4 -j DROP #-d 也可以用DOMAIN NAME FQDN
***NAT
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe ip_conntrack_irc ip_nat_ftp
add to /etc/rc.local
or /etc/modules.conf
***saving and restoring rules
/sbin/iptables-save > iptables.rules
cat /etc/iptables.rule
iptables -F
iptables -X
/sbin/iptables-restore < iptables.rules
REDHAT
cat /etc/sysconfig/iptables
service iptables panic
chkconfig --list iptables
modprobe
/etc/rc.local
/etc/rc5.d/Sxx 都會跑
***讓重開機可以load rule
echo /root/iptables/iptables.sh >> /etc/rc.d/rc.local
#如果網路從跑
service iptables save 放在shell script 最後一行
***圖形介面
##Suse
SuSEfirewall
/etc/
#http://www.fwbuilder.org
supports:
ipfilter
OpenBSD PF
Cisco PIX
iptables -A OUTPUT -o ppp0 -p udp -s 62.186.134.70 --sport 1024: -d any/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s any/0 --sport :1023 -d 62.186.134.70 --dport 1024: -j ACCEPT
**fw
iptables -n -L
#delete all user-defined chains
iptables -X
#flush all rules
iptables -F
#set the default policy for the input,output, and forward chain
iptables -P INPUT DROP
#add the rules to allow traffic over the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#unlimited traffic over the internal interface
iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
#sending packets which are not destined to/originating from the external interfaces IP address
iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d ! 10.0.0.1 -j DROP
iptables -A OUTPUT -o eth0 -s ! 10.0.0.1 -d 0.0.0.0/0 -j DROP
#protect your external interface from receiving and/or sending packets from/to IP addresses which are certain to be spoofed
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport :1024 -j SNAT --to-source 10.0.0.1
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to-source 10.0.0.1
#using MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1023 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1023 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1023 -j MASQUERADE
#FORWARD
iptables -A FORWARD -i ppp0 -o eth0 -p tcp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1024 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p tcp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1024 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1024 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1024 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p icmp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1024 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p icmp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport:1024 -j ACCEPT
#turn the forwarding on
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
............
net.ipv4.ip_forward = 1
............
**ws
ping the teacher
telnet teacher
**teacher
can not ping the ws
telnet ws
#list firewall rules
iptables -L -n -v --line-numbers
#SUSE
vi /etc/init.d/iptables
ln -s /etc/init.d/iptables /sbin/rciptables
#iptables script, save the firewall rules
service iptables save
#suse rciptables save
vi /etc/sysconfig/iptables
#suse chkconfig SuSEfirewall2 off
chkconfig iptables on
reboot
iptables -L -n -v --line-numbers
#execute a panic denial of all packets
service iptables panic
suse rciptables panic
#restore all iptables rules
service iptables restart
suse rciptables restart
code stolen from netman
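#!/bin/bash
# Firewall for a dual-homed host: the internal interface is fully trusted,
# the external interface admits only ICMP, the replies to this host's own
# TCP/UDP client connections (matched by port range, not by state) and
# rejects identd. All three chains default to DROP, so anything not
# explicitly accepted below is silently discarded.
#
# Must run as root. Edit INT_IF / EXT_IF for the host; EXT_IP is discovered.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
set -u   # an unset variable would silently turn a rule into a wildcard

INT_IF=eth0   # trusted side
EXT_IF=eth1   # untrusted side

# First IPv4 address on the external interface. Handles both net-tools
# output styles ("inet addr:A.B.C.D" and "inet A.B.C.D").
EXT_IP=$(ifconfig "$EXT_IF" | awk '/inet /{sub(/^addr:/, "", $2); print $2; exit}')
: "${EXT_IP:?cannot determine the IPv4 address of $EXT_IF}"

### initial
# Set the DROP policies before flushing so the host is never open while the
# ruleset is being rebuilt.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X

# loopback is unrestricted
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# internal interface is unrestricted
iptables -A INPUT -i "$INT_IF" -j ACCEPT
iptables -A OUTPUT -o "$INT_IF" -j ACCEPT

# On the external interface only packets addressed to / sent from our own
# address are valid. "! -d" is the extrapositioned negation; the older
# "-d !" spelling is deprecated and rejected by newer iptables releases.
iptables -A INPUT -i "$EXT_IF" ! -d "$EXT_IP" -j DROP
iptables -A OUTPUT -o "$EXT_IF" ! -s "$EXT_IP" -j DROP

### reserved ip
# Private and loopback ranges can never legitimately appear on the external
# interface (classic address spoofing). 10.0.0.0/8 is intentionally not
# listed, as in the original; add it if the external link never carries it.
for net in 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
  iptables -A INPUT -i "$EXT_IF" -s "$net" -j DROP
  iptables -A OUTPUT -o "$EXT_IF" -d "$net" -j DROP
done
iptables -A INPUT -i "$EXT_IF" -s 0.0.0.0 -j DROP
iptables -A OUTPUT -o "$EXT_IF" -d 255.255.255.255 -j DROP

### icmp
# Echo request/reply (8/0) in both directions plus the error/control types
# destination-unreachable (3), source-quench (4), time-exceeded (11) and
# parameter-problem (12). The original's "-s 0.0.0.0/0" / "-d 0.0.0.0/0"
# matched everything and are omitted.
for t in 8 0 3 4 11 12; do
  iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p icmp --icmp-type "$t" -j ACCEPT
  iptables -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -p icmp --icmp-type "$t" -j ACCEPT
done

### tcp/udp
# Stateless "client" rules: we connect from an unprivileged port (>= 1024)
# to a service port (<= 1023) and accept the mirror image back.
# NOTE(review): because no -m state is used, a *new* inbound connection from
# a source port <= 1023 to a local port >= 1024 also matches the INPUT rule;
# "-m state --state ESTABLISHED,RELATED" is the safer replacement.
for proto in tcp udp; do
  iptables -A OUTPUT -o "$EXT_IF" -p "$proto" -s "$EXT_IP" --sport 1024: --dport :1023 -j ACCEPT
  iptables -A INPUT -i "$EXT_IF" -p "$proto" -d "$EXT_IP" --dport 1024: --sport :1023 -j ACCEPT
done

### identd
# REJECT rather than DROP so remote ident lookups fail immediately instead of
# waiting for a timeout.
iptables -A INPUT -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 113 -j REJECT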
server firewall
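#!/bin/bash
# Server firewall: INPUT and FORWARD default to DROP; replies to connections
# this host opened are accepted statefully; a fixed set of public services is
# published on the external interface; one trusted host on the internal
# interface gets in unconditionally. OUTPUT keeps its default policy except
# for an explicit block list at the end.
#
# Must run as root. Edit INT_IF / EXT_IF / INT_TRUST_IP for the host.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
set -u   # an unset variable would silently turn a rule into a wildcard

# FTP connection-tracking helper (nf_conntrack_ftp on newer kernels), so FTP
# data connections are classified as RELATED and pass the state rule below.
modprobe ip_conntrack_ftp

INT_IF=eth1
INT_TRUST_IP=192.168.5.2   # the only internal host admitted without restriction
EXT_IF=eth0
# First IPv4 address on the external interface; handles both net-tools
# output styles ("inet addr:A.B.C.D" and "inet A.B.C.D").
EXT_IP=$(ifconfig "$EXT_IF" | awk '/inet /{sub(/^addr:/, "", $2); print $2; exit}')
: "${EXT_IP:?cannot determine the IPv4 address of $EXT_IF}"

### initial
# The distro init script clears the old ruleset. The policies are then set to
# DROP *before* an explicit flush, so the host is never open while the rules
# are rebuilt, and the flush guarantees a clean slate even where that init
# script is unavailable (otherwise every run would append duplicate rules).
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X

# State rules first: drop malformed packets, accept replies and related
# connections (e.g. FTP data) for anything already permitted.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i "$INT_IF" -s "$INT_TRUST_IP" -j ACCEPT
# External interface: only packets addressed to our own address are valid.
# "! -d" is the extrapositioned negation; "-d !" is rejected by newer iptables.
iptables -A INPUT -i "$EXT_IF" ! -d "$EXT_IP" -j DROP

### reserved ip
# Private/loopback source addresses can never legitimately arrive on the
# external interface. 10.0.0.0/8 was disabled in the original (and had a
# malformed prefix, "10.0.0/8"); it is kept disabled here, with the prefix
# corrected, so it can be enabled as-is.
#iptables -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
for net in 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0; do
  iptables -A INPUT -i "$EXT_IF" -s "$net" -j DROP
done

### icmp
# echo reply/request (0/8), destination-unreachable (3), source-quench (4),
# time-exceeded (11), parameter-problem (12)
for t in 0 8 3 4 11 12; do
  iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p icmp --icmp-type "$t" -j ACCEPT
done

### service
# Published services. Each is reachable from any source on the external
# interface, so the daemons behind these ports are the exposed surface.
iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 -j ACCEPT # www
iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p udp --dport 53 -j ACCEPT # dns
# Disabled in the original: TCP/53 limited to the named secondaries for
# zone transfers. Keep the -s restriction if these are enabled.
#iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 53 -s 4.3.2.1 -j ACCEPT # dns-zonetransfer
#iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 53 -s 4.3.2.2 -j ACCEPT # dns-zonetransfer
iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 -j ACCEPT # ftp
iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 25 -j ACCEPT # email

### identd
# REJECT rather than DROP so remote ident lookups fail immediately instead
# of waiting for a timeout.
iptables -A INPUT -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 113 -j REJECT

### output
# Outbound block list; the addresses look like placeholders — adjust per host.
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP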
***nat 與router 有一樣的效果
route -n
***nat
nat 將私有ip轉換為外部ip,送出internet
nat 再將外部ip轉回nat的 封包轉換 destination ip:私有ip 送回來
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe ip_conntrack_irc ip_nat_ftp
#use post-install in /etc/modules to load modules automatically
post-install ip_conntrack modprobe ip_conntrack_ftp
post-install iptables_nat modprobe ip_nat_ftp
#nat 將通過 ppp0 對外網卡 的 封包,私有ip 10.0.0.2:1287 轉換為外部ip 62.186.134.70:4011,送出internet,如果ppp0上面的外部ip為浮動的,建議使用 MASQUERADE 動作
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 --dport :1023 -j SNAT --to-source 62.186.134.70
或是
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 --dport :1023 -j MASQUERADE
#從內部網卡 到連接 外部網卡介面的封包 如果是1024port 以上的(Client) 是forward 的 就接受
iptables -A FORWARD -i eth0 -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
--dport :1023 -j ACCEPT
#從外部網卡介面 到連接內部網卡 的封包 如果是1024port 以下的(server) 是forward 的 就接受
iptables -A FORWARD -i ppp0 -o eth0 -p tcp -s ! 10.0.0.0/24 --sport :1023 -d 10.0.0.0/24 --dport 1024: -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
--------------------------------------------------------
***ipt.client.sh
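#!/bin/bash
# Client firewall: INPUT and FORWARD default to DROP; replies to connections
# this host opened are accepted statefully; no services are published on the
# external interface; one trusted host on the internal interface gets in
# unconditionally. OUTPUT keeps its default policy except for an explicit
# block list at the end.
#
# Must run as root. Edit INT_IF / EXT_IF / INT_TRUST_IP for the host.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
set -u   # an unset variable would silently turn a rule into a wildcard

# FTP connection-tracking helper (nf_conntrack_ftp on newer kernels), so FTP
# data connections are classified as RELATED and pass the state rule below.
modprobe ip_conntrack_ftp

INT_IF=eth1
INT_TRUST_IP=192.168.5.2   # the only internal host admitted without restriction
EXT_IF=eth0
# First IPv4 address on the external interface; handles both net-tools
# output styles ("inet addr:A.B.C.D" and "inet A.B.C.D").
EXT_IP=$(ifconfig "$EXT_IF" | awk '/inet /{sub(/^addr:/, "", $2); print $2; exit}')
: "${EXT_IP:?cannot determine the IPv4 address of $EXT_IF}"

### initial
# The distro init script clears the old ruleset. The policies are then set to
# DROP *before* an explicit flush, so the host is never open while the rules
# are rebuilt, and the flush guarantees a clean slate even where that init
# script is unavailable (otherwise every run would append duplicate rules).
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X

# State rules first: drop malformed packets, accept replies and related
# connections (e.g. FTP data) for anything already permitted.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i "$INT_IF" -s "$INT_TRUST_IP" -j ACCEPT
# External interface: only packets addressed to our own address are valid.
# "! -d" is the extrapositioned negation; "-d !" is rejected by newer iptables.
iptables -A INPUT -i "$EXT_IF" ! -d "$EXT_IP" -j DROP

### reserved ip
# Private/loopback source addresses can never legitimately arrive on the
# external interface. 10.0.0.0/8 was disabled in the original (and had a
# malformed prefix, "10.0.0/8"); it is kept disabled here, with the prefix
# corrected, so it can be enabled as-is.
#iptables -A INPUT -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
for net in 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0; do
  iptables -A INPUT -i "$EXT_IF" -s "$net" -j DROP
done

### icmp
# echo reply/request (0/8), destination-unreachable (3), source-quench (4),
# time-exceeded (11), parameter-problem (12)
for t in 0 8 3 4 11 12; do
  iptables -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p icmp --icmp-type "$t" -j ACCEPT
done

### service
# none published on this host; add per-port ACCEPT rules here if needed

### identd
# REJECT rather than DROP so remote ident lookups fail immediately instead
# of waiting for a timeout.
iptables -A INPUT -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 113 -j REJECT

### output
# Outbound block list; the addresses look like placeholders — adjust per host.
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP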
from netman