Warning

Unless explicitly stated otherwise in the following recipe, service setup is described for Ubuntu 20.04 Server, and applications are described for an Xubuntu 20.04 workstation. If you use a different Ubuntu version or Linux distribution, the settings, as well as the content, names and locations of configuration files, may differ!

Iptables example for a workstation

#!/bin/sh

# Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

# Flush all specific rules
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -F -t filter

# Set counters to zero
iptables -Z
iptables -Z -t mangle
iptables -Z -t nat
iptables -Z -t filter

# Configure default policies (-P): the rule applied when no more specific
# rule below matches. Defaults are to DROP anything sent to the firewall or
# forwarded to the internal network, and to permit anything going out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

##########
# Allow  #
##########
# Allow ICMP from anywhere
iptables -A INPUT -p icmp -j ACCEPT

# Allow ICMP echo replies from anywhere (already covered by the rule above)
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Permit packets in to firewall itself that are part of existing and related connections.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable SSH on port 22 from anywhere
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT

# Allow all inputs to firewall from the internal network and local interfaces
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i vmnet1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i vmnet8 -s 0/0 -d 0/0 -j ACCEPT

###############
# MASQUERADE  #
###############
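# Masquerade VMware NAT subnet packets (10.0.100.0/24 in this case).
# Note: the FORWARD policy is DROP and this script adds no FORWARD rules, so
# packets routed from that subnet are dropped before they reach this rule.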
iptables -A POSTROUTING -t nat -s 10.0.100.0/24 -o eth0 -j MASQUERADE

# Finally, DROP all connection requests not yet provided
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
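
Rules in a chain are evaluated in order and the first terminating match wins, so a narrower rule appended after a broader one never fires (here, the echo-reply rule after the blanket ICMP ACCEPT). The check below is an added example, not part of the original recipe: it flags such shadowed rules in a list of `iptables -A` commands. The function names `page_rules` and `shadowed_rules` are hypothetical, and options are compared as literal strings.

```shell
# Added example, not from the original recipe; function names are hypothetical.
page_rules() {   # the -A lines of the recipe, in the order they are appended
cat <<'EOF'
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i vmnet1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i vmnet8 -s 0/0 -d 0/0 -j ACCEPT
iptables -A POSTROUTING -t nat -s 10.0.100.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
EOF
}

# Report rules that can never match: an earlier rule in the same table/chain
# has a terminating target and its match options are a subset of this rule.
# Assumption: literal comparison only ("0/0" is ignored; "!" negation,
# equivalent CIDRs and option aliases are not understood).
shadowed_rules() {
    awk '
    function flush_opt() {
        if (key == "") return
        if (key == "-A") chain[n] = val
        else if (key == "-t") table = val
        else if (key == "-j") target[n] = val
        else if (!((key == "-s" || key == "-d") && val == "0/0")) {
            list[n, ++nopt[n]] = key "=" val; opts[n, key "=" val] = 1
        }
        key = ""
    }
    /^iptables / && / -A / {
        n++; nopt[n] = 0; text[n] = $0; table = "filter"; key = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { flush_opt(); key = $i; val = "" }
            else val = (val == "" ? "" : val " ") $i
        }
        flush_opt(); chain[n] = table "/" chain[n]
    }
    END {
        for (j = 2; j <= n; j++) for (i = 1; i < j; i++) {
            if (chain[i] != chain[j] || target[i] !~ /^(ACCEPT|DROP|REJECT)$/) continue
            covered = 1
            for (k = 1; k <= nopt[i]; k++) if (!((j, list[i, k]) in opts)) covered = 0
            if (covered) { print "rule " j " is shadowed by rule " i ": " text[j]; break }
        }
    }'
}
page_rules | shadowed_rules
```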

 
 
Tags: Linux, Security, Network
Created by Valdis Vītoliņš on 2008-08-09 07:38
Last modified by Valdis Vītoliņš on 2025-05-18 19:11
Creative Commons Attribution 3.0 Unported License