sergleo


Code:
#------------------------------------------------------------
# DNS Name Server
# DNS Forwarding Name Server or client requests
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport 1024:65535 -d x1.x1.x1.x1 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s x1.x1.x1.x1 --sport domain -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport 1024:65535 -d x2.x2.x2.x2 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s x2.x2.x2.x2 --sport domain -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# TCP is used for large responses
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 -d x1.x1.x1.x1 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn -s x1.x1.x1.x1 --sport domain -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 -d x2.x2.x2.x2 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn -s x2.x2.x2.x2 --sport domain -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# DNS Caching Name Server (local server to primary server)
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport domain -d x1.x1.x1.x1  --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s x1.x1.x1.x1  --sport domain -d x.x.x.x --dport domain -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport domain -d x2.x2.x2.x2 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s x2.x2.x2.x2 --sport domain -d x.x.x.x --dport domain -j ACCEPT
#...............................................................
# DNS full nameserver - client to server DNS transaction
-A INPUT  -i eth1 -p udp --sport 1024:65535 -d x.x.x.x --dport domain -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport domain --dport 1024:65535 -j ACCEPT
#...............................................................
# peer-to-peer server DNS transaction
-A INPUT  -i eth1 -p udp -s x1.x1.x1.x1  --sport domain -d x.x.x.x --dport domain -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport domain -d x1.x1.x1.x1 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s x2.x2.x2.x2  --sport domain -d x.x.x.x --dport domain -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport domain -d x2.x2.x2.x2 --dport domain -j ACCEPT
#...............................................................
# Zone Transfers: because of the potential danger of zone transfers, only allow TCP traffic to specific secondaries.
-A INPUT  -i eth1 -p tcp -s x1.x1.x1.x1 --sport 1024:65535 -d x.x.x.x --dport domain -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport domain -d x1.x1.x1.x1 --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p tcp -s x2.x2.x2.x2 --sport 1024:65535 -d x.x.x.x --dport domain -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport domain -d x2.x2.x2.x2 --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# Filtering the AUTH User Identification Service (TCP Port 113)
# Outgoing Local Client Requests to Remote Servers
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport auth -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport auth -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport auth -j REJECT --reject-with tcp-reset
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport auth --dport 1024:65535 -j REJECT --reject-with tcp-reset

#------------------------------------------------------------
# Sending Mail to Any External Mail Server
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport smtp -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport smtp -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Receiving Mail as a Local SMTP server (25)
# "any/0" is not a valid iptables address; 0.0.0.0/0 (or simply omitting -s/-d) means "any host"
-A INPUT  -i eth1 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d x.x.x.x --dport smtp -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport smtp -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# Retrieving Mail as a POP Client (TCP Port 110)
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport pop3 -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport pop3 -d x.x.x.x --dport 1024:65535 -j ACCEPT
#............................................................
# Hosting a Server for Remote Clients
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport pop3 -j REJECT --reject-with tcp-reset
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport pop3 --dport 1024:65535 -j REJECT --reject-with tcp-reset

#------------------------------------------------------------
# Retrieving Mail as an IMAP Client (TCP Port 143)
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport imap -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport imap -d x.x.x.x --dport 1024:65535 -j ACCEPT
#............................................................
# Hosting a Server for Remote Clients
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport imap -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport imap --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# ssh (TCP Port 22)
# Outgoing Local Client Requests to Remote Servers
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport ssh -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport ssh -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport ssh -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport ssh --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# HTTP Web Traffic (TCP Port 80)
# Outgoing Local Client Requests to Remote Servers
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport http -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport http -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport http -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport http --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# SSL Web Traffic (TCP Port 443)
# Outgoing Local Client Requests to Remote Servers
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport https -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport https -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport https -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport https --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# TELNET (23) Allowing Outgoing Client Access to Remote Sites
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport telnet -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport telnet -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Allowing Incoming Access to Your Local Server
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport telnet -j REJECT --reject-with tcp-reset
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport telnet --dport 1024:65535 -j REJECT --reject-with tcp-reset

#------------------------------------------------------------
# FINGER (79) Accessing Remote finger Servers as a Client
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport finger -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport finger -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Allowing Remote Client Access to a Local finger Server
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport finger -j REJECT --reject-with tcp-reset
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport finger --dport 1024:65535 -j REJECT --reject-with tcp-reset

#------------------------------------------------------------
# whois (TCP Port 43)
# Outgoing Local Client Requests to Remote Servers
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport nicname -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport nicname -d x.x.x.x --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# Gopher client (70)
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport gopher -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport gopher -d x.x.x.x --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# WAIS client (210)
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport 210 -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport 210 -d x.x.x.x --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# MySQL server (3306)
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport mysql -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport mysql --dport 1024:65535 -j ACCEPT

-------
Best regards, SergLeo


Posted: 11:54, 24-02-2006 | #9
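The rule set above follows one pattern throughout: a client rule in OUTPUT, a matching reply rule in INPUT restricted with `! --syn`, and server rules that either ACCEPT or REJECT new connections. The script below is an added example, not part of sergleo's post, that lints a dump of that style for the mistakes easiest to make in it: a service accepted from any source (MySQL in the post is one), a reply rule that forgot `! --syn` and therefore also admits fresh inbound connections, a client rule with no reply rule at all, and an address token such as `any/0` that iptables will refuse to load. It assumes rules are given as `-A CHAIN ...` lines using the options seen in the post; the `x.x.x.x`-style placeholders are accepted as addresses so the post's own lines can be fed in unchanged. The sample at the bottom is constructed: a handful of lines copied from the post plus a whois reply rule and a gopher client rule deliberately made faulty.

```python
# Added example (not the poster's code): lint an iptables "-A ..." dump of the
# kind in the post. x.x.x.x-style placeholders are accepted as addresses.
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Literal IPv4/CIDR or the post's placeholders; anything else ("any/0",
# hostnames) is reported, since iptables resolves or rejects it at load time.
ADDR_RE = re.compile(r"^[0-9x]{1,4}(\.[0-9x]{1,4}){3}(/\d{1,2})?$")

# Services that deserve a source restriction when INPUT accepts them.
REVIEW = {"telnet": "cleartext login", "finger": "user enumeration",
          "pop3": "cleartext mail", "imap": "cleartext mail",
          "mysql": "database port; restrict to known client addresses"}

# iptables option -> Rule field it fills
FIELDS = {"-p": "proto", "-s": "src", "-d": "dst", "-j": "target",
          "--sport": "sport", "--source-port": "sport",
          "--dport": "dport", "--destination-port": "dport"}

@dataclass
class Rule:
    chain: str
    raw: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    target: Optional[str] = None
    not_syn: bool = False  # carries "! --syn": matches reply packets only

def parse_rule(line):
    """Parse one "-A ..." line; comments and blank lines yield None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    r, i = Rule(chain=toks[1], raw=line.strip()), 2
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == "!" and nxt == "--syn":
            r.not_syn = True
        elif t in FIELDS:
            setattr(r, FIELDS[t], nxt)
        else:  # -i, -o, --reject-with ...: irrelevant to this audit
            i += 1
            continue
        i += 2
    return r

def is_any(addr):
    return addr is None or addr.endswith("/0")

def exposed_services(rules):
    """(proto, port) pairs that INPUT accepts from any source."""
    return [(r.proto, r.dport) for r in rules
            if r.chain == "INPUT" and r.target == "ACCEPT"
            and r.dport and r.dport != "1024:65535" and is_any(r.src)]

def bad_addresses(rules):
    return [(a, r.raw) for r in rules for a in (r.src, r.dst)
            if a is not None and not ADDR_RE.match(a)]

def missing_syn_guard(rules):
    """TCP reply rules (INPUT to ephemeral ports) that also admit a fresh SYN."""
    return [r.raw for r in rules
            if r.chain == "INPUT" and r.proto == "tcp" and r.target == "ACCEPT"
            and r.dport == "1024:65535" and not r.not_syn]

def unanswered_client_rules(rules):
    """OUTPUT client rules whose replies no INPUT rule accepts."""
    replies = {(r.proto, r.sport) for r in rules if r.chain == "INPUT"
               and r.target == "ACCEPT" and r.dport == "1024:65535"}
    return [r.dport for r in rules
            if r.chain == "OUTPUT" and r.target == "ACCEPT"
            and r.sport == "1024:65535" and (r.proto, r.dport) not in replies]

def audit(text):
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    out = [f"{p}/{d} accepted from any source" + (f" ({REVIEW[d]})" if d in REVIEW else "")
           for p, d in exposed_services(rules)]
    out += [f"address {a!r} will not load: {raw}" for a, raw in bad_addresses(rules)]
    out += [f"reply rule lacks '! --syn': {raw}" for raw in missing_syn_guard(rules)]
    out += [f"client rule to {d} has no reply rule" for d in unanswered_client_rules(rules)]
    return out

# Constructed sample: lines from the post plus two deliberately flawed ones
# (the whois reply rule lacks "! --syn"; the gopher client rule has no reply rule).
SAMPLE = """
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport 1024:65535 -d x1.x1.x1.x1 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s x1.x1.x1.x1 --sport domain -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport ssh -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --source-port ssh -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport ssh -j ACCEPT
-A INPUT  -i eth1 -p tcp -s any/0 --sport 1024:65535 -d x.x.x.x --dport smtp -j ACCEPT
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport mysql -j ACCEPT
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport nicname -j ACCEPT
-A INPUT  -i eth1 -p tcp --sport nicname -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport gopher -j ACCEPT
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pasting the post's whole block in place of `SAMPLE` reports the MySQL, IMAP, HTTP and SSH server rules as reachable from any source and the original `any/0` tokens as unloadable, which is the review a practitioner would want before loading such a set. The checker deliberately treats a REJECT rule as not exposing anything and ignores interface and `--reject-with` options, so it is a first pass over the rule structure, not a substitute for reading the policy.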