在网上搜索了很久,许多网友也给出了一些iptables方法,但我试了都没用。
想在这里问一下:iptables规则文件是不是放在这个目录下:/tmp/etc/iptables ?
应该怎么设置,才能封住TCP 2000-65535的目的端口,同时开放8080这个TCP端口?
=== 以下是网上找的,都没用
-A QOSO -p tcp -m multiport --dports
iptables -I FORWARD $a -s $i -p udp --dport 1024:65535 -j REJECT --reject-with icmp-proto-unreachable
iptables -I FORWARD -o vlan1 -j DROP
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
用iptables来封端口,详细用法请google,以下给出一个简单的例子。注意iptables是按顺序匹配规则的:要封TCP 2000:65535却放行8080,放行8080的ACCEPT规则必须排在封锁整个范围的DROP规则之前(用-I插入时,后执行的命令会排在前面)。
#封tcp协议目的端口1234
iptables -I FORWARD -i br0 -p tcp --dport 1234 -j DROP
========
--
以下是我个人路由器里的iptables信息。
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:QOSO - [0:0]
-A QOSO -j CONNMARK --restore-mark --mask 0xff
-A QOSO -m connmark ! --mark 0/0x0f00 -j RETURN
:QOSSIZE - [0:0]
-I QOSO 3 -m connmark ! --mark 0/0xff000 -j QOSSIZE
-I QOSO 4 -m connmark ! --mark 0/0xff000 -j RETURN
-A QOSSIZE -m connmark --mark 0x1000/0xff000 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 10240: -j
-A QOSO -p udp --dport 53 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-
-A QOSO -p tcp --dport 53 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-
-A QOSO -p udp -m multiport --ports 135,2101,2103,2105 -j CONNMARK --set-return 0x200101/0xFF
-A QOSO -p tcp -m multiport --ports 135,2101,2103,2105 -j CONNMARK --set-return 0x200101/0xFF
-A QOSO -p udp --dport 22 -j CONNMARK --set-return 0x300104/0xFF
-A QOSO -p tcp --dport 22 -j CONNMARK --set-return 0x300104/0xFF
-A QOSO -p tcp -m multiport --sports 80,8080 -j CONNMARK --set-return 0x400104/0xFF
-A QOSO -p tcp -m multiport --ports 3389 -j CONNMARK --set-return 0x500104/0xFF
-A QOSO -p udp -m multiport --ports 554,5004,5005 -j CONNMARK --set-return 0x600103/0xFF
-A QOSO -p tcp -m multiport --ports 554,5004,5005 -j CONNMARK --set-return 0x600103/0xFF
-A QOSO -p udp -m multiport --ports 1755 -j CONNMARK --set-return 0x700103/0xFF
-A QOSO -p tcp -m multiport --ports 1755 -j CONNMARK --set-return 0x700103/0xFF
-A QOSSIZE -m connmark --mark 0x2000/0xff000 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 524288: -
-A QOSO -p udp --dport 80 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --set
-A QOSO -p tcp --dport 80 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --set
-A QOSO -p udp --dport 443 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --se
-A QOSO -p tcp --dport 443 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --se
-A QOSO -p tcp --dport 8080 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --s
MASQUERADE
-A POSTROUTING -o br0 -s 192.168.10.180/255.255.255.0 -d 192.168.10.180/255.255.255.0 -j SNAT --to-source 192.168.10.180
COMMIT
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-N shlimit
-A shlimit -m recent --set --name shlimit
-A shlimit -m recent --update --hitcount 4 --seconds 60 --name shlimit -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j shlimit
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
:FORWARD DROP [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
:L7in - [0:0]
-A FORWARD -i ppp0 -j L7in
-A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto irc -j RETURN
:wanin - [0:0]
:wanout - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -j wanin
-A FORWARD -o ppp0 -j wanout
-A FORWARD -i br0 -o ppp0 -j ACCEPT
COMMIT