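# Reject spoofed packets arriving on the WAN interface.
# Link-local, RFC1918 172.16/12 and loopback sources can never legitimately
# come from the Internet, so they are dropped before any ACCEPT rule.
# (10.0.0.0/8 and 192.168.0.0/16 are not handled in this part of the script;
#  the LAN below is 10.0.1.0/24 - check how those ranges are treated earlier
#  before adding them here.)
/sbin/iptables -A INPUT -i $EXTIF -s 169.254.0.0/16 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s 127.0.0.0/8 -j DROP
# Multicast and reserved addresses, both as source and as destination.
/sbin/iptables -A INPUT -i $EXTIF -s 224.0.0.0/4 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -d 224.0.0.0/4 -j DROP
# NOTE(review): 240.0.0.0/5 only covers 240.x-247.x; the reserved block is
# 240.0.0.0/4 (248.x-255.x are only caught by the broadcast rule below) -
# confirm whether /4 was intended.
/sbin/iptables -A INPUT -i $EXTIF -s 240.0.0.0/5 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -d 240.0.0.0/5 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s 0.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -d 0.0.0.0/8 -j DROP
# Already covered by the 224.0.0.0/4 destination rule above (never matches).
/sbin/iptables -A INPUT -i $EXTIF -d 239.255.255.0/24 -j DROP
/sbin/iptables -A INPUT -i $EXTIF -d 255.255.255.255 -j DROP
# SYN flood protection: every new TCP connection attempt (SYN only) is sent
# through the syn_flood chain, which RETURNs up to 25 SYN/s with a burst of
# 50 and DROPs everything above that. The chain itself must have been
# created with `-N syn_flood` earlier in the script (not visible here).
/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
/sbin/iptables -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
/sbin/iptables -A syn_flood -j DROP
##^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# Allow HTTP to this router from the LAN only (no rule for $EXTIF).
/sbin/iptables -A INPUT -i $INTIF -p tcp --dport 80 -j ACCEPT -m comment --comment "Accept HTTP from LAN"
# Allow SSH with brute-force protection from WAN.
# Each new WAN connection is recorded in the SSH_LIMIT list (--set); the next
# rule drops it when the same source already has 3 or more hits within 60 s.
# --update refreshes the source's timestamp, so a client that keeps retrying
# stays blocked until it pauses for a full minute.
/sbin/iptables -A INPUT -i $EXTIF -p tcp -m tcp --dport $SSHPORT -m state --state NEW -m recent --set --name SSH_LIMIT --rsource
/sbin/iptables -A INPUT -i $EXTIF -p tcp --dport $SSHPORT -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name SSH_LIMIT --rsource -j DROP
# No -i here: SSH is accepted from every interface. WAN traffic only reaches
# this rule after the rate limit above; LAN traffic is accepted unconditionally.
/sbin/iptables -A INPUT -p tcp -m tcp --dport $SSHPORT -j ACCEPT -m comment --comment "Accept ssh from both WAN and LAN"
# DHCP client requests - accept from LAN (ports 67 and 68).
/sbin/iptables -A INPUT -i $INTIF -p udp --dport 67:68 -j ACCEPT -m comment --comment "Accept DHCP requests from LAN"
# Allow ping from LAN: echo-request in, echo-reply out.
# Use the absolute binary path like every other rule in this script, so the
# result does not depend on the PATH the hook is started with.
/sbin/iptables -A INPUT -i $INTIF -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Accept Ping request from LAN"
/sbin/iptables -A OUTPUT -o $INTIF -p icmp --icmp-type echo-reply -j ACCEPT -m comment --comment "Accept Ping reply to LAN"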
if-up.d 部分，创建
/etc/network/if-up.d/my-post-up :
#!/bin/sh
# ifupdown post-up hook: run the WAN firewall rules whenever the external
# interface comes up. ifupdown exports IFACE for the interface being configured.
EXTIF=eth0
# Executed as root - the rules file should be root-owned and not writable by
# other users, since whoever can edit it controls the firewall.
case "$IFACE" in
    "$EXTIF") /bin/sh /usr/myscripts/iptables/post-up-rules ;;
esac
创建
/usr/myscripts/iptables/post-up-rules :
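#!/bin/sh
# Applies the NAT / forwarding rules that depend on the current WAN address.
# Started from /etc/network/if-up.d after the external interface is up;
# IFACE is exported by ifupdown.
EXTIF=eth0
INTIF=br0
# Log under /var/log instead of /tmp: this script runs as root and appends to
# a fixed filename, and in a world-writable directory any local user could
# pre-create that name (e.g. as a symlink) and have root write through it.
LOG=/var/log/set-rules-router.log
# First IPv4 address of the WAN interface, parsed from net-tools `ifconfig`
# output ("inet addr:1.2.3.4"). Newer net-tools may print "inet 1.2.3.4"
# instead, in which case this is empty and the script exits below.
WANIP=$(/sbin/ifconfig $EXTIF | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
echo "POST-UP : $(date)" | tee -a "$LOG"
echo "$IFACE post-up, $EXTIF IP : $WANIP" | tee -a "$LOG"
echo | tee -a "$LOG"
# Without a WAN address the DNAT rules cannot be built; nothing to do.
if [ -z "$WANIP" ]; then
    exit 0
fi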
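# get_network IP
# Prints the /24 network address of a dotted-quad IPv4 address
# (10.0.1.7 -> 10.0.1.0). Only a 24-bit prefix is supported; the caller
# combines the result with a literal "/24".
# Prints nothing and returns 1 when no address is given, instead of the
# meaningless ".0" an empty input would otherwise produce.
get_network(){
    ip=$1
    [ -n "$ip" ] || return 1
    # Quoted so an odd value cannot be word-split or glob-expanded.
    baseip=$(printf '%s\n' "$ip" | cut -d"." -f1-3)
    echo "$baseip.0"
}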
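# First IPv4 address of the LAN interface and its network. The LAN is assumed
# to be a /24 here and in get_network (see the literal "/24" below).
LANIP=$(/sbin/ifconfig $INTIF | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
NETWORK=$(get_network "$LANIP")
PC2="10.0.1.130"   # Web server internal IP
MAIL="10.0.1.131"  # mail server internal IP
# External ports. HTTPS, IMAPS and POP3S are exposed on these non-standard
# ports and translated to the servers' standard ports by the DNAT rules.
HTTPS_PORT=12310
IMAPS_PORT=12311
POP3S_PORT=12312
## PORT FORWARDING vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
# NOTE(review): all rules below are appended (-A) every time the interface
# comes up. Unless the nat and filter chains are flushed beforehand (not
# visible in this script), duplicates accumulate across ifdown/ifup cycles.
# HTTPS to Web Server. The PREROUTING match is on the WAN address only (no
# -i), so LAN clients connecting to the public address are redirected too.
/sbin/iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport $HTTPS_PORT -j DNAT --to-destination $PC2:$HTTPS_PORT -m comment --comment "Port Forwarding to PC2"
/sbin/iptables -A FORWARD -p tcp -d $PC2 --dport $HTTPS_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Hairpin NAT: LAN -> PC2 traffic on this port is SNATed to the router's LAN
# address so PC2 answers through the router rather than directly to the
# client. Side effect: PC2 logs the router's address, not the real client,
# for every LAN connection to this port (including direct ones to $PC2).
/sbin/iptables -A POSTROUTING -t nat -s $NETWORK/24 -d $PC2/32 -p tcp -m tcp --dport $HTTPS_PORT -j SNAT --to-source $LANIP
# Mail Server: SMTP, SMTPS and submission on their standard ports; IMAPS and
# POP3S on the non-standard external ports above, mapped to 993 and 995.
/sbin/iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport 25 -j DNAT --to-destination $MAIL:25 -m comment --comment "Port Forwarding SMTP"
/sbin/iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport 465 -j DNAT --to-destination $MAIL:465 -m comment --comment "Port Forwarding SMTPs"
/sbin/iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport 587 -j DNAT --to-destination $MAIL:587 -m comment --comment "Port Forwarding Submission"
/sbin/iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport $IMAPS_PORT -j DNAT --to-destination $MAIL:993 -m comment --comment "Port Forwarding IMAPs"
/sbin/iptables -t nat -A PREROUTING -d $WANIP -p tcp --dport $POP3S_PORT -j DNAT --to-destination $MAIL:995 -m comment --comment "Port Forwarding POP3s"
# One FORWARD rule for all five internal mail ports (the DNATed destination
# ports, not the external ones).
/sbin/iptables -A FORWARD -p tcp -d $MAIL -m multiport --dport 25,465,587,993,995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT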
