Increase Linux Server Security with iptables

The iptables rules below are meant as a template for building tailored rules that increase the security of your Linux dedicated server. Using these rules you can make your firewall considerably stronger.

Note: Do not treat this list as a complete guide. Familiarize yourself with iptables before using the rules below, and understand what each rule does before applying it.

Iptables rule for refusing incoming traffic

The second line of the following rules permits traffic on already established connections. This is what keeps your session alive when you are logged in to the server via Telnet or SSH.

# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

Rule for refusing all outgoing traffic

The second line of the following rules permits outgoing traffic on already established connections. Again, this is what keeps your Telnet or SSH session to the server alive.

# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT

Rule for refusing incoming and outgoing traffic

This rule blocks or refuses all network traffic (incoming and outgoing), including your existing established connections.

# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT

Rule for dropping incoming ping requests

In this rule you can use REJECT instead of DROP; the only difference is that REJECT answers the sender with an ICMP error, while DROP silently discards the incoming packet.

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Rule for dropping outgoing Telnet traffic

The following iptables rule refuses all outgoing connections to port 23 (Telnet) on any host.

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

Rule for rejecting incoming telnet traffic

The following iptables rule rejects all incoming connection requests to local port 23.

# iptables -A INPUT -p tcp --dport telnet -j REJECT

Rule for refusing outgoing ssh connections

The following rule refuses outgoing connections to port 22 (SSH) on any host.

# iptables -A OUTPUT -p tcp --dport ssh -j REJECT

Rule for refusing incoming ssh connections

The following rule refuses incoming connections to local port 22 (SSH).

# iptables -A INPUT -p tcp --dport ssh -j REJECT

Rule for refusing all incoming connections except ssh and local connections

The first two lines accept traffic on the loopback interface and new SSH connections; the final line rejects everything else.

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

Rule for allowing incoming ssh traffic from a particular IP address

The following rules refuse all incoming traffic to port 22 (ssh) except from the host with the given IP address, so only that host is allowed to ssh in. The ACCEPT rule must be appended before the REJECT rule, because the chain is evaluated top-down.

# iptables -A INPUT -p tcp -s 72.65.53.48 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT
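The INPUT-side rules from the sections above combined into one ordered baseline, with a check that the catch-all REJECT really comes last. This is an added example, not part of the original post; it assumes the post's 72.65.53.48 as the admin address and applies nothing unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: the post's INPUT rules
# assembled into one correctly ordered baseline. iptables -A appends, and
# the chain is evaluated top-down, so the ACCEPT for the admin host and
# the ESTABLISHED rule must precede the final catch-all REJECT; otherwise
# the SSH session you are applying the rules from is cut off.
# The admin IP (72.65.53.48) is the post's example value and is assumed.

# Print the ruleset for the given admin IP, one command per line.
# Nothing is applied here.
baseline_rules() {
    admin_ip="$1"
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp -s $admin_ip --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables -A INPUT -j REJECT
EOF
}

# Ordering check: the catch-all "-A INPUT -j REJECT" must be the last
# rule, and the ESTABLISHED,RELATED ACCEPT must come before the first
# REJECT of any kind. Returns 0 when the order is safe, 1 otherwise.
check_order() {
    rules=$(baseline_rules "$1")
    total=$(printf '%s\n' "$rules" | grep -c '')
    catchall=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j REJECT$' | cut -d: -f1)
    established=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED' | cut -d: -f1)
    first_reject=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    [ "$catchall" -eq "$total" ] && [ "$established" -lt "$first_reject" ]
}

# Apply the rules (needs root) only after the ordering check passes.
apply_rules() {
    check_order "$1" || { echo "unsafe rule order, refusing to apply" >&2; return 1; }
    baseline_rules "$1" | sh -e
}

# Dry run by default; APPLY=1 ADMIN_IP=... ./baseline.sh applies for real.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "${ADMIN_IP:-72.65.53.48}"
else
    baseline_rules "${ADMIN_IP:-72.65.53.48}"
fi
```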

Rule for refusing incoming connections on a particular TCP port

The following iptables rule refuses all incoming connections on TCP port 3333.

# iptables -A INPUT -p tcp --dport 3333 -j REJECT

Rule for refusing all incoming connections arriving on a particular network interface

The following iptables rule drops incoming connections that arrive on a particular network interface from a specific subnet.

# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

Rule for creating a plain IP masquerade

The following commands set up a plain IP masquerade that lets all hosts on the same subnet reach the Internet through this machine. $EXT_IFACE stands for the external (Internet-facing) interface. Forwarded packets also traverse the FORWARD chain, so a catch-all REJECT there (as in the rule above that refuses all traffic) would stop the masqueraded hosts.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

Rule for refusing all incoming telnet connections except from a specific IP address

The following rule refuses all incoming telnet connections except requests from the specified IP.

# iptables -t filter -A INPUT ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

Rule for refusing all incoming ssh connections except from a specific IP address range

The following rule refuses all incoming ssh connections except requests from a specific IP range. Be careful: removing the negator (!) from the rule inverts it, so it would then refuse all traffic coming from the specified IP address range.

# iptables -t filter -A INPUT -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT

Rule for refusing all outgoing connections to a specific remote host

With the following rule you can refuse all outgoing connections to a remote host with a specific IP address.

# iptables -A OUTPUT -d 222.111.111.222 -j REJECT

Rule for blocking access to a specific website

The following rule drops all incoming packets from a specific website whose source port is 80 (www). Note that the hostname is resolved to its IP addresses when the rule is inserted, not at packet time.

# iptables -A INPUT -s twitter.com -p tcp --sport www -j DROP

The above rule blocks all access to twitter.com, and to www.twitter.com as well.


Translated from: https://www.eukhost.com/blog/webhosting/increase-linux-server-security-with-iptables/
