Destination-based (DNAT): lets hosts on the outside reach a machine on the inside. The match is the firewall's outside address (the original had -d 192.168.1.142/24, which would match the whole network; only the host address is meant), and the port option is --dport with two dashes:
iptables -t nat -I PREROUTING -d 192.168.1.142 -p tcp --dport 80 -j DNAT --to 192.168.142.2:80
Source-based (SNAT): lets the inside network reach the outside. Neither rule does anything unless the kernel forwards IPv4 (net.ipv4.ip_forward=1):
iptables -t nat -A POSTROUTING -s 192.168.142.0/24 -j SNAT --to 192.168.1.142
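As an added example (not part of the original notes), the two NAT rules as an idempotent script: it turns on IPv4 forwarding, which the one-liners above take for granted, checks each rule with -C before appending so that re-running it never stacks duplicates, and adds the FORWARD accepts the DNAT needs when the FORWARD policy is DROP. The addresses are the ones from the notes; the IPT variable (override with IPT="echo iptables" to dry-run without root), the function names and the conntrack FORWARD rules are my additions.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the DNAT/SNAT pair
# idempotently. Addresses come from the notes; the ip_forward sysctl and the
# FORWARD rules are additions the one-liners leave implicit.
# Dry run without root:  IPT="echo iptables" sh nat.sh apply
IPT="${IPT:-iptables}"

EXT_IP=192.168.1.142        # firewall's outside address (from the notes)
LAN_NET=192.168.142.0/24    # inside network (from the notes)
WEB_SRV=192.168.142.2       # inside web server published by DNAT (from the notes)

# add_rule TABLE CHAIN MATCH...: append the rule only if it is not already there
add_rule() {
    table=$1; shift
    $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
}

enable_forwarding() {
    # NAT rewrites addresses, but the kernel still has to forward the packet
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

apply_nat() {
    # DNAT: TCP/80 arriving for the outside address is sent to the inside server
    add_rule nat PREROUTING -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
    # SNAT: everything leaving the inside network leaves with the outside address
    add_rule nat POSTROUTING -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"
    # If FORWARD's policy is DROP, these three let the NATed traffic through:
    # new connections to the published port, anything from the inside, and replies
    add_rule filter FORWARD -d "$WEB_SRV" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    add_rule filter FORWARD -s "$LAN_NET" -j ACCEPT
    add_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Only act when told to, so the file can also be sourced for its functions
case "${1:-}" in
    apply) enable_forwarding && apply_nat ;;
    show)  $IPT -t nat -S; $IPT -S FORWARD ;;
esac
```

Running `sh nat.sh apply` twice leaves exactly one copy of each rule; `sh nat.sh show` prints the nat table and FORWARD chain in iptables-save syntax for checking.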
Internal network controls
Block a single IP (-I puts the rule first in FORWARD so it wins over any later ACCEPT; -D with the same match removes it)
iptables -I FORWARD -s 192.168.142.2/32 -j DROP
iptables -D FORWARD -s 192.168.142.2/32 -j DROP
Block a range of IPs (-p tcp limits this to TCP; leave it out to drop every protocol)
iptables -A FORWARD -p tcp -m iprange --src-range 192.168.142.2-192.168.142.3 -j DROP
iptables -D FORWARD -p tcp -m iprange --src-range 192.168.142.2-192.168.142.3 -j DROP
Block a keyword (inspects plaintext HTTP to port 80 one packet at a time, so HTTPS and a string split across two packets both get through)
iptables -A FORWARD -p tcp -m string --string "baidu" --algo kmp --dport 80 -j DROP
iptables -D FORWARD -p tcp -m string --string "baidu" --algo kmp --dport 80 -j DROP
Block a MAC address (the mac match only sees the source MAC of frames from directly connected hosts, and is only valid in PREROUTING, INPUT and FORWARD)
iptables -A FORWARD -m mac --mac-source 00:0c:29:70:73:cb -j DROP
iptables -D FORWARD -m mac --mac-source 00:0c:29:70:73:cb -j DROP
Allow access only during a time window (-m time reads the times as UTC unless --kerneltz is added; and since this is a nat rule it is checked only on a connection's first packet, so a connection opened inside the window keeps its SNAT after 15:40)
iptables -t nat -A POSTROUTING -s 192.168.142.0/24 -m time --timestart 15:35 --timestop 15:40 -j SNAT --to 192.168.1.142
iptables -t nat -D POSTROUTING -s 192.168.142.0/24 -m time --timestart 15:35 --timestop 15:40 -j SNAT --to 192.168.1.142
Block ping
iptables -A INPUT -p icmp -j DROP
iptables -D INPUT -p icmp -j DROP
ping www.baidu.com    (with the rule above in place the echo replies are dropped by INPUT as well, so the firewall's own ping fails unless an earlier INPUT rule accepts ESTABLISHED traffic)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
ping www.baidu.com    (now only incoming echo requests are dropped: the firewall can still ping out, but others cannot ping it)
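The add/delete pairs above all share one shape: the same match with -A or -I to turn it on and -D to turn it off, and running the add twice silently stacks duplicates that a single -D will not clear. As an added example (not from the original notes), a small wrapper that checks with -C first, so "on" is idempotent and "off" removes every copy, with one helper per block in the notes. The addresses and the MAC are the ones from the notes; the helper names, the IPT variable for dry runs, and --kerneltz on the time match (so the window is read in the kernel's local time rather than UTC) are my additions.

```shell
#!/bin/sh
# Added example, not from the original notes: idempotent on/off switches for
# the FORWARD/INPUT/nat rules in the notes.
# Dry run without root:  IPT="echo iptables" sh ctl.sh demo-on
IPT="${IPT:-iptables}"

# rule on|off TABLE CHAIN MATCH...
#   on:  insert the rule at the top of the chain unless it is already present
#   off: delete the rule as many times as it is present (duplicates included)
rule() {
    mode=$1; table=$2; chain=$3; shift 3
    case "$mode" in
        on)  $IPT -t "$table" -C "$chain" "$@" 2>/dev/null ||
             $IPT -t "$table" -I "$chain" "$@" ;;
        off) while $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; do
                 $IPT -t "$table" -D "$chain" "$@"
             done ;;
        *)   echo "usage: rule on|off TABLE CHAIN MATCH..." >&2; return 2 ;;
    esac
}

# One helper per block in the notes; first argument is on|off
block_ip()     { rule "$1" filter FORWARD -s "$2" -j DROP; }
block_range()  { rule "$1" filter FORWARD -m iprange --src-range "$2" -j DROP; }  # no -p tcp: all protocols
block_string() { rule "$1" filter FORWARD -p tcp --dport 80 -m string --string "$2" --algo kmp -j DROP; }
block_mac()    { rule "$1" filter FORWARD -m mac --mac-source "$2" -j DROP; }
drop_ping()    { rule "$1" filter INPUT -p icmp --icmp-type echo-request -j DROP; }
# SNAT only inside a daily window; --kerneltz reads the window in kernel local time
snat_window()  { rule "$1" nat POSTROUTING -s "$2" -m time --timestart "$3" --timestop "$4" --kerneltz \
                     -j SNAT --to-source "$5"; }

apply_all() {   # $1 = on|off; the values are those from the notes
    block_ip     "$1" 192.168.142.2
    block_range  "$1" 192.168.142.2-192.168.142.3
    block_string "$1" baidu
    block_mac    "$1" 00:0c:29:70:73:cb
    drop_ping    "$1"
    snat_window  "$1" 192.168.142.0/24 15:35 15:40 192.168.1.142
}

case "${1:-}" in
    demo-on)  apply_all on ;;
    demo-off) apply_all off ;;
esac
```

Because "off" loops on -C, it also cleans up rules that were added by hand more than once with the -A commands above; "on" never changes a chain that already holds the rule, so it is safe to run from cron or a boot script.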
Save the firewall rules
iptables-save > /opt/iptables0217
Restore them (a saved file can be parsed without loading it by giving iptables-restore the --test option, which is worth doing before relying on it at boot)
iptables-restore < /opt/iptables0217
Restore automatically at boot (the chmod +x matters: systemd's rc.local compatibility unit only runs /etc/rc.local when the file is executable)
echo "/usr/sbin/iptables-restore < /opt/iptables0217" >>/etc/rc.local
chmod +x /etc/rc.local