sergleo
Code:
#------------------------------------------------------------
# ftp (TCP Ports 21, 20)
# Outgoing Local Client Requests to Remote Servers
# Outgoing Control Connection to Port 21
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport ftp -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport ftp -d x.x.x.x --dport 1024:65535 -j ACCEPT
# Incoming Port Mode Data Channel Connection from Port 20
-A INPUT  -i eth1 -p tcp --sport ftp-data -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport 1024:65535 --dport ftp-data -j ACCEPT
# Outgoing Passive Mode Data Channel Connection Between Unprivileged Ports
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport 1024:65535 -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
# Incoming Control Connection to Port 21
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport ftp -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport ftp --dport 1024:65535 -j ACCEPT
# Outgoing Port Mode Data Channel Connection to Port 20
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport ftp-data --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport 1024:65535 -d x.x.x.x --dport ftp-data -j ACCEPT
# Incoming Passive Mode Data Channel Connection Between Unprivileged Ports
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport 1024:65535 --dport 1024:65535 -j ACCEPT

#------------------------------------------------------------
# Accessing Usenet News Services (TCP NNTP Port 119)
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport nntp -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport nntp -d x.x.x.x --dport 1024:65535 -j ACCEPT
#............................................................
# Hosting a Usenet News Server for Remote Clients
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport nntp -j REJECT --reject-with tcp-reset
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport nntp --dport 1024:65535 -j REJECT --reject-with tcp-reset
#............................................................
# Allowing Peer News Feeds for a Local Usenet Server
-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport nntp -j REJECT --reject-with tcp-reset
-A INPUT  -i eth1 -p tcp ! --syn --sport nntp -d x.x.x.x --dport 1024:65535 -j REJECT --reject-with tcp-reset

#------------------------------------------------------------
# Accessing Remote Network Time Servers (UDP 123)
# Note: some clients and servers use source port 123
# when querying a remote server on destination port 123.
# Use $TIME_SERVER (x.x.x.x) only for MY net
# (iptables does not accept the ipchains-style "any/0"; 0.0.0.0/0 means any address)
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport 1024:65535 -d 0.0.0.0/0 --dport ntp -j ACCEPT
-A INPUT  -i eth1 -p udp -s 0.0.0.0/0 --sport ntp -d x.x.x.x --dport 1024:65535 -j ACCEPT
#...............................................................
# Remote Client Accessing the Local Time Server
-A INPUT  -i eth1 -p udp --sport 1024:65535 -d x.x.x.x --dport ntp -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport ntp --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p udp --sport ntp -d x.x.x.x --dport ntp -j ACCEPT
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport ntp --dport ntp -j ACCEPT

#------------------------------------------------------------
# SYSLOG client (514)
# Use $SYSLOG_SERVER = x.x.x.x
-A OUTPUT -o eth1 -p udp -s x.x.x.x --source-port 514 -d y.y.y.y --destination-port 1024:65535 -j ACCEPT
#...............................................................
# Remote Client Accessing the SYSLOG Server
-A INPUT -i eth0 -p udp --sport 1024:65535 -d x.x.x.x --dport 514 -j ACCEPT
-A INPUT -i eth0 -p udp --sport 514 -d x.x.x.x --dport 514 -j ACCEPT

#------------------------------------------------------------
# TRACEROUTE - usually uses -S 32769:65535 -D 33434:33523
# Enabling Outgoing traceroute Requests
-A OUTPUT -o eth1 -p udp -s x.x.x.x --sport 32769:65535 -d 0.0.0.0/0 --dport 33434:33523 -j ACCEPT
#...............................................................
# Incoming query from the ISP. All others are denied by default.
-A INPUT -i eth1 -p udp -s 0.0.0.0/0 --sport 32769:65535 -d x.x.x.x --dport 33434:33523 -j ACCEPT

-------
Best regards, SergLeo


Posted: 11:55, 24-02-2006 | #10
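Two things a reviewer of the FTP section would want to add, as an example script that is not from sergleo's post: an audit function that counts ACCEPT rules spanning any unprivileged port to any unprivileged port (the passive-mode FTP rules in the post have exactly that shape and admit far more than FTP data), and the stateful conntrack replacement, in which data channels are admitted only as RELATED to a tracked control connection. The interface name eth1, the address 192.0.2.10 and the use of nf_conntrack_ftp are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Two pieces:
#  1. audit_high_port_accepts: counts rules in an iptables-save style dump that
#     ACCEPT any unprivileged port to any unprivileged port (the passive-mode
#     FTP rules in the post are of this shape).
#  2. ftp_conntrack_rules: emits the stateful replacement, where data channels
#     are admitted only as RELATED to a tracked FTP control connection.
# Assumptions (mine, not the post's): external interface eth1, the local
# address is passed as the first argument, the kernel ships nf_conntrack_ftp.

# Reads a ruleset on stdin and prints how many lines ACCEPT
# 1024:65535 -> 1024:65535 (in either direction, SYN or not).
audit_high_port_accepts() {
    grep -c -- '--sport 1024:65535 .*--dport 1024:65535 .*-j ACCEPT' || true
}

# Constructed sample: the four passive-mode rules quoted from the post.
SAMPLE_RULES='-A OUTPUT -o eth1 -p tcp -s x.x.x.x --sport 1024:65535 --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p tcp ! --syn --sport 1024:65535 -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A INPUT  -i eth1 -p tcp --sport 1024:65535 -d x.x.x.x --dport 1024:65535 -j ACCEPT
-A OUTPUT -o eth1 -p tcp ! --syn -s x.x.x.x --sport 1024:65535 --dport 1024:65535 -j ACCEPT'

# Emits the conntrack-based replacement as iptables commands on stdout
# (review it, then pipe to sh as root). $1 = local address, $2 = interface.
ftp_conntrack_rules() {
    ip="$1"; dev="${2:-eth1}"
    cat <<EOF
modprobe nf_conntrack_ftp
# Since kernel 4.7 helpers are not auto-assigned; bind the FTP helper explicitly.
iptables -t raw -A OUTPUT     -o $dev -p tcp --dport 21 -j CT --helper ftp
iptables -t raw -A PREROUTING -i $dev -p tcp --dport 21 -j CT --helper ftp
# Control channel, both as client (OUTPUT) and as server (INPUT).
iptables -A OUTPUT -o $dev -p tcp -s $ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT  -i $dev -p tcp -d $ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Replies and negotiated data channels (active or passive) only; no blanket high-port rules.
iptables -A INPUT  -i $dev -p tcp -d $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $dev -p tcp -s $ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
```

Run the audit over your own `iptables-save` output; any non-zero count marks a rule that lets arbitrary high-port traffic through regardless of FTP.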