#init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP #we can use another method to instead it
iptables -A INPUT -i ! ppp0 -j ACCEPT
# define ruler so that some data can come in.
for Port in "$Allow_ports" ; do
iptables -A INPUT -i ppp0 -p tcp -sport $Port -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -sport $Port -j ACCEPT
done
for Port in "$Open_ports" ; do
iptables -A INPUT -i ppp0 -p tcp -dport $Port -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -dport $Port -j ACCEPT
done
1)#!/bin/bash
#chkconfig: 345 85 15
#description: my iptables rules, which can auto run when system start
# This is a script
# Edit by liwei, cnscn
# establish a static firewall
#网络接口
interdevice="eth0"
#端口
#21 ftp
#22 sshd
#25 smtp
#53 named
#80 http
#110 pop3
#外界可以访问的端口
Open_ports="21 22 80 25 110"
#可以外出的端口
Allow_ports="20 21 22 53 80 2401 8080 20121 20122 23621 23622 "
#清除所有以前设置的规则
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#接受所有的,来源不是网络接口$interdevice的数据
# iptables -P INPUT DROP
for eths in $interdevice ; do
iptables -A INPUT -i ! $eths -j ACCEPT
done
#定义外界可以访问的端口规则
for eths in $interdevice ; do
for Port in $Open_ports ; do
iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
done
done
#定义可以外出的端口规则
for eths in $interdevice ; do
for Port in $Allow_ports ; do
iptables -A INPUT -i $eths -p tcp --sport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp --sport $Port -j ACCEPT
done
done
#给不应该进入我们机器的数据,一个欺骗性的回答
for eths in $interdevice ; do
iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
done
================================================================
2)#!/bin/bash
#chkconfig: 345 85 15
#description: my iptables rules, which can auto run when system start
# This is a script
# Edit by liwei, cnscn
# establish a static firewall
#网络接口
interdevice="eth0 vmnet1 vmnet8"
#端口
#21 ftp
#22 sshd
#25 smtp
#53 named
#80 http
#110 pop3
#外界可以访问的端口
Open_ports="21 22 80 25 110"
#不可以外出的端口,其它端口都可以外出
Allow_ports="106 2999"
#清除所有以前设置的规则
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#接受所有的,来源不是网络接口$interdevice的数据
# iptables -P INPUT DROP
for eths in $interdevice ; do
iptables -A INPUT -i ! $eths -j ACCEPT
done
#定义外界可以访问的端口规则
for eths in $interdevice ; do
for Port in $Open_ports ; do
iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
done
done
#定义不可以外出的端口规则
for eths in $interdevice ; do
for Port in $Allow_ports ; do
iptables -A INPUT -i $eths -p tcp ! --sport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp ! --sport $Port -j ACCEPT
done
done
#给不应该进入我们机器的数据,一个欺骗性的回答
for eths in $interdevice ; do
iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
done
#End of Script
------------------------------------------------------------
3)#!/bin/bash
#chkconfig: 345 85 15
#description: my iptables rules, which can auto run when system start
# This is a script
# Edit by liwei, cnscn
# establish a static firewall
#网络接口
interdevice="eth0 vmnet1 vmnet8"
#端口
#21 ftp
#22 sshd
#25 smtp
#53 named
#80 http
#110 pop3
#外界可以访问的端口
Open_ports="21 22 80 25 110"
#可以外出的端口
Allow_ports="20 21 22 53 80 2401 8080 20121 20122 23621 23622 "
#清除所有以前设置的规则
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#定义每一个网络接口规则
for eths in $interdevice ; do
#接受所有的,来源不是网络接口$interdevice的数据
#iptables -P INPUT DROP
iptables -A INPUT -i ! $eths -j ACCEPT
#定义外界可以访问的端口规则
for Port in $Open_ports ; do
iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
done
#定义可以外出的端口规则
for Port in $Allow_ports ; do
iptables -A INPUT -i $eths -p tcp --sport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp --sport $Port -j ACCEPT
done
#给不应该进入我们机器的数据,一个欺骗性的回答
iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
done
#End of Script
------------------------------------------------------------
4)#!/bin/bash
#chkconfig: 345 85 15
#description: my iptables rules, which can auto run when system start
# This is a script
# Edit by liwei, cnscn
# establish a static firewall
#网络接口
interdevice="eth0 vmnet1 vmnet8"
#端口
#21 ftp
#22 sshd
#25 smtp
#53 named
#80 http
#110 pop3
#外界可以访问的端口
Open_ports="21 22 80 25 110"
#不可以外出的端口,其它端口都可以外出
Allow_ports="106 2999"
#清除所有以前设置的规则
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#定义每一个网络接口规则
for eths in $interdevice ; do
#接受所有的,来源不是网络接口$interdevice的数据
#iptables -P INPUT DROP
iptables -A INPUT -i ! $eths -j ACCEPT
#定义外界可以访问的端口规则
for Port in $Open_ports ; do
iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
done
#定义不可以外出的端口规则
for Port in $Allow_ports ; do
iptables -A INPUT -i $eths -p tcp ! --sport $Port -j ACCEPT
iptables -A INPUT -i $eths -p udp ! --sport $Port -j ACCEPT
done
#给不应该进入我们机器的数据,一个欺骗性的回答
iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
done
#End of Script
when I use:
# This is the last ruler , it can make you firewall better
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
on my computer, I connected to my computer through 21, but when I carry on the command ls, I got the error:
ftp> ls
227 Entering Passive Mode (192,168,0,103,226,70)
ftp: connect: No route to host
when I remove
# This is the last ruler , it can make you firewall better
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
I got the right result:
ftp> ls
227 Entering Passive Mode (192,168,0,103,78,7)
150 Here comes the directory listing.
drwxrwxr-x 2 500 500 4096 Mar 02 08:10 bin
-rw-r--r-- 1 500 500 291 Mar 07 07:07 config.inc.php
-rw-r--r-- 1 500 500 16385595 Mar 02 09:14 setup.exe
drwxrwxr-x 4 500 500 4096 Mar 02 08:10 winetools
-rw-r--r-- 1 500 500 21074 Mar 01 09:55 winxp_decor_config.tgz
226 Directory send OK.
ftp> ls
I want your help. What can I do?
=========================================
Here is my iptable:
[root@localhost desktop-softs]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
...
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
...
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT udp -- anywhere anywhere udp spt:ftp
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
Here you must allow the port 20 input, and carray on ftp> passive
.... [ok]
==============================================
[root@192.168.0.89 ~]$ ftp 192.168.0.103 2121
Connected to 192.168.0.103.
..
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,0,103,145,115)
ftp: connect: Connection refused