iptables-rules

A minimal set of iptables rules for a router. In this example eth0 is the interface facing the internet and 172.23.0.0/24 is the local network. Replace the IP 123.123.123.123 with the real IP address configured on the interface that faces the internet.

iptables.rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.23.0.0/24 -o eth0 -m comment --comment "Localnet to internet" -j SNAT --to-source 123.123.123.123
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p all -m conntrack --ctstate INVALID -j DROP
-A INPUT -i eth+ -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "NEW without syn" -j REJECT --reject-with tcp-reset
-A INPUT -i eth+ -f -m comment --comment "Drop fragments" -j DROP
-A INPUT -s 127.0.0.1/8 ! -i lo -m comment --comment "Drop spoofed packets (START)" -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -m comment --comment "Drop spoofed packets (END)" -j DROP
-A INPUT ! -i lo -p udp -m udp --dport 123 -m comment --comment "NTP only for me" -j DROP
-A FORWARD -s 127.0.0.1/8 ! -i lo -m comment --comment "Drop spoofed packets (START)" -j DROP
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth0 -s 169.254.0.0/16 -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -i eth0 -s 224.0.0.0/4 -j DROP
-A FORWARD -i eth0 -d 224.0.0.0/4 -j DROP
-A FORWARD -i eth0 -s 240.0.0.0/5 -j DROP
-A FORWARD -i eth0 -d 240.0.0.0/5 -j DROP
-A FORWARD -i eth0 -s 0.0.0.0/8 -j DROP
-A FORWARD -i eth0 -d 0.0.0.0/8 -j DROP
-A FORWARD -i eth0 -d 239.255.255.0/24 -j DROP
-A FORWARD -i eth0 -d 255.255.255.255 -m comment --comment "Drop spoofed packets (END)" -j DROP
-A FORWARD -i eth0 -p tcp -m multiport --dports 0:1,13,98,111,123,137:139,161:162,445,512:515,517:518 -m comment --comment "Unwanted ports from world <1000" -j DROP
-A FORWARD -i eth0 -p udp -m multiport --dports 0:1,13,98,111,123,137:139,161:162,445,512:515,517:518 -m comment --comment "Unwanted ports from world <1000" -j DROP
-A FORWARD -i eth0 -p tcp -m multiport --dports 1080,1427,3128,3389,6000:6009,6112,8006,9000,10000,12345,65535 -m comment --comment "Unwanted ports from world >1000" -j DROP
-A FORWARD -i eth0 -p udp -m multiport --dports 1080,1427,3128,3389,6000:6009,6112,8006,9000,10000,12345,65535 -m comment --comment "Unwanted ports from world >1000" -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
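Before loading a ruleset like the one above with iptables-restore, it is worth checking the two things that most often go wrong with it: the SNAT placeholder is still in place, and the anti-spoofing drops differ between INPUT and FORWARD. The script below is an added example, not part of the original page. It parses the iptables-save format with a small hand-written parser (the function names parse_rules, iface_matches, source_drops and audit are my own), embeds the page's NAT rule together with a subset of its source-address drop rules as a constructed sample, and reports whether the placeholder 123.123.123.123 was replaced, whether the SNAT source is a globally routable address, and which prefixes are dropped in FORWARD on eth0 but not in INPUT. For this ruleset the only such prefix is 172.16.0.0/12, and the check also shows why: the LAN 172.23.0.0/24 lies inside it, so adding that drop to INPUT would cut the router off from its own network.

```python
import ipaddress
import shlex

PLACEHOLDER_IP = "123.123.123.123"  # placeholder from the page; must be replaced

# Constructed sample: the page's SNAT rule plus a subset of its source-address drops.
RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.23.0.0/24 -o eth0 -m comment --comment "Localnet to internet" -j SNAT --to-source 123.123.123.123
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 127.0.0.1/8 ! -i lo -m comment --comment "Drop spoofed packets (START)" -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A FORWARD -s 127.0.0.1/8 ! -i lo -m comment --comment "Drop spoofed packets (START)" -j DROP
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -i eth0 -s 224.0.0.0/4 -j DROP
COMMIT
"""


def parse_rules(text):
    """Parse iptables-save text into dicts holding only the fields the audit needs."""
    rules, table = [], None
    keys = {"-A": "chain", "-s": "src", "-i": "in", "-o": "out",
            "-j": "target", "--to-source": "to_source"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ":")) or line == "COMMIT":
            continue
        if line.startswith("*"):           # table header, e.g. *nat
            table = line[1:]
            continue
        toks = shlex.split(line)           # honours the quoted --comment text
        rule = {"table": table, "chain": None, "src": None, "in": None,
                "out": None, "target": None, "to_source": None}
        negate, i = False, 0
        while i < len(toks):
            if toks[i] == "!":             # "! -i lo": negation applies to the next option
                negate, i = True, i + 1
                continue
            key = keys.get(toks[i])
            if key is not None and i + 1 < len(toks):
                rule[key] = ("!" + toks[i + 1]) if negate else toks[i + 1]
                i += 2
            else:
                i += 1
            negate = False
        rules.append(rule)
    return rules


def iface_matches(spec, name):
    """iptables interface semantics: None matches all, '+' is a prefix wildcard, '!' negates."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return not iface_matches(spec[1:], name)
    if spec.endswith("+"):
        return name.startswith(spec[:-1])
    return spec == name


def source_drops(rules, chain, in_if):
    """Source prefixes that `chain` DROPs for packets arriving on interface `in_if`."""
    nets = set()
    for r in rules:
        if (r["table"] == "filter" and r["chain"] == chain and r["target"] == "DROP"
                and r["src"] and iface_matches(r["in"], in_if)):
            # strict=False normalises 127.0.0.1/8 to 127.0.0.0/8, as iptables itself does
            nets.add(ipaddress.ip_network(r["src"], strict=False))
    return nets


def audit(text, lan="172.23.0.0/24", wan_if="eth0"):
    """Summarise the SNAT source and the INPUT/FORWARD anti-spoofing asymmetry."""
    rules = parse_rules(text)
    lan_net = ipaddress.ip_network(lan)
    snat = [r for r in rules if r["table"] == "nat" and r["target"] == "SNAT"]
    to_source = snat[0]["to_source"] if snat else None
    input_drops = source_drops(rules, "INPUT", wan_if)
    forward_only = source_drops(rules, "FORWARD", wan_if) - input_drops
    return {
        "snat_to_source": to_source,
        "placeholder_ip": to_source == PLACEHOLDER_IP,
        "snat_ip_global": bool(to_source) and ipaddress.ip_address(to_source).is_global,
        "forward_only_drops": sorted(str(n) for n in forward_only),
        "lan_covered_by_forward_only": any(lan_net.subnet_of(n) for n in forward_only),
        "lan_would_be_dropped_on_input": any(lan_net.subnet_of(n) for n in input_drops),
    }


if __name__ == "__main__":
    for key, value in audit(RULESET).items():
        print(f"{key}: {value}")
```

Run it against a real file with `audit(open("/etc/iptables/iptables.rules").read())`; a `placeholder_ip` of True means the file was copied without editing, and a `snat_ip_global` of False means the address pasted into --to-source is a private or otherwise non-routable one.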
  • iptables-rules.txt
  • Last modified: 2020/03/10 16:39
  • (external edit)