I need some help proofreading my iptables rules; they seem to work, but I'm not sure


As the title says, I need some help proofreading my iptables rules; they seem to work, but I'm not sure. My setup is as follows: ISP ---> cable modem ---> Ethernet switch ---> netbook/server/firewall/wifi ---> wirelessly connected devices.

My netbook is a server running Ubuntu 13.04 Raring 32-bit, with OpenVPN, email and Iodine (IP-over-DNS). The netbook also serves as the wireless router, using dhcp and hostapd for the wifi and iptables as the firewall.

eth0 is the WAN, IP 192.168.1.2
wlan0 is the LAN, IP 10.0.0.2
dns0 and dns1 are the Iodine tunnels, IPs 172.168.0.1 (dns0) and 172.16.2.1 (dns1)
tun0 is my OpenVPN tunnel, IP 10.0.2.1

What should happen is that all inbound/outbound requests on any port are blocked to/from the server/router itself, except for:
ports 80 and 443 for web browsing
ports 25, 587, 110, 995, 143 and 993 for the various email services
port 22 for ssh
port 1194 for OpenVPN

All inbound/outbound ports to/from my VPN, Iodine and Wifi connections should be blocked, except for the following ports:
port 53 for DNS requests
ports 80 and 443 for web browsing
port 8080 for accessing college services
port 29304 for Skype
ports 6783, 6784 and 6785 for Splashtop Streamer
ports 5060 to 5080 and port 65535 for CallCentric VOIP
ports 19305 to 19309, 5228 and 14259 for various Google services
ports 80 (udp), 6969 and 1337 for torrents
port 25 for email
port 587 for iCloud email
ports 465, 587, 993, 994 and 995 for Gmail
ports 7070, 1338, 6667 and 6697 for IRC
ports 2000, 1843 and 843 for text-based online games such as MUDs
port 22 for SSH
port 1194 for VPN
ports 3478 to 3487, 16384 to 16387, 16393 to 16402 and 5223 for iMessages and Facetime

Below are my iptables rules; I put them in /etc/default/iptables so they are loaded on every boot.

###****FIREWALL PRESETUP****###

*nat

# Wireless devices wlan0
-A POSTROUTING -o eth0 -s 10.0.0.2/24 -j MASQUERADE

# Personal VPN tun0 to this network from my devices
-A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE

# Iodine (IP-over-DNS) dns0 and dns1
-A POSTROUTING -o eth0 -s 172.16.0.1/27 -j MASQUERADE
-A POSTROUTING -o eth0 -s 172.16.2.1/27 -j MASQUERADE

COMMIT

###****BEGIN GLOBAL FIREWALL****###

*filter

# Block unwanted traffic
:FORWARD DROP
:INPUT DROP

# Allow wanted traffic to/from all interfaces
:OUTPUT ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Make sure wanted traffic to/from wlan0 (LAN) is allowed
-A FORWARD -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Make sure wanted traffic to/from tun0 (VPN) is allowed
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.0.2.0/25 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also allow traffic to/from tun0 (VPN) to wlan0 (LAN)
-A FORWARD -i tun0 -o wlan0 -s 10.0.2.0/25 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also allow traffic to/from tun0 (VPN) to eth0 (WAN)
-A FORWARD -i tun0 -o eth0 -s 10.0.2.0/25 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Make sure wanted traffic to/from dns0 and dns1, Iodine (IP-over-DNS), is allowed
-A FORWARD -i dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i dns1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Also allow traffic to/from dns0 and dns1, Iodine (IP-over-DNS), to wlan0 (LAN)
-A FORWARD -i dns0 -o wlan0 -s 172.16.0.1/27 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i dns1 -o wlan0 -s 172.16.2.1/27 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Also allow traffic to/from dns0 and dns1, Iodine (IP-over-DNS), to eth0 (WAN)
-A FORWARD -i dns0 -o eth0 -s 172.16.0.1/27 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i dns1 -o eth0 -s 172.16.2.1/27 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow wanted traffic into the router itself
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

###****BEGIN WIFI FIREWALL ****###

#Logging
#-A FORWARD -i wlan0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"
#-I FORWARD 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# dns
-A FORWARD -i wlan0 -o eth0 -p udp --dport 53 -j ACCEPT

# http, https
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 443 -j ACCEPT

# Los Rios College eServices (and others)
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 8080 -j ACCEPT

# Skype (Outgoing)
-A FORWARD -i wlan0 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 29304 -j ACCEPT

# Skype (Incoming)
-A FORWARD -i eth0 -o wlan0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -p tcp --dport 29304 -j ACCEPT

# Splashtop streamer
-A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT

# CallCentric VOIP
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 65535 -j ACCEPT

# Google hangout, voip, and other google services
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 14259 -j ACCEPT

# Torrent
-A FORWARD -i wlan0 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p udp --dport 1337 -j ACCEPT

# Email
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 25 -j ACCEPT

# iCloud Email
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail SMTP SSL
-A FORWARD -i wlan0 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 465 -j ACCEPT

# Gmail SMTP StartTLS
-A FORWARD -i wlan0 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail IMAP SSL
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT

# irc
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 6697 -j ACCEPT

# MUD
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 843 -j ACCEPT

# ssh
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 22 -j ACCEPT

# vpn
-A FORWARD -i wlan0 -o eth0 -p udp --dport 1194 -j ACCEPT

# iOS iMessages, Facetime
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT

# Allow PING from remote hosts.
-A FORWARD -i wlan0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

###****BEGIN IODINE (IP-over-DNS, dns0 and dns1) FIREWALL ****###

#Logging
#-A FORWARD -i dns0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"

# dns
-A FORWARD -i dns0 -o eth0 -p udp --dport 53 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 53 -j ACCEPT

# http, https
-A FORWARD -i dns0 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 443 -j ACCEPT

# Los Rios College eServices (and others)
-A FORWARD -i dns0 -o eth0 -p tcp --dport 8080 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 8080 -j ACCEPT

# Skype (Outgoing)
-A FORWARD -i dns0 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 29304 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 29304 -j ACCEPT

# Skype (Incoming)
-A FORWARD -i eth0 -o dns0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o dns0 -p tcp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o dns1 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o dns1 -p tcp --dport 29304 -j ACCEPT

# Splashtop streamer
-A FORWARD -i dns0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT

# CallCentric VOIP
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 65535 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 65535 -j ACCEPT

# Google hangout, voip, and other google services
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 14259 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 14259 -j ACCEPT

# Torrent
-A FORWARD -i dns0 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p udp --dport 1337 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 1337 -j ACCEPT

# Email
-A FORWARD -i dns0 -o eth0 -p tcp --dport 25 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 25 -j ACCEPT

# iCloud Email
-A FORWARD -i dns0 -o eth0 -p tcp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail SMTP SSL
-A FORWARD -i dns0 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 465 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 465 -j ACCEPT

# Gmail SMTP StartTLS
-A FORWARD -i dns0 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail IMAP SSL
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT

# irc
-A FORWARD -i dns0 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 6697 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 6697 -j ACCEPT

# MUD
-A FORWARD -i dns0 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 843 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 843 -j ACCEPT

# ssh
-A FORWARD -i dns0 -o eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 22 -j ACCEPT

# vpn
-A FORWARD -i dns0 -o eth0 -p udp --dport 1194 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p udp --dport 1194 -j ACCEPT

# iOS iMessages, Facetime
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i dns0 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i dns1 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT

# Allow PING from remote hosts.
-A FORWARD -i dns0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i dns1 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

###****BEGIN VPN FIREWALL****###

#Logging
#-A FORWARD -i tun0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"

# dns
-A FORWARD -i tun0 -o eth0 -p udp --dport 53 -j ACCEPT

# http, https
-A FORWARD -i tun0 -o eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 443 -j ACCEPT

# Los Rios College eServices (and others)
-A FORWARD -i tun0 -o eth0 -p tcp --dport 8080 -j ACCEPT

# Skype (Outgoing)
-A FORWARD -i tun0 -o eth0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 29304 -j ACCEPT

# Skype (Incoming)
-A FORWARD -i eth0 -o tun0 -p udp --dport 29304 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -p tcp --dport 29304 -j ACCEPT

# Splashtop streamer
-A FORWARD -i tun0 -o eth0 -m multiport -p tcp --dport 6783:6785 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 6783:6785 -j ACCEPT

# CallCentric VOIP
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 5060:5080 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 65535 -j ACCEPT

# Google hangout, voip, and other google services
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 19305:19309 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m multiport -p tcp --dport 19305:19309 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 5228 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 5228 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 14259 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 14259 -j ACCEPT

# Torrent
-A FORWARD -i tun0 -o eth0 -p udp --dport 80 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 6969 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p udp --dport 1337 -j ACCEPT

# Email
-A FORWARD -i tun0 -o eth0 -p tcp --dport 25 -j ACCEPT

# iCloud Email
-A FORWARD -i tun0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail SMTP SSL
-A FORWARD -i tun0 -o eth0 -p udp --dport 465 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 465 -j ACCEPT

# Gmail SMTP StartTLS
-A FORWARD -i tun0 -o eth0 -p udp --dport 587 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 587 -j ACCEPT

# Gmail IMAP SSL
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 993:995 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m multiport -p tcp --dport 993:995 -j ACCEPT

# irc
-A FORWARD -i tun0 -o eth0 -p tcp --dport 7070 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 1338 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 6667 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 6697 -j ACCEPT

# MUD
-A FORWARD -i tun0 -o eth0 -p tcp --dport 2000 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 1843 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 843 -j ACCEPT

# ssh
-A FORWARD -i tun0 -o eth0 -p tcp --dport 22 -j ACCEPT

# vpn
-A FORWARD -i tun0 -o eth0 -p udp --dport 1194 -j ACCEPT

# iOS iMessages, Facetime
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 3478:3487 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -p tcp --dport 5223 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 16384:16387 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m multiport -p udp --dport 16393:16402 -j ACCEPT

# Allow PING from remote hosts.
-A FORWARD -i tun0 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT

###****BEGIN SERVER FIREWALL****###

#Logging
#-A FORWARD -i wlan0 -o eth0 -p tcp --syn -j LOG --log-prefix "syn packet:"

# Loop device.
-A INPUT -i lo -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh
-A INPUT -p tcp --dport 22 -j ACCEPT

# vpn
-A INPUT -p udp --dport 1194 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

COMMIT

Here is the output of "iptables -nvL", showing what actually takes effect: http://pastebin.com/AtZaFDd5 . The fail2ban lines are there because I have fail2ban installed.

Here is the output of "iptables -S", showing what actually takes effect: http://pastebin.com/2aEcZxnQ . Again, the fail2ban lines are there because I have fail2ban installed.
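An added sanity check, not part of the question and not an iptables tool: a small Python linter for an iptables-restore file in the style of the one above. It flags `-i`/`-o` names that are not interfaces on the box (the kind of typo that iptables itself accepts silently), exact duplicate rules, and ESTABLISHED accepts shadowed by an earlier blanket state rule in the same chain; the SAMPLE excerpt is constructed, and rules using `!` negation are not handled.

```python
import shlex

# Constructed excerpt in the style of the post's rules file (not the poster's full file); the 'eth' typo and the repeated 587 rule are deliberate.
SAMPLE = """*filter
:FORWARD DROP
:INPUT DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -p tcp --dport 587 -j ACCEPT
-A FORWARD -i dns1 -o eth -p tcp --dport 587 -j ACCEPT
COMMIT
"""
IFACES = {"lo", "eth0", "wlan0", "tun0", "dns0", "dns1"}  # interfaces named in the post

def parse_rule(line):
    """'-A CHAIN opt val ...' -> (chain, {opt: [values]}); bare flags such as --syn get True."""
    toks = shlex.split(line)
    chain, opts, i = toks[1], {}, 2
    while i < len(toks):
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts.setdefault(toks[i], []).append(toks[i + 1] if has_val else True)
        i += 2 if has_val else 1
    return chain, opts

def lint(text, ifaces=IFACES):
    """Return (line_no, message) findings for the three checks commented below."""
    findings, seen, blanket = [], set(), set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace so duplicates compare equal
        if not line.startswith("-A "):
            continue
        chain, opts = parse_rule(line)
        # 1. -i/-o names that are not interfaces on this box (catches typos like 'eth')
        for flag in ("-i", "-o"):
            for name in opts.get(flag, []):
                if name not in ifaces:
                    findings.append((no, f"{chain}: unknown interface {name!r}"))
        # 2. exact repeat of an earlier rule (same chain, same match, same target)
        if line in seen:
            findings.append((no, f"{chain}: duplicate rule"))
        seen.add(line)
        # 3. an ESTABLISHED accept that a blanket state rule earlier in the chain already covers
        states = ",".join(opts.get("--state", [])).split(",")
        if "ESTABLISHED" in states and opts.get("-j") == ["ACCEPT"]:
            if chain in blanket:
                findings.append((no, f"{chain}: ESTABLISHED rule is shadowed"))
            elif not any(f in opts for f in ("-i", "-o", "-s", "-d", "-p")):
                blanket.add(chain)
    return findings
```

Run `lint(open("/etc/default/iptables").read())` against the real file; every finding is a line worth a second look before the next reboot loads it.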
