iptables防火墙只允许指定ip连接指定端口、访问指定网站iptables只允许指定ip访问本机的指定端口

需要开80端口，指定IP和局域网

下面三行的意思：

先关闭所有的80端口

开启ip段192.168.1.0/24端的80口

开启ip段211.123.16.123/24端ip段的80口

#iptables-IINPUT-ptcp--dport80-jDROP
#iptables-IINPUT-s192.168.1.0/24-ptcp--dport80-jACCEPT
#iptables-IINPUT-s211.123.16.123/24-ptcp--dport80-jACCEPT

以上是临时设置。

1.先备份iptables

#cp/etc/sysconfig/iptables/var/tmp

2.然后保存iptables

#serviceiptablessave

3.重启防火墙

#serviceiptablesrestart

以下是端口，先全部封再开某些的IP

iptables-IINPUT-ptcp--dport9889-jDROP
iptables-IINPUT-s192.168.1.0/24-ptcp--dport9889-jACCEPT
如果用了NAT转发记得配合以下才能生效

iptables-IFORWARD-ptcp--dport80-jDROP
iptables-IFORWARD-s192.168.1.0/24-ptcp--dport80-jACCEPT

常用的IPTABLES规则如下：

只能收发邮件，别的都关闭
iptables-IFilter-mmac--mac-source00:0F:EA:25:51:37-jDROP
iptables-IFilter-mmac--mac-source00:0F:EA:25:51:37-pudp--dport53-jACCEPT
iptables-IFilter-mmac--mac-source00:0F:EA:25:51:37-ptcp--dport25-jACCEPT
iptables-IFilter-mmac--mac-source00:0F:EA:25:51:37-ptcp--dport110-jACCEPT

IPSECNAT策略
iptables-IPFWanPriv-d192.168.100.2-jACCEPT
iptables-tnat-APREROUTING-ptcp--dport80-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.2:80

iptables-tnat-APREROUTING-ptcp--dport1723-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.2:1723

iptables-tnat-APREROUTING-pudp--dport1723-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.2:1723

iptables-tnat-APREROUTING-pudp--dport500-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.2:500

iptables-tnat-APREROUTING-pudp--dport4500-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.2:4500

FTP服务器的NAT
iptables-IPFWanPriv-ptcp--dport21-d192.168.100.200-jACCEPT
iptables-tnat-APREROUTING-ptcp--dport21-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.200:21

只允许访问指定网址
iptables-AFilter-pudp--dport53-jACCEPT
iptables-AFilter-ptcp--dport53-jACCEPT
iptables-AFilter-dwww.3322.org-jACCEPT
iptables-AFilter-dimg.cn99.com-jACCEPT
iptables-AFilter-jDROP

开放一个IP的一些端口，其它都封闭
iptables-AFilter-ptcp--dport80-s192.168.100.200-dwww.pconline.com.cn-jACCEPT
iptables-AFilter-ptcp--dport25-s192.168.100.200-jACCEPT
iptables-AFilter-ptcp--dport109-s192.168.100.200-jACCEPT
iptables-AFilter-ptcp--dport110-s192.168.100.200-jACCEPT
iptables-AFilter-ptcp--dport53-jACCEPT
iptables-AFilter-pudp--dport53-jACCEPT
iptables-AFilter-jDROP

多个端口
iptables-AFilter-ptcp-mmultiport--destination-port22,53,80,110-s192.168.20.3-jREJECT

连续端口
iptables-AFilter-ptcp-mmultiport--source-port22,53,80,110-s192.168.20.3-jREJECTiptables-AFilter-ptcp--source-port2:80-s192.168.20.3-jREJECT

指定时间上网
iptables-AFilter-s10.10.10.253-mtime--timestart6:00--timestop11:00--daysMon,Tue,Wed,Thu,Fri,Sat,Sun-jDROP
iptables-AFilter-mtime--timestart12:00--timestop13:00--daysMon,Tue,Wed,Thu,Fri,Sat,Sun-jACCEPT
iptables-AFilter-mtime--timestart17:30--timestop8:30--daysMon,Tue,Wed,Thu,Fri,Sat,Sun-jACCEPT

禁止多个端口服务
iptables-AFilter-mmultiport-ptcp--dport21,23,80-jACCEPT

将WAN口NAT到PC
iptables-tnat-APREROUTING-i$INTERNET_IF-d$INTERNET_ADDR-jDNAT--to-destination192.168.0.1

将WAN口8000端口NAT到192。168。100。200的80端口
iptables-tnat-APREROUTING-ptcp--dport8000-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.200:80

MAIL服务器要转的端口
iptables-tnat-APREROUTING-ptcp--dport110-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.200:110
iptables-tnat-APREROUTING-ptcp--dport25-d$INTERNET_ADDR-jDNAT--to-destination192.168.100.200:25

只允许PING202。96。134。133,别的服务都禁止
iptables-AFilter-picmp-s192.168.100.200-d202.96.134.133-jACCEPT
iptables-AFilter-jDROP

禁用BT配置
iptables–AFilter–ptcp–dport6000:20000–jDROP

禁用QQ防火墙配置
iptables-AFilter-pudp--dport!53-jDROP
iptables-AFilter-d218.17.209.0/24-jDROP
iptables-AFilter-d218.18.95.0/24-jDROP
iptables-AFilter-d219.133.40.177-jDROP

基于MAC，只能收发邮件，其它都拒绝
iptables-IFilter-mmac--mac-source00:0A:EB:97:79:A1-jDROP
iptables-IFilter-mmac--mac-source00:0A:EB:97:79:A1-ptcp--dport25-jACCEPT
iptables-IFilter-mmac--mac-source00:0A:EB:97:79:A1-ptcp--dport110-jACCEPT

禁用MSN配置
iptables-AFilter-pudp--dport9-jDROP
iptables-AFilter-ptcp--dport1863-jDROP
iptables-AFilter-ptcp--dport80-d207.68.178.238-jDROP
iptables-AFilter-ptcp--dport80-d207.46.110.0/24-jDROP

只允许PING202。96。134。133其它公网IP都不许PING
iptables-AFilter-picmp-s192.168.100.200-d202.96.134.133-jACCEPT
iptables-AFilter-picmp-jDROP

禁止某个MAC地址访问internet:
iptables-IFilter-mmac--mac-source00:20:18:8F:72:F8-jDROP

禁止某个IP地址的PING:
iptables–AFilter–picmp–s192.168.0.1–jDROP

禁止某个IP地址服务：
iptables–AFilter-ptcp-s192.168.0.1--dport80-jDROP
iptables–AFilter-pudp-s192.168.0.1--dport53-jDROP

只允许某些服务，其他都拒绝(2条规则)
iptables-AFilter-ptcp-s192.168.0.1--dport1000-jACCEPT
iptables-AFilter-jDROP

禁止某个IP地址的某个端口服务
iptables-AFilter-ptcp-s10.10.10.253--dport80-jACCEPT
iptables-AFilter-ptcp-s10.10.10.253--dport80-jDROP

禁止某个MAC地址的某个端口服务

iptables-IFilter-ptcp-mmac--mac-source00:20:18:8F:72:F8--dport80-jDROP

禁止某个MAC地址访问internet:
iptables-IFilter-mmac--mac-source00:11:22:33:44:55-jDROP

禁止某个IP地址的PING:
iptables–AFilter–picmp–s192.168.0.1–jDROP