ก่อนหน้านี้เราเคยพูดถึงเรื่อง iptables กันไปแล้วว่ามีอะไรยังไงบ้าง มาตอนนี้มาดูกันดีกว่าว่า iptables rule ที่น่าใช้มันมีอะไรบ้าง
Allow Loopback interface
|
1 2 |
-A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT |
Allow Ping
|
1 2 3 |
-A INPUT -i eth0 -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -o eth0 -p icmp -j ACCEPT |
Allow web usage
|
1 2 3 4 5 |
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT |
Allow DNS Usage
|
1 2 |
-A INPUT -i ens3 -s 192.168.1.1 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -o ens3 -d 192.168.1.1 -p udp --dport 53 -m udp -j ACCEPT |
Allow NTP
|
1 2 |
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED --dport 123 -j ACCEPT -A OUTPUT -o eth0 -p udp -m udp --sport 123 -j ACCEPT |
Allow Printing
|
1 2 3 4 |
-A INPUT -p udp -m udp --dport 631 -j ACCEPT -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A OUTPUT -p udp -m udp --sport 631 -j ACCEPT -A OUTPUT -p tcp -m tcp --sport 631 -j ACCEPT |
Allow Email Usage
|
1 2 3 4 5 6 7 8 9 10 11 |
# IMAP -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 993 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --dport 993 -j ACCEPT # POP3 -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 995 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --dport 995 -j ACCEPT # SMTP -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED --sport 465 -j ACCEPT -A OUTPUT -o eth0 -p tcp -m tcp --dport 465 -j ACCEPT |
Allow SSH
|
1 2 3 4 5 6 |
# Input -A INPUT -i ens3 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT -A OUTPUT -o ens3 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT # Output -A OUTPUT -o ens3 -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT -A INPUT -i ens3 -p tcp -m state --state ESTABLISHED --sport 22 -j ACCEPT |
Allow DHCP
|
1 2 |
-A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED --sport 67:68 -j ACCEPT -A OUTPUT -o eth0 -p udp -m udp --dport 67:68 -j ACCEPT |
จากนั้นก็ REJECT ทั้งหมด
|
1 2 3 |
-A INPUT -j REJECT -A FORWARD -j REJECT -A OUTPUT -j REJECT |
|
1 2 3 4 5 |
iptables -A FORWARD -i enp0s5 -o docker0 -p tcp --syn --dport 80:10000 -m conntrack --ctstate NEW -j ACCEPT iptables -A FORWARD -i enp0s5 -o docker0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i docker0 -o enp0s5 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -t nat -A PREROUTING -i enp0s5 -p tcp --dport 80:10000 -j DNAT --to-destination 172.17.0.2 iptables -t nat -A POSTROUTING -o docker0 -p tcp --dport 80 -d 172.17.0.2 -j SNAT --to-source 10.211.55.22 |
|
1 |
iptables -nvL |
LINE@Techsuii.com
