کد PHP:
#flush tables /usr/sbin/iptables -F # DUMP /usr/sbin/iptables -N DUMP > /dev/null /usr/sbin/iptables -F DUMP /usr/sbin/iptables -A DUMP -p tcp -j LOG /usr/sbin/iptables -A DUMP -p udp -j LOG /usr/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset /usr/sbin/iptables -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable /usr/sbin/iptables -A DUMP -j DROP # Stateful table /sbin/iptables -N STATEFUL > /dev/null /sbin/iptables -F STATEFUL /sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A STATEFUL -m state --state NEW -i ! eth0 -j ACCEPT /sbin/iptables -A STATEFUL -j DUMP # loopback rules /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A OUTPUT -o lo -j ACCEPT # drop reserved addresses incoming (these are reserved addresses # but may change soon /sbin/iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 1.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 2.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 5.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 7.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 23.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 27.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 31.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 36.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 39.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 41.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 42.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 58.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 59.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 60.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 197.0.0.0/8 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 224.0.0.0/3 -j DUMP /sbin/iptables -A INPUT -i eth0 -s 240.0.0.0/8 -j DUMP #set iptables to allow everything from my work network /usr/sbin/iptables -A INPUT -i eth1 -p all -s 160.86.0.0/16 -j ACCEPT /usr/sbin/iptables -A INPUT -i eth1 -p all -j DROP # allow certain inbound ICMP types (ping, traceroute..) /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT /sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT # Drop all packets to port 111 except those from localhost /usr/sbin/iptables -A INPUT -s !127.0.0.0/8 -p tcp --dport 111 -j DROP # kill off identd quick /sbin/iptables -A INPUT -p tcp -i eth0 --dport 113 -j REJECT --reject-with tcp-reset # sfs /sbin/iptables -A INPUT -p tcp -i eth0 --dport 4 -j ACCEPT # ftp /sbin/iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT /sbin/iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT # ssh /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT /sbin/iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT # www /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT /sbin/iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT # https /sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT /sbin/iptables -A INPUT -p udp -i eth0 --dport 443 -j ACCEPT # Don't log route packets coming from routers - too much logging /sbin/iptables -A INPUT -p udp -i eth0 --dport 520 -j REJECT # Don't log smb/windows sharing packets - too much logging /sbin/iptables -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT /sbin/iptables -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
پاسخ : مشکل iptables به kernel
