由 sbrd 在 05-18-2004 11:38 发表:
请问如何禁止BT下载
公司用的是1Madsl拨号,代理服务器是redhat9,用iptables+squid做的透明代理,最近公司局域网内有人利用BT下载,搞的网速奇慢无比,内存占用率经常是60%,cpu占用率99.9%都是家常便饭,请问怎么样才能让他们无法用bt下载。谢谢。
由 Snoopy 在 05-18-2004 18:42 发表:
bt可以自定义端口吧, ?
And then in the evening light, when the bars of freedom fall
I watch the two of you in the shadows on the wall
How in the darkness steals some of the choices from my hand
Then will I begin to under
由 szkingrose 在 05-20-2004 11:22 发表:
用squid控制不让其下载.torrent不就成了。
由 sbrd 在 05-20-2004 13:12 发表:
禁止不让下载.torrent,但是bt的种子文件也可以通过别的途径传播呀,我看有人说先关掉所有端口,然后在开放需要的端口,这种途径可以,请问谁能告诉我用iptables怎么写这段代码?谢谢
由 7dehao 在 05-20-2004 13:29 发表:
那要看你公司的这台服务器要提供什么服务了。如果不提供服务的话,把所有端口连进来的方向(tcp/udp)都封闭掉,只允许出,这样应该也可以。
提问时,请你附上相关硬件的型号或牌子,linux发行版、软件的名称和版本。
提问前,如果有可能的话,你最需要做的就是把出错信息和相关的日志信息贴上来。
当然,我们十分期望你能浏览一下置顶贴里的内容。
由 dancingpig 在 05-20-2004 13:48 发表:
老生长谈了
反关端口啊
这不更简单啊
由 sbrd 在 05-20-2004 14:14 发表:
所谓会者不难,难者不会,我就是,我对iptables不是很熟悉,还望哪位大哥能告诉我怎么写这段代码。谢谢。
由 7dehao 在 05-20-2004 15:02 发表:
找到一个很好的脚本,你可以略加修改,运行之:
http://www.linux-firewall-tools.com...lone.firewall.1
>
> 源码:
>
> * * *
>
>
> >
> #!/bin/bash
> >
>
> >
> modprobe ip_conntrack_ftp
> >
>
> >
> CONNECTION_TRACKING="1"
> >
> ACCEPT_AUTH="0"
> >
> SSH_SERVER="0"
> >
> FTP_SERVER="0"
> >
> WEB_SERVER="0"
> >
> SSL_SERVER="0"
> >
> DHCP_CLIENT="1"
> >
>
> >
> INTERNET="eth0" # Internet-connected interface
> >
> LOOPBACK_INTERFACE="lo" # however your system names it
> >
> IPADDR="my.ip.address" # your IP address
> >
> SUBNET_BASE="network.address" # ISP network segment base address
> >
> SUBNET_BROADCAST="directed.broadcast" # network segment broadcast address
> >
> MY_ISP="my.isp.address.range" # ISP server & NOC address range
> >
>
> >
> NAMESERVER="isp.name.server.1" # address of a remote name server
> >
> POP_SERVER="isp.pop.server" # address of a remote pop server
> >
> MAIL_SERVER="isp.mail.server" # address of a remote mail gateway
> >
> NEWS_SERVER="isp.news.server" # address of a remote news server
> >
> TIME_SERVER="some.timne.server" # address of a remote time server
> >
> DHCP_SERVER="isp.dhcp.server" # address of your ISP dhcp server
> >
>
> >
> LOOPBACK="127.0.0.0/8" # reserved loopback address range
> >
> CLASS_A="10.0.0.0/8" # class A private networks
> >
> CLASS_B="172.16.0.0/12" # class B private networks
> >
> CLASS_C="192.168.0.0/16" # class C private networks
> >
> CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
> >
> CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
> >
> BROADCAST_SRC="0.0.0.0" # broadcast source address
> >
> BROADCAST_DEST="255.255.255.255" # broadcast destination address
> >
>
> >
> PRIVPORTS="0:1023" # well-known, privileged port range
> >
> UNPRIVPORTS="1024:65535" # unprivileged port range
> >
>
> >
> SSH_PORTS="1024:65535"
> >
>
> >
> NFS_PORT="2049"
> >
> LOCKD_PORT="4045"
> >
> SOCKS_PORT="1080"
> >
> OPENWINDOWS_PORT="2000"
> >
> XWINDOW_PORTS="6000:6063"
> >
> SQUID_PORT="3128"
> >
>
> >
> ###############################################################
> >
>
> >
> # Enable broadcast echo Protection
> >
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> >
>
> >
> # Disable Source Routed Packets
> >
> for f in /proc/sys/net/ipv4/conf//accept_source_route; do
> >
> echo 0 > $f
> >
> done
> >
>
> >
> # Enable TCP SYN Cookie Protection
> >
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> >
>
> >
> # Disable ICMP Redirect Acceptance
> >
> for f in /proc/sys/net/ipv4/conf//accept_redirects; do
> >
> echo 0 > $f
> >
> done
> >
>
> >
> # Don¹t send Redirect Messages
> >
> for f in /proc/sys/net/ipv4/conf//send_redirects; do
> >
> echo 0 > $f
> >
> done
> >
>
> >
> # Drop Spoofed Packets coming in on an interface, which if replied to,
> >
> # would result in the reply going out a different interface.
> >
> for f in /proc/sys/net/ipv4/conf//rp_filter; do
> >
> echo 1 > $f
> >
> done
> >
>
> >
> # Log packets with impossible addresses.
> >
> for f in /proc/sys/net/ipv4/conf//log_martians; do
> >
> echo 1 > $f
> >
> done
> >
>
> >
> ###############################################################
> >
>
> >
> # Remove any existing rules from all chains
> >
> iptables --flush
> >
> iptables -t nat --flush
> >
> iptables -t mangle --flush
> >
>
> >
> # Unlimited traffic on the loopback interface
> >
> iptables -A INPUT -i lo -j ACCEPT
> >
> iptables -A OUTPUT -o lo -j ACCEPT
> >
>
> >
> # Set the default policy to drop
> >
> iptables --policy INPUT DROP
> >
> iptables --policy OUTPUT DROP
> >
> iptables --policy FORWARD DROP
> >
>
> >
> # A bug that showed up as of the Red Hat 7.2 release results
> >
> # in the following 5 default policies breaking the firewall
> >
> # initialization:
> >
>
> >
> # iptables -t nat --policy PREROUTING DROP
> >
> # iptables -t nat --policy OUTPUT DROP
> >
> # iptables -t nat --policy POSTROUTING DROP
> >
>
> >
> # iptables -t mangle --policy PREROUTING DROP
> >
> # iptables -t mangle --policy OUTPUT DROP
> >
>
> >
> # Remove any pre-existing user-defined chains
> >
> iptables --delete-chain
> >
> iptables -t nat --delete-chain
> >
> iptables -t mangle --delete-chain
> >
>
> >
> ###############################################################
> >
> # Stealth Scans and TCP State Flags
> >
>
> >
> # All of the bits are cleared
> >
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> >
>
> >
> # SYN and FIN are both set
> >
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> >
>
> >
> # SYN and RST are both set
> >
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> >
>
> >
> # FIN and RST are both set
> >
> iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
> >
>
> >
> # FIN is the only bit set, without the expected accompanying ACK
> >
> iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
> >
>
> >
> # PSH is the only bit set, without the expected accompanying ACK
> >
> iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
> >
>
> >
> # URG is the only bit set, without the expected accompanying ACK
> >
> iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
> >
>
> >
> ###############################################################
> >
> # Using Connection State to By-pass Rule Checking
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
>
> >
> # Using the state module alone, INVALID will break protocols that use
> >
> # bi-directional connections or multiple connections or exchanges,
> >
> # unless an ALG is provided for the protocol. At this time, FTP and is
> >
> # IRC are the only protocols with ALG support.
> >
>
> >
> iptables -A INPUT -m state --state INVALID -j LOG \
> >
> --log-prefix "INVALID input: "
> >
> iptables -A INPUT -m state --state INVALID -j DROP
> >
>
> >
> iptables -A OUTPUT -m state --state INVALID -j LOG \
> >
> --log-prefix "INVALID ouput: "
> >
> iptables -A OUTPUT -m state --state INVALID -j DROP
> >
> fi
> >
>
> >
> ###############################################################
> >
> # Source Address Spoofing and Other Bad Addresses
> >
>
> >
> # Refuse spoofed packets pretending to be from
> >
> # the external interface's IP address
> >
> iptables -A INPUT -i $INTERNET -s $IPADDR -j DROP
> >
>
> >
> # Refuse packets claiming to be from a Class A private network
> >
> iptables -A INPUT -i $INTERNET -s $CLASS_A -j DROP
> >
>
> >
> # Refuse packets claiming to be from a Class B private network
> >
> iptables -A INPUT -i $INTERNET -s $CLASS_B -j DROP
> >
>
> >
> # Refuse packets claiming to be from a Class C private network
> >
> iptables -A INPUT -i $INTERNET -s $CLASS_C -j DROP
> >
>
> >
> # Refuse packets claiming to be from the loopback interface
> >
> iptables -A INPUT -i $INTERNET -s $LOOPBACK -j DROP
> >
>
> >
> # Refuse malformed broadcast packets
> >
> iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG
> >
> iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
> >
>
> >
> iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j LOG
> >
> iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j DROP
> >
>
> >
> if [ "$DHCP_CLIENT" = "0" ]; then
> >
> # Refuse directed broadcasts
> >
> # Used to map networks and in Denial of Service attacks
> >
> iptables -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
> >
> iptables -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
> >
>
> >
> # Refuse limited broadcasts
> >
> iptables -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
> >
> fi
> >
>
> >
> # Refuse Class D multicast addresses
> >
> # illegal as a source address
> >
> iptables -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP
> >
>
> >
> iptables -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP
> >
>
> >
> iptables -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT
> >
>
> >
> # Refuse Class E reserved IP addresses
> >
> iptables -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
> >
>
> >
> # refuse addresses defined as reserved by the IANA
> >
> # 0... - Can¹t be blocked unilaterally with DHCP
> >
> # 169.254.0.0/16 - Link Local Networks
> >
> # 192.0.2.0/24 - TEST-NET
> >
>
> >
> if [ "$DHCP_CLIENT" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p udp \
> >
> -s $BROADCAST_SRC --sport 67 \
> >
> -d $BROADCAST_DEST --dport 68 -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
> >
> iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
> >
> iptables -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
> >
>
> >
> ###############################################################
> >
> # Disallowing Connections to Common TCP Unprivileged Server Ports
> >
>
> >
> # X Window connection establishment
> >
> iptables -A OUTPUT -o $INTERNET -p tcp --syn \
> >
> --destination-port $XWINDOW_PORTS -j REJECT
> >
>
> >
> # X Window: incoming connection attempt
> >
> iptables -A INPUT -i $INTERNET -p tcp --syn \
> >
> --destination-port $XWINDOW_PORTS -j DROP
> >
>
> >
> # Establishing a connection over TCP to NFS, OpenWindows, SOCKS or squid
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -m multiport --destination-port \
> >
> $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
> >
> --syn -j REJECT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> -m multiport --destination-port \
> >
> $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
> >
> --syn -j DROP
> >
>
> >
> ###############################################################
> >
> # Disallowing Connections to Common UDP Unprivileged Server Ports
> >
>
> >
> # NFS and lockd
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
> >
> -m state --state NEW -j REJECT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p udp \
> >
> -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
> >
> -m state --state NEW -j DROP
> >
> else
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
> >
> -j REJECT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p udp \
> >
> -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
> >
> -j DROP
> >
> fi
> >
>
> >
> ###############################################################
> >
> # DNS Name Server
> >
>
> >
> # DNS Fowarding Name Server or client requests
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $NAMESERVER --dport 53 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $NAMESERVER --dport 53 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p udp \
> >
> -s $NAMESERVER --sport 53 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # TCP is used for large responses
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $NAMESERVER --dport 53 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $NAMESERVER --dport 53 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> -s $NAMESERVER --sport 53 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # DNS Caching Name Server (local server to primary server)
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -s $IPADDR --sport 53 \
> >
> -d $NAMESERVER --dport 53 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -s $IPADDR --sport 53 \
> >
> -d $NAMESERVER --dport 53 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p udp \
> >
> -s $NAMESERVER --sport 53 \
> >
> -d $IPADDR --dport 53 -j ACCEPT
> >
>
> >
> ###############################################################
> >
> # Filtering the AUTH User Identification Service (TCP Port 113)
> >
>
> >
> # Outgoing Local Client Requests to Remote Servers
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 113 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 113 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport 113 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # Incoming Remote Client Requests to Local Servers
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 113 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> if [ "$ACCEPT_AUTH" = "1" ]; then
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 113 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 113 -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport 113 \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
> else
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 113 -j REJECT --reject-with tcp-reset
> >
> fi
> >
>
> >
> ###############################################################
> >
> # Sending Mail to Any External Mail Server
> >
> # Use "-d $MAIL_SERVER" if an ISP mail gateway is used instead
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 25 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 25 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport 25 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> ###############################################################
> >
> # Retrieving Mail as a POP Client (TCP Port 110)
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $POP_SERVER --dport 110 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $POP_SERVER --dport 110 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> -s $POP_SERVER --sport 110 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> ###############################################################
> >
> # Accessing Usenet News Services (TCP NNTP Port 119)
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $NEWS_SERVER --dport 119 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $NEWS_SERVER --dport 119 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> -s $NEWS_SERVER --sport 119 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> ###############################################################
> >
> # ssh (TCP Port 22)
> >
>
> >
> # Outgoing Local Client Requests to Remote Servers
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $SSH_PORTS \
> >
> --dport 22 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $SSH_PORTS \
> >
> --dport 22 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --source-port 22 \
> >
> -d $IPADDR --dport $SSH_PORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # Incoming Remote Client Requests to Local Servers
> >
>
> >
> if [ "$SSH_SERVER" = "1" ]; then
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $SSH_PORTS \
> >
> -d $IPADDR --dport 22 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $SSH_PORTS \
> >
> -d $IPADDR --dport 22 -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport 22 \
> >
> --dport $SSH_PORTS -j ACCEPT
> >
> fi
> >
>
> >
> ###############################################################
> >
> # ftp (TCP Ports 21, 20)
> >
>
> >
> # Outgoing Local Client Requests to Remote Servers
> >
>
> >
> # Outgoing Control Connection to Port 21
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 21 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 21 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport 21 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> # Incoming Port Mode Data Channel Connection from Port 20
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> # This rule is not necessary if the ip_conntrack_ftp
> >
> # module is used.
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport 20 \
> >
> -d $IPADDR --dport $UNPRIVPORTS \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport 20 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 20 -j ACCEPT
> >
>
> >
> # Outgoing Passive Mode Data Channel Connection Between Unprivileveg Ports
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> # This rule is not necessary if the ip_conntrack_ftp
> >
> # module is used.
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # Incoming Remote Client Requests to Local Servers
> >
>
> >
> if [ "$FTP_SERVER" = "1" ]; then
> >
>
> >
> # Incoming Control Connection to Port 21
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 21 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 21 -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport 21 \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> # Outgoing Port Mode Data Channel Connection to Port 20
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport 20\
> >
> --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport 20 \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 20 -j ACCEPT
> >
>
> >
> # Incoming Passive Mode Data Channel Connection Between Unprivileved Ports
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport $UNPRIVPORTS \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
> fi
> >
> ###############################################################
> >
> # HTTP Web Traffic (TCP Port 80)
> >
>
> >
> # Outgoing Local Client Requests to Remote Servers
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 80 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 80 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport 80 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # Incoming Remote Client Requests to Local Servers
> >
>
> >
> if [ "$WEB_SERVER" = "1" ]; then
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 80 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 80 -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport 80 \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
> fi
> >
>
> >
> ###############################################################
> >
> # SSL Web Traffic (TCP Port 443)
> >
>
> >
> # Outgoing Local Client Requests to Remote Servers
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 443 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 443 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport 443 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> #...............................................................
> >
> # Incoming Remote Client Requests to Local Servers
> >
>
> >
> if [ "$SSL_SERVER" = "1" ]; then
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 443 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp \
> >
> --sport $UNPRIVPORTS \
> >
> -d $IPADDR --dport 443 -j ACCEPT
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
> >
> -s $IPADDR --sport 443 \
> >
> --dport $UNPRIVPORTS -j ACCEPT
> >
> fi
> >
>
> >
> ###############################################################
> >
> # whois (TCP Port 43)
> >
>
> >
> # Outgoing Local Client Requests to Remote Servers
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 43 -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p tcp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> --dport 43 -j ACCEPT
> >
>
> >
> iptables -A INPUT -i $INTERNET -p tcp ! --syn \
> >
> --sport 43 \
> >
> -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
> >
>
> >
> ###############################################################
> >
> # Accessing Remote Network Time Servers (UDP 123)
> >
> # Note: some client and servers use source port 123
> >
> # when querying a remote server on destination port 123.
> >
>
> >
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -s $IPADDR --sport $UNPRIVPORTS \
> >
> -d $TIME_SERVER --dport 123 \
> >
> -m state --state NEW -j ACCEPT
> >
> fi
> >
>
> >
> iptables -A OUTPUT -o $INTERNET -p udp \
> >
> -s $IPADDR --sport $UN