Common iptables policies for a Linux VPS server

  • 2020-05-30 21:45:47
  • OfStack

A VPS exposed directly on the public internet always feels a bit unsafe, so I have to take some measures to harden the server; security first. The Linux firewall is a good tool, but I have not written a firewall policy in over a year and have forgotten most of it, so I am going back through my notes to get the feel back.
The services currently open on this VPS are ssh, ftp, pptpd, shadowsocks and so on.
The firewall's default policy is DROP.
Firewall policy configuration:


[root@vultr scripts]# cat iptables.sh 
#!/bin/bash
# date: 2017-04-10
# author: xjh
# Debug tracing
#set -x
# Clear all existing rules, user chains and counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Set the default policies: drop everything that is not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow established and related connections (the OUTPUT rule only covers TCP)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow outbound DNS queries
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Open the shadowsocks proxy ports
iptables -A INPUT -p tcp -m multiport --dports 8080,8081,8082 -m state --state NEW -j ACCEPT
# The OUTPUT chain defaults to DROP, and the shadowsocks service connects out from random ports;
# no better way for now than to allow destination ports 80 and 443
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Open the ftp service ports (an ftp policy also needs the ftp connection-tracking
# helper module, e.g. nf_conntrack_ftp, loaded)
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
# Open the ssh port and limit the login rate: the 5th and later new connections
# from one source within 300 seconds are dropped
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Open the pptpd VPN (GRE and tcp/1723) and forward/NAT the VPN subnet
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.1.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.0.1.0/24 -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source 45.76.210.222
# Clamp the MSS so the MTU works with Windows pptp clients
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -s 10.0.1.0/24 -j TCPMSS --set-mss 1400
# Save the configuration
/etc/init.d/iptables save
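A policy like this is easy to break silently with a later edit (a chain policy flipped back to ACCEPT, the ssh DROP rule lost, the ESTABLISHED rule moved below a NEW rule). The audit below is an added example, not part of the original post or the author's script: it reads a dump in iptables-save format (on the real box you would feed it `iptables-save` output) and checks the properties the script relies on. Both dumps embedded here are constructed for the example, modelled on the script's rules, and are not real output from the author's server.

```shell
# Audit an iptables-save style dump for the properties the policy above depends on.
# GOOD_RULES is a constructed dump modelled on the script's INPUT/OUTPUT rules.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,8081,8082 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# BAD_RULES is the same constructed dump with two regressions:
# the OUTPUT policy left at ACCEPT and the ssh rate-limit DROP rule deleted.
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | sed -e 's/^:OUTPUT DROP/:OUTPUT ACCEPT/' -e '/-m recent --update/d')

# Print the default policy of a chain ($2) from the ":CHAIN POLICY [pkts:bytes]" header lines.
chain_policy() {
  printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# Return 0 if chain $2 has an ACCEPT rule whose --dport/--dports list contains port $3.
# The port is matched as a whole list element, so 22 does not match 2 or 8022.
port_opened() {
  printf '%s\n' "$1" | grep -e "^-A $2 " | grep -e "-j ACCEPT" |
    grep -qE -e "--dports? ([0-9]+,)*$3(,[0-9]+)*( |\$)"
}

# Return 0 if the first state rule in chain $2 is the ESTABLISHED,RELATED accept,
# i.e. it comes before any rule that accepts NEW connections.
established_first() {
  first=$(printf '%s\n' "$1" | grep -e "^-A $2 " | grep -n -e "ESTABLISHED" -e "state NEW" | head -n 1)
  case "$first" in
    *ESTABLISHED*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if ssh has a recent-module rate limit: a "--set" rule plus an
# "--update ... -j DROP" rule on port 22 in INPUT.
ssh_rate_limited() {
  printf '%s\n' "$1" | grep -e "^-A INPUT " | grep -e "--dport 22 " | grep -q -e "-m recent --set" &&
  printf '%s\n' "$1" | grep -e "^-A INPUT " | grep -e "--dport 22 " | grep -e "-m recent --update" | grep -q -e "-j DROP"
}

# Run every check, print each failure, and return the number of failed checks.
audit_rules() {
  fails=0
  for chain in INPUT OUTPUT FORWARD; do
    [ "$(chain_policy "$1" "$chain")" = DROP ] || { echo "FAIL: $chain policy is not DROP"; fails=$((fails+1)); }
  done
  established_first "$1" INPUT || { echo "FAIL: INPUT ESTABLISHED,RELATED rule is not ahead of NEW rules"; fails=$((fails+1)); }
  printf '%s\n' "$1" | grep -q -e "^-A INPUT -i lo -j ACCEPT" || { echo "FAIL: loopback not accepted"; fails=$((fails+1)); }
  for p in 22 21 8080; do
    port_opened "$1" INPUT "$p" || { echo "FAIL: tcp port $p is not opened"; fails=$((fails+1)); }
  done
  ssh_rate_limited "$1" || { echo "FAIL: ssh has no recent-module rate limit"; fails=$((fails+1)); }
  return $fails
}

# Stand-alone run: the good dump passes, the bad dump reports two failures.
audit_rules "$GOOD_RULES" && echo "good dump: all checks passed"
audit_rules "$BAD_RULES" || echo "bad dump: $? check(s) failed"
```

The checks are deliberately structural rather than a full simulation of packet matching: rule order is what makes the ESTABLISHED rule and the recent-module DROP effective, so the audit verifies order, not just presence.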

I keep finding holes and filling them in, and it feels like I am getting the hang of it again; I will keep revising and improving this policy.