so that it does not become a spam sender or some other scapegoat that VPS providers hate.
Keep only the SSH, SQL, DNS, HTTP and HTTPS ports open
Loopback
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
DNS
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
Web / SQL
iptables -A OUTPUT -p tcp -m multiport --dport 80,443,3306 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sport 80,443,3306 -j ACCEPT
Proxy / SSH
iptables -A OUTPUT -p tcp -m multiport --sport 1080,22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 1080,22 -j ACCEPT
User ports
iptables -A OUTPUT -p tcp --sport 50000:60000 -j ACCEPT
iptables -A OUTPUT -p udp --sport 50000:60000 -j ACCEPT
iptables -A INPUT -p tcp --dport 50000:60000 -j ACCEPT
iptables -A INPUT -p udp --dport 50000:60000 -j ACCEPT
Connection limit
iptables -A OUTPUT -p tcp --sport 50000:60000 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport 50000:60000 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
Other
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
Default deny
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
Please change your SSH port away from 22.
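iptables evaluates a chain from top to bottom and stops at the first rule that matches, so a connlimit REJECT appended with -A after an ACCEPT for the same port range is never reached. The script below is an added example, not part of the original post: it models that first-match behaviour for the INPUT chain's user-port rules and compares the two orderings. The client address 203.0.113.10 and port 55000 are constructed sample values, and the simulator implements only the matches these rules use.

```python
from collections import defaultdict

def rule(proto, dports, action, connlimit=None):
    """One chain entry. dports is an inclusive (low, high) range;
    connlimit is the --connlimit-above value, or None for no connlimit match."""
    return {"proto": proto, "dports": dports, "action": action, "connlimit": connlimit}

def evaluate(chain, packets, policy="DROP"):
    """Walk each (proto, src, dport) packet down the chain and stop at the first
    matching rule, like a real iptables chain; unmatched packets get the policy.
    Accepted packets are counted as open connections per source address, which is
    what connlimit counts with its default /32 mask."""
    conns = defaultdict(int)
    verdicts = []
    for proto, src, dport in packets:
        verdict = policy
        for r in chain:
            lo, hi = r["dports"]
            if r["proto"] != proto or not lo <= dport <= hi:
                continue
            # --connlimit-above N matches only when this connection would be the (N+1)th
            if r["connlimit"] is not None and conns[src] + 1 <= r["connlimit"]:
                continue
            verdict = r["action"]
            break
        if verdict == "ACCEPT":
            conns[src] += 1
        verdicts.append(verdict)
    return verdicts

USER_PORTS = (50000, 60000)
ACCEPT_USERS = rule("tcp", USER_PORTS, "ACCEPT")
LIMIT_USERS = rule("tcp", USER_PORTS, "REJECT", connlimit=20)

# Order from the post: the ACCEPT was appended before the connlimit REJECT
AS_POSTED = [ACCEPT_USERS, LIMIT_USERS]
# Connlimit rule first, so the cap is actually enforced
CORRECTED = [LIMIT_USERS, ACCEPT_USERS]

def count_accepted(chain, src="203.0.113.10", n=25):
    """Constructed sample: one client opens n TCP connections to port 55000."""
    return evaluate(chain, [("tcp", src, 55000)] * n).count("ACCEPT")

if __name__ == "__main__":
    print("as posted:", count_accepted(AS_POSTED), "of 25 accepted")   # 25: cap never applies
    print("corrected:", count_accepted(CORRECTED), "of 25 accepted")   # 20: cap enforced
```

On a real host the same fix is to add the connlimit rule with -I (insert at the top) or to append it before the ACCEPT rule for 50000:60000, then confirm the order with iptables -L INPUT -n --line-numbers.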
=====================================
Block other ports
iptables -A OUTPUT -p tcp -m multiport --dport 21,22,23 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -m multiport --dport 21,22,23 -j DROP
=======================================
Block mail ports
iptables -A OUTPUT -p tcp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp -m multiport --dport 993,995,1109,24554,60177,60179 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 993,995,1109,24554,60177,60179 -j DROP
======================================
Restrict access to a whitelist of websites
https://github.com/fifilyu/module-http-whitelist
As for limiting each user's bandwidth, control it with tc!
There is also a way to guard against the box being used for CC attacks or for hosting sensitive keywords: install nginx with a rule on a different port, use iptables NAT to forward port 80 to the port you set so that it handles the content, then install Yunsuo (云锁, which inspects nginx). That gives you some protection.