外网ip a.x，内网ip c.x
内网ip b.x
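# Generated by iptables-save v1.4.7
# nat table: publishes two backend services behind the public address a.x
# (a.x / b.x / b.x.N are the author's placeholders, see the legend above).
#   a.x:3310      -> b.x:3306
#   <any-dst>:2222 -> b.x:22  (ssh)
# The POSTROUTING SNAT rewrites the client source to a.x so that the backend's
# reply comes back through this host; as a consequence the backend never sees
# the real client address, so per-client limiting has to be done on this host
# (filter table below) rather than on b.x.
# The listing as published had every token separated by spaces; it is restored
# here to the syntax iptables-restore actually accepts.
*nat
:PREROUTING ACCEPT [240124:15466097]
:POSTROUTING ACCEPT [12190495:633906308]
:OUTPUT ACCEPT [12190519:633907556]
-A PREROUTING -d a.x/32 -p tcp -m tcp --dport 3310 -j DNAT --to-destination b.x:3306
# NOTE(review): unlike the 3310 rule this one carries no "-d a.x/32", so it
# matches port 2222 on every destination address entering PREROUTING; confirm
# that is intended, otherwise add the same "-d a.x/32" restriction.
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination b.x:22
-A POSTROUTING -d b.x.1/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.2/32 -p tcp -m tcp --dport 3306 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.3/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.4/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.5/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
-A POSTROUTING -d b.x.6/32 -p tcp -m tcp --dport 22 -j SNAT --to-source a.x
COMMIT
# Completed on Fri Apr 21 17:18:20 2017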
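# Generated by iptables-save v1.4.7
# filter table: host firewall for incoming traffic.
#
# Rule order matters: iptables stops at the first matching rule. The listing as
# published had an unconditional "--dport 80 -j ACCEPT" ahead of the port-80
# connlimit and "recent" rules, which made those limits unreachable; that rule
# is removed here and port 80 is instead accepted by the "--set" rule after the
# limits have been checked. The RELATED,ESTABLISHED rule is moved up so that only
# new connections are counted by the limits.
#
# The INPUT policy is still ACCEPT, so anything not matched below is allowed
# and the ACCEPT rules only act as early exits; the REJECT/DROP rules are what
# actually restricts traffic. Once the list of needed services is complete,
# change ":INPUT ACCEPT" to ":INPUT DROP" and widen the RELATED,ESTABLISHED rule
# to all protocols (it currently matches TCP only, so UDP/ICMP replies rely on
# the ACCEPT policy).
*filter
:INPUT ACCEPT [180932:11563176]
:FORWARD ACCEPT [280525:60883714]
:OUTPUT ACCEPT [24489274:1959801503]
:syn-flood - [0:0]
# Loopback and the trusted 10.0.0.0/8 range are accepted without further checks.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -d 10.0.0.0/8 -j ACCEPT
# Packets of already-established TCP sessions; placed before the limits so the
# connlimit/recent rules below only see new connections.
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SYN-flood protection: every new SYN goes through the rate-limited syn-flood
# chain, then (on eth1) a per-source cap of 30 half-open connections.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 30 --connlimit-mask 32 -j DROP
# HTTP: at most 50 concurrent connections per source address, and at most 30
# new connections per source within 60 seconds (tracked in BAD_HTTP_ACCESS);
# anything under both limits is accepted by the "--set" rule.
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 60 --hitcount 30 --name BAD_HTTP_ACCESS --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -m recent --set --name BAD_HTTP_ACCESS --rsource -j ACCEPT
# SSH: new connections accepted here; see the note below the listing about
# pairing this with fail2ban.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# syn-flood chain: up to 10 SYN/s with a burst of 20 returns to INPUT,
# everything above that is rejected.
-A syn-flood -p tcp -m limit --limit 10/sec --limit-burst 20 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Apr 21 17:18:20 2017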
最好同时使用 fail2ban-0.9.0 来限制 ssh 登录。
本文转自 liqius 51CTO博客,原文链接:http://blog.51cto.com/szgb17/1918295,如需转载请自行联系原作者