firewall-cmd --zone=public --add-masquerade
firewalld MASQUERADE
Leave a reply
Tag Archives: iptables
openvz limit smtp connection
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s xx.xx.xx.xx/32-p tcp -m multiport --dports 25,587,465 -j LOG --log-prefix "FORWARD:DROP:" --log-level 6
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 465 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 587 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 25 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 465 -j DROP
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 587 -j DROP
-A FORWARD -s xx.xx.xx.xx/32 -p tcp -m tcp --dport 25 -j DROP
masquerade iptables
iptables -t nat -A POSTROUTING -j MASQUERADE
csf enable port
vi /etc/csf/csf.conf
check TCP_IN and TCP_OUT port list and restart csf -r
csf whitelist ip command line
csf -a IP
csf -a IP/24
iptables block user-agent: wordpress
iptables -A INPUT -p tcp –dport 80 -m string –string ‘WordPress’ –algo kmp -j DROP
or
iptables -N WordPress-PingVerify
iptables -I INPUT -p tcp –dport 80 -m string –to 70 –algo bm –string ‘GET /’ -j WordPress-PingVerify
iptables -A WordPress-PingVerify -p tcp –dport 80 -m string –to 80 –algo bm ! –string ‘User-Agent: WordPress/’ -j RETURN
iptables -A WordPress-PingVerify -p tcp –dport 80 -m string –to 300 –algo bm –string ‘verifying pingback from’ -j DROP
iptables -A WordPress-PingVerify -j RETURN
or
iptables -N WordPress-PingBacks
iptables -I INPUT -p tcp –dport 80 -m string –to 70 –algo bm –string ‘GET /’ -j WordPress-PingBacks
iptables -A WordPress-PingBacks -p tcp –dport 80 -m string –to 80 –algo bm ! –string ‘User-Agent: WordPress/’ -j RETURN
iptables -A WordPress-PingBacks -p tcp –dport 80 -j DROP
iptables -A WordPress-PingBacks -j RETURN
SMTP Mail protection has been disabled. All users may make smtp connections.
/scripts/smtpmailgidonly on
SMTP Mail protection has been disabled. All users may make smtp connections.
There was a problem setting up iptables. You either have an older kernel or a broken iptables install, or ipt_owner could not be loaded.
cat /proc/net/ip_tables_matches | grep owner
modprobe xt_owner
/scripts/smtpmailgidonly on
SMTP Mail protection has been enabled.
All outbound SMTP connections will be redirected to localhost except:
uid is root (ports: 25,26,465,587)
uid is cpanel (ports: 25,26,465,587)
gid is mail (ports: 25,26,465,587)
gid is mailman (ports: 25,26,465,587)
iptables block ranges
iptables -A INPUT -s 192.100.165.0/24 -j DROP
iptables -A INPUT -s 192.10.0.0/16 -j DROP
iptables -A INPUT -s 192.0.0.0/8 -j DROP
linux secure smtp
iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
iptables save centos 7
/usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
iptables block outgoing smtp
iptables -I OUTPUT 1 -p tcp --dport 25 -j DROP
iptables -I OUTPUT 1 -p tcp --dport 587 -j DROP
logging iptables packets with ulogd
sudo apt-get install ulogd
If you want log dropped packets, lets do this:
-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j ULOG
-A INPUT -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j DROP
iptables redirect outgoing traffic to local port
iptables -t nat -A OUTPUT -p tcp –dport 80 -j DNAT –to-destination IP:80
apache syn flood
iptables -A INPUT -p tcp ! –syn -m state –state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
also nginx can help as proxy.
centos iptables save rules
iptables-save > /etc/sysconfig/iptables
iptables-restore