
修改iptables設定筆記


最近想在動物機加上https協定
所以必須在iptables加上443 的port
但是…iptables早就忘了

原本設定

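#!/usr/bin/env bash
# Host firewall, IPv4 only: default-deny INPUT, allow the LAN, loopback and
# replies to connections this host opened, then allow HTTP (tcp/80) only from
# a Taiwan source-address allowlist plus the Transmission ports.
#
# ip6tables is a separate rule set and is not touched here, so IPv6 traffic
# (if the host has an IPv6 address) is not filtered by anything below.
#
# The INPUT policy is set to DROP *before* the flush so that an error later in
# the script fails closed rather than open, and `set -e` aborts on the first
# rule that fails instead of silently continuing with a hole in the ruleset.
set -eu

# Fail closed: policy first, then clear any previous rules.
iptables -P INPUT DROP
iptables -F

# Replies to our own connections, the LAN, and loopback.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Source prefixes allowed to reach HTTP (tcp/80), in the original rule order.
# iptables silently masks a prefix to its network address, so every entry here
# must start on its prefix boundary or the enforced range will differ from the
# one written down.
taiwan_http_nets=(
  # Taiwan ISP prefixes
  61.216.0.0/16
  218.160.0.0/14
  210.62.248.0/21
  211.20.0.0/16
  211.72.128.0/17
  211.72.0.0/17
  210.242.0.0/17
  210.71.128.0/17
  203.75.0.0/16
  202.39.128.0/17
  103.25.236.0/22
  1.160.0.0/12
  114.32.0.0/12
  122.120.0.0/13
  60.249.0.0/16
  60.250.0.0/15
  59.124.0.0/14
  220.128.0.0/18
  114.30.32.0/20
  61.217.0.0/16
  61.228.0.0/14
  211.22.0.0/16
  211.21.0.0/16
  211.75.0.0/17
  210.242.128.0/17
  210.61.0.0/16
  203.74.0.0/16
  203.66.0.0/16
  43.255.92.0/22
  1.34.0.0/15
  114.24.0.0/14
  118.160.0.0/13
  122.116.0.0/15
  125.224.0.0/13
  60.248.0.0/16
  175.111.192.0/18
  61.218.0.0/15
  61.220.0.0/14
  211.23.0.0/16
  59.112.0.0/13
  211.75.128.0/17
  210.241.224.0/19
  210.59.128.0/17
  210.65.0.0/16
  203.69.0.0/16
  36.224.0.0/12
  111.240.0.0/12
  118.168.0.0/14
  122.118.0.0/16
  125.232.0.0/15
  168.95.0.0/16
  59.120.0.0/14
  218.168.0.0/13
  61.224.0.0/14
  # "dai taipei" -- NOTE(review): the original comment named 61.70.239.206,
  # which is not inside 115.43.78.0/24; confirm which address is intended.
  115.43.78.0/24
  # Split prefixes
  202.39.0.0/18
  202.39.64.0/19
  # 220.128.0.0/12 replaces the original 220.129.0.0/13, 220.137.0.0/14,
  # 220.141.0.0/15, 220.143.0.0/16, 220.128.64.0/17 and 220.128.192.0/18.
  # Four of those (220.129.0.0/13, 220.137.0.0/14, 220.141.0.0/15,
  # 220.128.64.0/17) do not start on their prefix boundary, so iptables
  # applied them masked (220.129.0.0/13 became 220.128.0.0/13, ...) and the
  # enforced ranges differed from the written ones -- 220.142.0.0/16 was never
  # allowed at all.  Read literally, those six entries plus 220.128.0.0/18
  # above cover exactly 220.128.0.0-220.143.255.255, which is this one block.
  220.128.0.0/12
  # emonme prefixes
  211.79.32.0/20
  221.120.0.0/18
  221.120.64.0/19
  116.59.0.0/16
  114.136.0.0/15
  111.70.0.0/15
  111.80.0.0/14
  223.136.0.0/13
  42.64.0.0/12
)

for net in "${taiwan_http_nets[@]}"; do
  iptables -A INPUT -s "$net" -p tcp --dport 80 -j ACCEPT
done

# To allow HTTP from anywhere instead of the allowlist above, uncomment:
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Transmission: the web UI (tcp/9091) is reachable from the LAN only; the
# peer port range is reachable from anywhere.
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 59999:61000 -j ACCEPT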

最近在COSCUP 2017聽到iptables設定

# COSCUP 2017 pattern: leave the built-in chain policies at ACCEPT and do the
# default deny with an explicit DROP appended as the *last* INPUT rule.
# With the policy at ACCEPT, `iptables -F` leaves the host reachable (no
# lockout) -- but it also leaves it fully open until the terminal DROP is
# appended again, and any rule appended with -A afterwards lands behind the
# DROP and never matches (insert with -I, or re-run the whole script).
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
....
# Terminal default deny: must stay the last INPUT rule.
iptables -A INPUT -j DROP

所以要改一下,還要開放443 port
# Example: append a rule allowing tcp/80 from one Taiwan prefix.
iptables -A INPUT -s 61.216.0.0/16 -p tcp --dport 80 -j ACCEPT
-A（append）是把規則加到該 chain 的最後面：如果 INPUT 已經有 4 條規則，再下一個 -A 指令就會變成第 5 條。要注意：改成最後一條是 `iptables -A INPUT -j DROP` 的寫法之後，之後再用 -A 加的規則會排在 DROP 後面、永遠不會被比對到；要臨時加規則請用 -I（插到最前面），或是修改腳本後整個重跑。

-s 來源
-p 協定（tcp、udp 等），不是 port；目的埠是用 --dport 指定
# -s 0/0 matches any source (same as omitting -s).  If the terminal
# `-A INPUT -j DROP` is already in place, this appended rule lands behind it
# and never matches; use -I instead.
iptables -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT

修改後

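#!/usr/bin/env bash
# Host firewall, IPv4 only, in the "policy ACCEPT + terminal DROP" style:
# the built-in chain policies stay ACCEPT and an explicit `-j DROP` appended
# as the last INPUT rule does the default deny.  HTTP (tcp/80) is allowed
# only from a Taiwan source-address allowlist; HTTPS (tcp/443) and the
# Transmission peer ports are allowed from anywhere.
#
# Anything appended to INPUT later with `-A` lands *after* the terminal DROP
# and never matches: add rules with `-I`, or edit and re-run this script.
#
# ip6tables is a separate rule set and is not touched here, so IPv6 traffic
# (if the host has an IPv6 address) is not filtered by anything below.
set -eu

# Because the policy is ACCEPT, a rule that fails part-way (typo, missing
# module) would abort the script before the terminal DROP is added and leave
# the host wide open.  Append the DROP on error so a failure still fails
# closed.  The host is also open for the few milliseconds between the flush
# and the final rule; use iptables-restore if the apply must be atomic.
trap 'iptables -A INPUT -j DROP' ERR

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Replies to our own connections, the LAN, and loopback.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Source prefixes allowed to reach HTTP (tcp/80), in the original rule order.
# iptables silently masks a prefix to its network address, so every entry here
# must start on its prefix boundary or the enforced range will differ from the
# one written down.
taiwan_http_nets=(
  # Taiwan ISP prefixes
  61.216.0.0/16
  218.160.0.0/14
  210.62.248.0/21
  211.20.0.0/16
  211.72.128.0/17
  211.72.0.0/17
  210.242.0.0/17
  210.71.128.0/17
  203.75.0.0/16
  202.39.128.0/17
  103.25.236.0/22
  1.160.0.0/12
  114.32.0.0/12
  122.120.0.0/13
  60.249.0.0/16
  60.250.0.0/15
  59.124.0.0/14
  220.128.0.0/18
  114.30.32.0/20
  61.217.0.0/16
  61.228.0.0/14
  211.22.0.0/16
  211.21.0.0/16
  211.75.0.0/17
  210.242.128.0/17
  210.61.0.0/16
  203.74.0.0/16
  203.66.0.0/16
  43.255.92.0/22
  1.34.0.0/15
  114.24.0.0/14
  118.160.0.0/13
  122.116.0.0/15
  125.224.0.0/13
  60.248.0.0/16
  175.111.192.0/18
  61.218.0.0/15
  61.220.0.0/14
  211.23.0.0/16
  59.112.0.0/13
  211.75.128.0/17
  210.241.224.0/19
  210.59.128.0/17
  210.65.0.0/16
  203.69.0.0/16
  36.224.0.0/12
  111.240.0.0/12
  118.168.0.0/14
  122.118.0.0/16
  125.232.0.0/15
  168.95.0.0/16
  59.120.0.0/14
  218.168.0.0/13
  61.224.0.0/14
  # "dai taipei" -- NOTE(review): the original comment named 61.70.239.206,
  # which is not inside 115.43.78.0/24; confirm which address is intended.
  115.43.78.0/24
  # Split prefixes
  202.39.0.0/18
  202.39.64.0/19
  # 220.128.0.0/12 replaces the original 220.129.0.0/13, 220.137.0.0/14,
  # 220.141.0.0/15, 220.143.0.0/16, 220.128.64.0/17 and 220.128.192.0/18.
  # Four of those (220.129.0.0/13, 220.137.0.0/14, 220.141.0.0/15,
  # 220.128.64.0/17) do not start on their prefix boundary, so iptables
  # applied them masked (220.129.0.0/13 became 220.128.0.0/13, ...) and the
  # enforced ranges differed from the written ones -- 220.142.0.0/16 was never
  # allowed at all.  Read literally, those six entries plus 220.128.0.0/18
  # above cover exactly 220.128.0.0-220.143.255.255, which is this one block.
  220.128.0.0/12
  # emonme prefixes
  211.79.32.0/20
  221.120.0.0/18
  221.120.64.0/19
  116.59.0.0/16
  114.136.0.0/15
  111.70.0.0/15
  111.80.0.0/14
  223.136.0.0/13
  42.64.0.0/12
)

for net in "${taiwan_http_nets[@]}"; do
  iptables -A INPUT -s "$net" -p tcp --dport 80 -j ACCEPT
done

# To allow HTTP from anywhere instead of the allowlist above, uncomment:
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Transmission: the web UI (tcp/9091) is reachable from the LAN only; the
# peer port range is reachable from anywhere.
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 59999:61000 -j ACCEPT

# HTTPS (tcp/443) from anywhere.  This is not limited to the Taiwan allowlist
# used for tcp/80: if the same web server answers on both ports, the
# allowlist no longer restricts who can reach it -- confirm that is intended.
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Terminal default deny for INPUT.  Keep this last.
iptables -A INPUT -j DROP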

設定完了