请问如何禁止BT下载

sbrd

公司用的是1Madsl拨号，代理服务器是redhat9，用iptables+squid做的透明代理，最近公司局域网内有人利用BT下载，搞的网速奇慢无比，内存占用率经常是60%，cpu占用率99.9%都是家常便饭，请问怎么样才能让他们无法用bt下载。谢谢。

Snoopy

bt可以自定义端口吧, ?

szkingrose

用squid控制不让其下载.torrent不就成了。

sbrd

禁止不让下载.torrent，但是bt的种子文件也可以通过别的途径传播呀，我看有人说先关掉所有端口，然后在开放需要的端口，这种途径可以，请问谁能告诉我用iptables怎么写这段代码？谢谢

7dehao

那要看你公司的这台服务器要提供什么服务了。如果不提供服务的话，把所有端口连进来的方向(tcp/udp)都封闭掉，只允许出，这样应该也可以。

dancingpig

老生长谈了
反关端口啊
这不更简单啊

sbrd

所谓会者不难，难者不会，我就是，我对iptables不是很熟悉，还望哪位大哥能告诉我怎么写这段代码。谢谢。

7dehao

找到一个很好的脚本，你可以略加修改，运行之：

http://www.linux-firewall-tools. ... andalone.firewall.1

1. 
   
2. #!/bin/bash
   
3. 
   
4. modprobe ip_conntrack_ftp
   
5. 
   
6. CONNECTION_TRACKING="1"
   
7. ACCEPT_AUTH="0"
   
8. SSH_SERVER="0"
   
9. FTP_SERVER="0"
   
10. WEB_SERVER="0"
    
11. SSL_SERVER="0"
    
12. DHCP_CLIENT="1"
    
13. 
    
14. INTERNET="eth0"                      # Internet-connected interface
    
15. LOOPBACK_INTERFACE="lo"              # however your system names it
    
16. IPADDR="my.ip.address"               # your IP address
    
17. SUBNET_BASE="network.address"        # ISP network segment base address
    
18. SUBNET_BROADCAST="directed.broadcast" # network segment broadcast address
    
19. MY_ISP="my.isp.address.range"        # ISP server & NOC address range
    
20. 
    
21. NAMESERVER="isp.name.server.1"       # address of a remote name server
    
22. POP_SERVER="isp.pop.server"          # address of a remote pop server
    
23. MAIL_SERVER="isp.mail.server"        # address of a remote mail gateway
    
24. NEWS_SERVER="isp.news.server"        # address of a remote news server
    
25. TIME_SERVER="some.timne.server"      # address of a remote time server
    
26. DHCP_SERVER="isp.dhcp.server"        # address of your ISP dhcp server
    
27. 
    
28. LOOPBACK="127.0.0.0/8"               # reserved loopback address range
    
29. CLASS_A="10.0.0.0/8"                 # class A private networks
    
30. CLASS_B="172.16.0.0/12"              # class B private networks
    
31. CLASS_C="192.168.0.0/16"             # class C private networks
    
32. CLASS_D_MULTICAST="224.0.0.0/4"      # class D multicast addresses
    
33. CLASS_E_RESERVED_NET="240.0.0.0/5"   # class E reserved addresses
    
34. BROADCAST_SRC="0.0.0.0"              # broadcast source address
    
35. BROADCAST_DEST="255.255.255.255"     # broadcast destination address
    
36. 
    
37. PRIVPORTS="0:1023"                   # well-known, privileged port range
    
38. UNPRIVPORTS="1024:65535"             # unprivileged port range
    
39. 
    
40. SSH_PORTS="1024:65535"
    
41. 
    
42. NFS_PORT="2049"
    
43. LOCKD_PORT="4045"
    
44. SOCKS_PORT="1080"
    
45. OPENWINDOWS_PORT="2000"
    
46. XWINDOW_PORTS="6000:6063"
    
47. SQUID_PORT="3128"
    
48. 
    
49. ###############################################################
    
50. 
    
51. # Enable broadcast echo Protection
    
52. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
53. 
    
54. # Disable Source Routed Packets
    
55. for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    
56.     echo 0 > $f
    
57. done
    
58. 
    
59. # Enable TCP SYN Cookie Protection
    
60. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    
61. 
    
62. # Disable ICMP Redirect Acceptance
    
63. for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    
64.     echo 0 > $f
    
65. done
    
66. 
    
67. # Don¹t send Redirect Messages
    
68. for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    
69.     echo 0 > $f
    
70. done
    
71. 
    
72. # Drop Spoofed Packets coming in on an interface, which if replied to,
    
73. # would result in the reply going out a different interface.
    
74. for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    
75.     echo 1 > $f
    
76. done
    
77. 
    
78. # Log packets with impossible addresses.
    
79. for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    
80.     echo 1 > $f
    
81. done
    
82. 
    
83. ###############################################################
    
84. 
    
85. # Remove any existing rules from all chains
    
86. iptables --flush
    
87. iptables -t nat --flush
    
88. iptables -t mangle --flush
    
89. 
    
90. # Unlimited traffic on the loopback interface
    
91. iptables -A INPUT  -i lo -j ACCEPT
    
92. iptables -A OUTPUT -o lo -j ACCEPT
    
93. 
    
94. # Set the default policy to drop
    
95. iptables --policy INPUT   DROP
    
96. iptables --policy OUTPUT  DROP
    
97. iptables --policy FORWARD DROP
    
98. 
    
99. # A bug that showed up as of the Red Hat 7.2 release results
    
100. # in the following 5 default policies breaking the firewall
     
101. # initialization:
     
102. 
     
103. # iptables -t nat --policy PREROUTING  DROP
     
104. # iptables -t nat --policy OUTPUT DROP
     
105. # iptables -t nat --policy POSTROUTING DROP
     
106. 
     
107. # iptables -t mangle --policy PREROUTING DROP
     
108. # iptables -t mangle --policy OUTPUT DROP
     
109. 
     
110. # Remove any pre-existing user-defined chains
     
111. iptables --delete-chain
     
112. iptables -t nat --delete-chain
     
113. iptables -t mangle --delete-chain
     
114. 
     
115. ###############################################################
     
116. # Stealth Scans and TCP State Flags
     
117. 
     
118. # All of the bits are cleared
     
119. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
     
120. 
     
121. # SYN and FIN are both set
     
122. iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
     
123. 
     
124. # SYN and RST are both set
     
125. iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
     
126. 
     
127. # FIN and RST are both set
     
128. iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
     
129. 
     
130. # FIN is the only bit set, without the expected accompanying ACK
     
131. iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
     
132. 
     
133. # PSH is the only bit set, without the expected accompanying ACK
     
134. iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
     
135. 
     
136. # URG is the only bit set, without the expected accompanying ACK
     
137. iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
     
138. 
     
139. ###############################################################
     
140. # Using Connection State to By-pass Rule Checking
     
141. 
     
142. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
143.     iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
     
144.     iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     
145. 
     
146.     # Using the state module alone, INVALID will break protocols that use
     
147.     # bi-directional connections or multiple connections or exchanges,
     
148.     # unless an ALG is provided for the protocol. At this time, FTP and is
     
149.     # IRC are the only protocols with ALG support.
     
150. 
     
151.     iptables -A INPUT -m state --state INVALID -j LOG \
     
152.              --log-prefix "INVALID input: "
     
153.     iptables -A INPUT -m state --state INVALID -j DROP
     
154. 
     
155.     iptables -A OUTPUT -m state --state INVALID -j LOG \
     
156.              --log-prefix "INVALID ouput: "
     
157.     iptables -A OUTPUT -m state --state INVALID -j DROP
     
158. fi
     
159. 
     
160. ###############################################################
     
161. # Source Address Spoofing and Other Bad Addresses
     
162. 
     
163. # Refuse spoofed packets pretending to be from
     
164. # the external interface's IP address
     
165. iptables -A INPUT  -i $INTERNET -s $IPADDR -j DROP
     
166. 
     
167. # Refuse packets claiming to be from a Class A private network
     
168. iptables -A INPUT  -i $INTERNET -s $CLASS_A -j DROP
     
169. 
     
170. # Refuse packets claiming to be from a Class B private network
     
171. iptables -A INPUT  -i $INTERNET -s $CLASS_B -j DROP
     
172. 
     
173. # Refuse packets claiming to be from a Class C private network
     
174. iptables -A INPUT  -i $INTERNET -s $CLASS_C -j DROP
     
175. 
     
176. # Refuse packets claiming to be from the loopback interface
     
177. iptables -A INPUT  -i $INTERNET -s $LOOPBACK -j DROP
     
178. 
     
179. # Refuse malformed broadcast packets
     
180. iptables -A INPUT  -i $INTERNET -s $BROADCAST_DEST -j LOG
     
181. iptables -A INPUT  -i $INTERNET -s $BROADCAST_DEST -j DROP
     
182. 
     
183. iptables -A INPUT  -i $INTERNET -d $BROADCAST_SRC  -j LOG
     
184. iptables -A INPUT  -i $INTERNET -d $BROADCAST_SRC  -j DROP  
     
185. 
     
186. if [ "$DHCP_CLIENT" = "0" ]; then
     
187.     # Refuse directed broadcasts
     
188.     # Used to map networks and in Denial of Service attacks
     
189.     iptables -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
     
190.     iptables -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
     
191. 
     
192.     # Refuse limited broadcasts
     
193.     iptables -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
     
194. fi
     
195. 
     
196. # Refuse Class D multicast addresses
     
197. # illegal as a source address
     
198. iptables -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP
     
199. 
     
200. iptables -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP
     
201. 
     
202. iptables -A INPUT  -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT
     
203. 
     
204. # Refuse Class E reserved IP addresses
     
205. iptables -A INPUT  -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
     
206. 
     
207. # refuse addresses defined as reserved by the IANA
     
208. # 0.*.*.*          - Can¹t be blocked unilaterally with DHCP
     
209. # 169.254.0.0/16   - Link Local Networks
     
210. # 192.0.2.0/24     - TEST-NET
     
211. 
     
212. if [ "$DHCP_CLIENT" = "1" ]; then
     
213.     iptables -A INPUT  -i $INTERNET -p udp \
     
214.              -s $BROADCAST_SRC --sport 67 \
     
215.              -d $BROADCAST_DEST --dport 68 -j ACCEPT
     
216. fi
     
217. 
     
218. iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
     
219. iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
     
220. iptables -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
     
221. 
     
222. ###############################################################
     
223. # Disallowing Connections to Common TCP Unprivileged Server Ports
     
224. 
     
225. # X Window connection establishment
     
226. iptables -A OUTPUT -o $INTERNET -p tcp --syn \
     
227.          --destination-port $XWINDOW_PORTS -j REJECT
     
228. 
     
229. # X Window: incoming connection attempt
     
230. iptables -A INPUT -i $INTERNET -p tcp --syn \
     
231.          --destination-port $XWINDOW_PORTS -j DROP
     
232. 
     
233. # Establishing a connection over TCP to NFS, OpenWindows, SOCKS or squid
     
234. iptables -A OUTPUT -o $INTERNET -p tcp \
     
235.          -m multiport --destination-port \
     
236.          $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
     
237.          --syn -j REJECT
     
238. 
     
239. iptables -A INPUT -i $INTERNET -p tcp \
     
240.          -m multiport --destination-port \
     
241.          $NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT \
     
242.          --syn -j DROP
     
243. 
     
244. ###############################################################
     
245. # Disallowing Connections to Common UDP Unprivileged Server Ports
     
246. 
     
247. # NFS and lockd
     
248. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
249.     iptables -A OUTPUT -o $INTERNET -p udp \
     
250.              -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
     
251.              -m state --state NEW -j REJECT
     
252. 
     
253.     iptables -A INPUT -i $INTERNET -p udp \
     
254.              -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
     
255.              -m state --state NEW -j DROP
     
256. else
     
257.     iptables -A OUTPUT -o $INTERNET -p udp \
     
258.              -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
     
259.              -j REJECT
     
260. 
     
261.     iptables -A INPUT -i $INTERNET -p udp \
     
262.              -m multiport --destination-port $NFS_PORT,$LOCKD_PORT \
     
263.              -j DROP
     
264. fi
     
265. 
     
266. ###############################################################
     
267. # DNS Name Server
     
268. 
     
269. # DNS Fowarding Name Server or client requests
     
270. 
     
271. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
272.     iptables -A OUTPUT -o $INTERNET -p udp \
     
273.              -s $IPADDR --sport $UNPRIVPORTS \
     
274.              -d $NAMESERVER --dport 53 \
     
275.              -m state --state NEW -j ACCEPT
     
276. fi
     
277. 
     
278. iptables -A OUTPUT -o $INTERNET -p udp \
     
279.          -s $IPADDR --sport $UNPRIVPORTS \
     
280.          -d $NAMESERVER --dport 53 -j ACCEPT
     
281. 
     
282. iptables -A INPUT  -i $INTERNET -p udp \
     
283.          -s $NAMESERVER --sport 53 \
     
284.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
285. 
     
286. #...............................................................
     
287. # TCP is used for large responses
     
288. 
     
289. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
290.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
291.              -s $IPADDR --sport $UNPRIVPORTS \
     
292.              -d $NAMESERVER --dport 53 \
     
293.              -m state --state NEW -j ACCEPT
     
294. fi
     
295. 
     
296. iptables -A OUTPUT -o $INTERNET -p tcp \
     
297.          -s $IPADDR --sport $UNPRIVPORTS \
     
298.          -d $NAMESERVER --dport 53 -j ACCEPT
     
299. 
     
300. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
301.          -s $NAMESERVER --sport 53 \
     
302.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
303. 
     
304. #...............................................................
     
305. # DNS Caching Name Server (local server to primary server)
     
306. 
     
307. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
308.     iptables -A OUTPUT -o $INTERNET -p udp \
     
309.              -s $IPADDR --sport 53 \
     
310.              -d $NAMESERVER --dport 53 \
     
311.              -m state --state NEW -j ACCEPT
     
312. fi
     
313. 
     
314. iptables -A OUTPUT -o $INTERNET -p udp \
     
315.          -s $IPADDR --sport 53 \
     
316.          -d $NAMESERVER --dport 53 -j ACCEPT
     
317. 
     
318. iptables -A INPUT  -i $INTERNET -p udp \
     
319.          -s $NAMESERVER --sport 53 \
     
320.          -d $IPADDR --dport 53 -j ACCEPT
     
321. 
     
322. ###############################################################
     
323. # Filtering the AUTH User Identification Service (TCP Port 113)
     
324. 
     
325. # Outgoing Local Client Requests to Remote Servers
     
326. 
     
327. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
328.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
329.              -s $IPADDR --sport $UNPRIVPORTS \
     
330.              --dport 113 -m state --state NEW -j ACCEPT
     
331. fi
     
332. 
     
333. iptables -A OUTPUT -o $INTERNET -p tcp \
     
334.          -s $IPADDR --sport $UNPRIVPORTS \
     
335.          --dport 113 -j ACCEPT
     
336. 
     
337. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
338.          --sport 113 \
     
339.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
340. 
     
341. #...............................................................
     
342. # Incoming Remote Client Requests to Local Servers
     
343. 
     
344. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
345.     iptables -A INPUT  -i $INTERNET -p tcp \
     
346.              --sport $UNPRIVPORTS \
     
347.              -d $IPADDR --dport 113 \
     
348.              -m state --state NEW -j ACCEPT
     
349. fi
     
350. 
     
351. if [ "$ACCEPT_AUTH" = "1" ]; then
     
352.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
353.         iptables -A INPUT  -i $INTERNET -p tcp \
     
354.                  --sport $UNPRIVPORTS \
     
355.                  -d $IPADDR --dport 113 \
     
356.                  -m state --state NEW -j ACCEPT
     
357.     fi
     
358. 
     
359.     iptables -A INPUT  -i $INTERNET -p tcp \
     
360.              --sport $UNPRIVPORTS \
     
361.              -d $IPADDR --dport 113 -j ACCEPT
     
362. 
     
363.     iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
364.              -s $IPADDR --sport 113 \
     
365.              --dport $UNPRIVPORTS -j ACCEPT
     
366. else
     
367.     iptables -A INPUT -i $INTERNET -p tcp \
     
368.              --sport $UNPRIVPORTS \
     
369.              -d $IPADDR --dport 113 -j REJECT --reject-with tcp-reset
     
370. fi
     
371. 
     
372. ###############################################################
     
373. # Sending Mail to Any External Mail Server
     
374. # Use "-d $MAIL_SERVER" if an ISP mail gateway is used instead
     
375. 
     
376. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
377.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
378.              -s $IPADDR --sport $UNPRIVPORTS \
     
379.              --dport 25 -m state --state NEW -j ACCEPT
     
380. fi
     
381. 
     
382. iptables -A OUTPUT -o $INTERNET -p tcp \
     
383.          -s $IPADDR --sport $UNPRIVPORTS \
     
384.          --dport 25 -j ACCEPT
     
385. 
     
386. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
387.          --sport 25 \
     
388.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
389. 
     
390. ###############################################################
     
391. # Retrieving Mail as a POP Client (TCP Port 110)
     
392. 
     
393. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
394.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
395.              -s $IPADDR --sport $UNPRIVPORTS \
     
396.              -d $POP_SERVER --dport 110 -m state --state NEW -j ACCEPT
     
397. fi
     
398. 
     
399. iptables -A OUTPUT -o $INTERNET -p tcp \
     
400.          -s $IPADDR --sport $UNPRIVPORTS \
     
401.          -d $POP_SERVER --dport 110 -j ACCEPT
     
402. 
     
403. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
404.          -s $POP_SERVER --sport 110 \
     
405.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
406. 
     
407. ###############################################################
     
408. # Accessing Usenet News Services (TCP NNTP Port 119)
     
409. 
     
410. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
411.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
412.              -s $IPADDR --sport $UNPRIVPORTS \
     
413.              -d $NEWS_SERVER --dport 119 -m state --state NEW -j ACCEPT
     
414. fi
     
415. 
     
416. iptables -A OUTPUT -o $INTERNET -p tcp \
     
417.          -s $IPADDR --sport $UNPRIVPORTS \
     
418.          -d $NEWS_SERVER --dport 119 -j ACCEPT
     
419. 
     
420. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
421.          -s $NEWS_SERVER --sport 119 \
     
422.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
423. 
     
424. ###############################################################
     
425. # ssh (TCP Port 22)
     
426. 
     
427. # Outgoing Local  Client Requests to Remote Servers
     
428. 
     
429. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
430.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
431.              -s $IPADDR --sport $SSH_PORTS \
     
432.              --dport 22 -m state --state NEW -j ACCEPT
     
433. fi
     
434. 
     
435. iptables -A OUTPUT -o $INTERNET -p tcp \
     
436.          -s $IPADDR --sport $SSH_PORTS \
     
437.          --dport 22 -j ACCEPT
     
438. 
     
439. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
440.          --source-port 22 \
     
441.          -d $IPADDR --dport $SSH_PORTS -j ACCEPT
     
442. 
     
443. #...............................................................
     
444. # Incoming Remote Client Requests to Local Servers
     
445. 
     
446. if [ "$SSH_SERVER" = "1" ]; then
     
447.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
448.         iptables -A INPUT  -i $INTERNET -p tcp \
     
449.                  --sport $SSH_PORTS \
     
450.                  -d $IPADDR --dport 22 \
     
451.                  -m state --state NEW -j ACCEPT
     
452.     fi
     
453. 
     
454.     iptables -A INPUT  -i $INTERNET -p tcp \
     
455.              --sport $SSH_PORTS \
     
456.              -d $IPADDR --dport 22 -j ACCEPT
     
457. 
     
458.     iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
459.              -s $IPADDR --sport 22 \
     
460.              --dport $SSH_PORTS -j ACCEPT
     
461. fi
     
462. 
     
463. ###############################################################
     
464. # ftp (TCP Ports 21, 20)
     
465. 
     
466. # Outgoing Local Client Requests to Remote Servers
     
467. 
     
468. # Outgoing Control Connection to Port 21
     
469. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
470.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
471.              -s $IPADDR --sport $UNPRIVPORTS \
     
472.              --dport 21 -m state --state NEW -j ACCEPT
     
473. fi
     
474. 
     
475. iptables -A OUTPUT -o $INTERNET -p tcp \
     
476.          -s $IPADDR --sport $UNPRIVPORTS \
     
477.          --dport 21 -j ACCEPT
     
478. 
     
479. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
480.          --sport 21 \
     
481.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
482. 
     
483. # Incoming Port Mode Data Channel Connection from Port 20
     
484. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
485.     # This rule is not necessary if the ip_conntrack_ftp
     
486.     # module is used.
     
487.     iptables -A INPUT  -i $INTERNET -p tcp \
     
488.              --sport 20 \
     
489.              -d $IPADDR --dport $UNPRIVPORTS \
     
490.              -m state --state NEW -j ACCEPT
     
491. fi
     
492. 
     
493. iptables -A INPUT  -i $INTERNET -p tcp \
     
494.          --sport 20 \
     
495.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
496. 
     
497. iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
498.          -s $IPADDR --sport $UNPRIVPORTS \
     
499.          --dport 20 -j ACCEPT
     
500. 
     
501. # Outgoing Passive Mode Data Channel Connection Between Unprivileveg Ports
     
502. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
503.     # This rule is not necessary if the ip_conntrack_ftp
     
504.     # module is used.
     
505.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
506.              -s $IPADDR --sport $UNPRIVPORTS \
     
507.              --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
     
508. fi
     
509. 
     
510. iptables -A OUTPUT -o $INTERNET -p tcp \
     
511.          -s $IPADDR --sport $UNPRIVPORTS \
     
512.          --dport $UNPRIVPORTS -j ACCEPT
     
513. 
     
514. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
515.          --sport $UNPRIVPORTS \
     
516.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
517. 
     
518. #...............................................................
     
519. # Incoming Remote Client Requests to Local Servers
     
520. 
     
521. if [ "$FTP_SERVER" = "1" ]; then
     
522. 
     
523.     # Incoming Control Connection to Port 21
     
524.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
525.         iptables -A INPUT  -i $INTERNET -p tcp \
     
526.                  --sport $UNPRIVPORTS \
     
527.                  -d $IPADDR --dport 21 \
     
528.                  -m state --state NEW -j ACCEPT
     
529.     fi
     
530. 
     
531.     iptables -A INPUT  -i $INTERNET -p tcp \
     
532.              --sport $UNPRIVPORTS \
     
533.              -d $IPADDR --dport 21 -j ACCEPT
     
534. 
     
535.     iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
536.              -s $IPADDR --sport 21 \
     
537.              --dport $UNPRIVPORTS -j ACCEPT
     
538. 
     
539.     # Outgoing Port Mode Data Channel Connection to Port 20
     
540.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
541.         iptables -A OUTPUT -o $INTERNET -p tcp \
     
542.                  -s $IPADDR --sport 20\
     
543.                  --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
     
544.     fi
     
545. 
     
546.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
547.              -s $IPADDR --sport 20 \
     
548.              --dport $UNPRIVPORTS -j ACCEPT
     
549. 
     
550.     iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
551.              --sport $UNPRIVPORTS \
     
552.              -d $IPADDR --dport 20 -j ACCEPT
     
553. 
     
554.     # Incoming Passive Mode Data Channel Connection Between Unprivileved Ports
     
555.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
556.         iptables -A INPUT  -i $INTERNET -p tcp \
     
557.                  --sport $UNPRIVPORTS \
     
558.                  -d $IPADDR --dport $UNPRIVPORTS \
     
559.                  -m state --state NEW -j ACCEPT
     
560.     fi
     
561. 
     
562.     iptables -A INPUT  -i $INTERNET -p tcp \
     
563.              --sport $UNPRIVPORTS \
     
564.              -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
565. 
     
566.     iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
567.              -s $IPADDR --sport $UNPRIVPORTS \
     
568.              --dport $UNPRIVPORTS -j ACCEPT
     
569. fi
     
570. ###############################################################
     
571. # HTTP Web Traffic (TCP Port 80)
     
572. 
     
573. # Outgoing Local Client Requests to Remote Servers
     
574. 
     
575. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
576.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
577.              -s $IPADDR --sport $UNPRIVPORTS \
     
578.              --dport 80 -m state --state NEW -j ACCEPT
     
579. fi
     
580. 
     
581. iptables -A OUTPUT -o $INTERNET -p tcp \
     
582.          -s $IPADDR --sport $UNPRIVPORTS \
     
583.          --dport 80 -j ACCEPT
     
584. 
     
585. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
586.          --sport 80 \
     
587.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
588. 
     
589. #...............................................................
     
590. # Incoming Remote Client Requests to Local Servers
     
591. 
     
592. if [ "$WEB_SERVER" = "1" ]; then
     
593.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
594.         iptables -A INPUT  -i $INTERNET -p tcp \
     
595.                  --sport $UNPRIVPORTS \
     
596.                  -d $IPADDR --dport 80 \
     
597.                  -m state --state NEW -j ACCEPT
     
598.     fi
     
599. 
     
600.     iptables -A INPUT  -i $INTERNET -p tcp \
     
601.              --sport $UNPRIVPORTS \
     
602.              -d $IPADDR --dport 80 -j ACCEPT
     
603. 
     
604.     iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
605.              -s $IPADDR --sport 80 \
     
606.              --dport $UNPRIVPORTS -j ACCEPT
     
607. fi
     
608. 
     
609. ###############################################################
     
610. # SSL Web Traffic (TCP Port 443)
     
611. 
     
612. # Outgoing Local  Client Requests to Remote Servers
     
613. 
     
614. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
615.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
616.              -s $IPADDR --sport $UNPRIVPORTS \
     
617.              --dport 443 -m state --state NEW -j ACCEPT
     
618. fi
     
619. 
     
620. iptables -A OUTPUT -o $INTERNET -p tcp \
     
621.          -s $IPADDR --sport $UNPRIVPORTS \
     
622.          --dport 443 -j ACCEPT
     
623. 
     
624. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
625.          --sport 443 \
     
626.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
627. 
     
628. #...............................................................
     
629. # Incoming Remote Client Requests to Local Servers
     
630. 
     
631. if [ "$SSL_SERVER" = "1" ]; then
     
632.     if [ "$CONNECTION_TRACKING" = "1" ]; then
     
633.         iptables -A INPUT  -i $INTERNET -p tcp \
     
634.                  --sport $UNPRIVPORTS \
     
635.                  -d $IPADDR --dport 443 \
     
636.                  -m state --state NEW -j ACCEPT
     
637.     fi
     
638. 
     
639.     iptables -A INPUT  -i $INTERNET -p tcp \
     
640.              --sport $UNPRIVPORTS \
     
641.              -d $IPADDR --dport 443 -j ACCEPT
     
642. 
     
643.     iptables -A OUTPUT -o $INTERNET -p tcp ! --syn \
     
644.              -s $IPADDR --sport 443 \
     
645.              --dport $UNPRIVPORTS -j ACCEPT
     
646. fi
     
647. 
     
648. ###############################################################
     
649. # whois (TCP Port 43)
     
650. 
     
651. # Outgoing Local  Client Requests to Remote Servers
     
652. 
     
653. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
654.     iptables -A OUTPUT -o $INTERNET -p tcp \
     
655.              -s $IPADDR --sport $UNPRIVPORTS \
     
656.              --dport 43 -m state --state NEW -j ACCEPT
     
657. fi
     
658. 
     
659. iptables -A OUTPUT -o $INTERNET -p tcp \
     
660.          -s $IPADDR --sport $UNPRIVPORTS \
     
661.          --dport 43 -j ACCEPT
     
662. 
     
663. iptables -A INPUT -i $INTERNET -p tcp ! --syn \
     
664.          --sport 43 \
     
665.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
666. 
     
667. ###############################################################
     
668. # Accessing Remote Network Time Servers (UDP 123)
     
669. # Note: some client and servers use source port 123
     
670. # when querying a remote server on destination port 123.
     
671. 
     
672. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
673.     iptables -A OUTPUT -o $INTERNET -p udp \
     
674.              -s $IPADDR --sport $UNPRIVPORTS \
     
675.              -d $TIME_SERVER --dport 123 \
     
676.              -m state --state NEW -j ACCEPT
     
677. fi
     
678. 
     
679. iptables -A OUTPUT -o $INTERNET -p udp \
     
680.          -s $IPADDR --sport $UNPRIVPORTS \
     
681.          -d $TIME_SERVER --dport 123 -j ACCEPT
     
682. 
     
683. iptables -A INPUT  -i $INTERNET -p udp \
     
684.          -s $TIME_SERVER --sport 123 \
     
685.          -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT
     
686. 
     
687. ###############################################################
     
688. # Accessing Your ISP's DHCP Server (UDP Ports 67, 68)
     
689. 
     
690. # Some broadcast packets are explicitly ignored by the firewall.
     
691. # Others are dopped by the default policy.
     
692. # DHCP tests must precede broadcast-related rules, as DHCP relies
     
693. # on broadcast traffic initially.
     
694. 
     
695. if [ "$DHCP_CLIENT" = "1" ]; then
     
696.     # Initialization or rebinding: No lease or Lease time expired.
     
697. 
     
698.     iptables -A OUTPUT -o $INTERNET -p udp \
     
699.              -s $BROADCAST_SRC --sport 68 \
     
700.              -d $BROADCAST_DEST --dport 67 -j ACCEPT
     
701. 
     
702.     # Incoming DHCPOFFER from available DHCP servers
     
703. 
     
704.     iptables -A INPUT  -i $INTERNET -p udp \
     
705.              -s $BROADCAST_SRC --sport 67 \
     
706.              -d $BROADCAST_DEST --dport 68 -j ACCEPT
     
707. 
     
708.     # Fall back to initialization
     
709.     # The client knows its server, but has either lost its lease,
     
710.     # or else needs to reconfirm the IP address after rebooting.
     
711. 
     
712.     iptables -A OUTPUT -o $INTERNET -p udp \
     
713.              -s $BROADCAST_SRC --sport 68 \
     
714.              -d $DHCP_SERVER --dport 67 -j ACCEPT
     
715. 
     
716.     iptables -A INPUT  -i $INTERNET -p udp \
     
717.              -s $DHCP_SERVER --sport 67 \
     
718.              -d $BROADCAST_DEST --dport 68 -j ACCEPT
     
719. 
     
720.     # As a result of the above, we're supposed to change our IP
     
721.     # address with this message, which is addressed to our new
     
722.     # address before the dhcp client has received the update.
     
723.     # Depending on the server implementation, the destination address
     
724.     # can be the new IP address, the subnet address, or the limited
     
725.     # broadcast address.
     
726. 
     
727.     # If the network subnet address is used as the destination,
     
728.     # the next rule must allow incoming packets destined to the
     
729.     # subnet address, and the rule must preceed any general rules
     
730.     # that block such incoming broadcast packets.
     
731. 
     
732.     iptables -A INPUT  -i $INTERNET -p udp \
     
733.              -s $DHCP_SERVER --sport 67 \
     
734.              --dport 68 -j ACCEPT
     
735. 
     
736.     # Lease renewal
     
737. 
     
738.     iptables -A OUTPUT -o $INTERNET -p udp \
     
739.              -s $IPADDR --sport 68 \
     
740.              -d $DHCP_SERVER --dport 67 -j ACCEPT
     
741. 
     
742.     iptables -A INPUT  -i $INTERNET -p udp \
     
743.              -s $DHCP_SERVER --sport 67 \
     
744.              -d $IPADDR --dport 68 -j ACCEPT
     
745. 
     
746.     # Refuse directed broadcasts
     
747.     # Used to map networks and in Denial of Service attacks
     
748.     iptables -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
     
749.     iptables -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
     
750. 
     
751.     # Refuse limited broadcasts
     
752.     iptables -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
     
753. 
     
754. fi
     
755. ###############################################################
     
756. # ICMP Control and Status Messages
     
757. 
     
758. # Log and drop initial ICMP fragments
     
759. iptables -A INPUT  -i $INTERNET --fragment -p icmp -j LOG \
     
760.          --log-prefix "Fragmented incoming ICMP: "
     
761. iptables -A INPUT  -i $INTERNET --fragment -p icmp -j DROP
     
762. 
     
763. iptables -A OUTPUT  -o $INTERNET --fragment -p icmp -j LOG \
     
764.          --log-prefix "Fragmented outgoing ICMP: "
     
765. iptables -A OUTPUT  -o $INTERNET --fragment -p icmp -j DROP
     
766. 
     
767. iptables -A INPUT  -i $INTERNET -p icmp \
     
768.          --icmp-type source-quench -d $IPADDR -j ACCEPT
     
769. 
     
770. iptables -A OUTPUT -o $INTERNET -p icmp \
     
771.          -s $IPADDR --icmp-type source-quench -j ACCEPT
     
772. 
     
773. iptables -A INPUT  -i $INTERNET -p icmp \
     
774.          --icmp-type parameter-problem -d $IPADDR -j ACCEPT
     
775. 
     
776. iptables -A OUTPUT -o $INTERNET -p icmp \
     
777.          -s $IPADDR --icmp-type parameter-problem -j ACCEPT
     
778. 
     
779. iptables -A INPUT  -i $INTERNET -p icmp \
     
780.          --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
     
781. 
     
782. iptables -A OUTPUT -o $INTERNET -p icmp \
     
783.          -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
     
784. 
     
785. # Don¹t log dropped outgoing ICMP error messages
     
786. iptables -A OUTPUT -o $INTERNET -p icmp \
     
787.          -s $IPADDR --icmp-type destination-unreachable -j DROP
     
788. 
     
789. # Intermediate traceroute responses
     
790. iptables -A INPUT  -i $INTERNET -p icmp \
     
791.          --icmp-type time-exceeded -d $IPADDR -j ACCEPT
     
792. 
     
793. # allow outgoing pings to anywhere
     
794. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
795.     iptables -A OUTPUT -o $INTERNET -p icmp \
     
796.              -s $IPADDR --icmp-type echo-request \
     
797.              -m state --state NEW -j ACCEPT
     
798. fi
     
799. 
     
800. iptables -A OUTPUT -o $INTERNET -p icmp \
     
801.          -s $IPADDR --icmp-type echo-request -j ACCEPT
     
802. 
     
803. iptables -A INPUT  -i $INTERNET -p icmp \
     
804.          --icmp-type echo-reply -d $IPADDR -j ACCEPT
     
805. 
     
806. # allow incoming pings from trusted hosts
     
807. if [ "$CONNECTION_TRACKING" = "1" ]; then
     
808.     iptables -A INPUT  -i $INTERNET -p icmp \
     
809.              -s $MY_ISP --icmp-type echo-request -d $IPADDR \
     
810.              -m state --state NEW -j ACCEPT
     
811. fi
     
812. 
     
813. iptables -A INPUT  -i $INTERNET -p icmp \
     
814.          -s $MY_ISP --icmp-type echo-request -d $IPADDR -j ACCEPT
     
815. 
     
816. iptables -A OUTPUT -o $INTERNET -p icmp \
     
817.          -s $IPADDR --icmp-type echo-reply -d $MY_ISP -j ACCEPT
     
818. 
     
819. ###############################################################
     
820. # Logging Dropped Packets
     
821. 
     
822. # Don't log dropped incoming echo-requests
     
823. iptables -A INPUT -i $INTERNET -p icmp \
     
824.          --icmp-type ! 8 -d $IPADDR -j LOG
     
825. 
     
826. iptables -A INPUT -i $INTERNET -p tcp \
     
827.          -d $IPADDR -j LOG
     
828. 
     
829. iptables -A OUTPUT -o $INTERNET -j LOG
     
830. 
     
831. exit 0
     

复制代码

Snoopy

最初由 sbrd 发表
禁止不让下载.torrent，但是bt的种子文件也可以通过别的途径传播呀，我看有人说先关掉所有端口，然后在开放需要的端口，这种途径可以，请问谁能告诉我用iptables怎么写这段代码？谢谢

你说先关端口再开需要的端口,行不通的

Brain

首先iptable drop all，然后需要用到哪个就开哪个。
除非下BT的能自定义到80，21这样的端口上去。。