Channel: IT Community Recommended News - ITIndex.net

iptables rules for blocking ports on Shadowsocks


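Shadowsocks servers are often suspended because people abuse them to send spam and the like. We only need to keep the main ports open (SSH, SQL, DNS, HTTP and HTTPS) and restrict everything else with iptables; after that we can rest easy.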

Loopback

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

DNS

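# As written, these two rules match a DNS server on this host (local port 53).
# Lookups made by the host itself use --dport 53 on OUTPUT and --sport 53 on INPUT.
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT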

Web and SQL

iptables -A OUTPUT -p tcp -m multiport --dport 80,443,3306 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sport 80,443,3306 -j ACCEPT

Proxy and SSH

iptables -A OUTPUT -p tcp -m multiport --sport 1080,22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 1080,22 -j ACCEPT

Users

iptables -A OUTPUT -p tcp --sport 50000:60000 -j ACCEPT
iptables -A OUTPUT -p udp --sport 50000:60000 -j ACCEPT
iptables -A INPUT -p tcp --dport 50000:60000 -j ACCEPT
iptables -A INPUT -p udp --dport 50000:60000 -j ACCEPT

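Connection limit

# -I inserts these ahead of the ACCEPT rules for the same ports; appended with -A they would never be reached.
iptables -I OUTPUT -p tcp --sport 50000:60000 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp --dport 50000:60000 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset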
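
If the TCP rules of the Users and Connection limit sections are all appended with -A in section order, the limit rules land behind ACCEPT rules that already match the same packets, and iptables stops at the first terminating match. The checker below is an added example, not part of the original post; `find_shadowed` and `PAGE_RULES` are names introduced here, and it assumes every match is a pure predicate of the packet and connection state, which holds for the matches used on this page.

```shell
#!/bin/sh
# Added example, not from the original page.
# TCP rules of the "Users" and "Connection limit" sections, all appended
# with -A in section order, written in `iptables -S` form.
PAGE_RULES='-A OUTPUT -p tcp --sport 50000:60000 -j ACCEPT
-A INPUT -p tcp --dport 50000:60000 -j ACCEPT
-A OUTPUT -p tcp --sport 50000:60000 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 50000:60000 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset'

# find_shadowed: read `iptables -S` style rules on stdin and print
# "<shadowed line> <shadowing line>" for every rule that cannot match because
# an earlier ACCEPT/DROP/REJECT rule in the same chain requires only a subset
# of its match conditions. Conservative: conditions that are equivalent but
# written differently are not detected.
find_shadowed() {
  awk '
  function flush() { if (key != "" && key != "!") cond[n, ++nc[n]] = key; key = "" }
  $1 == "-A" {
    n++; chain[n] = $2; line[n] = NR; nc[n] = 0; target[n] = ""; key = ""
    for (i = 3; i <= NF; i++) {
      if ($i == "-j") { target[n] = $(i + 1); break }  # target options ignored
      if ($i == "!") { flush(); key = "!" }
      else if ($i ~ /^-/) { if (key == "!") key = "! " $i; else { flush(); key = $i } }
      else key = key " " $i
    }
    flush()
  }
  END {
    for (b = 2; b <= n; b++)
      for (a = 1; a < b; a++) {
        if (chain[a] != chain[b] || target[a] !~ /^(ACCEPT|DROP|REJECT)$/) continue
        ok = 1
        for (x = 1; x <= nc[a] && ok; x++) {
          found = 0
          for (y = 1; y <= nc[b]; y++) if (cond[a, x] == cond[b, y]) found = 1
          ok = found
        }
        if (ok) { print line[b], line[a]; break }
      }
  }'
}

printf '%s\n' "$PAGE_RULES" | find_shadowed
```

On a live host the same function can read the output of `iptables -S`; the numbers it prints are line numbers of that input.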

Other

iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

Deny

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

Please change your SSH port from 22
=====================================

Block other ports

iptables -A OUTPUT -p tcp -m multiport --dport 21,22,23 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -m multiport --dport 21,22,23 -j DROP

=======================================

Block mail ports

iptables -A OUTPUT -p tcp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp -m multiport --dport 993,995,1109,24554,60177,60179 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -m multiport --dport 24,25,50,57,105,106,109,110,143,158,209,218,220,465,587 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 993,995,1109,24554,60177,60179 -j DROP

