« Отговор #5 -: Nov 26, 2013, 13:04 »
Махни празните редове и действай с линукски редактор. Виж как изглежда нещо, дето работи:
# Generated by iptables-save v1.4.8 on Fri Feb 10 07:25:34 2012
# nat table: every built-in chain keeps its default ACCEPT policy.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source-NAT everything leaving through eth1 to that interface's address.
# Presumably eth1 is the upstream/WAN side (the filter table only allows
# FORWARD eth0 -> eth1 to originate traffic) — confirm against the host.
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Feb 10 07:25:34 2012
# mangle table: all chains keep the default ACCEPT policy; the single rule only
# rewrites a TCP option and never changes a verdict.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# On forwarded SYNs (SYN set, RST clear) going out through eth1, lower the
# advertised MSS to fit the path MTU so hosts behind the masquerade do not
# stall on oversized segments.
-A FORWARD -o eth1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Generated by iptables-save v1.4.8 on Fri Feb 10 07:25:34 2012
*filter
# Chain policies: INPUT and OUTPUT default to ACCEPT, FORWARD defaults to DROP.
# NOTE(review): because INPUT's policy is ACCEPT, the REJECT/DROP rules near the
# end of INPUT only cover eth1; anything arriving on an interface other than
# lo/eth0/eth1 that no earlier rule matches is accepted by the policy.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chains: rate limiters that RETURN to the caller while under the limit
# and DROP otherwise (rules at the bottom of this table).
:syn-flood - [0:0]
:udp-flood - [0:0]
##:SSH_WHITELIST - [0:0]
# Drop second and later IP fragments (-f).
-A INPUT -f -j DROP
# A NEW TCP connection must start with a bare SYN (SYN set; FIN, RST, ACK clear).
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Per-source concurrent connection cap: --connlimit-mask 32 counts per single
# IPv4 address, so the 10th parallel connection from one address is dropped.
# This runs before the per-port ACCEPTs, so it also applies to port 80; many
# clients behind one NAT address share that budget.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 9 --connlimit-mask 32 -j DROP
# Malformed / scan-style TCP flag combinations, in order: all flags but PSH,
# FIN without ACK, SYN+FIN, SYN+RST, no flags (NULL), all flags (XMAS),
# FIN+PSH+URG.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
# Drop packets conntrack cannot classify.
-A INPUT -m state --state INVALID -j DROP
# Loopback and eth0 are trusted outright; no rule below applies to them.
# Presumably eth0 is the inside/LAN interface (see FORWARD eth0 -> eth1 and the
# nat MASQUERADE on eth1) — confirm.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
# Disabled SSH (port 2222) brute-force limiter built on the recent module:
# the 3rd NEW connection within 10 s from one source is logged, then dropped;
# a trusted source could be exempted through the SSH_WHITELIST chain.
# TRUSTED_HOST_IP is a placeholder to be filled in before enabling.
#-A SSH_WHITELIST -s TRUSTED_HOST_IP -m recent --remove --name SSH -j ACCEPT
##-A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH
##-A INPUT -p tcp --dport 2222 -m state --state NEW -j SSH_WHITELIST
##-A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 10 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
##-A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 10 --hitcount 3 --rttl --name SSH -j DROP
# DHCP client replies (UDP 68).
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
# ICMP accepted from any interface: destination-unreachable (3), echo-request
# (8, capped at 3/s), time-exceeded (11), timestamp-request (13).
# NOTE(review): type 13 lets any remote host query this machine's clock
# (ICMP timestamp disclosure); keep it only if something depends on it.
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/s -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 13 -j ACCEPT
# Services open on every interface: HTTP (80) plus TCP 29999 and 30000 —
# their purpose is not visible here. Disabled entries: SSH on 2222,
# 3000-3001, 4129, 8887.
# Ordering note: these ACCEPTs sit above the syn-flood rule, so SYNs to these
# ports are never rate-limited by that chain; only the connlimit rule above
# bounds them.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
##-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 3000:3001 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 4129 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8887 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 29999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 -j ACCEPT
# Drop link-layer broadcast and multicast frames.
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP
# Replies and related traffic for connections this host already has.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Remaining SYNs (to ports not opened above) pass through the 1/s limiter;
# the chain DROPs the excess and RETURNs the rest to the rules below.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
# Everything else arriving on eth1: TCP is answered with a RST, UDP is
# rate-limited and then answered with port-unreachable, remaining ICMP is
# dropped silently.
-A INPUT -i eth1 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -p udp -j udp-flood
-A INPUT -i eth1 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p icmp -j DROP
# FORWARD (policy DROP): eth0 -> eth1 may originate anything; eth1 -> eth0 is
# limited to replies of existing connections. The ! --syn NEW rule rejects
# mid-stream packets that conntrack does not know about.
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): the two limiter calls below cannot change the verdict —
# whether the chain RETURNs or DROPs, no later rule matches and the packet
# falls to the FORWARD policy DROP. Their only effect is to consume tokens
# from the limit buckets shared with the INPUT callers of the same chains.
-A FORWARD -i eth1 -p tcp --syn -j syn-flood
-A FORWARD -i eth1 -p udp -j udp-flood
# Locally generated packets conntrack cannot classify.
-A OUTPUT -m state --state INVALID -j DROP
# Limiter chains: RETURN while under the rate (syn-flood: 1/s with a burst of
# 4; udp-flood: 3/s), DROP once the bucket is empty. Each limit is a single
# global bucket for the rule, not a per-source-address one, so one noisy
# sender exhausts it for everybody.
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
-A udp-flood -m limit --limit 3/s -j RETURN
-A udp-flood -j DROP
COMMIT
# Completed on Fri Feb 10 07:25:34 2012
А при теб май това, дето си писал, има грешка:
-A INPUT -p tcp --dport 3306 --src 87.97.174.16 -j ACCEPT трябва да е
-A INPUT -p tcp --dport 3306 -s 87.97.174.16 -j ACCEPT или
-A INPUT -p tcp --dport 3306 --source 87.97.174.16 -j ACCEPT
И виж над него — пак имаш същата грешка.