
A very practical iptables script

Categories: IPTABLES, Linux notes | Comments: 17 | Author: 雨尚 | Date: 2011-04-22

#!/bin/sh
#####
##name:iptables_firewall
##author:www.linuxsee.com
##date:2011.4.22
#####

iptables -F
iptables -X
iptables -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

### Security policy ###
### Drop common nmap scan signatures: exact flag combinations that no legitimate TCP segment carries.
### These patterns do NOT catch a bare-FIN scan (nmap -sF) or an ordinary SYN scan.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP                  # NMAP FIN/URG/PSH
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                          # Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP          # Another Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                         # Null scan (possibly)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP                  # SYN/RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP                  # SYN/FIN scan (possibly)

### SYN flood mitigation
### -m limit is one global token bucket: it starts with --limit-burst tokens (4) and refills at
### --limit (1/s). While a token is available the SYN RETURNs to INPUT; once the bucket is empty,
### new connections are answered with a TCP reset. The bucket is shared by all sources, so a flood
### also locks out legitimate clients; -m hashlimit --hashlimit-mode srcip gives a per-source bucket.
iptables -N synflood
iptables -A synflood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN   # initial burst of 4, then about 1 SYN/s
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood

### Rate-limit ICMP echo requests (ping flood). Ping of Death proper, an oversized fragmented ICMP
### datagram, is a kernel reassembly issue that modern kernels already handle; this only throttles pings.
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A bad-ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j bad-ping

### Packets destined for this host
iptables -A INPUT -i lo -j ACCEPT
### Replies to connections this host initiated (outbound TCP, DNS lookups, ...). Without this rule the
### INPUT DROP policy set below drops every answer to an outgoing connection. It replaces the original
### stateless "-p udp --sport 53 -j ACCEPT" rule, which let in any UDP packet whose source port was 53.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
### Services offered by this host. Port 22 is also in the multiport list below; 3306 (MySQL) is
### reachable from every source here, so add -s <trusted_net> (placeholder) unless that is intended.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT     ### inbound ssh
iptables -A INPUT -p tcp -m multiport --destination-port 53,80,22,3306 -j ACCEPT

### Default policies, set last so that the accept rules above are already in place
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
### Show the resulting rule sets
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t filter -vnL
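The two matches the script leans on, --tcp-flags MASK COMP and -m limit --limit 1/s --limit-burst 4, are easy to misread: --tcp-flags compares only the MASK bits of a segment against COMP, and the limit rule allows an initial burst of 4 SYNs and then about one new connection per second, not 4 per second. The following Python simulation is an added example, not code from the LinuxSEE post. It runs the script's six scan rules over constructed flag combinations (which also shows that a bare-FIN scan slips through) and models the limit match as a token bucket; that bucket reproduces xt_limit's observable behaviour, not its jiffies-based internals. All function and variable names are mine.

```python
"""Simulation of the netfilter matches used by the iptables script above:
--tcp-flags MASK COMP and -m limit --limit RATE --limit-burst BURST.
Added example, not part of the original post; the token bucket is a model
of xt_limit's observable behaviour, not its internal credit accounting."""
from dataclasses import dataclass, field
from typing import List, Optional

# TCP flag bits under the names iptables uses; ALL is the union of these six.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F


def flags(*names: str) -> int:
    """Build a segment's flag byte from names, e.g. flags("SYN", "ACK")."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


def parse_flags(spec: str) -> int:
    """Parse an iptables flag list ('SYN,FIN', 'ALL' or 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return flags(*spec.split(","))


def tcp_flags_match(packet_flags: int, mask_spec: str, comp_spec: str) -> bool:
    """--tcp-flags MASK COMP: look only at the MASK bits and require that
    exactly the COMP bits (and no other MASK bits) are set."""
    return (packet_flags & parse_flags(mask_spec)) == parse_flags(comp_spec)


# The script's six scan rules in chain order: (MASK, COMP, label).
SCAN_RULES = [
    ("ALL", "FIN,URG,PSH", "NMAP FIN/URG/PSH"),
    ("ALL", "ALL", "Xmas Tree"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "Another Xmas Tree"),
    ("ALL", "NONE", "Null scan"),
    ("SYN,RST", "SYN,RST", "SYN/RST"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN"),
]


def first_drop_rule(packet_flags: int) -> Optional[str]:
    """Label of the first scan rule that would DROP this segment, or None when it
    falls through to the rest of INPUT (true for every normal TCP segment, but
    also for a bare-FIN scan, which these patterns do not cover)."""
    for mask, comp, label in SCAN_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return label
    return None


@dataclass
class LimitMatch:
    """Token bucket behind -m limit: starts full with BURST tokens, refills at
    RATE tokens per second, and a packet matches only if a token is available."""
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def match(self, now: float) -> bool:
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def synflood_verdicts(arrival_times: List[float],
                      rate_per_sec: float = 1.0, burst: int = 4) -> List[str]:
    """Feed SYN arrival times (seconds) through the script's synflood chain:
    RETURN while the limit match has a token, REJECT (tcp-reset) once it is empty."""
    bucket = LimitMatch(rate_per_sec, burst)
    return ["RETURN" if bucket.match(t) else "REJECT" for t in arrival_times]


if __name__ == "__main__":
    # Constructed sample segments: scan patterns next to ordinary traffic.
    samples = {
        "null scan": flags(),
        "xmas": flags("FIN", "SYN", "RST", "PSH", "ACK", "URG"),
        "syn/fin": flags("SYN", "FIN"),
        "bare FIN (nmap -sF)": flags("FIN"),
        "normal SYN": flags("SYN"),
        "normal PSH/ACK": flags("PSH", "ACK"),
    }
    for name, f in samples.items():
        print(f"{name:22s} -> {first_drop_rule(f) or 'passes scan rules'}")
    # Six SYNs 100 ms apart, then two more a second later: four pass in the
    # burst, the next two are reset, then roughly one per second gets through.
    print(synflood_verdicts([0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 1.5, 1.6]))
```

Run it directly to see the per-segment verdicts; the bare-FIN row is the one to note, since a FIN-only probe walks past all six DROP rules and is only stopped by the INPUT DROP policy if no accept rule matches its destination port.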

Please credit LinuxSEE when reprinting.
