A very practical iptables script
Category: IPTABLES, Linux notes | Comments: 19 | Author: 雨尚 | Date: 2011-04-22
#!/bin/sh
#####
## name:   iptables_firewall
## author: www.linuxsee.com
## date:   2011.4.22
#####

# Flush all rules, delete user-defined chains and zero the counters; the
# policies are opened first so the flush itself cannot lock out the session.
iptables -F
iptables -X
iptables -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

### Security policy ###
### Drop TCP flag combinations used by nmap port scans
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP           # NMAP FIN/URG/PSH
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                   # Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP   # Another Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                  # Null scan (possibly)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP           # SYN/RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP           # SYN/FIN scan (possibly)

### SYN flood protection
iptables -N synflood
# Allow a burst of 4 SYNs, then 1 per second sustained (a single global counter,
# not per source); anything above that is answered with a TCP reset
iptables -A synflood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood

### Ping of Death protection
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A bad-ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j bad-ping

### Packets destined for this host
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT    ### allow DNS (replies from source port 53)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT     ### inbound SSH
iptables -A INPUT -p tcp -m multiport --destination-port 53,80,22,3306 -j ACCEPT

### Default policies
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

### Show the resulting rule sets
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t filter -vnL
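The two matching primitives the script leans on, `--tcp-flags MASK COMP` and `-m limit --limit 1/s --limit-burst 4`, are easy to misread (the original comment on the SYN rule, for instance, suggested "4 SYNs per second"). The following is an added example, not code from the post or from LinuxSEE: it models both primitives in Python and runs constructed packets through them, so you can see which flag combinations each scan rule catches and how many SYNs the synflood chain actually lets through over time. The token bucket is a simplification of the kernel's xt_limit (which uses integer credits per jiffy), and the rule labels are the script's own comments.

```python
# Added example (not part of the original post): a small model of the two
# iptables matching primitives the script relies on, run over constructed
# packets. --tcp-flags semantics are exact; the limit match is approximated
# as a token bucket (real xt_limit uses integer credits per jiffy, so exact
# boundaries differ slightly, but the shape is the same).

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_mask(spec):
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask_spec, comp_spec):
    """--tcp-flags MASK COMP: look only at the bits named in MASK and match
    when exactly the bits named in COMP are set among them."""
    return (flag_mask(packet_flags) & flag_mask(mask_spec)) == flag_mask(comp_spec)


# The scan-detection rules from the script, in rule order: (mask, comp, label).
SCAN_RULES = [
    ("ALL", "FIN,URG,PSH", "NMAP FIN/URG/PSH"),
    ("ALL", "ALL", "Xmas Tree"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "Another Xmas Tree"),
    ("ALL", "NONE", "Null scan"),
    ("SYN,RST", "SYN,RST", "SYN/RST"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN"),
]


def classify_tcp(packet_flags):
    """Label of the first scan rule the packet would hit (it is DROPped there),
    or None if it passes all six and continues down the INPUT chain."""
    for mask, comp, label in SCAN_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return label
    return None


class LimitMatch:
    """Token-bucket view of '-m limit': the bucket starts full with `burst`
    tokens, refills at `rate` tokens per second, and every packet that
    matches takes one token. A packet matches only if a token is available."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def match(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_synflood_chain(syn_times, rate=1, burst=4):
    """Run a constructed series of NEW-SYN arrival times (seconds) through the
    script's synflood chain and report what each gets: RETURN (back to INPUT,
    where the port rules decide) or REJECT (answered with a TCP reset)."""
    limit = LimitMatch(rate, burst)
    return ["RETURN" if limit.match(t) else "REJECT" for t in syn_times]


if __name__ == "__main__":
    for flags in ("SYN", "SYN,ACK", "ACK", "NONE", "FIN,PSH,URG", "SYN,FIN", "SYN,RST,ACK"):
        print(f"{flags:14s} -> {classify_tcp(flags)}")
    # constructed arrival times: six SYNs at once, then a few spaced out
    times = [0, 0, 0, 0, 0, 0, 0.5, 1.0, 2.0]
    for t, verdict in zip(times, simulate_synflood_chain(times)):
        print(f"t={t:<4} {verdict}")
```

Two things the simulation makes visible. First, a normal handshake (SYN, then SYN/ACK, then ACK) matches none of the six scan rules, while the Xmas, Null and SYN/FIN shapes are dropped before reaching the port rules. Second, the limit counter is global: after the initial burst of four, only one new TCP connection per second is admitted from anyone, so a burst from a single remote host briefly resets legitimate new connections as well (per-source limiting would need `hashlimit`, which the script does not use). Note also that the script has no `ESTABLISHED,RELATED` accept rule, so with `INPUT` policy `DROP` the replies to connections the host itself opens, other than UDP from source port 53, are dropped.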
Please credit LinuxSEE when reposting.
