- 论坛徽章:
- 0
|
在网上找了很久,精华文章看了不少。对iptables防火墙的设置还是不怎么样。
根据下面的文章整理了一个iptables 防火墙设置脚本
http://www.frozentux.net/iptables-tutorial/cn/iptables-tutorial-cn-1.1.19.html
http://www.linux.org/lessons/advanced/x313.html
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
服务器提供:WWW, DNS, FTP, EMAIL, SSH服务,各位大侠们帮忙指点一下,
帮忙我整理的iptables 防火墙设置脚本是否有问题,需要怎么样优化和改正一下。
谢谢。
- ##################################################################
- #!/bin/sh
- # Needed to initially load modules
- /sbin/depmod -a
- ## Required modules
- /sbin/modprobe ip_tables
- /sbin/modprobe iptable_filter
- /sbin/modprobe ip_conntrack
- /sbin/modprobe ip_conntrack_ftp
- /sbin/modprobe ip_nat_ftp
- /sbin/modprobe ipt_limit
- /sbin/modprobe ipt_connlimit
- /sbin/modprobe ipt_LOG
- /sbin/modprobe ipt_state
- # Required proc configuration
- echo "1" > /proc/sys/net/ipv4/ip_forward
- IPTABLES="/sbin/iptables"
- ## 清除所有防火墙规则
- $IPTABLES -F ## 清除预设表 filter 中,所有规则链中的规则
- $IPTABLES -X ## 清除预设表 filter 中,使用者自订链中的规则
- $IPTABLES -Z
- ##$IPTABLES -F -t nat ## 清除nat表中,所有规则链中的规则
- ##$IPTABLES -X -t nat ## 清除nat表中,使用者自订链中的规则
- ##$IPTABLES -Z -t nat
- ##Default policy(预设策略)
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD DROP
- ##$IPTABLES -t nat -P PREROUTING ACCEPT
- ##$IPTABLES -t nat -P POSTROUTING ACCEPT
- ##$IPTABLES -t nat -P OUTPUT ACCEPT
- $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- # Create chain for bad tcp packets
- $IPTABLES -N bad_tcp_packets
- $IPTABLES -N allowed
- $IPTABLES -N tcp_packets
- $IPTABLES -N udp_packets
- $IPTABLES -N icmp_packets
- $IPTABLES -N syn_flood
- $IPTABLES -N ping_flood
- ##防止同步包洪水(Sync Flood) SYN攻击
- $IPTABLES -A syn_flood -p tcp --syn -m limit --limit 1/s --limit-burst 2 -j RETURN
- $IPTABLES -A syn_flood -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j RETURN
- $IPTABLES -A syn_flood -p tcp -j REJECT --reject-with tcp-reset
- ##Ping洪水攻击(Ping of Death)
- $IPTABLES -A ping_flood -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
- $IPTABLES -A ping_flood -p icmp -j REJECT
- # bad_tcp_packets chain
- $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
- $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
- $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
- # stop bad packets
- $IPTABLES -A bad_tcp_packets -p tcp -m state --state INVALID -j DROP
- # NMAP FIN/URG/PSH
- $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- # stop Xmas Tree type scanning
- $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
- $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- # stop null scanning
- $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
- # allowed chain
- $IPTABLES -A allowed -p TCP --syn -j ACCEPT
- $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A allowed -p TCP -j DROP
- # TCP rules
- ##添加远程ssh端口
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
- ##添加WWWP端口
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
- ##HTTPS
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
- # smtp
- $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 25 -j ACCEPT
- # pop3
- $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 110 -j ACCEPT
- # imap
- $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 143 -j ACCEPT
- # smtp over SSL
- $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 465 -j ACCEPT
- ##添加FTP端口
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
- ## Enable active ftp transfers
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
- ## Enable passive ftp transfers
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30000:31000 -j allowed
- # UDP ports
- ## DNS
- $IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
- # ICMP rules
- $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
- $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
- $IPTABLES -A icmp_packets -p icmp -j DROP
- #########################
- # INPUT chain
- #########################
- #check syn flood
- $IPTABLES -A INPUT -p tcp -m state --state NEW -j syn_flood
- #check ping flood
- $IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping_flood
- # Bad TCP packets we don't want.
- $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
- # Rules for special networks not part of the Internet
- $IPTABLES -A INPUT -p ALL -i lo -j ACCEPT
- $IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p TCP -j tcp_packets
- $IPTABLES -A INPUT -p UDP -j udp_packets
- $IPTABLES -A INPUT -p ICMP -j icmp_packets
- #########################
- # FORWARD chain
- #########################
- # Bad TCP packets we don't want
- $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
- # Accept the packets we actually want to forward
- $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- #########################
- # OUTPUT chain
- #########################
- # Bad TCP packets we don't want.
- $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
- # Special OUTPUT rules to decide which IP's to allow.
- $IPTABLES -A OUTPUT -p ALL -j ACCEPT
- ##每次重启自动启动
- chkconfig --level 235 iptables on
- ##保存
- service iptables save
- ##重新启动
- service iptables restart
复制代码 |
|