[root@manifold ~]# cat /etc/redhat-release
CentOS release 5.2 (Final)
[root@manifold ~]# uname -a
Linux manifold.com 2.6.18-92.el5PAE #1 SMP Tue Jun 10 19:22:41 EDT 2008 i686 i686 i386 GNU/Linux
[root@manifold ~]# lsb_release
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
[root@manifold ~]# cat /usr/local/virus/iptables/iptables.rule.real
#!/bin/bash
#Written by manifold.
#Readme:This script is used to block attacks.
#Date:2009-07-19
#Change first:2009-08-15
#Change:2009-08-24
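#Set the network parameters.
#INIF/INNET are exported but never read in this file; they look intended for
#the helper scripts run further down (iptables.rule.add) - confirm before
#removing them.
INIF=""
INNET=""
#Only this host may reach TCP/5666 (see the per-port rules further down).
SOURCEIP="219.136.241.35"
export INIF INNET

#Write a value into one /proc/sys key. An unwritable or missing key is
#reported on stderr instead of aborting, so one absent sysctl does not leave
#the remaining hardening knobs unset.
#  $1 - /proc/sys path
#  $2 - value to write
set_proc() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    printf 'iptables.rule.real: cannot write %s\n' "$1" >&2
  fi
}

#Write the same value into KEY for every entry of /proc/sys/net/ipv4/conf
#(the glob also matches the "all" and "default" pseudo-interfaces).
#  $1 - key name, e.g. rp_filter
#  $2 - value to write
set_all_ipv4_conf() {
  local f
  for f in /proc/sys/net/ipv4/conf/*/"$1"; do
    set_proc "$f" "$2"
  done
}

#SYN cookies: keep accepting legitimate connections while the SYN backlog is
#being flooded (SYN-flood DoS mitigation).
set_proc /proc/sys/net/ipv4/tcp_syncookies 1
#Do not answer ICMP echo requests sent to a broadcast address (amplification).
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
#Reverse-path filter: drop packets whose source address is not routable back
#out of the interface they arrived on (basic anti-spoofing).
set_all_ipv4_conf rp_filter 1
#Martian logging is deliberately OFF (value 0). With it on the kernel writes a
#line such as the one below for every spoofed or misrouted packet:
#  martian source 192.168.0.200 from 192.168.0.222, on dev eth0
#Set it to 1 if that visibility is wanted for detection; expect it to be noisy.
set_all_ipv4_conf log_martians 0
#Refuse source-routed packets and ICMP redirects, and never emit redirects
#ourselves - all three can be used to steer traffic through an attacker.
set_all_ipv4_conf accept_source_route 0
set_all_ipv4_conf accept_redirects 0
set_all_ipv4_conf send_redirects 0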
#Set the environment and clean the default iptables policy.
export PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
#Flush every rule, delete user-defined chains, zero the counters - in that order.
for opt in -F -X -Z; do
  iptables "$opt"
done
#Default policies: inbound is deny-by-default, outbound and forwarding are open.
#NOTE: INPUT is switched to DROP here, before the lo/RELATED rules below and the
#ESTABLISHED rule further down exist, so every inbound packet - including an
#administrator's live SSH session - is dropped until the rest of this script
#has run. TCP retransmits normally ride that out, but if the script dies in
#between, the host is reachable only from the console.
for policy in INPUT:DROP OUTPUT:ACCEPT FORWARD:ACCEPT; do
  iptables -P "${policy%%:*}" "${policy##*:}"
done
#Warning: the loopback ACCEPT must stay. Without it run_server.sh misbehaves
#(first symptom: the game's login page stops working). It shows up in
#"iptables -L -n" as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0", which is expected -
#don't be confused by it.
iptables -A INPUT -i lo -j ACCEPT
#Packets that conntrack ties to an existing connection (e.g. ICMP errors) are
#accepted here; plain ESTABLISHED traffic is accepted further down, after the
#deny lists have been inserted.
iptables -A INPUT -m state --state RELATED -j ACCEPT
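#Insert one "-s ADDR -j TARGET" rule at the TOP of INPUT (-I) for every
#address listed in a file. Because each list is inserted at the top, the list
#processed last ends up highest: iptables.allow (processed after both deny
#lists) therefore overrides iptables.deny / iptables.adve for the same host.
#Blank lines and anything after '#' are ignored, so the lists can carry
#comments without the comment text being handed to iptables.
#  $1 - list file (silently skipped when absent)
#  $2 - iptables target: DROP or ACCEPT
#  $3 - "first" to use only the first whitespace-separated column of each line
#       (iptables.adve carries extra columns); "all" to use every column
apply_addr_list() {
  local file=$1 target=$2 mode=$3 line addr
  local -a fields
  [ -f "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    #Split on whitespace without globbing (a stray '*' must not expand).
    read -r -a fields <<<"$line"
    [ ${#fields[@]} -gt 0 ] || continue
    [ "$mode" = "first" ] && fields=("${fields[0]}")
    for addr in "${fields[@]}"; do
      #Refuse anything that cannot be a hostname, IPv4 address or CIDR prefix;
      #a token starting with '-' would otherwise reach iptables as an option.
      case "$addr" in
        -*|*[!A-Za-z0-9./_-]*)
          printf 'iptables.rule.real: ignoring bad entry "%s" in %s\n' "$addr" "$file" >&2
          continue
          ;;
      esac
      /sbin/iptables -I INPUT -s "$addr" -j "$target" \
        || printf 'iptables.rule.real: failed to add %s rule for %s from %s\n' "$target" "$addr" "$file" >&2
    done
  done < "$file"
}

#Abandon (DROP) the hosts listed in iptables.deny: every token is an address.
apply_addr_list /usr/local/virus/iptables/iptables.deny DROP all
#Same for iptables.adve, whose first column is the address.
apply_addr_list /usr/local/virus/iptables/iptables.adve DROP first
#Whitelist from iptables.allow - inserted last, so it sits above both deny lists.
apply_addr_list /usr/local/virus/iptables/iptables.allow ACCEPT all
#Some policy to reject the www: a rule script for abusive HTTP clients.
#It is executed as root, so whoever can write that file controls the firewall:
#make sure it is root-owned and not writable by the web-server account that
#presumably generates it (confirm against the httpd-err tooling).
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
sh /usr/local/virus/httpd-err/iptables.http
fi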
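#Traffic belonging to an already established connection is accepted from here
#on. This rule is appended AFTER the deny lists (which were inserted at the
#top), so a newly denied host loses its existing connections as well.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
#Allow some services' data input.
#NOTE: there is no SSH rule. The sshd_config port lookup below was never
#enabled, so with the INPUT policy at DROP a new SSH session is only possible
#from a host listed in iptables.allow. Re-enable the lookup (or add a --dport
#rule for the SSH port) if remote administration from elsewhere is needed.
#SSH_PORT=`cat /etc/ssh/sshd_config|grep -w Port | awk '{print $2}'`
#TCP ports open to every source address. 3306 (MySQL) being world-reachable
#deserves a second look: if only the game/web hosts need it, pin it to their
#addresses with -s, as is done for 5666 below.
TCP_OPEN_PORTS="80 443 3306 843 14410 8000 63572"
for port in $TCP_OPEN_PORTS
do
iptables -A INPUT -p TCP --dport "$port" -j ACCEPT
done
#Port 5666 (commonly an NRPE monitoring agent) is reachable from $SOURCEIP only.
iptables -A INPUT -p TCP -s "$SOURCEIP" --dport 5666 -j ACCEPT
#Allow some types of ICMP.
#Type 8 (echo request) is in the list, so the host answers ping; remove 8 from
#AICMP to go silent. 0=echo reply, 3=destination unreachable, 3/4=fragmentation
#needed (PMTU discovery), 4=source quench, 11=time exceeded, 12=parameter
#problem, 14/16/18=timestamp, information and address-mask replies.
AICMP="0 3 3/4 4 8 11 12 14 16 18"
for tyicmp in $AICMP
do
iptables -A INPUT -p icmp --icmp-type "$tyicmp" -j ACCEPT
done
#About MTU limit: forwarded SYNs advertising an MSS of 1400-1536 get it clamped
#to the path MTU, presumably for clients behind links with a smaller MTU.
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
#Site-local additions run last, so they can append after everything above.
if [ -f /usr/local/virus/iptables/iptables.rule.add ];then
/bin/sh /usr/local/virus/iptables/iptables.rule.add
fi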