- 论坛徽章:
- 0
|
#! /bin/sh
sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
echo "1"> /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
sysctl -w net.ipv4.tcp_max_syn_backlog = 2048
sysctl -w net.ipv4.tcp_syncookies = 1
sysctl -w net.ipv4.tcp_synack_retries = 3
sysctl -w net.ipv4.tcp_syn_retries = 3
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j DROP
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 外网
大家帮我分析下,我以上的策略能否全部成功运行,另外在安全方面怎么样。。谢谢了 :) |
|