本帖最后由 king_819 于 2012-03-08 16:45 编辑
iptables防护脚本，编译内核的时候要加上iptables的相关模块，如connlimit、recent。
- #echo "Starting kerryhu-iptables rules..."
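#!/bin/bash
# Host firewall for a single-homed server (iptables, filter table only).
#
# Usage:
#   firewall.sh        load the rule set below (INPUT/FORWARD policy DROP)
#   firewall.sh stop   flush all rules and open the firewall (all policies ACCEPT)
#
# Requires the iptables modules used below: state (connection tracking),
# and, if the commented-out rate-limit rules are enabled, connlimit /
# recent / iplimit.
#
# Originally written 2010-03-27.

# ---- configuration --------------------------------------------------------
IPT=/sbin/iptables
CONNECTION_TRACKING="1"          # "1" = use conntrack state to short-cut checks
INTERNET="eth0"                  # external (untrusted) interface
CLASS_A="10.0.0.0/8"             # RFC 1918 private ranges
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"  # never a valid unicast source
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
LOOPBACK_INTERFACE="lo"

# ---- reset ----------------------------------------------------------------
# Flush all chains and delete user-defined chains in the filter table.
# Other tables (nat, mangle) are not touched by this script.
"$IPT" -F
"$IPT" -X

# ---- stop -----------------------------------------------------------------
# The policies must be reset to ACCEPT here.  The original order (set
# INPUT to DROP, then exit on "stop") left the host with an empty rule set
# and a DROP policy, i.e. fully locked out -- including loopback -- while
# claiming "no firewall running".
if [ "${1:-}" = "stop" ]; then
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  echo "Firewall completely stopped! no firewall running!"
  exit 0
fi

# ---- default policies -----------------------------------------------------
# Deny inbound and forwarded traffic unless explicitly allowed below;
# outbound is open (see the commented-out OUTPUT rules for a stricter setup).
"$IPT" --policy OUTPUT ACCEPT
"$IPT" --policy FORWARD DROP
"$IPT" -P INPUT DROP

# ---- loopback -------------------------------------------------------------
# Local services talk to each other over lo; this must come before any DROP.
"$IPT" -A INPUT  -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# ---- stealth scans and invalid TCP flag combinations ----------------------
# All of the bits are cleared (NULL scan)
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# ---- connection state -----------------------------------------------------
# Accept packets belonging to known connections early so the per-service
# rules below only have to handle NEW connections; drop anything conntrack
# cannot classify.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT  -m state --state INVALID -j DROP
  "$IPT" -A OUTPUT -m state --state INVALID -j DROP
fi

##################################################################
# Source address spoofing and other bad addresses
#
# NOTE: the original comment also mentioned dropping packets that claim
# the external interface's own IP as source; no rule implements that here
# because the interface address is not configured in this script.

# Refuse packets claiming to be from a Class A private network
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_A" -j DROP

# Refuse packets claiming to be from a Class B private network
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_B" -j DROP

# Refuse packets claiming to be from a Class C private network
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_C" -j DROP

# Refuse packets with a multicast or reserved (Class E) source address;
# these are never legitimate unicast sources.
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_D_MULTICAST" -j DROP
"$IPT" -A INPUT -i "$INTERNET" -s "$CLASS_E_RESERVED_NET" -j DROP

# Refuse "this network", link-local and TEST-NET sources
"$IPT" -A INPUT -i "$INTERNET" -s 0.0.0.0/8 -j DROP
"$IPT" -A INPUT -i "$INTERNET" -s 169.254.0.0/16 -j DROP
"$IPT" -A INPUT -i "$INTERNET" -s 192.0.2.0/24 -j DROP
###################################################################

# ---- access rules ---------------------------------------------------------

# Outbound requests can also be restricted; examples (disabled):
# time synchronisation (NTP server)
#$IPT -A OUTPUT -d 192.43.244.18 -j ACCEPT
# allow outgoing ping
#$IPT -A OUTPUT -p icmp -j ACCEPT
#$IPT -A OUTPUT -o $INTERNET -p udp --dport 53 -j ACCEPT
#$IPT -A OUTPUT -o $INTERNET -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $INTERNET -p tcp -m mac --mac-source 00:02:3F:EB:E2:01 --dport 22 -j ACCEPT

# NOTE(review): this rule is never reached.  Its source 192.168.9.201 is
# inside CLASS_C, which is dropped on $INTERNET by the anti-spoofing rule
# above.  Either the peer arrives on another interface (then drop the
# "-i $INTERNET" match) or the anti-spoofing rule needs an exemption.
# Kept unchanged pending clarification of the intended topology.
"$IPT" -A INPUT -i "$INTERNET" -p tcp -s 192.168.9.201 --dport 65535 -j ACCEPT

# Public web services
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 443 -j ACCEPT
"$IPT" -A INPUT -i "$INTERNET" -p tcp --dport 80 -j ACCEPT

# Limit the web service: at most 30 concurrent connections per source IP,
# excess rejected (requires connlimit)
#$IPT -A INPUT -i $INTERNET -p tcp --dport 80 -m connlimit --connlimit-above 30 -j REJECT
# Limit the web service: at most 30 new connections per source IP within
# 60 seconds, excess rejected (requires recent)
#$IPT -A INPUT -i $INTERNET -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
#$IPT -A INPUT -i $INTERNET -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
# Limit the web service: at most 100 concurrent connections per /24
# source network, excess rejected (requires iplimit)
#$IPT -A INPUT -i $INTERNET -p tcp --dport 80 -m iplimit --iplimit-above 100 --iplimit-mask 24 -j REJECT
#$IPT -A INPUT -i $INTERNET -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
#$IPT -A INPUT -i $INTERNET -p udp --dport 123 -j ACCEPT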