- 论坛徽章:
- 0
|
帮我看看下面的设置好不好? 都是怎么回事儿,我这么做的,为什么会出现下面的信息————
声明 我是中国人,Linux系统语言选择的日文,应为我电脑是日本的。
请大家帮忙
————————设定后的执行结果————————————————
[root@linux ~]# ./iptables.sh
使用法: grep [オプション]‥‥ 文字列パターン [ファイル]‥‥
詳しくは`grep --help'を実行してください。
grep: 255.0.0.0: そのようなファイルやディレクトリはありません
ファイアウォールルールを適用中: [ OK ]
チェインポリシーを ACCEPT に設定中filter [ OK ]
iptables モジュールを取り外し中 [ OK ]
Bad argument `255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `255.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
[root@linux ~]# chkconfig iptables on
————————设置例子——————————
[root@fedora ~]# vi iptables.sh #!/bin/bash
LAN=eth0
LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`
LOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d' '`
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK
sed -i '/IPTABLES_MODULES/d' /etc/sysconfig/iptables-config
echo "IPTABLES_MODULES=\"ip_conntrack_ftp\"" >> /etc/sysconfig/iptables-config
/etc/rc.d/init.d/iptables stop
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done
iptables -N LOG_FRAGMENT
iptables -A LOG_FRAGMENT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FRAGMENT] : '
iptables -A LOG_FRAGMENT -j DROP
iptables -A INPUT -f -j LOG_FRAGMENT
iptables -A INPUT -s ! $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT -s ! $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -N LOG_PINGDEATH
iptables -A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A LOG_PINGDEATH -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES PINGDEATH] : '
iptables -A LOG_PINGDEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $LOCALNET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 60000:60030 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# (/root/deny_ip)
iptables -N LOG_DENYHOST
iptables -A LOG_DENYHOST -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DENY_HOST] : '
iptables -A LOG_DENYHOST -j DROP
if [ -s /root/deny_ip ]; then
for ip in `cat /root/deny_ip`
do
iptables -I INPUT -s $ip -j LOG_DENYHOST
done
fi
COUNTRYLIST='CN KR'
wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
for country in $COUNTRYLIST
do
for ip in `cat delegated-apnic-latest | grep "apnic|$country|ipv4|"`
do
FILTER_ADDR=`echo $ip |cut -d "|" -f 4`
TEMP_CIDR=`echo $ip |cut -d "|" -f 5`
FILTER_CIDR=32
while [ $TEMP_CIDR -ne 1 ];
do
TEMP_CIDR=$((TEMP_CIDR/2))
FILTER_CIDR=$((FILTER_CIDR-1))
done
iptables -I INPUT -s $FILTER_ADDR/$FILTER_CIDR -j LOG_DENYHOST
done
done
rm -f delegated-apnic-latest
iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT] : '
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD] : '
iptables -A FORWARD -j DROP
/etc/rc.d/init.d/iptables save
/etc/rc.d/init.d/iptables start
[root@fedora ~]# chmod 700 iptables.sh
[root@fedora ~]# vi /etc/cron.daily/otherfilter_check.sh
#!/bin/bash
COUNTRYLIST='CN KR'
cd /tmp
wget -q -N http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
switch=0
for country in $COUNTRYLIST
do
grep "apnic|$country|ipv4|" delegated-apnic-latest > $country.new
diff -q $country $country.new > /dev/null 2>&1
if [ $? -ne 0 ]; then
switch=1
/bin/mv $country.new $country
else
rm -f $country.new
fi
done
cd
[ $switch -eq 1 ] && /root/iptables.sh > /dev/null
[root@fedora ~]# chmod +x /etc/cron.daily/otherfilter_check.sh |
|
免费注册
发表于 2006-07-31 08:05