请大家一起帮忙改进优化iptables脚本

由 battosai 在 05-24-2004 17:15 发表:

请大家一起帮忙改进优化iptables脚本

> > 源码: >
> * * * >
> #!/bin/sh
> > > #
> > >
> > > ###############################################################################
> > > #
> > > # Local Settings
> > > #
> > >
> > > # IPTables Location - adjust if needed
> > >
> > > IPT="/sbin/iptables"
> > >
> > > # Internet Interface
> > > INET_IFACE="ppp0"
> > >
> > > # Local Interface Information
> > > LOCAL_IFACE="eth0"
> > > LOCAL_IP="172.18.123.5"
> > > LOCAL_NET="172.16.0.0/12"
> > > LOCAL_BCAST="172.18.123.255"
> > >
> > > # Localhost Interface
> > >
> > > LO_IFACE="lo"
> > > LO_IP="127.0.0.1"
> > >
> > >
> > > ###############################################################################
> > > #
> > > # Load Modules
> > > #
> > >
> > > echo "Loading kernel modules ..."
> > >
> > > /sbin/depmod -a
> > >
> > > /sbin/modprobe ip_tables
> > > /sbin/modprobe ip_conntrack
> > > /sbin/modprobe iptable_filter
> > > /sbin/modprobe iptable_nat
> > > /sbin/modprobe ipt_LOG
> > > /sbin/modprobe ipt_limit
> > > /sbin/modprobe ipt_MASQUERADE
> > > /sbin/modprobe ipt_REJECT
> > > /sbin/modprobe multiport
> > > /sbin/modprobe ipt_state
> > > /sbin/modprobe ip_nat_ftp
> > > /sbin/modprobe ip_conntrack_ftp
> > >
> > > ###############################################################################
> > > #
> > > # Kernel Parameter Configuration
> > > #
> > >
> > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > >
> > > ###############################################################################
> > > #
> > > # Flush Any Existing Rules or Chains
> > > #
> > >
> > > echo "Flushing Tables ..."
> > >
> > > # Reset Default Policies
> > > $IPT -P INPUT ACCEPT
> > > $IPT -P FORWARD ACCEPT
> > > $IPT -P OUTPUT ACCEPT
> > > $IPT -t nat -P PREROUTING ACCEPT
> > > $IPT -t nat -P POSTROUTING ACCEPT
> > > $IPT -t nat -P OUTPUT ACCEPT
> > > $IPT -t mangle -P PREROUTING ACCEPT
> > > $IPT -t mangle -P OUTPUT ACCEPT
> > >
> > > # Flush all rules
> > > $IPT -F
> > > $IPT -t nat -F
> > > $IPT -t mangle -F
> > >
> > > # Erase all non-default chains
> > > $IPT -X
> > > $IPT -t nat -X
> > > $IPT -t mangle -X
> > >
> > > ###############################################################################
> > > #
> > > # Rules Configuration
> > > #
> > >
> > > ###############################################################################
> > > #
> > > # Filter Table
> > > #
> > > ###############################################################################
> > >
> > > # Set Policies
> > >
> > > $IPT -P INPUT DROP
> > > $IPT -P OUTPUT DROP
> > > $IPT -P FORWARD DROP
> > >
> > > ###############################################################################
> > > #
> > > # INPUT Chain
> > > #
> > >
> > > echo "Process INPUT chain ..."
> > >
> > > # Drop bad packets
> > > $IPT -A INPUT -p ALL -m state --state INVALID -j DROP
> > > $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> > >
> > > #------------------------------------------------------------------------------#
> > > # Syn-flood INPUT protection
> > > $IPT -A INPUT -i ppp0 -p tcp --syn -m limit --limit 10/h \
> > > -j LOG --log-prefix 'Syn-flood INP attack??? '
> > > $IPT -A INPUT -i ppp0 -p tcp --syn -m limit --limit 1/s -j ACCEPT
> > >
> > > # Port Scanner INPUT protection
> > > $IPT -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> > > -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner INP attack??? '
> > > $IPT -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> > > -m limit --limit 1/s -j ACCEPT
> > >
> > > # Pingu of Death INPUT protection
> > > $IPT -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
> > > -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death INP attack??? '
> > > $IPT -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
> > > -m limit --limit 1/s -j ACCEPT
> > > #------------------------------------------------------------------------------#
> > >
> > > # Allow all on localhost interface
> > > $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
> > >
> > > # Rules for the private network (accessing gateway system itself)
> > > $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
> > > $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
> > > $IPT -A INPUT -p TCP -i $LOCAL_IFACE -m multiport --dport 135,136,137,138,445 -j DROP
> > >
> > > # Inbound Internet Packet Rules
> > >
> > > # Accept Established Connections
> > > $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> > > -j ACCEPT
> > > $IPT -A INPUT -p TCP -i $INET_IFACE -m multiport --destination-port 80,25,110 -j ACCEPT
> > > $IPT -A INPUT -p TCP -i $INET_IFACE -j DROP
> > > $IPT -A INPUT -p UDP -i $INET_IFACE --destination-port 53 -j ACCEPT
> > > $IPT -A INPUT -p UDP -i $INET_IFACE -j DROP
> > > $IPT -A INPUT -p ICMP -s $LOCAL_NET --icmp-type 8 -j ACCEPT
> > > $IPT -A INPUT -p ICMP -s 0/0 -j DROP
> > >
> > > $IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
> > >
> > > # Log packets that still don't match
> > > $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
> > >
> > > ###############################################################################
> > > #
> > > # FORWARD Chain
> > > #
> > >
> > > echo "Process FORWARD chain ..."
> > >
> > > # Used if forwarding for a private network
> > >
> > > # Drop bad packets
> > > $IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
> > > $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
> > >
> > > #------------------------------------------------------------------------------#
> > > # Syn-flood FORWARDing protection
> > > $IPT -A FORWARD -p tcp --syn -m limit --limit 10/h \
> > > -j LOG --log-prefix 'Syn-flood FWD attack??? '
> > > $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> > >
> > > # Port Scanner FORWARDing protection
> > > $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> > > -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner FWD attack??? '
> > > $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> > > -m limit --limit 1/s -j ACCEPT
> > >
> > > # Ping of Death FORWARDing protection
> > > $IPT -A FORWARD -p icmp --icmp-type echo-request \
> > > -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death FWD attack??? '
> > > $IPT -A FORWARD -p icmp --icmp-type echo-request \
> > > -m limit --limit 1/s -j ACCEPT
> > > #------------------------------------------------------------------------------#
> > >
> > > # If not blocked, accept any other packets from the internal interface
> > > $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
> > >
> > > # Deal with responses from the internet
> > > $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> > > -j ACCEPT
> > > $IPT -A FORWARD -i $INET_IFACE -p tcp -m multiport --dport 20,21,22,23,69,135,136,137,138,139,445,593,4444 -j DROP
> > > $IPT -A FORWARD -i $INET_IFACE -p udp -m multiport --dport 20,21,22,23,69,135,136,137,138,139,445,593,4444 -j DROP
> > > $IPT -A FORWARD -p tcp -m multiport --dport 69,135,136,137,138,445,593,4444 -j DROP
> > > $IPT -A FORWARD -p udp -m multiport --dport 69,135,136,137,138,445,593,4444 -j DROP
> > >
> > > # Log packets that still don't match
> > > $IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
> > >
> > > ###############################################################################
> > > #
> > > # OUTPUT Chain
> > > #
> > >
> > > echo "Process OUTPUT chain ..."
> > >
> > > # G

Published At
Categories with 服务器类
Tagged with
comments powered by Disqus