由 battosai 在 05-24-2004 17:15 发表:
请大家一起帮忙改进优化iptables脚本
>
> 源码:
>
> * * *
>
> #!/bin/sh
> >
> #
> >
>
> >
> ###############################################################################
> >
> #
> >
> # Local Settings
> >
> #
> >
>
> >
> # IPTables Location - adjust if needed
> >
>
> >
> IPT="/sbin/iptables"
> >
>
> >
> # Internet Interface
> >
> INET_IFACE="ppp0"
> >
>
> >
> # Local Interface Information
> >
> LOCAL_IFACE="eth0"
> >
> LOCAL_IP="172.18.123.5"
> >
> LOCAL_NET="172.16.0.0/12"
> >
> LOCAL_BCAST="172.18.123.255"
> >
>
> >
> # Localhost Interface
> >
>
> >
> LO_IFACE="lo"
> >
> LO_IP="127.0.0.1"
> >
>
> >
>
> >
> ###############################################################################
> >
> #
> >
> # Load Modules
> >
> #
> >
>
> >
> echo "Loading kernel modules ..."
> >
>
> >
> /sbin/depmod -a
> >
>
> >
> /sbin/modprobe ip_tables
> >
> /sbin/modprobe ip_conntrack
> >
> /sbin/modprobe iptable_filter
> >
> /sbin/modprobe iptable_nat
> >
> /sbin/modprobe ipt_LOG
> >
> /sbin/modprobe ipt_limit
> >
> /sbin/modprobe ipt_MASQUERADE
> >
> /sbin/modprobe ipt_REJECT
> >
> /sbin/modprobe multiport
> >
> /sbin/modprobe ipt_state
> >
> /sbin/modprobe ip_nat_ftp
> >
> /sbin/modprobe ip_conntrack_ftp
> >
>
> >
> ###############################################################################
> >
> #
> >
> # Kernel Parameter Configuration
> >
> #
> >
>
> >
> echo "1" > /proc/sys/net/ipv4/ip_forward
> >
>
> >
> ###############################################################################
> >
> #
> >
> # Flush Any Existing Rules or Chains
> >
> #
> >
>
> >
> echo "Flushing Tables ..."
> >
>
> >
> # Reset Default Policies
> >
> $IPT -P INPUT ACCEPT
> >
> $IPT -P FORWARD ACCEPT
> >
> $IPT -P OUTPUT ACCEPT
> >
> $IPT -t nat -P PREROUTING ACCEPT
> >
> $IPT -t nat -P POSTROUTING ACCEPT
> >
> $IPT -t nat -P OUTPUT ACCEPT
> >
> $IPT -t mangle -P PREROUTING ACCEPT
> >
> $IPT -t mangle -P OUTPUT ACCEPT
> >
>
> >
> # Flush all rules
> >
> $IPT -F
> >
> $IPT -t nat -F
> >
> $IPT -t mangle -F
> >
>
> >
> # Erase all non-default chains
> >
> $IPT -X
> >
> $IPT -t nat -X
> >
> $IPT -t mangle -X
> >
>
> >
> ###############################################################################
> >
> #
> >
> # Rules Configuration
> >
> #
> >
>
> >
> ###############################################################################
> >
> #
> >
> # Filter Table
> >
> #
> >
> ###############################################################################
> >
>
> >
> # Set Policies
> >
>
> >
> $IPT -P INPUT DROP
> >
> $IPT -P OUTPUT DROP
> >
> $IPT -P FORWARD DROP
> >
>
> >
> ###############################################################################
> >
> #
> >
> # INPUT Chain
> >
> #
> >
>
> >
> echo "Process INPUT chain ..."
> >
>
> >
> # Drop bad packets
> >
> $IPT -A INPUT -p ALL -m state --state INVALID -j DROP
> >
> $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> >
>
> >
> #------------------------------------------------------------------------------#
> >
> # Syn-flood INPUT protection
> >
> $IPT -A INPUT -i ppp0 -p tcp --syn -m limit --limit 10/h \
> >
> -j LOG --log-prefix 'Syn-flood INP attack??? '
> >
> $IPT -A INPUT -i ppp0 -p tcp --syn -m limit --limit 1/s -j ACCEPT
> >
>
> >
> # Port Scanner INPUT protection
> >
> $IPT -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> >
> -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner INP attack??? '
> >
> $IPT -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> >
> -m limit --limit 1/s -j ACCEPT
> >
>
> >
> # Pingu of Death INPUT protection
> >
> $IPT -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
> >
> -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death INP attack??? '
> >
> $IPT -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
> >
> -m limit --limit 1/s -j ACCEPT
> >
> #------------------------------------------------------------------------------#
> >
>
> >
> # Allow all on localhost interface
> >
> $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
> >
>
> >
> # Rules for the private network (accessing gateway system itself)
> >
> $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
> >
> $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
> >
> $IPT -A INPUT -p TCP -i $LOCAL_IFACE -m multiport --dport 135,136,137,138,445 -j DROP
> >
>
> >
> # Inbound Internet Packet Rules
> >
>
> >
> # Accept Established Connections
> >
> $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> >
> -j ACCEPT
> >
> $IPT -A INPUT -p TCP -i $INET_IFACE -m multiport --destination-port 80,25,110 -j ACCEPT
> >
> $IPT -A INPUT -p TCP -i $INET_IFACE -j DROP
> >
> $IPT -A INPUT -p UDP -i $INET_IFACE --destination-port 53 -j ACCEPT
> >
> $IPT -A INPUT -p UDP -i $INET_IFACE -j DROP
> >
> $IPT -A INPUT -p ICMP -s $LOCAL_NET --icmp-type 8 -j ACCEPT
> >
> $IPT -A INPUT -p ICMP -s 0/0 -j DROP
> >
>
> >
> $IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
> >
>
> >
> # Log packets that still don't match
> >
> $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
> >
>
> >
> ###############################################################################
> >
> #
> >
> # FORWARD Chain
> >
> #
> >
>
> >
> echo "Process FORWARD chain ..."
> >
>
> >
> # Used if forwarding for a private network
> >
>
> >
> # Drop bad packets
> >
> $IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
> >
> $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
> >
>
> >
> #------------------------------------------------------------------------------#
> >
> # Syn-flood FORWARDing protection
> >
> $IPT -A FORWARD -p tcp --syn -m limit --limit 10/h \
> >
> -j LOG --log-prefix 'Syn-flood FWD attack??? '
> >
> $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
> >
>
> >
> # Port Scanner FORWARDing protection
> >
> $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> >
> -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner FWD attack??? '
> >
> $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
> >
> -m limit --limit 1/s -j ACCEPT
> >
>
> >
> # Ping of Death FORWARDing protection
> >
> $IPT -A FORWARD -p icmp --icmp-type echo-request \
> >
> -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death FWD attack??? '
> >
> $IPT -A FORWARD -p icmp --icmp-type echo-request \
> >
> -m limit --limit 1/s -j ACCEPT
> >
> #------------------------------------------------------------------------------#
> >
>
> >
> # If not blocked, accept any other packets from the internal interface
> >
> $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
> >
>
> >
> # Deal with responses from the internet
> >
> $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> >
> -j ACCEPT
> >
> $IPT -A FORWARD -i $INET_IFACE -p tcp -m multiport --dport 20,21,22,23,69,135,136,137,138,139,445,593,4444 -j DROP
> >
> $IPT -A FORWARD -i $INET_IFACE -p udp -m multiport --dport 20,21,22,23,69,135,136,137,138,139,445,593,4444 -j DROP
> >
> $IPT -A FORWARD -p tcp -m multiport --dport 69,135,136,137,138,445,593,4444 -j DROP
> >
> $IPT -A FORWARD -p udp -m multiport --dport 69,135,136,137,138,445,593,4444 -j DROP
> >
>
> >
> # Log packets that still don't match
> >
> $IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
> >
>
> >
> ###############################################################################
> >
> #
> >
> # OUTPUT Chain
> >
> #
> >
>
> >
> echo "Process OUTPUT chain ..."
> >
>
> >
> # G