iptables的一个脚本(从knoppix.net上弄来的,希望对大家有用)

由 Omak 在 12-28-2003 16:39 发表:

iptables的一个脚本(从knoppix.net上弄来的,希望对大家有用)

#!/bin/sh

Use ipreset to clearall

This allows nmap localhost but not from any other machine

Debug:

##tcpdump -i eth0 not port 22 # Everything but ssh

Trace, exit at 1st err

set -x -e

Flush 1st

iptables -F

Deletes any tables that you've created, and leaves the

default (input, output, forward, etc.)

iptables -X

Allow loopback access. This rule must come before the rules denying

port access!!

iptables -A INPUT -i lo -p all -j ACCEPT

iptables -A OUTPUT -o lo -p all -j ACCEPT

##iptables -A INPUT -i lo -j ACCEPT

#This allows all data that has been sent out for the computer running the

firewall to come back (for all of ICMP/TCP/UDP).

#For example, if a ping request is made it will allow the reply back

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

Allow outside ping

iptables -A INPUT -p icmp -j ACCEPT

#These lines add rules (-A) to the OUTPUT and INPUT tables

that match state as well. However, this time it only matches

packets that are related to packets that have already been

passed, or packets that are a part of an already-established

connection (-m state --state RELATED,ESTABLISHED) and allows

them to be accepted (-j ACCEPT). Think of this as a

combination of yahoo sending its web page to you and you

asking for a second one.

#/* You would need to load at least the ip_conntrack, iptable_filter and

#ipt_state modules, and would probably want to load the ip_conntrack_ftp

#module too.

#These rules should block incoming traffic which isn't associated to a

#connection which you've initiated from your machine.

#*/

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow ssh

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Well, crap - we got rid of 8 rules in favor of 1

#Allow incoming FTP requests - xxx uncomment

iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT

iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT

iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT

Allow Squid from local net

iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT

iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT

iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT

iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT

Allow BitTorrent connections

xxx 2003.1012 modified for only 3 ports (was 6881:6889)

iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT

Allow 1 VNC

iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT

BLOCKING

#Example: Block all ports, besides port 22 to allow sshd:

##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT

###/sbin/iptables -A INPUT -p tcp --syn -j DROP

#Block all ports,besides port 22, and only allow predefined IP to access that

#port.

##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT

##/sbin/iptables -A INPUT -p tcp --syn -j DROP

#/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT

#allow connection to sshd from IP 192.168.1.100

#/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT

#allow httpd server to be accessed by world

#/sbin/iptables -A INPUT -p tcp --syn -j DROP

#block all ports (besides the limitations of above)

#More elaborate rules can be created that control access to specific subnets,

#or even specific nodes, within a LAN. You can also restrict certain dubious

#services such as trojans, worms, and other client/server viruses from

#contacting their server. For example, there are some trojans that scan

#networks for services on ports from 31337 to 31340 (called the elite ports

#in cracking lingo). Since there are no legitimate services that communicate

#via these non-standard ports, blocking it can effectively diminish the

#chances that potentially infected nodes on your network independently

#communicate with their remote master servers. Note that the following rule

#is only useful if your default OUTPUT policy is set to ACCEPT. If you set

#OUTPUT policy to DROP, then this rule is not needed.

#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

Remember, dport can only be used with -ptcp or -pudp specific.

iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP

iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP

#FORWARD rules can be implemented to restrict certain types of traffic to the

#LAN only, such as local network file shares through NFS or Samba. The

#following rules reject outside connections to Samba shares:

iptables -A FORWARD -p tcp --sport 137:139 -j DROP

iptables -A FORWARD -p udp --sport 137:139 -j DROP

remote interface, claiming to be local machines, IP spoofing, get lost

This turns out to be same as non-routable IPs

##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP

New way:

Block nonroutable IPs

iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP

iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP

iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP

iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP

#"A" for append, "INPUT" to specify the state for the condition (coming,

#going, or forwarding), and "sport" for source port.

Block common Windoze ports / specific ports

iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP

iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT # Block Windows file sharing

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT # Block Windows file sharing

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa

iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP

Block incoming Blaster Worm traffic on ports 153 and 707

Chgd eth0 to ppp0, added -p tcp and got it to work

iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP

iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP

Block infected machines from spreading Blaster Worm on 153 and 707

##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP

##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP

!! Consider dropping all traffic to port 25 (mail)

Block ports 127, 137, 138 and 139 (Sambe/windows) - blocked in FORWARD, above

Fallthru

Default rule

Sets the default policy (-P) for INPUT packets to DROP. If a

packet comes into your interface and doesn't match any other

rules, the default policy takes effect and the packet is dropped.

iptables -P INPUT DROP

Default rule

Sets the default policy (-P) for FORWARD packets to DROP. If

a packet needs to be routed from one interface to another

(such as a firewall/router with two network cards) and

doesn't match any other rules, the default policy takes

effect and the packet is dropped.

iptables -P FORWARD DROP

Final rule (stopgap)

iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP

exit;

References:

http://nekohako.xware.cx/tech/adsl-2.4.html

http://www.redhat.com/docs/manuals/...uide/ch-fw.html

http://uug.byu.edu/pipermail/uug-li...ril/002060.html

http://www.linuxchix.org/pipermail/...ust/016116.html

http://linuxwiki.de/FlorianWoegerer/Notizen

http://www.linuxforum.com/forums/in...&#entry5637

http://www.ltsp.org/contrib/vnc.html

Orig ssh mess:

Allow ssh

iptables -A INPUT -p tcp --sport 22 -j ACCEPT

iptables -A INPUT -p udp --sport 22 -j ACCEPT

XXX added below

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p udp --dport 22 -j ACCEPT

#(Orig

##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT

Added more

##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT

##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT

##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT

UNUSED:

#To take the restrictions a step further, block all outside connections that

#attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN

#uses the 192.168.1.0/24 range, a rule can set the Internet facing network

#device (for example, eth0) to drop any packets to that device with an

#address in your LAN IP range. Because it is recommended to reject forwarded

#packets as a default policy, any other spoofed IP address to the

#external-facing device (eth0) will be rejected automatically.

##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth

Published At
Categories with 服务器类
Tagged with
comments powered by Disqus