由 Omak 在 12-28-2003 16:39 发表:
iptables的一个脚本(从knoppix.net上弄来的,希望对大家有用)
#!/bin/sh
Use ipreset to clearall
This allows nmap localhost but not from any other machine 
Debug:
##tcpdump -i eth0 not port 22 # Everything but ssh
Trace, exit at 1st err
set -x -e
Flush 1st
iptables -F
Deletes any tables that you've created, and leaves the
default (input, output, forward, etc.)
iptables -X
Allow loopback access. This rule must come before the rules denying
port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
##iptables -A INPUT -i lo -j ACCEPT
#This allows all data that has been sent out for the computer running the
firewall to come back (for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
Allow outside ping
iptables -A INPUT -p icmp -j ACCEPT
#These lines add rules (-A) to the OUTPUT and INPUT tables
that match state as well. However, this time it only matches
packets that are related to packets that have already been
passed, or packets that are a part of an already-established
connection (-m state --state RELATED,ESTABLISHED) and allows
them to be accepted (-j ACCEPT). Think of this as a
combination of yahoo sending its web page to you and you
asking for a second one.
#/* You would need to load at least the ip_conntrack, iptable_filter and
#ipt_state modules, and would probably want to load the ip_conntrack_ftp
#module too.
#These rules should block incoming traffic which isn't associated to a
#connection which you've initiated from your machine.
#*/
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Well, crap - we got rid of 8 rules in favor of 1 
#Allow incoming FTP requests - xxx uncomment
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT
Allow Squid from local net
iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT
Allow BitTorrent connections
xxx 2003.1012 modified for only 3 ports (was 6881:6889)
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT
Allow 1 VNC
iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT
BLOCKING
#Example: Block all ports, besides port 22 to allow sshd:
##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
###/sbin/iptables -A INPUT -p tcp --syn -j DROP
#Block all ports,besides port 22, and only allow predefined IP to access that
#port.
##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
##/sbin/iptables -A INPUT -p tcp --syn -j DROP
#/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
#allow connection to sshd from IP 192.168.1.100
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#allow httpd server to be accessed by world
#/sbin/iptables -A INPUT -p tcp --syn -j DROP
#block all ports (besides the limitations of above)
#More elaborate rules can be created that control access to specific subnets,
#or even specific nodes, within a LAN. You can also restrict certain dubious
#services such as trojans, worms, and other client/server viruses from
#contacting their server. For example, there are some trojans that scan
#networks for services on ports from 31337 to 31340 (called the elite ports
#in cracking lingo). Since there are no legitimate services that communicate
#via these non-standard ports, blocking it can effectively diminish the
#chances that potentially infected nodes on your network independently
#communicate with their remote master servers. Note that the following rule
#is only useful if your default OUTPUT policy is set to ACCEPT. If you set
#OUTPUT policy to DROP, then this rule is not needed.
#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
Remember, dport can only be used with -ptcp or -pudp specific.
iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
#FORWARD rules can be implemented to restrict certain types of traffic to the
#LAN only, such as local network file shares through NFS or Samba. The
#following rules reject outside connections to Samba shares:
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
remote interface, claiming to be local machines, IP spoofing, get lost
This turns out to be same as non-routable IPs
##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP
New way:
Block nonroutable IPs
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
#"A" for append, "INPUT" to specify the state for the condition (coming,
#going, or forwarding), and "sport" for source port.
Block common Windoze ports / specific ports
iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP
iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa
iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP
Block incoming Blaster Worm traffic on ports 153 and 707
Chgd eth0 to ppp0, added -p tcp and got it to work 
iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP
Block infected machines from spreading Blaster Worm on 153 and 707
##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP
##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP
!! Consider dropping all traffic to port 25 (mail)
Block ports 127, 137, 138 and 139 (Sambe/windows) - blocked in FORWARD, above
Fallthru
Default rule
Sets the default policy (-P) for INPUT packets to DROP. If a
packet comes into your interface and doesn't match any other
rules, the default policy takes effect and the packet is dropped.
iptables -P INPUT DROP
Default rule
Sets the default policy (-P) for FORWARD packets to DROP. If
a packet needs to be routed from one interface to another
(such as a firewall/router with two network cards) and
doesn't match any other rules, the default policy takes
effect and the packet is dropped.
iptables -P FORWARD DROP
Final rule (stopgap)
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
exit;
References:
http://nekohako.xware.cx/tech/adsl-2.4.html
http://www.redhat.com/docs/manuals/...uide/ch-fw.html
http://uug.byu.edu/pipermail/uug-li...ril/002060.html
http://www.linuxchix.org/pipermail/...ust/016116.html
http://linuxwiki.de/FlorianWoegerer/Notizen
http://www.linuxforum.com/forums/in...&#entry5637
http://www.ltsp.org/contrib/vnc.html
Orig ssh mess:
Allow ssh
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 22 -j ACCEPT
XXX added below
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --dport 22 -j ACCEPT
#(Orig 
##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT
Added more
##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
UNUSED:
#To take the restrictions a step further, block all outside connections that
#attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN
#uses the 192.168.1.0/24 range, a rule can set the Internet facing network
#device (for example, eth0) to drop any packets to that device with an
#address in your LAN IP range. Because it is recommended to reject forwarded
#packets as a default policy, any other spoofed IP address to the
#external-facing device (eth0) will be rejected automatically.
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth