超强的iptables防护脚本
作者 佚名技术
来源 Linux系统
发布时间 2012-04-22
vi /root/iptables.sh
#echo "Starting kerryhu-iptables rules..."
#!/bin/bash
# BY kerryhu
# QQ:263205768
# MAIL:king_819@163.com
# BLOG:http://kerry.blog.51cto.com
#this is a common firewall created by 2010-3-27
#
# Purpose: host firewall for a single server -- flushes the filter table,
# sets DROP as the default policy on INPUT/OUTPUT/FORWARD, then opens only
# the loopback interface, stateful return traffic and a short list of
# outbound services (DNS, NTP, ICMP, an FTP backup host, HTTP).
#
# NOTE(review): the commented-out echo above means "#!/bin/bash" is not the
# first line, so the kernel will not honour it when the file is executed
# directly (./iptables.sh); run it explicitly as "bash /root/iptables.sh"
# or move the shebang to line 1.
# NOTE(review): there is no "set -e"/"set -u"; if $IPT is wrong or a rule
# fails to load the script carries on, leaving the DROP policies in place
# with fewer ACCEPT rules than intended.
# NOTE(review): no rule in the visible part of the script accepts inbound
# SSH (or any other management port) and INPUT defaults to DROP, so
# running this over a remote session will lock you out unless such a rule
# exists in the part of the listing that is cut off below. Test from a
# console first, or arm a timed rollback (e.g. "sleep 300 && iptables -F"
# in the background) before applying remotely.
#
# Path to the iptables binary; every rule below goes through it.
IPT="/sbin/iptables"
# "1" enables the stateful (conntrack) ACCEPT/INVALID rules further down.
CONNECTION_TRACKING="1"
# RFC 1918 private ranges, dropped as sources on INPUT (anti-spoofing).
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
# The following four variables are defined but not referenced anywhere in
# the visible part of the script; they may be used by rules that were cut
# off from this listing.
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
LOOPBACK_INTERFACE="lo"
#Remove any existing rules
# NOTE(review): without "-t <table>" both commands act on the filter table
# only; any stale rules in the nat or mangle tables survive a re-run.
$IPT -F
$IPT -X
#setting default firewall policy
# Default-deny on all three chains: anything not explicitly accepted below
# is dropped. This is the right default, but see the lock-out note above.
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
#setting for loopback interface
# Local services (resolver, databases bound to 127.0.0.1, ...) must always
# be able to talk to themselves, so loopback is opened unconditionally.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Stealth Scans and TCP State Flags
# Drop TCP packets with flag combinations that never occur in a legitimate
# handshake; these are typical of nmap NULL/XMAS/FIN scans and some
# stack-fingerprinting probes. They are evaluated before the ESTABLISHED
# rule so they never ride on an existing connection.
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Using Connection State to By-pass Rule Checking
# With conntrack on, replies to connections that were already allowed are
# accepted early in both directions, and packets the tracker cannot
# associate with any connection (INVALID) are dropped. Everything after
# this point therefore only has to describe NEW connections.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m state --state INVALID -j DROP
  $IPT -A OUTPUT -m state --state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface.s IP address
# NOTE(review): the comment above says "external interface", but none of
# the DROP rules in this section carries "-i <interface>", so they apply
# to every interface. On a host that also has a private (10/8, 172.16/12
# or 192.168/16) address -- very common for a LAN-side or backup NIC --
# this silently drops all traffic from that LAN, including administrative
# access. If the server is dual-homed, pin these rules to the public
# interface (e.g. "-i eth0") rather than dropping RFC 1918 globally.
# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -s $CLASS_C -j DROP
# "This network" (0.0.0.0/8), link-local (169.254/16) and the TEST-NET
# documentation block (192.0.2/24) are never valid sources from the
# Internet.
$IPT -A INPUT -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -s 192.0.2.0/24 -j DROP
###################################################################
#setting access rules
# Allow outbound DNS resolution.
# NOTE(review): only UDP/53 is opened, to any resolver. Responses larger
# than 512 bytes (common with DNSSEC) fall back to TCP/53, which this rule
# set does not allow; the commented-out lines below show the tighter
# per-resolver form that also covered TCP.
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
#$IPT -A OUTPUT -p tcp -d 61.177.7.1 --dport 53 -j ACCEPT
#$IPT -A OUTPUT -p udp -d 61.177.7.1 --dport 53 -j ACCEPT
# Clock synchronisation (NTP).
# NOTE(review): this rule has no "-p"/"--dport", so it allows ANY protocol
# and port to the NTP host, not just UDP/123. The commented-out rule
# below is the intended, narrower form.
$IPT -A OUTPUT -d 192.43.244.18 -j ACCEPT
#$IPT -A OUTPUT -p udp -d 192.43.244.18 --dport 123 -j ACCEPT
# Allow outbound ping (all ICMP types, to any destination).
$IPT -A OUTPUT -p icmp -j ACCEPT
# Allow the FTP backup job to reach the backup host.
# NOTE(review): as with NTP above, the active rule accepts every protocol
# and port to 222.102.153.191; the two commented-out rules (tcp/21 and
# tcp/20) are the least-privilege version. Passive-mode data connections
# are covered by the RELATED state match only if the FTP conntrack helper
# (nf_conntrack_ftp / ip_conntrack_ftp) is loaded.
#$IPT -A OUTPUT -p tcp -d 222.102.153.191 --dport 21 -j ACCEPT
#$IPT -A OUTPUT -p tcp -d 222.102.153.191 --dport 20 -j ACCEPT
$IPT -A OUTPUT -d 222.102.153.191 -j ACCEPT
# Allow outbound HTTP.
# NOTE(review): the listing is cut off here in the source page. The line
# below is incomplete (presumably "--dport 80 -j ACCEPT" followed), and
# any later rules -- including any inbound service/SSH rules -- are not
# visible. As written, a rule with no "-j" target matches but does nothing.
$IPT -A OUTPUT -p tcp