iptables 預設安全規則指令碼

wdnmg發表於2011-03-16
指令碼

預設指令碼只開啟常規web伺服器的80,3306,22埠

#vi default_firewall.sh

  1. #!/bin/bash
  2. #########################################################################
  3. #
  4. # File:         default_firewall.sh
  5. # Description: 
  6. # Language:     GNU Bourne-Again SHell
  7. # Version: 1.0
  8. # Date: 2010-6-23
  9. # Corp.: c1gstudio.com
  10. # Author: c1g
  11. # WWW: http://blog.c1gstudio.com
  12. ### END INIT INFO
  13. ###############################################################################
  15. IPTABLES=/sbin/iptables
  17. # start by flushing the rules
  18. $IPTABLES -P INPUT DROP
  19. $IPTABLES -P FORWARD ACCEPT
  20. $IPTABLES -P OUTPUT ACCEPT
  21. $IPTABLES -t nat -P PREROUTING ACCEPT
  22. $IPTABLES -t nat -P POSTROUTING ACCEPT
  23. $IPTABLES -t nat -P OUTPUT ACCEPT
  24. $IPTABLES -t mangle -P PREROUTING ACCEPT
  25. $IPTABLES -t mangle -P OUTPUT ACCEPT
  27. $IPTABLES -F
  28. $IPTABLES -X
  29. $IPTABLES -Z
  30. $IPTABLES -t nat -F
  31. $IPTABLES -t mangle -F
  32. $IPTABLES -t nat -X
  33. $IPTABLES -t mangle -X
  34. $IPTABLES -t nat -Z
  36. ## allow packets coming from the machine
  37. $IPTABLES -A INPUT -i lo -j ACCEPT
  38. $IPTABLES -A OUTPUT -o lo -j ACCEPT
  40. # allow outgoing traffic
  41. $IPTABLES -A OUTPUT -o eth0 -j ACCEPT
  43. # block spoofing
  44. $IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
  46. $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  47. $IPTABLES -A INPUT -p icmp -j ACCEPT
  50. # stop bad packets
  51. #$IPTABLES -A INPUT -m state --state INVALID -j DROP
  53. # NMAP FIN/URG/PSH
  54. #$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  55. # stop Xmas Tree type scanning
  56. #$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
  57. #$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  58. # stop null scanning
  59. #$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
  60. # SYN/RST
  61. #$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  62. # SYN/FIN
  63. #$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  64. # stop sync flood
  65. #$IPTABLES -N SYNFLOOD
  66. #$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
  67. #$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
  68. #$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
  69. # stop ping flood attack
  70. #$IPTABLES -N PING
  71. #$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
  72. #$IPTABLES -A PING -p icmp -j REJECT
  73. #$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING
  76. #################################
  77. ## What we allow
  78. #################################
  80. # tcp ports
  82. # smtp
  83. #$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
  84. # http
  85. $IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  86. # pop3
  87. #$IPTABLES -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
  88. # imap
  89. #$IPTABLES -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
  90. # ldap
  91. #$IPTABLES -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
  92. # https
  93. #$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  94. # smtp over SSL
  95. #$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
  96. # line printer spooler
  97. #$IPTABLES -A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
  98. # cups
  99. #$IPTABLES -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
  100. # mysql
  101. $IPTABLES -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
  102. # tomcat
  103. #$IPTABLES -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
  104. # squid
  105. #$IPTABLES -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
  106. # nrpe
  107. #$IPTABLES -A INPUT -p tcp -m tcp --dport 15666 -j ACCEPT
  109. ## restrict some tcp things ##
  111. # ssh
  112. $IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  113. #$IPTABLES -A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
  114. # samba (netbios)
  115. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
  116. # ntop
  117. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 3000  -j ACCEPT
  118. # Hylafax
  119. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 4558:4559 -j ACCEPT
  120. # webmin
  121. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 10000  -j ACCEPT
  123. # udp ports
  124. # DNS
  125. #$IPTABLES -A INPUT -p udp -m udp --dport 53 -j ACCEPT
  126. # DHCP
  127. #$IPTABLES -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
  128. # NTP
  129. #$IPTABLES -A INPUT -p udp -m udp --dport 123 -j ACCEPT
  130. # SNMP
  131. #$IPTABLES -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT
  133. ## restrict some udp things ##
  135. # Samba (Netbios)
  136. #$IPTABLES -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137:139  -j ACCEPT
  137. #$IPTABLES -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT
  139. # finally - drop the rest
  141. #$IPTABLES -A INPUT -p tcp --syn -j DROP

設定許可權

  1. chmod u+x ./default_firewall.sh

執行指令碼

  1. ./default_firewall.sh

檢視iptables

  1. #/sbin/iptables -nL

儲存iptables

  1. #/sbin/iptables-save > /etc/sysconfig/iptables

重啟iptables

  1. #/etc/init.d/iptables restart

指令碼下載:

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/70109/viewspace-689580/,如需轉載,請註明出處,否則將追究法律責任。

相關文章