A simple iptables setup

Posted by moumouyu on 2009-11-18

Recently the H3C firewall in front of the website I am responsible for kept having problems. The concrete symptom was that access to the site from the outside through the firewall failed, while direct access from the internal network sometimes worked. My preliminary diagnosis was the NAT connection-count limit on the firewall. Since that probably would not be fixed quickly, I put the website directly on the public network and, while at it, wrote a simple packet-filter rule set with iptables, as follows:

#!/bin/bash
SYSCTL="/sbin/sysctl -w"
# conntrack and FTP helper modules (2.6-era names; newer kernels use nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# each block uses sysctl when $SYSCTL is set and falls back to writing /proc directly otherwise
# (with SYSCTL set above, the /proc branch never runs)
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi


# per-interface anti-spoofing (reverse-path filter) and martian logging on eth0
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth0/log_martians
# SYN-flood mitigation: syncookies, fewer SYN-ACK retries, larger SYN backlog
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog

# reset the policies to ACCEPT and flush so the script can be re-run safely
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

# SSH and HTTP on the LAN address, HTTP on the public address (WAN_IP is a placeholder)
iptables -A INPUT -p tcp -d 192.168.1.100 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.100 --sport 22 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.1.100 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.100 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -d WAN_IP --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s WAN_IP --sport 80 -j ACCEPT

# outbound connections to the Oracle listener and its replies
iptables -A OUTPUT -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --sport 1521 -j ACCEPT
#DNS
#iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --sport 53 -j ACCEPT
# loopback interface
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 192.168.1.100 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.100 -d 0.0.0.0/0 -j ACCEPT
#FTP enable

iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT

iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

#ip route add 10.1.0.0/16 via 10.1.2.1 dev eth0

# accept new connections (SYN only) at a limited rate
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT


# switch to default-deny now that the accept rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


iptables -A INPUT -p tcp --dport 1024:65000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65000 -j ACCEPT

# list the resulting rules with packet and byte counters
iptables -L -n --line-number -v -x

# count TCP connections by state
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'


So far it seems to have few problems. By the way, it would be nice if the blog supported code :)
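iptables walks a chain top to bottom and the first matching rule decides, so rule order matters as much as the rules themselves. The following is an added example, not code from the post: a small Python model of first-match evaluation over a constructed, simplified INPUT chain (protocol, destination, port and a NEW/ESTABLISHED state only; the limit match is not modelled, and the addresses and packets are constructed). It shows that the post's `-s 0.0.0.0/0 -d 192.168.1.100 -j ACCEPT` line accepts a brand-new connection to port 1521 before any later rule is consulted, whereas a tightened variant that keeps only the service ports plus established traffic lets the same packet fall through to the DROP policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT or DROP; a None field below means "any"
    proto: Optional[str] = None   # -p tcp
    dst: Optional[str] = None     # -d address
    dport: Optional[int] = None   # --dport
    state: Optional[str] = None   # -m state --state (NEW/ESTABLISHED only here)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    state: str

def matches(rule: Rule, pkt: Packet) -> bool:
    pairs = ((rule.proto, pkt.proto), (rule.dst, pkt.dst),
             (rule.dport, pkt.dport), (rule.state, pkt.state))
    return all(want is None or want == have for want, have in pairs)

def verdict(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[Optional[int], str]:
    """First-match walk of the chain; index None means the chain policy decided."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return i, rule.target
    return None, policy

# Constructed model of the post's INPUT chain, in the post's order.
POST_CHAIN = [
    Rule("ACCEPT", "tcp", "192.168.1.100", 22),
    Rule("ACCEPT", "tcp", "192.168.1.100", 80),
    Rule("ACCEPT", None, "192.168.1.100"),            # -s 0.0.0.0/0 -d 192.168.1.100
    Rule("ACCEPT", "tcp", None, 21),                   # FTP control port
    Rule("ACCEPT", "tcp", None, None, "ESTABLISHED"),  # --state ESTABLISHED,RELATED
    Rule("ACCEPT", "tcp", None, None, "NEW"),          # stand-in for the SYN limit rule
]
# Tightened variant (constructed): replies first, then only the service ports.
TIGHT_CHAIN = [
    Rule("ACCEPT", None, None, None, "ESTABLISHED"),
    Rule("ACCEPT", "tcp", "192.168.1.100", 22),
    Rule("ACCEPT", "tcp", "192.168.1.100", 80),
    Rule("ACCEPT", "tcp", "192.168.1.100", 21),
]
# Constructed packet: a brand-new inbound connection to the Oracle listener port.
NEW_1521 = Packet("203.0.113.7", "192.168.1.100", "tcp", 1521, "NEW")
```

Calling `verdict(POST_CHAIN, "DROP", NEW_1521)` returns `(2, 'ACCEPT')` and `verdict(TIGHT_CHAIN, "DROP", NEW_1521)` returns `(None, 'DROP')`; comparing `iptables -L -v -x` counters on a live box tells you the same story about which rules actually fire.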


From the "ITPUB blog", link: http://blog.itpub.net/8432937/viewspace-1028825/. If reposting, please cite the source; otherwise legal action will be pursued.
