我的防火墙脚本
时间:2006-10-26 来源:liuxingyuyuni
/etc/sysconfit/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 65535 -j ACCEPT
COMMIT
/root/work/* 1. deny_death_ping.sh /sbin/iptables -N ping
#/sbin/iptables -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
/sbin/iptables -A ping -p icmp -j REJECT
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping 2. prevent_scan.sh /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 3. sync_flood.sh /sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold 4. deny_mac.sh #/sbin/iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP 5.set_ipcheck_on.sh # set ip check on
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f
done
fi
// prevent ip attack
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
//set ip forward off
echo 0 > /proc/sys/net/ipv4/ip_forward
/etc/rc.d/rc.local #!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
/root/work/deny_death_ping.sh
/root/work/iptables.sh
/root/work/set_ipcheck_on.sh
/root/work/deny_mac.sh
/root/work/prevent_scan.sh
/root/work/sync_flood.sh
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 65535 -j ACCEPT
COMMIT
/root/work/* 1. deny_death_ping.sh /sbin/iptables -N ping
#/sbin/iptables -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
/sbin/iptables -A ping -p icmp -j REJECT
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping 2. prevent_scan.sh /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 3. sync_flood.sh /sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold 4. deny_mac.sh #/sbin/iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP 5.set_ipcheck_on.sh # set ip check on
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f
done
fi
// prevent ip attack
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
//set ip forward off
echo 0 > /proc/sys/net/ipv4/ip_forward
/etc/rc.d/rc.local #!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
/root/work/deny_death_ping.sh
/root/work/iptables.sh
/root/work/set_ipcheck_on.sh
/root/work/deny_mac.sh
/root/work/prevent_scan.sh
/root/work/sync_flood.sh
相关阅读 更多 +
