Hunter的大杂烩 技术学习笔记

2012-06-08

iptables 默认安全规则脚本

Filed under: 技术话题 — hunter @ 6:05 pm

from: http://space.itpub.net/70109/viewspace-689580

默认脚本只开启常规web服务器的80,3306,22端口

#vi default_firewall.sh

  1. #!/bin/bash
  2. #########################################################################
  3. #
  4. # File: default_firewall.sh
  5. # Description:
  6. # Language: GNU Bourne-Again SHell
  7. # Version: 1.0
  8. # Date: 2010-6-23
  9. # Corp.: c1gstudio.com
  10. # Author: c1g
  11. # WWW: http://blog.c1gstudio.com
  12. ### END INIT INFO
  13. ###############################################################################
  15. IPTABLES=/sbin/iptables
  17. # start by flushing the rules
  18. $IPTABLES -P INPUT DROP
  19. $IPTABLES -P FORWARD ACCEPT
  20. $IPTABLES -P OUTPUT ACCEPT
  21. $IPTABLES -t nat -P PREROUTING ACCEPT
  22. $IPTABLES -t nat -P POSTROUTING ACCEPT
  23. $IPTABLES -t nat -P OUTPUT ACCEPT
  24. $IPTABLES -t mangle -P PREROUTING ACCEPT
  25. $IPTABLES -t mangle -P OUTPUT ACCEPT
  27. $IPTABLES -F
  28. $IPTABLES -X
  29. $IPTABLES -Z
  30. $IPTABLES -t nat -F
  31. $IPTABLES -t mangle -F
  32. $IPTABLES -t nat -X
  33. $IPTABLES -t mangle -X
  34. $IPTABLES -t nat -Z
  36. ## allow packets coming from the machine
  37. $IPTABLES -A INPUT -i lo -j ACCEPT
  38. $IPTABLES -A OUTPUT -o lo -j ACCEPT
  40. # allow outgoing traffic
  41. $IPTABLES -A OUTPUT -o eth0 -j ACCEPT
  43. # block spoofing
  44. $IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP
  46. $IPTABLES -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
  47. $IPTABLES -A INPUT -p icmp -j ACCEPT
  50. # stop bad packets
  51. #$IPTABLES -A INPUT -m state –state INVALID -j DROP
  53. # NMAP FIN/URG/PSH
  54. #$IPTABLES -A INPUT -i eth0 -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP
  55. # stop Xmas Tree type scanning
  56. #$IPTABLES -A INPUT -i eth0 -p tcp –tcp-flags ALL ALL -j DROP
  57. #$IPTABLES -A INPUT -i eth0 -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  58. # stop null scanning
  59. #$IPTABLES -A INPUT -i eth0 -p tcp –tcp-flags ALL NONE -j DROP
  60. # SYN/RST
  61. #$IPTABLES -A INPUT -i eth0 -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
  62. # SYN/FIN
  63. #$IPTABLES -A INPUT -i eth0 -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
  64. # stop sync flood
  65. #$IPTABLES -N SYNFLOOD
  66. #$IPTABLES -A SYNFLOOD -p tcp –syn -m limit –limit 1/s -j RETURN
  67. #$IPTABLES -A SYNFLOOD -p tcp -j REJECT –reject-with tcp-reset
  68. #$IPTABLES -A INPUT -p tcp -m state –state NEW -j SYNFLOOD
  69. # stop ping flood attack
  70. #$IPTABLES -N PING
  71. #$IPTABLES -A PING -p icmp –icmp-type echo-request -m limit –limit 1/second -j RETURN
  72. #$IPTABLES -A PING -p icmp -j REJECT
  73. #$IPTABLES -I INPUT -p icmp –icmp-type echo-request -m state –state NEW -j PING
  76. #################################
  77. ## What we allow
  78. #################################
  80. # tcp ports
  82. # smtp
  83. #$IPTABLES -A INPUT -p tcp -m tcp –dport 25 -j ACCEPT
  84. # http
  85. $IPTABLES -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
  86. # pop3
  87. #$IPTABLES -A INPUT -p tcp -m tcp –dport 110 -j ACCEPT
  88. # imap
  89. #$IPTABLES -A INPUT -p tcp -m tcp –dport 143 -j ACCEPT
  90. # ldap
  91. #$IPTABLES -A INPUT -p tcp -m tcp –dport 389 -j ACCEPT
  92. # https
  93. #$IPTABLES -A INPUT -p tcp -m tcp –dport 443 -j ACCEPT
  94. # smtp over SSL
  95. #$IPTABLES -A INPUT -p tcp -m tcp –dport 465 -j ACCEPT
  96. # line printer spooler
  97. #$IPTABLES -A INPUT -p tcp -m tcp –dport 515 -j ACCEPT
  98. # cups
  99. #$IPTABLES -A INPUT -p tcp -m tcp –dport 631 -j ACCEPT
  100. # mysql
  101. $IPTABLES -A INPUT -p tcp -m tcp –dport 3306 -j ACCEPT
  102. # tomcat
  103. #$IPTABLES -A INPUT -p tcp -m tcp –dport 8080 -j ACCEPT
  104. # squid
  105. #$IPTABLES -A INPUT -p tcp -m tcp –dport 81 -j ACCEPT
  106. # nrpe
  107. #$IPTABLES -A INPUT -p tcp -m tcp –dport 15666 -j ACCEPT
  109. ## restrict some tcp things ##
  111. # ssh
  112. $IPTABLES -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
  113. #$IPTABLES -A INPUT -p tcp -m tcp –dport 6022 -j ACCEPT
  114. # samba (netbios)
  115. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 –dport 137:139 -j ACCEPT
  116. # ntop
  117. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 –dport 3000 -j ACCEPT
  118. # Hylafax
  119. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 –dport 4558:4559 -j ACCEPT
  120. # webmin
  121. #$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 –dport 10000 -j ACCEPT
  123. # udp ports
  124. # DNS
  125. #$IPTABLES -A INPUT -p udp -m udp –dport 53 -j ACCEPT
  126. # DHCP
  127. #$IPTABLES -A INPUT -p udp -m udp –dport 67:68 -j ACCEPT
  128. # NTP
  129. #$IPTABLES -A INPUT -p udp -m udp –dport 123 -j ACCEPT
  130. # SNMP
  131. #$IPTABLES -A INPUT -p udp -m udp –dport 161:162 -j ACCEPT
  133. ## restrict some udp things ##
  135. # Samba (Netbios)
  136. #$IPTABLES -A INPUT -p udp -m udp -s 192.168.0.0/16 –dport 137:139 -j ACCEPT
  137. #$IPTABLES -A INPUT -p udp -m udp –sport 137:138 -j ACCEPT
  139. # finally – drop the rest
  141. #$IPTABLES -A INPUT -p tcp –syn -j DROP

设置权限

  1. chmod u+x ./default_firewall.sh

运行脚本

  1. ./default_firewall.sh

查看iptables

  1. #/sbin/iptables -nL

保存iptables

  1. #/sbin/iptables-save > /etc/sysconfig/iptables

重启iptables

  1. #/etc/init.d/iptables restart

脚本下载:

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress