iptables

davidlee1986

浏览: 42468 次
性别:
来自: 上海

最近访客更多访客>>

xieliming4017

zhangly2011

腻宝儿

Guo_xjuan

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

shell

iptables shell

#!/bin/bash

# The outside interface, use ADSL
EXTIF="eth0"

# the inside interface
INIF="eth1"

# the inside network, This is for NAT's network
INNET="192.168.1.0/24"

#this shell is only for kernel 2.4 2.5 2.6
kver=`uname -r | cut -c 1-3`
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ] && [ "$kver" != "2.6" ]; then
    echo "Your Linux Kernel Version may not be suported by this script!"
    echo "This scripts will not be runing"
    exit
fi

#remove ipchain mode
ipchains=`lsmod | grep ipchains`
if [ "$ipchains" != "" ]; then
echo "unload ipchains in your system"
rmmod ipchains 2>/dev/null
fi

# load some modes
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
modprobe ip_tables         2>/dev/null
modprobe iptable_nat       2>/dev/null
modprobe ip_nat_ftp        2>/dev/null
modprobe ip_nat_irc        2>/dev/null
modprobe ipt_mark          2>/dev/null
modprobe ip_conntrack      2>/dev/null
modprobe ip_conntrack_ftp 2>/dev/null
modprobe ip_conntrack_irc 2>/dev/null
modprobe ipt_MASQUERADE    2>/dev/null
modprobe ip_nat_h323       2>/dev/null
modprobe ip_conntrack_h323 2>/dev/null
#modprobe ip_nat_mms        2>/dev/null
#modprobe ip_conntrack_mms 2>/dev/null
modprobe ip_nat_pptp       2>/dev/null
modprobe ip_conntrack_pptp 2>/dev/null
#modprobe ip_nat_proto_gre        2>/dev/null
#modprobe ip_conntrack_proto_gre 2>/dev/null
#modprobe ip_nat_quake3         2>/dev/null
#modprobe ip_conntrack_quake3   2>/dev/null

# clean the iptables rule
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

#allow samba,smtp,pop3
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m multiport --dports 1863,443,110,80,25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s $INNET --dport 139 -j ACCEPT

#allow dns
/sbin/iptables -A INPUT -i $INIF -p udp -m multiport --dports 53 -j ACCEPT

#limit dos connect 15,eles deny
/sbin/iptables -A INPUT -s $INNET -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
/sbin/iptables -A INPUT -s $INNET -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

#setup icmp limit,and recode
/sbin/iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN: "
/sbin/iptables -A INPUT -p icmp -m limit --limit 6/m -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j DROP

#L7 layer patch filter
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto msnmessenger -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypeout -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypetoskype -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto bittorrent -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto fasttrack -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto edonkey -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto kugoo -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto xunlei -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto code_red -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto kameng -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto poco -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto baiduxiaba -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto 100bao -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto socks -j DROP
#/sbin/iptables -t mangle -I POSTROUTING -m layer7 --l7proto nimda -j DROP

#To prevent light weight SYN attacks
/sbin/iptables -N syn-flood
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
/sbin/iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
/sbin/iptables -A syn-flood -j REJECT

#FORWARD chain
#/sbin/iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
#/sbin/iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:30 --timestop 21:00 --days Sun,Mon,Tue,Wed,Thu,Fri,Sat -j DROP
/sbin/iptables -A FORWARD -p tcp -s $INNET -m multiport --dports 25,110,443,1863 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -s $INNET --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -p gre -s $INNET -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -s $INNET -j ACCEPT

#deny BT connect
#/sbin/iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
#/sbin/iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
#/sbin/iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP

#only allow 15 ipaddress connect to 80 port to forward at the same
/sbin/iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP

#open syncookie To prevent light weight dos attacks
sysctl -w net.ipv4.tcp_syncookies=1 2>/dev/null

#setup defaults tcp connect for 3800s to do nothing
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 2>/dev/null

#setup the max_number 300000 about your server'memory and the version of iptables
sysctl -w net.ipv4.ip_conntrack_max=300000 2>/dev/null

#innernet ip forward
/sbin/iptables -A INPUT -i lo -j ACCEPT
if [ "$INIF" != "" ]; then
    /sbin/iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    /sbin/iptables -t nat -A PREROUTING -p tcp -m iprange --src-range 192.168.1.3-192.168.1.253 --dport 80 -j REDIRECT --to-ports 3128
fi

#load the deny file and allow file
if [ -f /opt/iptables/iptables.deny ]; then
    sh /opt/iptables/iptables.deny
fi
if [ -f /opt/iptables/iptables.allow ]; then
    sh /opt/iptables/iptables.allow
fi

#limit the BW
if [ -f /opt/iptables/QoS.sh ]; then
    sh /opt/iptables/QoS.sh
fi

#to prevent attacks
#if [ -f /opt/httpd-err/http-netstat.sh ]; then
#    sh /opt/httpd-err/http-netstat.sh
#fi

#allow icmp and the package having connected
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    /sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

#open the port
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT     # FTP
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT     # SSH
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 25 -j ACCEPT     # SMTP
/sbin/iptables -A INPUT -p UDP -i $EXTIF --dport 53 -j ACCEPT     # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT     # WWW
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT     # POP3
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 113 -j ACCEPT     # auth

分享到：

IPsec-VPN | BGP

2013-08-16 21:38
浏览 651
评论(0)
分类:开源软件
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

iptables

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

iptables

评论

发表评论

相关推荐

正则表达式

show sysinfo

check out setuid file

show user's info

add more users

iptables-rule

最近访客更多访客>>