[Repost] firewall script example
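#!/bin/sh
# iptables, by Technion.
# $Id: iptables,v 1.3.3 2002/11/20 23:22:16 technion Exp $
# chkconfig: 2345 08 80
# description: Script for setting IPTABLES rules.
# processname: iptables
#
# Usage: iptables {start|stop|restart|reload|status}
#        (the argument is only honoured when REDHAT="YES"; otherwise the
#        rule set is loaded unconditionally)
#
# Layout: the filter and nat chains are flushed and rebuilt by appending
# rules.  No "-P DROP" default policy is set, so the explicit catch-all
# REJECT/DROP rules at the end of INPUT and FORWARD are what closes the
# firewall -- keep them last, and keep the ACCEPT rules above them.

# Is this script to be run on Red Hat Linux? If not, set to "NO"
REDHAT="YES"

# Network information you will need to adjust
INTERNALIF="eth0"
INTERNALNET="192.168.0.0/16"
INTERNALBCAST="192.168.0.255"
EXTERNALIF="ppp0"
#MYADDR="1.2.3.4" # Only needed for DNAT, leave out otherwise

# Pathnames
DMESG="/bin/dmesg"
IPTABLES="$(command -v iptables)"
MODPROBE="/sbin/modprobe"

# Refuse to run without a usable iptables binary.  With an empty $IPTABLES
# every "$IPTABLES -A ..." below would be executed as the bare command "-A",
# fail, and silently leave the host with whatever rules were loaded before.
if [ -z "$IPTABLES" ] || [ ! -x "$IPTABLES" ]; then
  echo "iptables binary not found; firewall NOT loaded" >&2
  exit 1
fi

# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
  . /etc/rc.d/init.d/functions
  case "$1" in
    stop)
      action "Shutting down firewall:" echo
      # Flush the filter table and the nat table.  Only FORWARD gets a DROP
      # policy here; INPUT falls back to the chain's built-in policy (ACCEPT
      # by default), so "stop" leaves the host itself reachable on all ports.
      $IPTABLES -F
      $IPTABLES -t nat -F
      $IPTABLES -P FORWARD DROP
      exit 0
      ;;
    status)
      echo "The status command is not supported for iptables"
      exit 0
      ;;
    restart|reload)
      $0 stop
      exec $0 start
      ;;
    start)
      action "Starting Firewall:" echo
      ;;
    *)
      echo "Usage: firewall (start|stop|restart)"
      exit 1
      ;;
  esac
fi

#################################################################
# Insert modules - should be done automatically if needed.
# Note: "dmesg -n 1" lowers the console log level system-wide and is not
# restored afterwards; kernel LOG messages still reach syslog.
$DMESG -n 1 # Kill copyright display on module load
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
$IPTABLES -F INPUT
# Outgoing packets from the internal network
$IPTABLES -F OUTPUT
# Forwarding/masquerading
$IPTABLES -F FORWARD
# Nat table
$IPTABLES -t nat -F

## Setup sysctl controls which affect tcp/ip
#
# Disabling IP Spoofing attacks.
# Comment this line out when using IPSEC
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
# Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Defragment all Packets
# Default now
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Kill timestamps. These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
# Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Log martians (packets with impossible addresses)
# RiVaL said that certain NICs don't like this. Comment out if necessary.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

## Set basic rules
#
# Note that unlike ipchains, rules passing through a FORWARD chain do NOT
# also have to pass through an INPUT chain.
# Kill ANY stupid packets, including
# - Packets that are too short to have a full ICMP/UDP/TCP header
# - TCP and UDP packets with zero (illegal) source and destination ports
# - Illegal combinations of TCP flags
# - Zero-length (illegal) or over-length TCP and IP options,
#   or options after the END-OF-OPTIONS option
# - Fragments of illegal length or offset (e.g., Ping of Death).
# Above list ripped from
# http://www.linux-mag.com/2000-01/bestdefense_02.html
# The "unclean" match has been found to be a little buggy.  The original note
# said it was removed, but the two rules were still active, so they are kept
# active here; comment them out if the match module is unavailable or
# misbehaves (the INVALID-state rules below still catch illegal flag
# combinations).
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP
# Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Allow all connections on the internal interface
#
$IPTABLES -A INPUT -i lo -j ACCEPT
# Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
# Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT
#
# Allow IPV6 tunnel traffic
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT
# Allow IPSEC tunnel traffic
#$IPTABLES -A INPUT -p 50 -j ACCEPT
# Allow all traffic from the ipsec device to the internal network
#$IPTABLES -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT
# Allow key negotiation
#$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
# Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j REJECT

## ICMP
# ping: don't forward pings going inside
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIF" -j REJECT
# ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
# Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d "$INTERNALBCAST" -j DROP
# Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT

## Allow established connections
# Unlike ipchains, we don't have to go through the business of allowing
# a local port range - just allow all connections already established.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note that unlike ipchains, the following must be enabled even with masquerading
# Don't forward SMB related traffic (tcp and udp 137-139 going out)
for proto in tcp udp; do
  for port in 137 138 139; do
    $IPTABLES -A FORWARD -o "$EXTERNALIF" -p "$proto" --dport "$port" -j REJECT
  done
done
$IPTABLES -A INPUT -i "$EXTERNALIF" -p udp --dport 137 -j REJECT
# Samba Share
#$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT
#
# Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o "$EXTERNALIF" -i "$INTERNALIF" -j ACCEPT
# Allow replies coming in
$IPTABLES -A FORWARD -i "$EXTERNALIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Whack allowances
# Allow DHCP - Optus users need this
#$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
# Allow yourself to be a DHCP server for your inside network
# Necessary because the default rule allowing valid addresses ignores broadcast
#$IPTABLES -A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT
# Allow nameserver packets. Different versions of iptables seem to error here.
# Comment out if necessary.
# NOTE: this accepts any UDP datagram with source port 53 from each listed
# nameserver, not only replies to our own queries (those are already covered
# by the ESTABLISHED,RELATED rule above).
awk '/^nameserver/ {print $2}' /etc/resolv.conf |
  while read -r ns; do
    $IPTABLES -A INPUT -p udp --sport 53 -s "$ns" -j ACCEPT
  done
# Allow Telstra heartbeat
# This section is propz to Defed
#$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

# From here on, we're dealing with connection attempts.
# The -m limit is a DoS protection on connects
# First we allow a certain amount of connections per second
# DROP the rest (so we don't DoS ourself with rejections)
# We don't limit normal packets (!syn) by allowing the rest

## Basic services. Uncomment to allow in.
# ftp-data
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# ftp
#$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# ssh
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# telnet
#$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT
# smtp. One per second limit - burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
#  --limit-burst 10 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
# DNS
#$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# http (the only service open to the outside in this configuration)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# POP-3
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# identd
#$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
# https
#$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
# VNC Server
#$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT
#
## DNAT
# Modify addresses and uncomment to allow DNAT (port forwarding)
# Send web requests to an internal machine
# Send mail to an internal machine
#$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 80 \
#  -j DNAT --to 192.168.0.10:80
#$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT
#$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 \
#  -j DNAT --to 192.168.0.10:25
#$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.10 --dport 25 -j ACCEPT

## Some ports should be denied and logged.
# log_and_drop_tcp PORT LABEL
#   Appends a rate-limited LOG rule (default -m limit rate) and a DROP rule
#   for inbound TCP to PORT; LABEL is spliced into the log prefix as
#   "Firewalled packet: LABEL ".
log_and_drop_tcp() {
  $IPTABLES -A INPUT -p tcp --dport "$1" -m limit -j LOG \
    --log-prefix "Firewalled packet: $2 "
  $IPTABLES -A INPUT -p tcp --dport "$1" -j DROP
}
log_and_drop_tcp 1433 "MSSQL"
log_and_drop_tcp 6670 "Deepthrt"
log_and_drop_tcp 6711 "Sub7"
log_and_drop_tcp 6712 "Sub7"
log_and_drop_tcp 6713 "Sub7"
log_and_drop_tcp 12345 "Netbus"
log_and_drop_tcp 12346 "Netbus"
log_and_drop_tcp 20034 "Netbus"
log_and_drop_tcp 31337 "BO"
log_and_drop_tcp 6000 "XWin"
# Traceroutes depend on finding a rejected port. DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP
# Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
# Don't log igmp. Some people get too many of these
$IPTABLES -A INPUT -p igmp -j REJECT
# Don't log web or ssl because people surfing for long times lose connection
# tracking and cause the system to create a new one, flooding logs.
$IPTABLES -A INPUT -p tcp --dport 80 -j REJECT
$IPTABLES -A INPUT -p tcp --dport 443 -j REJECT

## Catch all rules.
# iptables reverts to these if it hasn't matched any of the previous rules.
# Log. There's no point logging noise. There's too much of it.
# Just log connection requests.
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG \
  --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
  --log-prefix "Firewalled packet:"
# Reject
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP
# Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT
# Masquerade internal connections going out
$IPTABLES -A POSTROUTING -t nat -o "$EXTERNALIF" -j MASQUERADE

exit 0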