朋友公司的web服务器的iptables脚本
朋友公司的web服务器的iptables脚本
echo "##################kernel sys##################"
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > ${interface}
done
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "###########################starting firewall##############"
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > ${interface}
done
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "###########################starting firewall##############"
iptables -F
iptables -X
iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 4 -j ACCEPT
# NMAP FIN/URG/PSH
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -N synfoold
iptables -A synfoold -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synfoold
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A bad-ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NE* -* *ad-ping
#iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 1234
iptables -X
iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 4 -j ACCEPT
# NMAP FIN/URG/PSH
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -N synfoold
iptables -A synfoold -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synfoold
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A bad-ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NE* -* *ad-ping
#iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 1234
发表您的意见和建议!
