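#!/bin/sh
##
## /etc/sysconfig/iptables
##
## Builds a stateful iptables policy for a two-interface gateway:
##   - EXT_INTF faces the outside world, INT_INTF faces INT_NET
##   - INPUT, OUTPUT and FORWARD all have a DROP policy; anything that is not
##     explicitly accepted is logged ("DROP ", "DROP INVALID ", "SPOOFED PKT ")
##     and then dropped by the policy
##   - inbound TCP 80/443 and TCP 53 arriving on EXT_INTF are DNATed to hosts
##     on INT_NET; traffic leaving INT_NET through EXT_INTF is masqueraded
##
## Persist / restore the live ruleset with:
##   iptables-save > /root/ipt.save
##   iptables-restore < /root/ipt.save
##
## Must run as root.

# Stop at the first failing command or unset variable. The DROP policies are
# installed before any rule is added, so an aborted run leaves the host
# closed rather than open.
set -eu

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

INT_NET=192.168.10.0/24
INT_INTF=eth1              # interface on the internal network (INT_NET)
EXT_INTF=eth0              # interface facing the outside world
HTTP_DNAT_HOST=192.168.10.3   # receives inbound TCP 80 and 443 from EXT_INTF
DNS_DNAT_HOST=192.168.10.4    # receives inbound TCP 53 from EXT_INTF

#######################################
# Load the first kernel module in the argument list that modprobe accepts.
# Module loading is best-effort: recent kernels either build conntrack/NAT in
# or autoload it on first use, so failure here only produces a warning and
# never aborts the script.
# Arguments: one or more candidate module names, tried in order
# Returns:   0 always
#######################################
load_module() {
  for mod in "$@"; do
    if "$MODPROBE" "$mod" 2>/dev/null; then
      return 0
    fi
  done
  printf '[-] warning: could not load any of: %s\n' "$*" >&2
  return 0
}

### set chain policies to DROP before flushing. Doing it in this order means
### there is never a moment where the flushed tables fall through to an
### ACCEPT policy left over from a previous configuration.
printf '%s\n' "[+] Flushing existing iptables rules..."
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

### load connection-tracking modules (legacy ip_* names first, then the
### nf_* names used by newer kernels)
load_module ip_conntrack nf_conntrack
load_module iptable_nat
load_module ip_conntrack_ftp nf_conntrack_ftp
load_module ip_nat_ftp nf_nat_ftp

###### INPUT chain ######
printf '%s\n' "[+] Setting up INPUT chain..."

### loopback: the policy is DROP and no rule below matches lo, so without
### this, local traffic over 127.0.0.1 would be dropped (the default LOG
### rule already excludes lo, which shows loopback is meant to be allowed).
"$IPTABLES" -A INPUT -i lo -j ACCEPT

### state tracking rules
"$IPTABLES" -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules: a packet on the internal interface must carry an
### internal source address. "! -s" is the extrapositioned negation form;
### the older "-s !" form is deprecated in current iptables releases.
"$IPTABLES" -A INPUT -i "$INT_INTF" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
"$IPTABLES" -A INPUT -i "$INT_INTF" ! -s "$INT_NET" -j DROP

### ACCEPT rules
# SSH only from the internal network; echo-request is accepted on every
# interface (no -i restriction), including the external one.
"$IPTABLES" -A INPUT -i "$INT_INTF" -p tcp -s "$INT_NET" --dport 22 --syn -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule (the DROP itself comes from the chain policy)
"$IPTABLES" -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
printf '%s\n' "[+] Setting up OUTPUT chain..."

### loopback, see the INPUT chain
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

### state tracking rules
"$IPTABLES" -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
"$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out (new TCP connections only via
### their SYN; DNS over UDP; outbound ping)
for port in 21 22 25 43 80 443 4321; do
  "$IPTABLES" -A OUTPUT -p tcp --dport "$port" --syn -m state --state NEW -j ACCEPT
done
"$IPTABLES" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
"$IPTABLES" -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
printf '%s\n' "[+] Setting up FORWARD chain..."

### state tracking rules
"$IPTABLES" -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
"$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
"$IPTABLES" -A FORWARD -i "$INT_INTF" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
"$IPTABLES" -A FORWARD -i "$INT_INTF" ! -s "$INT_NET" -j DROP

### ACCEPT rules
# These services may be reached from the internal network only.
for port in 21 22 25 43 4321; do
  "$IPTABLES" -A FORWARD -p tcp -i "$INT_INTF" -s "$INT_NET" --dport "$port" --syn -m state --state NEW -j ACCEPT
done
# 80/443 and UDP 53 carry no interface or source restriction: the PREROUTING
# DNAT rules below deliver inbound connections to these ports through FORWARD.
"$IPTABLES" -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default log rule
"$IPTABLES" -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# Some protection from SYN floods is offered by iptables with the limit match:
# iptables -I FORWARD 1 -p tcp --syn -m limit --limit 1/s -j ACCEPT

###### NAT rules ######
printf '%s\n' "[+] Setting up NAT rules..."
# Only TCP 53 is forwarded to DNS_DNAT_HOST; UDP 53 is not DNATed here.
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -i "$EXT_INTF" -j DNAT --to "$HTTP_DNAT_HOST:80"
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 443 -i "$EXT_INTF" -j DNAT --to "$HTTP_DNAT_HOST:443"
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 53 -i "$EXT_INTF" -j DNAT --to "$DNS_DNAT_HOST:53"
"$IPTABLES" -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_INTF" -j MASQUERADE

###### forwarding ######
# Enabled last, once the FORWARD chain is fully populated, so packets are
# never routed through an incomplete ruleset.
printf '%s\n' "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward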
转载于:https://blog.51cto.com/10237569/1846924