linux iptables 脚本,Linux--iptables脚本

最新推荐文章于 2021-05-05 14:43:13 发布

酒业资讯

最新推荐文章于 2021-05-05 14:43:13 发布

阅读量217

点赞数

文章标签： linux iptables 脚本

#!/bin/bash

# Firewall rules for laptop. Only connections are allowed out when turned on.

# Function to set the file to one or zero.

enable () { for file in $@; do echo 1 > $file; done }

disable () { for file in $@; do echo 0 > $file; done }

######################################################################

function on {

echo "Firewall: enabling filtering"

#Use Selective ACK which can be used to signify that specific packets are missing.

disable /proc/sys/net/ipv4/tcp_sack

#If the kernel should attempt to forward packets. Off by default. Routers should enable.

disable /proc/sys/net/ipv4/ip_forward

#Protect against wrapping sequence numbers and in round trip time measurement.

disable /proc/sys/net/ipv4/tcp_timestamps

#Help against syn-flood DoS or DDoS attacks using particular choices of initial TCP sequence numbers.

enable /proc/sys/net/ipv4/tcp_syncookies

# Enable broadcast echo protection.

enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source routed packets.

disable /proc/sys/net/ipv4/conf/*/accept_source_route

# Disable ICMP Redirect acceptance.

disable /proc/sys/net/ipv4/conf/*/accept_redirects

# Don't send Redirect messages.

disable /proc/sys/net/ipv4/conf/*/send_redirects

# Do not respond to packets that would cause us to go out

# a different interface than the one to which we're responding.

enable /proc/sys/net/ipv4/conf/*/rp_filter

# Log packets with impossible addresses.

enable /proc/sys/net/ipv4/conf/*/log_martians

# Clear any previous rules.

iptables -F

iptables -F -t nat

iptables -F -t mangle

# Default drop policy.

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

# Allow anything over loopback.

iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT

iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Drop any tcp packet that does not start a connection with a syn flag.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop any invalid packet that could not be identified.

iptables -A INPUT -m state --state INVALID -j DROP

# Drop invalid packets.

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Reject broadcasts to 224.0.0.1

iptables -A INPUT -d 224.0.0.0 -j REJECT

# Allow TCP/UDP connections out. Keep state so conns out are allowed back in.

iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow ICMP out and anything that went out back in.

iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow only ICMP echo requests (ping) in. Limit rate in. Uncomment if needed.

#iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Allow ssh connections in. Uncomment if needed.

# iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/s -j ACCEPT

# Drop everything that did not match above and log it.

iptables -A INPUT -j LOG --log-level 4 --log-prefix "IPT_INPUT: "

iptables -A INPUT -j DROP

iptables -A FORWARD -j LOG --log-level 4 --log-prefix "IPT_FORWARD: "

iptables -A FORWARD -j DROP

iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "IPT_OUTPUT: "

iptables -A OUTPUT -j DROP

}

######################################################################

function off {

# stop firewall

echo "Firewall: disabling filtering (allowing all access)"

iptables -F

iptables -F -t nat

iptables -F -t mangle

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

}

######################################################################

function stop {

# stop all external connections

echo "Firewall: stopping all external connections"

iptables -F INPUT

iptables -F OUTPUT

iptables -P INPUT DROP

iptables -P FORWARD REJECT

iptables -P OUTPUT REJECT

# allow anything over loopback

iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT

iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

}

case "$1" in

start)

;;

stop)

off

;;

echo "$0 {start|stop|off}"

echo "Start executes primary ruleset. Default is block all in and allow everything out."

echo "Stop disables all filtering"

echo "Off disables all non-loopback connections"

;;

esac

酒业资讯

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
复制链接

分享到 QQ

分享到新浪微博

扫一扫