一 firewall规则
说明:
[
使用了
ipchains]一开始对所有input,output,forward接受; 然后对input, forward使用我定义
的规则链,开放22,23端口的tcp协议开放,另外开放指定的几个软件使用端口。
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#
firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
二 iptables脚本实例
说明:
通过以上个步骤,我们建立了一个相对完整的防火墙。只对外开放了有限的几个端口,同时提供了客户对
Internet
的无缝访问,并且对
ip
碎片攻击和
icmp
的
ping of death
提供了有效的防护手段。
#!/bin/sh
echo "Starting iptables rules..."
#Refresh all chains
/sbin/iptables -F
############Define HTTP packets##################
#Allow www request packets from Internet clients to www servers
iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j ACCEPT
##Define FTP packets
#Allow ftp request packets from Internet clients to Intranet ftp server
iptables -A FORWARD -p tcp -d 198.168.80.12 --dport ftp -i eth0 -j ACCEPT
##Define smtp packets
iptables -A FORWARD -p tcp -d 198.168.80.13 --dport smtp -i eth0 -j ACCEPT
##Define packets from Internet server to Intranet
iptables -A FORWARD -p tcp -s 0/0 --sport ftp-data -d 198.168.80.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -d 198.168.80.0/24 ! -syn -i eth0 -j ACCEPT
iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT
##Define packets from Intranet to Internet
iptables -A FORWARD -s 198.168.80.0/24 -i eth1 -j ACCEPT
##Define fregment rule
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
##Define icmp rule
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
echo "Starting iptables rules..."
#Refresh all chains
/sbin/iptables -F
############Define HTTP packets##################
#Allow www request packets from Internet clients to www servers
iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j ACCEPT
##Define FTP packets
#Allow ftp request packets from Internet clients to Intranet ftp server
iptables -A FORWARD -p tcp -d 198.168.80.12 --dport ftp -i eth0 -j ACCEPT
##Define smtp packets
iptables -A FORWARD -p tcp -d 198.168.80.13 --dport smtp -i eth0 -j ACCEPT
##Define packets from Internet server to Intranet
iptables -A FORWARD -p tcp -s 0/0 --sport ftp-data -d 198.168.80.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp -d 198.168.80.0/24 ! -syn -i eth0 -j ACCEPT
iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT
##Define packets from Intranet to Internet
iptables -A FORWARD -s 198.168.80.0/24 -i eth1 -j ACCEPT
##Define fregment rule
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
##Define icmp rule
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
三 禁止远程ping
说明:最简单有效的方法
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
3万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
