##iptables default rules

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

##allow ping packets

iptables -A INPUT -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

iptables -A INPUT -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT

iptables -A INPUT -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT

iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT

iptables -A FORWARD -p ICMP -j ACCEPT

##enable forwarding

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##STATE RELATED for router

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##accept internal packets on the internal i/f

iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT

##open ports on router for server/services

##TCP PORTS

for ATP in $TPORTS

do

iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $ATP -j ACCEPT

          iptables -A FORWARD -p tcp --destination-port $ATP -j ACCEPT

done

##UDP PORTS

for AUP in $UPORTS

do

          iptables -A INPUT -p udp --destination-port $AUP -j ACCEPT

          iptables -A FORWARD -p udp --destination-port $AUP -j ACCEPT

done

##bad_packets chain

##drop INVALID packets immediately

iptables -A INPUT -p ALL -m state --state INVALID -j DROP

##limit SYN flood

#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

##deny all ICMP packets,eth0 is external net_eth

#iptables -A INPUT -i eth0 -s  0.0.0.0/0 -p ICMP -j DROP

##allow loopback

iptables -A INPUT -i lo -p all -j ACCEPT

iptables -A OUTPUT -o lo -p all -j ACCEPT

##enable forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

< --end-- >

7．2 ipchains类型防火墙：

7．2．1 ipchains概念：

Ipchains 被用来安装、维护、检查Linux内核的防火墙规则。规则可以分成四类：IP input链、IP output链、IP forward链、user defined 链。

一个防火墙规则指定包的格式和目标。当一个包进来时, 核心使用

上一页  [1] [2] [3] [4] [5] [6] [7]  下一页