o log
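# Log and drop inbound TCP to every port (or "low:high" range) listed in
# TCP_PORT_LOG that arrives on the uplink interface.
# ${TCP_PORT_LOG} is deliberately unquoted: it is a whitespace-separated
# list and word-splitting is how the loop gets one port per iteration.
# Every LOG rule is rate-limited. The original SYN and NEW logs had no
# -m limit, so a remote peer could fill the kernel log at line rate.
for x in ${TCP_PORT_LOG}; do
  # Connection attempts (SYN) to the port: log, then drop.
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" --syn \
    -m limit --limit 3/m -j LOG --log-prefix "INVALID:${x} SYN IN:"
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" --syn -j DROP
  # Anything else conntrack still classifies as NEW for the port.
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW \
    -m limit --limit 3/m -j LOG --log-prefix "INVAILD${x}PORT IN:"
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW -j DROP
  # Whatever is left for the port (non-NEW packets): verbose log, then drop.
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m limit --limit 3/m \
    -j LOG --log-level 6 --log-prefix "PORT:${x} attempt:" \
    --log-tcp-options --log-ip-options --log-tcp-sequence
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -j DROP
done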
# Log (at most 3 entries per minute) and drop inbound UDP to each port or
# port range listed in UDP_PORT_LOG on the uplink. The list is
# whitespace-separated, so ${UDP_PORT_LOG} stays unquoted on purpose.
# NOTE(review): iptables caps --log-prefix at 29 characters; with the
# fixed text below a port range of more than 8 characters (e.g.
# "1024:65535") would push the prefix over that limit — verify the values
# used in UDP_PORT_LOG.
for x in ${UDP_PORT_LOG}; do
  iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" \
    -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
  iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" -j DROP
done
# Management access. Earlier variants, kept for reference (disabled):
#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
#iptables -A INPUT -i ${LAN} -p tcp -s ${MANAGE_IP} -j ACCEPT
# For each management address in MANAGE_IP (whitespace-separated list):
# allow SSH (tcp/22) in from it and any TCP back out to it.
# NOTE(review): the INPUT rule has no -i, so it matches on every
# interface, uplink included, and it is appended before the anti-spoofing
# rules further down — a packet arriving on the uplink with a forged
# MANAGE_IP source would be accepted here first. Confirm that is intended.
for x in ${MANAGE_IP}; do
  iptables -t filter -A INPUT  -p tcp -s "${x}" --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp -d "${x}" -j ACCEPT
done
#build a chain for the tcp port or port range you want to open on this firewall
# Open every TCP port / port range listed in OPEN_TCP. No -i is given, so
# the ports are open on all interfaces, the uplink included.
for x in ${OPEN_TCP}; do
  # Connection attempts to the port.
  iptables -A INPUT -p tcp --dport "${x}" --syn -j ACCEPT
  # Unconditional accept. It matches every TCP packet to ${x}, so the
  # stateful rule appended right after it can never be reached.
  iptables -A INPUT -p tcp --dport "${x}" -j ACCEPT
  iptables -A INPUT -p tcp --dport "${x}" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# Open every UDP port / port range listed in OPEN_UDP on all interfaces
# (no -i restriction).
for x in ${OPEN_UDP}; do
  # Matches every UDP packet to ${x}; the stateful rule that follows is
  # therefore never reached.
  iptables -A INPUT -p udp --dport "${x}" -j ACCEPT
  iptables -A INPUT -p udp --dport "${x}" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# IGMP is not expected on INPUT: log it (at most 2 entries per minute so
# a flood cannot fill the log) and drop it.
iptables -A INPUT -p igmp -m limit --limit 2/m \
  -j LOG --log-level 6 --log-prefix "DROP IGMP"
iptables -A INPUT -p igmp -j DROP
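# Anti-spoofing / bogon filter on the uplink: traffic from the internet
# must not carry a private, loopback, link-local, multicast, reserved or
# documentation source address. DROP-AND-LOG is a user chain that is
# presumably defined earlier in this script (not visible here).
# NOTE(review): these rules are appended after the MANAGE_IP / OPEN_TCP /
# OPEN_UDP ACCEPT rules above, so they do not protect those rules from
# spoofed sources; moving this block ahead of them would.
iptables -A INPUT -i "${UPLINK}" -s 192.168.0.0/16 -j DROP-AND-LOG  # RFC 1918 (was /24, which covered only 192.168.0.x)
iptables -A INPUT -i "${UPLINK}" -s 10.0.0.0/8 -j DROP              # RFC 1918; silently dropped, unlike its siblings
iptables -A INPUT -i "${UPLINK}" -s 172.16.0.0/12 -j DROP-AND-LOG   # RFC 1918 (was 172.12.0.0/16, which is public space)
iptables -A INPUT -i "${UPLINK}" -s 224.0.0.0/4 -j DROP-AND-LOG     # multicast as a source address
iptables -A INPUT -i "${UPLINK}" -s 240.0.0.0/4 -j DROP-AND-LOG     # reserved (was /5, which stopped at 247.x)
iptables -A INPUT -i "${UPLINK}" -s 169.254.0.0/16 -j DROP-AND-LOG  # link-local
iptables -A INPUT -i "${UPLINK}" -s 192.0.2.0/24 -j DROP-AND-LOG    # TEST-NET-1 (documentation)
# Multicast destinations: only UDP is let through, everything else drops.
# "! -p udp" is the current negation syntax; "-p ! udp" is the deprecated
# intrapositioned form.
iptables -A INPUT -i "${UPLINK}" ! -p udp -d 224.0.0.0/4 -j DROP
iptables -A INPUT -i "${UPLINK}" -p udp -d 224.0.0.0/4 -j ACCEPT
# Loopback addresses never legitimately appear on the uplink in either
# direction (whole 127/8, not just 127.0.0.1).
iptables -A INPUT -i "${UPLINK}" -d 127.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i "${UPLINK}" -s 127.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i "${UPLINK}" -s 0.0.0.0/8 -j DROP-AND-LOG       # "this network" (was the single host 0.0.0.0)
iptables -A INPUT -i "${UPLINK}" -s 255.255.255.255 -j DROP-AND-LOG # limited broadcast; now also covered by 240/4 above
#drop and log invalid manage ip in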
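# LAN-side management-IP restriction, kept for reference (disabled):
#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANAGE_IP} -j LOG --log-level 6 --log-prefix " INVALID MANAGE_IP IN:"
#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANGLE_IP} -j DROP
#build a chain for ipsec vpn (disabled)
#iptables -A INPUT -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 47 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A FORWARD -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 47 -i ${UPLINK} -j ACCEPT

# Loopback is always allowed. This comes after the port-log and bogon
# drops above, which is harmless because those all carry -i ${UPLINK}.
iptables -A INPUT -i lo -j ACCEPT
# SYN+FIN set together (and nothing else) is never a legitimate segment.
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
# Do not accept ICMP timestamp requests (type 13) or emit replies (14).
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP
# Stateful core: replies to established flows in; anything NEW or INVALID
# that survived the ACCEPT rules above is logged (rate-limited) and dropped.
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -m limit --limit 3/m \
  -j LOG --log-prefix "INVALID NEW"
iptables -A INPUT -m state --state NEW,INVALID -j DROP
# NOTE(review): the NEW-not-SYN, bare-SYN and ICMP rules that follow sit
# behind the NEW,INVALID drop above, so they look reachable only for
# packets conntrack does not flag as NEW or INVALID — confirm intended.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 3/m \
  -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Rate limit added: the original LOG here was unbounded, so a SYN flood
# would have been written to the kernel log at line rate.
iptables -A INPUT -p tcp --syn -m limit --limit 3/m \
  -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp --syn -j DROP

printf '\t Logging INVALID ICMP packages:\n'
iptables -A INPUT -i "${UPLINK}" -p icmp ! --icmp-type echo-reply \
  -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:"
# Fragmented ICMP: log (rate-limited, like the fragment log further down)
# and drop.
iptables -A INPUT -i "${UPLINK}" -f -p icmp -m limit --limit 2/m \
  -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i "${UPLINK}" -f -p icmp -j DROP
# ICMP control messages worth accepting. UPIP is quoted so an empty value
# cannot be word-split away and leave "-d -j".
iptables -A INPUT -p icmp --icmp-type source-quench -d "${UPIP}" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# REJECT variants, kept for reference (disabled):
#iptables -A INPUT -i ${UPLINK} -p icmp -j REJECT --reject-with icmp-net-unreachable
#iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
#iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
#iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
#iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
# Any remaining fragment from anywhere: log (rate-limited) and drop; then
# the uplink catch-all drop.
iptables -A INPUT -i "${UPLINK}" -s 0/0 -f -m limit --limit 2/m \
  -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENT:"
iptables -A INPUT -i "${UPLINK}" -s 0/0 -f -j DROP
iptables -A INPUT -i "${UPLINK}" -j DROP
# printf replaces echo -e: same bytes, without echo's non-portable -e.
printf '\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe input rules has been successful applied ,continure...\n'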
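# printf replaces echo -e throughout this block: same output bytes,
# without echo's non-portable -e handling.
printf '\t Now starting FORWARD rules ,please wait .....\n'
# IGMP is not forwarded: log (2/min) then drop.
iptables -A FORWARD -p igmp -m limit --limit 2/m \
  -j LOG --log-level 6 --log-prefix "DROP IGMP:"
iptables -A FORWARD -p igmp -j DROP
# Fragments: a trickle is accepted here. Because this ACCEPT precedes the
# ICMP-fragment drop below, fragmented ICMP is only dropped once this
# limit is exhausted.
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Rate limit added: the original LOG here was unbounded.
iptables -A FORWARD --fragment -p icmp -m limit --limit 2/m \
  -j LOG --log-prefix "Fragmented forwarded ICMP: "
iptables -A FORWARD --fragment -p icmp -j DROP
# ICMP control messages needed for path-MTU discovery and flow control.
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
# All other forwarded ICMP, rate-limited.
iptables -A FORWARD -p icmp -m limit --limit 50/s --limit-burst 100 -j ACCEPT
# Bare RST: a trickle is accepted; the same flag pattern drops further down.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Illegal and scan-style TCP flag combinations.
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-option 64 -j DROP
iptables -A FORWARD -p tcp --tcp-option 128 -j DROP
# NOTE(review): this SYN ACCEPT has no -i and precedes the per-protocol
# handler chains at the end of the block, so TCP connection attempts from
# the uplink under 2000/s are accepted here and never reach tcpHandler;
# the 50/s ICMP ACCEPT above does the same for icmpHandler. Confirm that
# is the intended design.
iptables -A FORWARD -p tcp --syn -m limit --limit 2000/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rate limit added: the original INVALID log was unbounded.
iptables -A FORWARD -m state --state INVALID -m limit --limit 3/m \
  -j LOG --log-prefix "INVALID forward: "
iptables -A FORWARD -m state --state INVALID -j DROP
# New flows arriving on the uplink: a (generously limited) log entry, then
# hand-off to the user chains tcpHandler / udpHandler / icmpHandler, which
# are presumably defined elsewhere in this script (not visible here).
iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW \
  -m limit --limit 4000/s --limit-burst 6000 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW \
  -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW \
  -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -j icmpHandler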
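# Status messages. printf replaces echo -e: identical bytes (tabs, the
# ESC colour sequences, trailing newline) without echo's non-portable -e.
printf '\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe forward rules has been successful applied,conniture...\n'
printf '\tNow applying output rules,please wait ....\n'
# Per-user outbound block, kept for reference (disabled):
#for i in ${DENY_USER}
# do
# echo -e "\tNo world wide visit for user:${i} "
# iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:"
# iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP
# done
# IPsec out, kept for reference (disabled):
#iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT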
#if [ "$DHCP_SERVER" = "1" ]; then # iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT #fi iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: " iptables -A OUTPUT --fragment -p icmp -j DROP iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type fragment上一页 [1] [2] [3] [4] [5] 下一页 |