Linux服务器上适用的防火墙(转自CU)         ★★★★

Linux服务器上适用的防火墙(转自CU)

作者:闵涛 文章来源:闵涛的学习笔记 点击数:3055 更新时间:2009/4/22 23:08:00
mp ipt_MASQURADE
mp ipt_REJECT
mp ipt_conntrack_ftp
mp ipt_conntrack_irc
mp iptable_filter
mp iptable_nat
mp iptable_mangle
mp ip_conntrack
mp ipt_limit
mp ipt_state
mp ipt_unclean
mp ipt_TCPMSS
mp ipt_TOS
mp ipt_TTL
mp ipt_quota
mp ipt_iplimit
mp ipt_pkttype
mp ipt_ipv4options
mp ipt_MARK
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
else
echo -e "\tSorry,no iptables modules found !!"
fi
fi


#prepare the firewall tables for use
#
# Default-deny on every filter chain, then flush all tables and rebuild
# the user-defined chains from scratch so a re-run starts from a clean slate.
# NOTE(review): the DROP policies take effect before a single ACCEPT rule
# exists, so running this over a remote session drops that session until the
# state/ACCEPT rules later in the script are installed; run it from a console
# or with a scheduled rollback.

# Default policy first: anything not explicitly accepted is dropped.
for chain in INPUT FORWARD OUTPUT; do
  iptables -t filter -P "${chain}" DROP
done

# Empty the built-in filter chains (the DROP policies stay in place).
for chain in INPUT FORWARD OUTPUT; do
  iptables -t filter -F "${chain}"
done

# Flush nat/mangle, zero the counters and delete user-defined chains.
# -Z and -X without -t act on the filter table only; user chains in
# nat/mangle, if any, are left alone.
iptables -F -t nat
iptables -F -t mangle
iptables -Z
iptables -X

# (Re)create the custom chains the rest of the script populates. -N creates
# the chain; the following -F is a no-op on a fresh chain and empties one
# that -X could not delete because it was still referenced.
for chain in CHECK_FLAGS tcpHandler udpHandler icmpHandler DROP-AND-LOG syn-flood; do
  iptables -N "${chain}"
  iptables -F "${chain}"
done

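echo -e "\tOK,the kernel is now prepared to use for building a firewall!!!"
echo -e "\n\t starting firewall ,Waitting ........................"
echo -e "\n\tCreating a drop and log chain....."
# DROP-AND-LOG: log the packet, then drop it.
# The LOG target is rate-limited: an unbounded LOG rule lets anyone who can
# reach this chain fill the kernel ring buffer / syslog at line rate (a
# disk-fill and log-suppression vector). Every packet is still dropped; only
# the logging is throttled. The prefix makes the entries greppable.
iptables -A DROP-AND-LOG -m limit --limit 5/m --limit-burst 10 -j LOG --log-level 6 --log-prefix "DROP-AND-LOG:"
iptables -A DROP-AND-LOG -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"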

#design a chain for syn-flood protect
#
# syn-flood: every SYN arriving on the uplink is diverted here. While the
# SYN rate stays under the limit (4000/s, burst 6000) the packet RETURNs to
# INPUT for normal processing; above that it is dropped.
# NOTE(review): the limit is global, not per source, so once a flood crosses
# it, legitimate SYNs are dropped together with the flood; tune the numbers
# to the actual link rate rather than leaving the defaults.
printf '\t define a chain for syn-flood pretect..\n'
syn_rate='4000/s'
syn_burst='6000'
iptables -A syn-flood -m limit --limit "${syn_rate}" --limit-burst "${syn_burst}" -j RETURN
iptables -A syn-flood -j DROP
# Hook: only SYN packets from the uplink interface enter the chain.
iptables -A INPUT -i "${UPLINK}" -p tcp --syn -j syn-flood
printf '\t\t\t\t \033[3;032m [ OK ] \033[0m\n\n'

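# Per-protocol rate-limit chains. Each chain RETURNs while traffic stays
# under its limit; above it the packet is logged and dropped.
# The LOG rules are themselves rate-limited: previously every packet over
# the threshold produced a kernel log line, so the flood these chains exist
# to absorb would also have flooded the log (disk-fill / syslog DoS).
# NOTE(review): limits are global per chain, not per source. The INPUT rules
# that send traffic into these chains are outside this span.
iptables -A tcpHandler -p tcp -m limit --limit 4000/s --limit-burst 6000 -j RETURN
iptables -A tcpHandler -p tcp -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP
iptables -A udpHandler -p udp -m limit --limit 200/s --limit-burst 400 -j RETURN
iptables -A udpHandler -p udp -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP
iptables -A icmpHandler -p icmp -m limit --limit 200/s --limit-burst 400 -j RETURN
iptables -A icmpHandler -p icmp -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP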

#define a chain for log malformed packages
#
# Optional: when MALFORMED_PACKET_LOG is exactly "yes", packets on the uplink
# matched by the ipt_unclean module are logged (at most 2/min) and dropped.
# NOTE(review): the "unclean" match was an experimental module that is not
# present in current kernels. On such a kernel both rules fail to load, and
# because this script never checks iptables' exit status the failure is only
# visible as an error message on the console; the packets are then subject
# to the remaining INPUT rules and the DROP policy.
case "${MALFORMED_PACKET_LOG}" in
  yes)
    printf '\tNow logging malformed packages\n'
    iptables -A INPUT -i "${UPLINK}" -m unclean -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP malformed packet:"
    iptables -A INPUT -i "${UPLINK}" -m unclean -j DROP
    printf '\t\t\t\t \033[3;032m [ OK ] \033[0m\n\n'
    ;;
esac
# drop malformed packages
# iptables -A INPUT -i ${UPLINK} -m unclean -j DROP

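echo -e "\tNow starting the check_flag rules,please wait...."
echo -e "\tLogging illegal TCP flags...."

#######################################
# Append one CHECK_FLAGS rule pair for a TCP pattern that should never occur
# on a well-formed connection (port scans, bogus flag combinations).
# Globals:   LOG_ILLEGAL_FLAGS (read), UPLINK (read)
# Arguments: $1 - iptables match arguments for the pattern; deliberately
#                 word-split, e.g. "--tcp-flags ALL NONE"
#            $2 - prefix for the kernel log line (passed through verbatim)
# Outputs:   whatever iptables prints
# When LOG_ILLEGAL_FLAGS is "yes" a LOG rule limited to 3/min (with TCP and
# IP options) is installed ahead of the DROP, so scans stay visible without
# letting a scanner fill the log; otherwise only the DROP is installed.
#######################################
check_flags_rule() {
  local match=$1
  local prefix=$2
  if [ "$LOG_ILLEGAL_FLAGS" = "yes" ]; then
    # shellcheck disable=SC2086 -- $match is a list of iptables arguments
    iptables -A CHECK_FLAGS -i "${UPLINK}" -p tcp $match -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "$prefix" --log-tcp-options --log-ip-options
  fi
  # shellcheck disable=SC2086 -- $match is a list of iptables arguments
  iptables -A CHECK_FLAGS -i "${UPLINK}" -p tcp $match -j DROP
}

# The original gate compared " $LOG_ILLEGAL_FLAGS " against " yes " (padded
# on both sides) and only worked because the padding cancelled out; the
# helper uses the plain comparison, which is the same test for the value
# "yes". Each pattern used to be written twice, once per branch of that
# test, so the two lists could drift apart; there is now one list.
check_flags_rule "--tcp-flags ALL FIN" "INVALID ALL FIN :"
check_flags_rule "--tcp-flags ACK,FIN FIN" "INVALID ACK,FIN FIN :"
check_flags_rule "--tcp-flags ACK,PSH PSH" "INVALID ACK,PSH PSH:"
check_flags_rule "--tcp-flags ACK,URG URG" "INVALID ACK,URG URG:"
check_flags_rule "--tcp-flags ALL FIN,URG,PSH" " INVAILD NMAP SCAN "
check_flags_rule "--tcp-flags SYN,RST SYN,RST" " SYN/RST SCAN"
check_flags_rule "--tcp-flags FIN,RST FIN,RST" " FIN/RST SCAN"
check_flags_rule "--tcp-flags SYN,FIN SYN,FIN" " SYN/FIN SCAN "
# NOTE(review): --tcp-option N matches TCP *option kind* N, not a bit in the
# flags byte, so the "Bogus TCP FLAG" prefixes are misleading. Kept as they
# were pending a decision on whether these two rules are wanted at all.
check_flags_rule "--tcp-option 64" " Bogus TCP FLAG 64 "
check_flags_rule "--tcp-option 128" " Bogus TCP FLAG 128 "
check_flags_rule "--tcp-flags ALL ALL" "Merry Xmas Tree:"
check_flags_rule "--tcp-flags ALL SYN,RST,ACK,FIN,URG" "XMAS-PSH:"
check_flags_rule "--tcp-flags ALL NONE" "NULL_SCAN"
check_flags_rule "--tcp-flags SYN,ACK,FIN,RST RST" "INVALID SCAN:"

#DROP packages with a invalid FLAG
# Hook: every TCP packet from the uplink passes through CHECK_FLAGS before
# the remaining INPUT rules.
iptables -A INPUT -i "${UPLINK}" -p tcp -j CHECK_FLAGS
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tFinished check_flags rules...."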


printf '\tNow starting the input rules,please wait.......\n'

# Disabled: per-port quota rules, kept for reference and not installed.
# As written, each port listed in OPEN_TCP_QUOTA / OPEN_UDP_QUOTA would accept
# NEW connections at 2/s until QUOTA bytes were consumed, then the port would
# be dropped. Depends on ipt_quota and on those three variables, none of which
# are set in this span.
#for i in $OPEN_TCP_QUOTA; do
# printf " firewall ->port $i tcp open with quota $QUOTA..."
#iptables -A INPUT -i $UPLINK -p tcp --syn -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT
#iptables -A INPUT -i $UPLINK -p tcp --dport $i -j DROP
#done
#for i in $OPEN_UDP_QUOTA; do
# echo " firewall ->port $i udp open with quota $QUOTA..."
#iptables -A INPUT -i $UPLINK -p udp -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT
#iptables -A INPUT -i $UPLINK -p udp --dport $i -j DROP
#done

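#build a chain for deny ip or ip range
#
# Deny list: for every address or range in DENYIP (whitespace-separated;
# the unquoted expansion is intentional) log and drop inbound traffic on the
# uplink and forwarded traffic in either direction.
# Every LOG rule is now rate-limited (6/min, matching the catch-all rule).
# The TCP NEW, SYN and both FORWARD LOG rules had no limit, so a denied --
# or spoofed -- source could fill the kernel log at line rate; that is exactly
# the kind of source this list is for.
# The TCP NEW and SYN rule pairs are subsumed by the "-p ALL" catch-all below
# them and are kept only for their distinct log prefixes.
# NOTE(review): iptables caps --log-prefix at 29 characters. With a long
# address or a CIDR range in DENYIP the interpolated prefixes exceed that and
# iptables rejects the LOG rule (the DROP still installs); shorten the
# prefixes if ranges are used.
for x in ${DENYIP}
do
  iptables -A INPUT -i "${UPLINK}" -p tcp -s "${x}" -m state --state NEW -m limit --limit 6/m -j LOG --log-prefix "INVAILD:${x} TCP IN:"
  iptables -A INPUT -i "${UPLINK}" -p tcp -s "${x}" -m state --state NEW -j DROP
  iptables -A INPUT -i "${UPLINK}" -p tcp --syn -s "${x}" -m limit --limit 6/m -j LOG --log-prefix "INVAILD:${x} SYN IN:"
  iptables -A INPUT -i "${UPLINK}" -p tcp --syn -s "${x}" -j DROP
  iptables -A INPUT -i "${UPLINK}" -p ALL -s "${x}" -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENYED IP ${x} IN:"
  iptables -A INPUT -i "${UPLINK}" -p ALL -s "${x}" -j DROP
  iptables -A FORWARD -s "${x}" -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENYED ${x} FORWARD:"
  iptables -A FORWARD -s "${x}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
  iptables -A FORWARD -d "${x}" -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENYED ${x} FORWARD:"
  iptables -A FORWARD -d "${x}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
done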

#build a chain for the tcp port or port range you want t
