Linux服务器上适用的防火墙(转自CU)         ★★★★

Linux服务器上适用的防火墙(转自CU)

作者:闵涛 文章来源:闵涛的学习笔记 点击数:3052 更新时间:2009/4/22 23:08:00
o log

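# Deny-and-log loop for the TCP ports/ranges listed in TCP_PORT_LOG
# (space-separated; deliberately unquoted so the shell yields one iteration
# per entry). For each entry three LOG/DROP pairs are appended to INPUT for
# traffic arriving on ${UPLINK}: SYN segments, other NEW-state segments, and
# everything else on the port.
# Fix: the SYN and NEW LOG rules had no rate limit, so a remote sender could
# fill the kernel log at line rate; every LOG rule now carries -m limit.
# Log prefixes are kept byte-for-byte (including the "INVAILD" spelling)
# because log parsers may already key on them.
# NOTE(review): ${UPLINK} must be non-empty; iptables treats -i "" as "any
# interface", so an unset UPLINK would silently widen these rules to every
# interface -- guard it with : "${UPLINK:?}" at the top of the script.
for x in ${TCP_PORT_LOG}; do
  iptables -A INPUT -i ${UPLINK} -p tcp --dport "${x}" --syn \
    -m limit --limit 3/m -j LOG --log-prefix "INVALID:${x} SYN IN:"
  iptables -A INPUT -i ${UPLINK} -p tcp --dport "${x}" --syn -j DROP
  iptables -A INPUT -i ${UPLINK} -p tcp --dport "${x}" -m state --state NEW \
    -m limit --limit 3/m -j LOG --log-prefix "INVAILD${x}PORT IN:"
  iptables -A INPUT -i ${UPLINK} -p tcp --dport "${x}" -m state --state NEW -j DROP
  # Catch-all for the port (whatever was neither SYN nor NEW); logged with
  # TCP/IP options and sequence numbers for later analysis, then dropped.
  iptables -A INPUT -i ${UPLINK} -p tcp --dport "${x}" -m limit --limit 3/m \
    -j LOG --log-level 6 --log-prefix "PORT:${x} attempt:" \
    --log-tcp-options --log-ip-options --log-tcp-sequence
  iptables -A INPUT -i ${UPLINK} -p tcp --dport "${x}" -j DROP
done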


#bulid a chain for the udp port or port range you want to deny
# UDP_PORT_LOG holds space-separated ports or port ranges; it is left
# unquoted on purpose so that word-splitting gives one iteration per entry.
# Each entry gets a throttled LOG (3/min) followed by a DROP for datagrams
# arriving on the uplink interface.
for x in ${UDP_PORT_LOG}; do
  iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} \
    -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
  iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
done


#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

#iptables -A INPUT -i ${LAN} -p tcp -s ${MANAGE_IP} -j ACCEPT
# Management hosts (MANAGE_IP, space-separated, unquoted on purpose): each
# may reach SSH (tcp/22) on this box from any interface, and any TCP packet
# from this box towards it is allowed out.
# NOTE(review): the OUTPUT rule is not limited to --sport 22 or to the
# ESTABLISHED state; whether that breadth is intended depends on the OUTPUT
# policy set elsewhere in the script.
for x in ${MANAGE_IP}; do
  iptables -t filter -A INPUT  -p tcp -s ${x} --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp -d ${x}            -j ACCEPT
done
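#build a chain for the tcp port or port range you want to open on this firewll
# OPEN_TCP: space-separated ports/ranges, unquoted on purpose (one iteration
# per entry).
# Fix: the original middle rule (`-p tcp --dport X -j ACCEPT`) accepted every
# segment to the port, which made its two neighbours dead rules and let
# SYN+FIN, NEW-without-SYN and INVALID segments reach the listener before the
# sanity drops that follow later in INPUT. New connections are now accepted
# only as clean SYNs in state NEW; everything else on the port must belong to
# a tracked connection. Anything failing both tests falls through to the
# later state/flag checks.
for x in ${OPEN_TCP}; do
  iptables -A INPUT -p tcp --dport "${x}" --syn -m state --state NEW -j ACCEPT
  iptables -A INPUT -p tcp --dport "${x}" -m state --state ESTABLISHED,RELATED -j ACCEPT
done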


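#build a chain for the udp port or port range you want to open on this firewall
# OPEN_UDP: space-separated ports/ranges, unquoted on purpose (one iteration
# per entry).
# Fix: the unconditional `-p udp --dport X -j ACCEPT` shadowed the
# state-qualified rule after it and let INVALID-state datagrams in; only the
# state rule is kept, so INVALID traffic falls through to the NEW,INVALID
# drop later in INPUT.
for x in ${OPEN_UDP}; do
  iptables -A INPUT -p udp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done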

#build a chain to drop and log IGMP
# IGMP is not expected on this host: log it at info level, throttled to
# 2/min, then drop it.
iptables -A INPUT -p igmp -m limit --limit 2/m \
  -j LOG --log-level 6 --log-prefix "DROP IGMP"
iptables -A INPUT -p igmp -j DROP

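#drop and log invalid ip range
# Anti-spoofing: packets arriving on the uplink with a source address that
# cannot legitimately come from the Internet go to the DROP-AND-LOG chain
# (defined elsewhere in this script).
# Fixes against the original list:
#  - 192.168.0.0/24 -> 192.168.0.0/16 and 172.12.0.0/16 -> 172.16.0.0/12,
#    the actual RFC 1918 blocks (172.12/16 is public address space);
#  - 240.0.0.0/5 -> 240.0.0.0/4, the whole reserved class-E range (this now
#    also covers 255.255.255.255; that rule is kept for clarity);
#  - 127.0.0.1 and 0.0.0.0 -> 127.0.0.0/8 and 0.0.0.0/8, so other addresses
#    in those blocks cannot slip past the check;
#  - 10.0.0.0/8 now goes through DROP-AND-LOG like its siblings instead of a
#    silent DROP.
# If the uplink itself sits on private addressing, trim this list.
# NOTE(review): ${UPLINK} must be non-empty; iptables treats -i "" as "any
# interface", so guard it with : "${UPLINK:?}" at the top of the script.
iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 172.16.0.0/12 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 169.254.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 192.0.2.0/24 -j DROP-AND-LOG
# Multicast destinations: only UDP may be delivered. `! -p udp` is the
# current negation syntax; the older `-p ! udp` form is deprecated.
iptables -A INPUT -i ${UPLINK} ! -p udp -d 224.0.0.0/4 -j DROP
iptables -A INPUT -i ${UPLINK} -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -A INPUT -i ${UPLINK} -d 127.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 127.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 0.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 255.255.255.255 -j DROP-AND-LOG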
#drop and log invalid manage ip in
# (the two lan-input rules below are disabled; the lan-input chain and
# ${LAN_IF}/${MANGLE_IP} are not referenced elsewhere in this section)


#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANAGE_IP} -j LOG --log-level 6 --log-prefix " INVALID MANAGE_IP IN:"
#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANGLE_IP} -j DROP

#build a chain for ipsec vpn
# (IKE on udp/500, ESP = protocol 50, AH = protocol 51, GRE = protocol 47;
# all disabled here)
#iptables -A INPUT -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 47 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A FORWARD -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 47 -i ${UPLINK} -j ACCEPT
# Loopback is trusted. This sits after the IGMP drop above, so IGMP on lo is
# still dropped.
iptables -A INPUT -i lo -j ACCEPT
# SYN and FIN set together never occurs legitimately. The OPEN_TCP accepts
# earlier in INPUT precede this rule, so it only protects ports not opened
# there.
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
# ICMP timestamp request (type 13) in and timestamp reply (type 14) out are
# refused, so the host cannot be timestamp-probed.
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP
# Packets belonging to a tracked connection are accepted for every protocol.
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default deny for INPUT: anything still NEW or INVALID here was not accepted
# by the OPEN_*/MANAGE_IP rules above. Logged at 3/min, then dropped.
iptables -A INPUT -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID NEW"
iptables -A INPUT -m state --state NEW,INVALID -j DROP
# NOTE(review): the four rules below are effectively unreachable: NEW and
# INVALID packets were just dropped and ESTABLISHED/RELATED ones were accepted
# before that, so only packets conntrack does not classify (e.g. NOTRACK) can
# get here. If the "NEW but not SYN" and bare-SYN checks are meant to apply,
# they belong before the OPEN_TCP accepts; the SYN LOG rule also has no
# -m limit, which matters if it ever becomes reachable.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT -p tcp --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp --syn -j DROP
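# Remaining ICMP handling and the INPUT catch-all.
# Fix: `echo -e` is bash-specific (a POSIX sh prints "-e" literally); printf
# with a fixed format string emits the same bytes portably.
printf '\t Logging INVALID ICMP packages:\n'
# Every ICMP type except echo-reply arriving on the uplink is logged (20/min).
iptables -A INPUT -i ${UPLINK} -p icmp ! --icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:"
# Fragmented ICMP has no legitimate use here: log and drop. The LOG rule had
# no rate limit; it is throttled now so a fragment flood cannot fill the log.
iptables -A INPUT -i ${UPLINK} -f -p icmp -m limit --limit 3/m -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i ${UPLINK} -f -p icmp -j DROP
# ICMP control/error messages this host should still see. They come after the
# NEW,INVALID drop earlier in INPUT, so in practice only packets conntrack
# does not classify reach them; RELATED ones were accepted before.
# ${UPIP} is now braced and quoted; an empty value fails loudly either way.
iptables -A INPUT -p icmp --icmp-type source-quench -d "${UPIP}" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#iptables -A INPUT -i ${UPLINK} -p icmp -j REJECT --reject-with icmp-net-unreachable
#iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
#iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
#iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
#iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
# Any other non-first fragment from the uplink: log (2/min) and drop.
# `-s 0/0` matches every source and is kept only for readability.
iptables -A INPUT -i ${UPLINK} -s 0/0 -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENT:"
iptables -A INPUT -i ${UPLINK} -s 0/0 -f -j DROP
# Silent default deny for everything else that arrived on the uplink.
iptables -A INPUT -i ${UPLINK} -j DROP
printf '\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe input rules has been successful applied ,continure...\n'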

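# FORWARD chain. `echo -e` replaced by printf (same bytes, portable).
printf '\t Now starting FORWARD rules ,please wait .....\n'

# IGMP is never forwarded: throttled log, then drop.
iptables -A FORWARD -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP:"
iptables -A FORWARD -p igmp -j DROP
# Fix: the fragmented-ICMP log/drop used to sit *after* the generic fragment
# ACCEPT, so the first burst (and then 1/s) of fragmented ICMP was forwarded
# anyway. It now comes first, matching the INPUT and OUTPUT sections, which
# drop fragmented ICMP unconditionally. The LOG is throttled so a fragment
# flood cannot fill the kernel log.
iptables -A FORWARD --fragment -p icmp -m limit --limit 3/m -j LOG --log-prefix "Fragmented forwarded ICMP: "
iptables -A FORWARD --fragment -p icmp -j DROP
# Other second-and-further fragments are forwarded at 1/s with a burst of 10;
# the excess falls through to the rules below.
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# ICMP control messages needed for path MTU discovery and error reporting.
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
# All other ICMP is forwarded up to 50/s (burst 100); beyond that it falls
# through to the rules below.
iptables -A FORWARD -p icmp -m limit --limit 50/s --limit-burst 100 -j ACCEPT
# Bare RSTs pass at 1/s and are dropped above that (see the matching DROP
# further down); the remaining flag combinations are never valid on the wire.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
# TCP option kinds 64 and 128 are not assigned; segments carrying them are
# dropped.
iptables -A FORWARD -p tcp --tcp-option 64 -j DROP
iptables -A FORWARD -p tcp --tcp-option 128 -j DROP
# NOTE(review): the two "accept within limit" rules below (SYN at 2000/s,
# echo-request at 1/s), like the 50/s ICMP rule above, ACCEPT before the
# state check and before tcpHandler/udpHandler/icmpHandler are consulted, so
# the handler chains only ever see the traffic that *exceeds* the limits. If
# those chains are meant to be the forwarding policy, these should become a
# rate limiter that drops the excess (a user chain with `-m limit ... -j
# RETURN` followed by `-j DROP`) rather than an early ACCEPT. Left unchanged
# here because the handler chains are defined elsewhere.
iptables -A FORWARD -p tcp --syn -m limit --limit 2000/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# INVALID-state packets: log (the original LOG had no rate limit) and drop.
iptables -A FORWARD -m state --state INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID forward: "
iptables -A FORWARD -m state --state INVALID -j DROP
# New flows from the uplink: log (the limits are high enough to record
# practically every flow; lower them if log volume matters) and hand off to
# the per-protocol handler chains, which are defined elsewhere in the script.
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 4000/s --limit-burst 6000 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler

printf '\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe forward rules has been successful applied,conniture...\n'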
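# OUTPUT chain. `echo -e` replaced by printf (same bytes, portable).
printf '\tNow applying output rules,please wait ....\n'
# Per-user egress block (DENY_USER) and the IPsec/DHCP rules are disabled.
#for i in ${DENY_USER}
# do
# echo -e "\tNo world wide visit for user:${i} "
# iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:"
# iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP
# done
#iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT

#if [ "$DHCP_SERVER" = "1" ]; then
# iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT
#fi
# Loopback is trusted.
iptables -A OUTPUT -o lo -j ACCEPT
# Fragmented outgoing ICMP: log (the original LOG had no rate limit; it is
# throttled now) and drop.
iptables -A OUTPUT --fragment -p icmp -m limit --limit 3/m -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
# ICMP control/error messages this host may send. The source-quench rule
# duplicates the one already appended in the FORWARD section; harmless.
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT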
iptables -A OUTPUT -p icmp --icmp-type fragment
