请大家一起帮忙改进优化iptables脚本

battosai · 发表于 2004-5-24 17:15:50

#!/bin/sh
#
###############################################################################
#
# Local Settings
#
# IPTables Location - adjust if needed
IPT="/sbin/iptables"
# Internet Interface
INET_IFACE="ppp0"
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="172.18.123.5"
LOCAL_NET="172.16.0.0/12"
LOCAL_BCAST="172.18.123.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REJECT
/sbin/modprobe multiport
/sbin/modprobe ipt_state
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
###############################################################################
#
# Kernel Parameter Configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
###############################################################################
#
# Rules Configuration
#
###############################################################################
#
# Filter Table
#
###############################################################################
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###############################################################################
#
# INPUT Chain
#
echo "Process INPUT chain ..."
# Drop bad packets
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#------------------------------------------------------------------------------#
# Syn-flood INPUT protection
$IPT -A INPUT -i ppp0 -p tcp --syn -m limit --limit 10/h \
-j LOG --log-prefix 'Syn-flood INP attack??? '
$IPT -A INPUT -i ppp0 -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Port Scanner INPUT protection
$IPT -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 10/h -j LOG --log-prefix 'Port Scanner INP attack??? '
$IPT -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 1/s -j ACCEPT
# Pingu of Death INPUT protection
$IPT -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
-m limit --limit 10/h -j LOG --log-prefix 'Ping of Death INP attack??? '
$IPT -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
-m limit --limit 1/s -j ACCEPT
#------------------------------------------------------------------------------#
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p TCP -i $LOCAL_IFACE -m multiport --dport 135,136,137,138,445 -j DROP
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -m multiport --destination-port 80,25,110 -j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j DROP
$IPT -A INPUT -p UDP -i $INET_IFACE --destination-port 53 -j ACCEPT
$IPT -A INPUT -p UDP -i $INET_IFACE -j DROP
$IPT -A INPUT -p ICMP -s $LOCAL_NET --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p ICMP -s 0/0 -j DROP
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#------------------------------------------------------------------------------#
# Syn-flood FORWARDing protection
$IPT -A FORWARD -p tcp --syn -m limit --limit 10/h \
-j LOG --log-prefix 'Syn-flood FWD attack??? '
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Port Scanner FORWARDing protection
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 10/h -j LOG --log-prefix 'Port Scanner FWD attack??? '
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 1/s -j ACCEPT
# Ping of Death FORWARDing protection
$IPT -A FORWARD -p icmp --icmp-type echo-request \
-m limit --limit 10/h -j LOG --log-prefix 'Ping of Death FWD attack??? '
$IPT -A FORWARD -p icmp --icmp-type echo-request \
-m limit --limit 1/s -j ACCEPT
#------------------------------------------------------------------------------#
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -p tcp -m multiport --dport 20,21,22,23,69,135,136,137,138,139,445,593,4444 -j DROP
$IPT -A FORWARD -i $INET_IFACE -p udp -m multiport --dport 20,21,22,23,69,135,136,137,138,139,445,593,4444 -j DROP
$IPT -A FORWARD -p tcp -m multiport --dport 69,135,136,137,138,445,593,4444 -j DROP
$IPT -A FORWARD -p udp -m multiport --dport 69,135,136,137,138,445,593,4444 -j DROP
# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p ALL --state INVALID -j DROP
# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p tcp -o $LOCAL_IFACE -m multiport --dport 135,136,137,138,445 -j DROP
$IPT -A OUTPUT -p udp -o $LOCAL_IFACE -m multiport --dport 135,136,137,138,445 -j DROP
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
###############################################################################
#
# nat table
#
###############################################################################
echo "Load rules for nat table ..."
###############################################################################
#
# PREROUTING chain
#
#
$IPT -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#allow internet
$IPT -t nat -A PREROUTING -s 172.18.123.177 -d ! $LOCAL_NET -j ACCEPT
$IPT -t nat -A PREROUTING -s $LOCAL_NET -d ! $LOCAL_NET -DROP
$IPT -t nat -A POSTROUTING -s $LOCAL_NET -d ! $LOCAL_NET -j MASQUERADE
###############################################################################
#
# mangle table
#
###############################################################################

复制代码

看看哪些地方多余了，哪些地方少了？

我自己想实现的功能就是只允许内部网浏览网页和收邮件，访问内部samba，ping,允许自己的IP（172.18.123.177）所有权限，阻止外面的任何有攻击企图的包和链接
谢谢了，m(_ _)m

faint · 发表于 2004-5-24 20:25:56

只能自己修改啦。有问题就提问，估计很少人会完全看完你的脚本的。

		自动登录	找回密码
密码			注册

请大家一起帮忙改进优化iptables脚本

浏览过的版块