防火墙脚本

/etc/sysconfig/iptables

Firewall configuration written by system-config-securitylevel

Manual customization of this file is not recommended.

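*filter
# Default policies: inbound and forwarded traffic is dropped unless a rule
# below accepts it; outbound traffic is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Loopback is always allowed.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Every ICMP type is accepted here; any ICMP throttling has to be inserted
# ahead of this chain (see deny_death_ping.sh, which uses -I INPUT).
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound services: HTTP and HTTPS from any source.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# 3306 (MySQL) is reachable from any source; add -s <trusted CIDR> unless
# remote database access from the whole Internet is really intended.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# 65535: the page does not say which service listens here -- confirm it is
# needed, otherwise remove the rule.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 65535 -j ACCEPT
# No terminal REJECT in RH-Firewall-1-INPUT: unmatched packets return to INPUT
# and fall to the DROP policy above.
COMMIT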

/root/work/*

1. deny_death_ping.sh

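# deny_death_ping.sh -- send new ICMP echo-requests through a dedicated chain.
# iptables -N errors if "ping" already exists from an earlier run; flush
# (-F ping) or delete (-X ping) it before re-running this script.
/sbin/iptables -N ping

# Rate limiting is DISABLED: with the next line commented out, every
# echo-request that enters the chain is rejected, so the host answers no
# pings at all rather than "at most one per second".
#/sbin/iptables -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
# REJECT returns an ICMP error to the sender; DROP would discard silently.
/sbin/iptables -A ping -p icmp -j REJECT
# -I places the jump at the top of INPUT, ahead of whatever is already there
# (e.g. the jump to RH-Firewall-1-INPUT if /etc/sysconfig/iptables was loaded first).
/sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping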

2. prevent_scan.sh

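# prevent_scan.sh -- drop TCP packets carrying flag combinations that do not
# occur in legitimate traffic (XMAS, NULL, SYN+FIN, SYN+RST probes).
# Interface defaults to eth0; override with IFACE=<name> in the environment.
iface=${IFACE:-eth0}

# These rules are appended (-A), so they sit behind any rule already in INPUT.
# A chain that ACCEPTs NEW connections on open ports before this point may
# still accept an odd-flagged SYN on those ports; use -I if the drops must
# be evaluated first.
/sbin/iptables -A INPUT -i "$iface" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -i "$iface" -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -i "$iface" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -i "$iface" -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -i "$iface" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -i "$iface" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP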

3. sync_flood.sh

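# sync_flood.sh -- throttle new TCP connections: SYNs within the limit
# (1/s plus the limit module's default burst of 5) pass; the rest are
# answered with a TCP RST.
# NOTE: the limit is global, not per source address, so a busy public
# service on 80/443 will have legitimate connections reset once the budget
# is spent. Tune --limit-burst, or use a per-source match such as hashlimit,
# before deploying on a production web host.
# The chain name "synfoold" is the author's spelling; it is kept unchanged.
/sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold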

4. deny_mac.sh

# deny_mac.sh -- template for blocking one host by source MAC (disabled).
# Replace xx:xx:xx:xx:xx:xx with the real address and uncomment. The mac
# match only sees frames from the directly attached L2 segment, and MAC
# addresses are easily changed by the sender, so treat this as a nuisance
# filter rather than a security boundary.
#/sbin/iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

5. set_ipcheck_on.sh

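# set_ipcheck_on.sh -- kernel anti-spoofing settings.
# These /proc writes do not survive a reboot; rc.local re-runs this script.

# Enable reverse-path filtering on every interface: packets whose source
# address is not routable back out the arrival interface are discarded.
# The guard on the "all" entry skips the loop on kernels without rp_filter.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > "$f"
  done
fi
# SYN cookies: keep accepting connections when the SYN backlog is full.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# This host is not a router: do not forward packets between interfaces.
echo 0 > /proc/sys/net/ipv4/ip_forward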

/etc/rc.d/rc.local

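#!/bin/sh
#
# This script will be executed after all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# The firewall scripts below run as root at every boot. Keep /root/work and
# each file owned by root and not group/world-writable: anything written
# into them executes with full privilege on the next boot.
# Ordering matters for iptables: iptables.sh (not shown on this page) runs
# after deny_death_ping.sh; if it flushes or restores the tables it will
# discard the "ping" chain. Verify the final rule set with 'iptables -L -n'.

/root/work/deny_death_ping.sh
/root/work/iptables.sh
/root/work/set_ipcheck_on.sh
/root/work/deny_mac.sh
/root/work/prevent_scan.sh
/root/work/sync_flood.sh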