/etc/sysconfig/iptables
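# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
#
# Layout: INPUT and FORWARD default to DROP and hand every packet to the
# RH-Firewall-1-INPUT chain; whatever that chain does not ACCEPT falls back
# to the DROP policy.  OUTPUT is unrestricted.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Loopback and every ICMP type are accepted unconditionally.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Replies to connections this host opened, and related traffic.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound services, accepted from any source address.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# NOTE(review): 3306 (MySQL) is reachable from anywhere; if only specific
# application hosts need it, add -s <trusted-net> or remove the rule.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# NOTE(review): confirm what listens on 65535 and whether it must be public.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 65535 -j ACCEPT
COMMIT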
/root/work/*
1. deny_death_ping.sh
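#!/usr/bin/env bash
# deny_death_ping.sh
# Route every NEW ICMP echo-request through a dedicated "ping" chain so the
# host's reaction to pings is decided in one place.  As written the chain
# REJECTs all ICMP that reaches it; the commented RETURN rule shows how to
# let a trickle (1/second) through instead.
set -euo pipefail

readonly IPTABLES=/sbin/iptables

# Create the chain, or empty it when an earlier run already created it, so
# the script can be re-applied without piling up duplicate rules.
"$IPTABLES" -N ping 2>/dev/null || "$IPTABLES" -F ping

# Uncomment to allow 1 echo-request per second before the REJECT applies.
#"$IPTABLES" -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
"$IPTABLES" -A ping -p icmp -j REJECT

# Drop an earlier copy of the jump (if any) before inserting it at the head
# of INPUT, so it is evaluated before every other INPUT rule.
"$IPTABLES" -D INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping 2>/dev/null || true
"$IPTABLES" -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping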
2. prevent_scan.sh
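#!/usr/bin/env bash
# prevent_scan.sh
# Drop TCP packets whose flag combinations never occur in a legitimate
# handshake but are typical of port-scan probes.  Dropping (not rejecting)
# gives the sender no reply to learn from.
#
# Usage: prevent_scan.sh [interface]      (default: eth0)
set -euo pipefail

readonly IPTABLES=/sbin/iptables
iface=${1:-eth0}

# Each entry is "<mask> <flags that must be set>" as taken by --tcp-flags.
flag_rules=(
  "ALL FIN,URG,PSH"            # Xmas scan
  "ALL ALL"                    # every flag set
  "ALL SYN,RST,ACK,FIN,URG"    # everything except PSH
  "ALL NONE"                   # null scan
  "SYN,RST SYN,RST"            # SYN together with RST
  "SYN,FIN SYN,FIN"            # SYN together with FIN
)

# NOTE(review): -A appends after the rules INPUT already holds, so a packet
# ACCEPTed by an earlier rule never reaches these.  Switch to -I if they are
# meant to be evaluated first.
for rule in "${flag_rules[@]}"; do
  read -r mask flags <<<"$rule"
  "$IPTABLES" -A INPUT -i "$iface" -p tcp --tcp-flags "$mask" "$flags" -j DROP
done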
3. sync_flood.sh
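#!/usr/bin/env bash
# sync_flood.sh
# Throttle new TCP connections: NEW packets are diverted to the "synfoold"
# chain, which lets SYNs through at the configured rate and answers the rest
# with a TCP reset.  (The chain name is deliberately kept as spelled; renaming
# it would break anything that inspects the live ruleset by name.)
#
# Usage: sync_flood.sh [rate]   (default: 1/s, any value -m limit --limit accepts)
#
# NOTE(review): the limit is global, not per source: one remote host sending
# SYNs faster than the rate causes legitimate new connections from everyone
# to be reset.  A per-source limit (e.g. hashlimit keyed on source address)
# together with tcp_syncookies is usually the better trade-off; confirm this
# behaviour is intended.
set -euo pipefail

readonly IPTABLES=/sbin/iptables
rate=${1:-1/s}

# Create the chain, or flush it if it already exists, so re-running the script
# does not accumulate duplicate rules.
"$IPTABLES" -N synfoold 2>/dev/null || "$IPTABLES" -F synfoold
"$IPTABLES" -A synfoold -p tcp --syn -m limit --limit "$rate" -j RETURN
"$IPTABLES" -A synfoold -p tcp -j REJECT --reject-with tcp-reset

# Re-append the jump without leaving an older copy behind.
"$IPTABLES" -D INPUT -p tcp -m state --state NEW -j synfoold 2>/dev/null || true
"$IPTABLES" -A INPUT -p tcp -m state --state NEW -j synfoold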
4. deny_mac.sh
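#!/usr/bin/env bash
# deny_mac.sh
# Drop all inbound traffic from the given source MAC addresses.
#
# Usage: deny_mac.sh [mac ...]     e.g. deny_mac.sh 00:11:22:33:44:55
# With no arguments the ruleset is left untouched.
#
# -m mac matches the source address of the Ethernet frame, so it only
# identifies hosts on the same link and is easily spoofed: treat it as a
# nuisance filter, not as access control.
set -euo pipefail

readonly IPTABLES=/sbin/iptables

#######################################
# Check that $1 looks like a colon-separated 48-bit MAC address.
# Arguments: $1 - candidate string
# Returns:   0 if it matches, 1 otherwise
#######################################
is_mac() {
  [[ "$1" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]
}

# Iterates over the positional parameters (same as: for mac in "$@").
for mac; do
  if ! is_mac "$mac"; then
    printf 'deny_mac.sh: not a MAC address: %s\n' "$mac" >&2
    exit 1
  fi
  "$IPTABLES" -A INPUT -m mac --mac-source "$mac" -j DROP
done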
5. set_ipcheck_on.sh
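#!/usr/bin/env bash
# set_ipcheck_on.sh
# Apply IPv4 kernel hardening through /proc/sys:
#   rp_filter=1 on every interface - reverse-path check: drop packets whose
#                                    source address is not routable back out
#                                    the interface they arrived on
#   tcp_syncookies=1               - SYN cookies, so a SYN flood cannot
#                                    exhaust the listen backlog
#   ip_forward=0                   - this host does not route between interfaces
#
# Must run as root.  Exits non-zero if any setting could not be applied.
set -euo pipefail

#######################################
# Write a value to one /proc/sys knob.
# Arguments: $1 - path of the knob, $2 - value to write
# Outputs:   diagnostic on stderr if the knob is missing or the write fails
# Returns:   0 on success, 1 otherwise
#######################################
set_knob() {
  local path=$1 value=$2
  if [[ ! -e "$path" ]]; then
    printf 'set_ipcheck_on.sh: %s not present, skipping\n' "$path" >&2
    return 1
  fi
  if ! printf '%s\n' "$value" > "$path"; then
    printf 'set_ipcheck_on.sh: cannot write %s to %s\n' "$value" "$path" >&2
    return 1
  fi
}

failures=0

# set ip check on (reverse-path filtering) for every interface
if [[ -e /proc/sys/net/ipv4/conf/all/rp_filter ]]; then
  for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
    set_knob "$knob" 1 || failures=$((failures + 1))
  done
fi

# prevent ip attack: SYN cookies against SYN floods
set_knob /proc/sys/net/ipv4/tcp_syncookies 1 || failures=$((failures + 1))

# set ip forward off
set_knob /proc/sys/net/ipv4/ip_forward 0 || failures=$((failures + 1))

if (( failures > 0 )); then
  printf 'set_ipcheck_on.sh: %d setting(s) not applied\n' "$failures" >&2
  exit 1
fi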
/etc/rc.d/rc.local
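#!/bin/sh
#
# This script will be executed after all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
# Each hardening script under /root/work is run in the order listed below.
# A missing or failing script is reported on stderr but does not stop the
# remaining ones, since rc.local must never abort system start-up.
#
# NOTE(review): /root/work/iptables.sh is not shown alongside the other
# scripts; if it flushes or restores the ruleset, the "ping" chain added by
# deny_death_ping.sh just before it would be lost -- confirm and reorder if so.

# Run one script by absolute path.
# Arguments: $1 - path of the script
# Outputs:   diagnostic on stderr when the script is unusable or fails
# Returns:   the script's exit status, or 1 if it is missing/not executable
run_script() {
  if [ ! -x "$1" ]; then
    printf 'rc.local: skipping %s (missing or not executable)\n' "$1" >&2
    return 1
  fi
  "$1"
  status=$?
  [ "$status" -eq 0 ] || printf 'rc.local: %s exited with status %s\n' "$1" "$status" >&2
  return "$status"
}

for script in \
  /root/work/deny_death_ping.sh \
  /root/work/iptables.sh \
  /root/work/set_ipcheck_on.sh \
  /root/work/deny_mac.sh \
  /root/work/prevent_scan.sh \
  /root/work/sync_flood.sh
do
  run_script "$script"
done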