

iptables 默认安全规则脚本

默认脚本只开启常规web服务器的80,3306,22端口

#vi default_firewall.sh

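  #!/bin/bash
  #########################################################################
  #
  # File:         default_firewall.sh
  # Description:  Minimal iptables baseline for a web host: INPUT policy
  #               DROP, then allow loopback, replies to established
  #               connections, ICMP and TCP 80 (http), 3306 (mysql), 22 (ssh).
  # Language:     GNU Bourne-Again SHell
  # Version: 1.0
  # Date: 2010-6-23
  # Corp.: c1gstudio.com
  # Author: c1g
  # WWW: http://blog.c1gstudio.com
  ### END INIT INFO
  ###############################################################################
  #
  # Environment overrides (optional; the defaults reproduce the original rules):
  #   IPTABLES   path of the iptables binary              (default /sbin/iptables)
  #   EXT_IF     interface the outbound ACCEPT rule uses  (default eth0)
  #   MYSQL_SRC  source network allowed to reach TCP 3306 (default 0.0.0.0/0, any)
  #
  # Needs root. The INPUT policy becomes DROP before any accept rule exists, so
  # when applying over a remote session have a console or a scheduled rollback.

  # -e is deliberately not used: a single rule failing (e.g. a missing match
  # module) should not abort half-way with INPUT already set to DROP. iptables
  # reports each failure on stderr.
  set -u

  IPTABLES=${IPTABLES:-/sbin/iptables}
  EXT_IF=${EXT_IF:-eth0}
  MYSQL_SRC=${MYSQL_SRC:-0.0.0.0/0}

  #######################################
  # Set chain policies, then flush, delete and zero the filter, nat and
  # mangle tables so the result does not depend on previously loaded rules.
  # Globals: IPTABLES (read)
  #######################################
  reset_tables() {
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -t nat -P PREROUTING ACCEPT
    "$IPTABLES" -t nat -P POSTROUTING ACCEPT
    "$IPTABLES" -t nat -P OUTPUT ACCEPT
    "$IPTABLES" -t mangle -P PREROUTING ACCEPT
    "$IPTABLES" -t mangle -P OUTPUT ACCEPT

    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -Z
    "$IPTABLES" -t nat -F
    "$IPTABLES" -t mangle -F
    "$IPTABLES" -t nat -X
    "$IPTABLES" -t mangle -X
    "$IPTABLES" -t nat -Z
    # zero mangle counters too, for symmetry with the nat table
    "$IPTABLES" -t mangle -Z
  }

  #######################################
  # Loopback, outbound, anti-spoofing, stateful return traffic and ICMP.
  # Globals: IPTABLES, EXT_IF (read)
  #######################################
  allow_base_traffic() {
    ## allow packets coming from the machine
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    # allow outgoing traffic (redundant with the OUTPUT ACCEPT policy; kept so
    # outbound traffic keeps working if that policy is later changed to DROP)
    "$IPTABLES" -A OUTPUT -o "$EXT_IF" -j ACCEPT

    # block spoofing: loopback source addresses may only arrive on lo.
    # The negation goes before the option; "-i ! lo" is the deprecated form.
    "$IPTABLES" -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

    # replies to connections this host opened or accepted; early in INPUT so
    # an existing ssh session survives the DROP policy set above
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp -j ACCEPT
  }

  #######################################
  # Optional hardening rules, all disabled by default as in the original.
  # Uncomment selectively; every line is a complete rule.
  # Globals: IPTABLES, EXT_IF (read)
  #######################################
  optional_hardening() {
    # stop bad packets
    #"$IPTABLES" -A INPUT -m state --state INVALID -j DROP

    # NMAP FIN/URG/PSH
    #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    # stop Xmas Tree type scanning
    #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL ALL -j DROP
    #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    # stop null scanning
    #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL NONE -j DROP
    # SYN/RST
    #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # SYN/FIN
    #"$IPTABLES" -A INPUT -i "$EXT_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # stop sync flood
    #"$IPTABLES" -N SYNFLOOD
    #"$IPTABLES" -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
    #"$IPTABLES" -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
    #"$IPTABLES" -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
    # stop ping flood attack
    #"$IPTABLES" -N PING
    #"$IPTABLES" -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
    #"$IPTABLES" -A PING -p icmp -j REJECT
    #"$IPTABLES" -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

    :  # no-op keeps the function valid while every rule above is commented out
  }

  #######################################
  # Inbound services. Active rules: http, mysql, ssh. Commented entries are
  # ready-made rules for other server roles.
  # Globals: IPTABLES, MYSQL_SRC (read)
  #######################################
  allow_services() {
    #################################
    ## What we allow
    #################################

    # tcp ports

    # smtp
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    # http
    "$IPTABLES" -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    # pop3
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    # imap
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    # ldap
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
    # https
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    # smtp over SSL
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    # line printer spooler
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
    # cups
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    # mysql -- reachable from MYSQL_SRC only. The default 0.0.0.0/0 matches the
    # original rule and exposes the database to every source; set MYSQL_SRC to
    # the application servers' network (e.g. 192.168.0.0/16) on real hosts.
    "$IPTABLES" -A INPUT -p tcp -m tcp -s "$MYSQL_SRC" --dport 3306 -j ACCEPT
    # tomcat
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    # squid
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
    # nrpe
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 15666 -j ACCEPT

    ## restrict some tcp things ##

    # ssh
    "$IPTABLES" -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    #"$IPTABLES" -A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
    # samba (netbios)
    #"$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
    # ntop
    #"$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 3000  -j ACCEPT
    # Hylafax
    #"$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 4558:4559 -j ACCEPT
    # webmin
    #"$IPTABLES" -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 10000  -j ACCEPT

    # udp ports
    # DNS
    #"$IPTABLES" -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    # DHCP
    #"$IPTABLES" -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
    # NTP
    #"$IPTABLES" -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    # SNMP
    #"$IPTABLES" -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT

    ## restrict some udp things ##

    # Samba (Netbios)
    #"$IPTABLES" -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137:139  -j ACCEPT
    #"$IPTABLES" -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT

    # finally - drop the rest (already done by the INPUT DROP policy)
    #"$IPTABLES" -A INPUT -p tcp --syn -j DROP
  }

  #######################################
  # Apply the whole rule set in the original order.
  #######################################
  main() {
    reset_tables
    allow_base_traffic
    optional_hardening
    allow_services
  }

  main "$@"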

设置权限

  1. chmod u+x ./default_firewall.sh

运行脚本

  1. ./default_firewall.sh

查看iptables

  1. #/sbin/iptables -nL

保存iptables

  1. #/sbin/iptables-save > /etc/sysconfig/iptables

重启iptables

  1. #/etc/init.d/iptables restart

猛击下载脚本:
default_firewall.sh




Continuing the Discussion

  1. sourceforge 上如何使用shell | 吃杂烩 linked to this post on 2012/08/09

    […] iptables 默认安全规则脚本 ( 2010-06-29) […]


