Practical iptables firewall rules

#!/bin/sh
#####
##name:iptables_firewall
#####

# Flush all rules, delete user-defined chains and zero the counters, then
# open the default policies so the host stays reachable while rules are rebuilt
iptables -F
iptables -X
iptables -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

### Security policies ###
### Block nmap scans of the server's ports
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP                # NMAP FIN/URG/PSH
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                        # Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP        # Another Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                       # Null Scan (possibly)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP                # SYN/RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP                # SYN/FIN -- Scan (possibly)

### Settings against SYN flood attacks
iptables -N synflood
iptables -A synflood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN    # at most 4 SYN connection packets per second may enter
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood

### Prevent Ping of Death
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A bad-ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j bad-ping

### Packets entering this host
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT     ### allow DNS query replies (note: any UDP packet with source port 53 is accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT     ### ssh into this host
iptables -A INPUT -p tcp -m multiport --destination-port 53,80,21,22,3306,10001 -j ACCEPT
# note: there is no ESTABLISHED,RELATED rule, so replies to TCP connections
# opened from this host are dropped by the INPUT DROP policy set below

### Define default policies
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t filter -vnL
service iptables save
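To make the scan-signature rules above concrete, here is an added Python model (not part of the original script) of how iptables evaluates "--tcp-flags MASK COMP": only the bits named in MASK are examined, and the packet matches when exactly the bits in COMP are set among them. The flag bit values and the sample packets are constructed for this example; classify() walks the six DROP rules in chain order and reports which one would catch a given flag combination.

```python
# Model of iptables' "--tcp-flags MASK COMP" match (added example, not from
# the original script). Bit values follow the TCP header; iptables' "ALL"
# covers exactly these six flags.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # 0x3f

def parse_flags(spec):
    """Turn an iptables flag list such as 'SYN,FIN' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))

def tcp_flags_match(mask, comp, flags):
    """True when, looking only at the bits in MASK, exactly COMP is set."""
    return (flags & parse_flags(mask)) == parse_flags(comp)

# The six DROP rules from the script, in chain order: (mask, comp, label).
SCAN_RULES = [
    ("ALL", "FIN,URG,PSH", "NMAP FIN/URG/PSH"),
    ("ALL", "ALL", "Xmas Tree"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "Another Xmas Tree"),
    ("ALL", "NONE", "Null Scan"),
    ("SYN,RST", "SYN,RST", "SYN/RST"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN"),
]

def classify(flags):
    """Label of the first rule that would DROP the packet, or None if it
    falls through to the rest of the INPUT chain (first match wins)."""
    for mask, comp, label in SCAN_RULES:
        if tcp_flags_match(mask, comp, flags):
            return label
    return None

if __name__ == "__main__":
    # Constructed sample packets: (description, flag bits)
    samples = [
        ("normal SYN", FLAGS["SYN"]),
        ("SYN+ACK reply", FLAGS["SYN"] | FLAGS["ACK"]),
        ("FIN+PSH+URG", FLAGS["FIN"] | FLAGS["PSH"] | FLAGS["URG"]),
        ("FIN+PSH+URG+ACK", FLAGS["FIN"] | FLAGS["PSH"] | FLAGS["URG"] | FLAGS["ACK"]),
        ("SYN+RST+ACK", FLAGS["SYN"] | FLAGS["RST"] | FLAGS["ACK"]),
    ]
    for desc, bits in samples:
        print(f"{desc:16} flags=0x{bits:02x} -> {classify(bits) or 'pass'}")
```

The ALL-mask rules demand an exact flag set, so FIN+PSH+URG+ACK passes all of them, whereas the SYN,RST and SYN,FIN rules ignore the other bits and still drop SYN+RST+ACK.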

Tags: iptables

Fixing a Linux network service that fails to start

Running "service network start" reports an error: Bringing up interface eth0:  Device does not seem to be present, delaying initialization. [FAILED]

Fix: run "ifconfig -a" to look up the HWaddr value of eth0,

open the file /etc/sysconfig/network-scripts/ifcfg-eth0

and change it to:


DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=<your IP>
NETMASK=255.255.255.192
HWADDR=00:16:3E:F2:A0:9C


Restart the network service; the host can then be pinged.

Tags: linux, network

Resolving CentOS L2TP-related errors

Download the CentOS one-click L2TP installation script

See also: Setting up an L2TP VPN service on a CentOS VPS

After "# bash l2tp.sh" finishes the installation, run "ipsec verify" to check the environment.

See also: VPNs: a step-by-step guide to building a Linux-to-Linux IPsec RSA connection with Openswan

A few errors appear:


Checking for IPsec support in kernel [FAILED]
Checking that pluto is running [FAILED]

These two errors can be ignored. After running "/etc/init.d/ipsec restart", run "ipsec verify" again and a new error appears:

[image: ipsec verify output showing the new error]

To fix the new error, run the following in a terminal:

# disable ICMP redirect acceptance and sending on every IPv4 interface
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > "$each/accept_redirects"
    echo 0 > "$each/send_redirects"
done

Run "ipsec verify" again; the known errors are now resolved.

[image: ipsec verify output with the L2TP errors resolved]

If clients cannot reach the Internet, additionally enable forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward                   # enable IPv4 forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE     # masquerade VPN client traffic leaving via eth0
Tags: VPN, centos, l2tp