实用的iptables防火墙规则

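#!/bin/sh
#####
##name:iptables_firewall
#####
# Host firewall for a stand-alone server: drops the TCP flag combinations used
# by port scanners, rate-limits new TCP connections and ICMP echo requests,
# then accepts loopback, ICMP, replies to connections this host opened, and a
# fixed list of TCP services. Everything else inbound is dropped.
#
# Limits and ports can be overridden from the environment; the defaults are
# the values this script has always used:
#   SSH_PORT        TCP port accepted for SSH                 (default 22)
#   OPEN_TCP_PORTS  comma-separated TCP ports accepted        (default 53,80,21,22,3306,10001)
#   SYN_LIMIT       ceiling on NEW TCP connections per second (default 1/s)
#   SYN_BURST       burst allowed above SYN_LIMIT             (default 4)
#   PING_LIMIT      ceiling on ICMP echo-requests per second  (default 1/s)
#
# Must run as root. Rules are persisted with `service iptables save` where that
# command exists (RHEL/CentOS 6 style init); elsewhere they are loaded only.

set -eu

die() { printf '%s\n' "$*" >&2; exit 1; }

# Because the rule set is rebuilt under ACCEPT policies (see below), aborting
# half-way leaves the host more open than before. Say so loudly on any early exit.
completed=0
warn_if_partial() {
  [ "$completed" -eq 1 ] || printf '%s\n' \
    "iptables_firewall: aborted early; rule set may be partially loaded and policies may still be ACCEPT" >&2
}
trap warn_if_partial EXIT

[ "$(id -u)" -eq 0 ] || die "iptables_firewall: must be run as root"
command -v iptables >/dev/null 2>&1 || die "iptables_firewall: iptables not found in PATH"

SSH_PORT=${SSH_PORT:-22}
OPEN_TCP_PORTS=${OPEN_TCP_PORTS:-53,80,21,22,3306,10001}
SYN_LIMIT=${SYN_LIMIT:-1/s}
SYN_BURST=${SYN_BURST:-4}
PING_LIMIT=${PING_LIMIT:-1/s}

### Reset: flush every table, delete user chains, zero counters.
# Policies are set to ACCEPT while the rules are rebuilt so that an
# administrator running this over SSH is not cut off mid-script; the
# restrictive policies are applied last, once every ACCEPT rule is in place.
iptables -F
iptables -X
iptables -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

### Security policy ###
### Drop TCP flag combinations that never occur in legitimate traffic
### (nmap FIN / Xmas / Null / SYN-FIN style probes).
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP            # NMAP FIN/URG/PSH
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                    # Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP    # Another Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                   # Null Scan (possibly)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP            # SYN/RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP            # SYN/FIN -- Scan (possibly)

### Accept packets that belong to connections this host already has.
# Without this rule the INPUT DROP policy below discards replies to every
# outbound connection (package updates, outgoing HTTP, DNS over TCP).
# It also replaces the former "-p udp --sport 53 -j ACCEPT" rule: that rule
# let in any UDP packet whose *source* port was 53, whether or not we had
# sent a query, and a source port is trivial to forge. Connection tracking
# passes only replies to queries this host actually made.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### SYN-flood mitigation
# The limit is one global bucket, not per source: every NEW TCP connection
# above SYN_LIMIT/SYN_BURST is answered with a RST, so a busy host will turn
# away legitimate clients as well. Tune SYN_LIMIT/SYN_BURST to the expected
# connection rate, or move to a per-source match (hashlimit/connlimit) if the
# kernel provides it.
iptables -N synfoold
iptables -A synfoold -p tcp --syn -m limit --limit "$SYN_LIMIT" --limit-burst "$SYN_BURST" -j RETURN
iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synfoold

### Ping flood / "Ping of Death" mitigation (again a global, not per-source, limit)
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit "$PING_LIMIT" -j RETURN
iptables -A bad-ping -p icmp -j REJECT
# -I places this check at the very top of INPUT, matching the original rule order.
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j bad-ping

### Traffic accepted into this host
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT      # inbound SSH
iptables -A INPUT -p tcp -m multiport --destination-port "$OPEN_TCP_PORTS" -j ACCEPT

### Default policies (applied last; see the note in the reset section)
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

### Show the result and persist it
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t filter -vnL
if command -v service >/dev/null 2>&1; then
  service iptables save
else
  printf '%s\n' "iptables_firewall: 'service' not found; rules are loaded but not saved" >&2
fi

completed=1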

本文永久地址:https://sjolzy.cn/useful-iptables.html

--EOF--


