linux自带的防火墙iptables可以说非常强大,可以做到严格的访问控制,分享一个常用的iptables规则:
脚本:vi fws.sh
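#!/bin/bash
# fws.sh - minimal stateful host firewall for a single WAN interface.
#
# Usage: run as root (iptables needs CAP_NET_ADMIN):  ./fws.sh
# Policy: OUTPUT open; FORWARD and INPUT closed by default. INPUT admits
# loopback, return traffic of connections this host opened, a few inbound
# services on $wan, and ICMP. Adjust the service section to your needs.
#
# NOTE(review): the original text used lowercase chain, target and TCP flag
# names (`-a input ... -j accept`, `--tcp-flags syn,fin ...`), which iptables
# rejects; they are uppercase here. It also admitted return traffic purely by
# source port (`--sport 53/80/20/21/123/22`), which lets any remote host reach
# every local port simply by sending from one of those source ports, bypassing
# the INPUT DROP policy. That is replaced by a conntrack ESTABLISHED,RELATED
# rule below.
set -euo pipefail

ipt=/sbin/iptables
wan="eth0"
loopback_interface="lo"
#ipaddr=61.134.1.4          # example host to block; see the commented rule below

# Everything below mutates kernel state; refuse to run unprivileged rather
# than fail halfway through with the filter table already flushed.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '%s: must run as root\n' "${0##*/}" >&2
  exit 1
fi

# Remove any existing rules and (now empty) user-defined chains.
"$ipt" -F
"$ipt" -X

# Default policy: outbound open, inbound and forwarding closed.
# Setting INPUT DROP before the rules means a failure further down leaves the
# host closed (fail-closed) -- run from a console, not only over SSH.
"$ipt" --policy OUTPUT ACCEPT
"$ipt" --policy FORWARD DROP
"$ipt" -P INPUT DROP

# Loopback is always allowed.
"$ipt" -A INPUT  -i "$loopback_interface" -j ACCEPT
"$ipt" -A OUTPUT -o "$loopback_interface" -j ACCEPT

# Replies to connections this host initiated (DNS, HTTP, FTP, NTP, SSH out)
# and to connections accepted below, plus RELATED flows such as FTP data
# channels and ICMP errors. Packets conntrack cannot classify are dropped.
"$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

# Stealth-scan / bogus TCP flag combinations.
# all flag bits clear (NULL scan)
"$ipt" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN both set
"$ipt" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST both set
"$ipt" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST both set
"$ipt" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN without the ACK that should accompany it
"$ipt" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH without ACK
"$ipt" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG without ACK
"$ipt" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Example: block a single remote host (set $ipaddr above to enable).
#"$ipt" -A INPUT -i "$wan" -s "$ipaddr" -j DROP

###################################################################
## Inbound services on the WAN interface ##
# Outbound DNS/HTTP/FTP/NTP/SSH need no rule here: OUTPUT is ACCEPT and their
# replies match the ESTABLISHED,RELATED rule above.

# HTTP in
"$ipt" -A INPUT -i "$wan" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# FTP in, control and data, from one trusted client only (1.1.1.1 is a placeholder)
"$ipt" -A INPUT -i "$wan" -p tcp --dport 20 -s 1.1.1.1 -m conntrack --ctstate NEW -j ACCEPT
"$ipt" -A INPUT -i "$wan" -p tcp --dport 21 -s 1.1.1.1 -m conntrack --ctstate NEW -j ACCEPT
# ICMP (ping, unreachable, path-MTU). Consider rate-limiting on an exposed host.
"$ipt" -A INPUT -p icmp -j ACCEPT
"$ipt" -A OUTPUT -p icmp -j ACCEPT
# SSH in from anywhere -- narrow with `-s <admin-net>` wherever possible.
"$ipt" -A INPUT -i "$wan" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT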
:wq 保存退出
chmod +x fws.sh
sudo ./fws.sh
注意根据自己需求适当修改一下:脚本需要 root 权限运行;iptables 的链名、目标(INPUT/OUTPUT/ACCEPT/DROP)和 TCP 标志名(SYN/FIN 等)必须大写;放行返回流量应使用 conntrack 的 ESTABLISHED,RELATED 状态而不是按源端口(--sport)放行,否则远端只要把源端口设成 53/80/22 就能绕过 INPUT DROP;通过 SSH 远程执行前先确认 22 端口的放行规则,以免把自己锁在外面。