
一个Iptables防火墙的教本——未完。。。
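#!/bin/sh
# Configuration section of the firewall script.
#
# Site-specific addresses, service on/off flags and the address/port
# constants referenced by the rules further down. Every value of the form
# "my.*", "isp.*" or "some.*" is a placeholder that has to be replaced with
# the real value for this host before the script is used.
#
# Fixes relative to the original listing: the shebang line lacked its
# leading "#", IPT lacked its leading "/", CLASS_B was 172.0.0.0/12 (the
# RFC 1918 block is 172.16.0.0/12), the DHCP flag and the DHCP server
# address shared one variable name, and LOCKD_PORT was misspelled.

# Load the FTP connection-tracking helper so the related FTP data
# connections can be matched by connection state later on.
/sbin/modprobe ip_conntrack_ftp

# Service flags: "1" enables the corresponding rule group, "0" disables it.
CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
SSH_SERVER="0"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
# Was DHCP_SERVER="1" in the original; that name is reassigned below to the
# ISP DHCP server address, so the flag value was silently overwritten.
DHCP_CLIENT="1"

IPT="/sbin/iptables"                # Location of iptables on your system
INTERNET="eth0"                     # Internet-connected interface
LOOPBACK_INTERFACE="lo"             # However your system names it
IPADDR="my.ip.address"              # Your IP address
SUBNET_BASE="my.subnet.base"        # ISP network segment base address
SUBNET_BROADCAST="my.subnet.bcast"  # network segment broadcast address
MY_ISP="my.isp.address.range"       # ISP server & NOC address range
NAMESERVER="isp.name.server.1"      # address of a remote name server
POP_SERVER="isp.pop.server"         # address of a remote pop server
MAIL_SERVER="isp.mail.server"       # address of a remote mail gateway
NEWS_SERVER="isp.news.server"       # address of a remote news server
TIME_SERVER="some.time.server"      # address of a remote time server
DHCP_SERVER="isp.dhcp.server"       # address of your ISP dhcp server

# Address ranges that should never appear as a source on the Internet
# interface (used by the spoofing rules).
LOOPBACK="127.0.0.0/8"              # reserved loopback address range
CLASS_A="10.0.0.0/8"                # Class A private network
CLASS_B="172.16.0.0/12"             # Class B private network (RFC 1918)
CLASS_C="192.168.0.0/16"            # Class C private network
CLASS_D_MULTICAST="224.0.0.0/4"     # Class D multicast address
CLASS_E_RESERVED_NET="240.0.0.0/5"  # Class E reserved address
BROADCAST_SRC="0.0.0.0"             # broadcast source address
BROADCAST_DEST="255.255.255.255"    # broadcast destination address

# Port ranges and well-known service ports.
PRIVPORTS="0:1023"                  # well-known, privileged port range
UNPRIVPORTS="1024:65535"            # unprivileged port range
SSH_PORTS="1024:65535"
NFS_PORT="2049"
LOCKD_PORT="4045"
LOCKD_poRT="$LOCKD_PORT"            # original misspelling, kept for any rule that still uses it
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOWS_PORTS="6000:6063"
SQUID_PORT="3128"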
#####################################################################################
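# Kernel (/proc/sys) hardening applied before any iptables rule is loaded.
# Each per-interface knob is set for every interface via the conf/* glob;
# an unmatched glob is skipped instead of writing to the literal pattern.

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
# The knob is named accept_source_route; the original "accept_source_routed"
# matched nothing, so source routing was never actually disabled.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done

# Drop spoofed Packets coming in on an interface which, if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue
  echo 1 > "$f"
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  [ -e "$f" ] || continue
  echo 1 > "$f"
done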
#######################################################################################
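# Reset the firewall to an empty, fully open state, then (unless invoked
# with "stop") open the loopback interface and switch every default
# policy to DROP so that only the rules added afterwards permit traffic.
# Reads IPT, LOOPBACK_INTERFACE and the first script argument ($1).

# Remove any existing rules from all chains
"$IPT" --flush
"$IPT" -t nat --flush
"$IPT" -t mangle --flush
# Delete any user-defined chains
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X
# Policies back to ACCEPT: this is the "stopped" state of the host.
"$IPT" --policy INPUT ACCEPT
"$IPT" --policy OUTPUT ACCEPT
"$IPT" --policy FORWARD ACCEPT
"$IPT" -t nat --policy PREROUTING ACCEPT
"$IPT" -t nat --policy OUTPUT ACCEPT
"$IPT" -t nat --policy POSTROUTING ACCEPT
"$IPT" -t mangle --policy PREROUTING ACCEPT
"$IPT" -t mangle --policy OUTPUT ACCEPT

# "stop" leaves the host with no filtering at all; say so loudly.
if [ "$1" = "stop" ]; then
  echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
  exit 0
fi

# Unlimited traffic on the loopback interface
"$IPT" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# Set the default policy to drop
# (the original line started with "$" instead of "#", so the shell tried to
# run "Set" as a command instead of treating this as a comment)
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP
# NOTE(review): a DROP policy on the nat and mangle chains discards every
# packet those tables see that no nat/mangle rule explicitly accepts;
# confirm the rules that follow account for this, or leave these at ACCEPT.
"$IPT" -t nat --policy PREROUTING DROP
"$IPT" -t nat --policy OUTPUT DROP
"$IPT" -t nat --policy POSTROUTING DROP
"$IPT" -t mangle --policy PREROUTING DROP
"$IPT" -t mangle --policy OUTPUT DROP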

#########################################################################################
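# Stealth Scans and TCP state Flags
# Drop TCP segments whose flag combinations never occur in a legitimate
# connection; such combinations are typical of stealth port scans.
# Reads IPT.

# Unclean
# NOTE(review): the "unclean" match is an experimental module that not every
# kernel ships; when it is absent this single rule fails to load and the
# remaining rules still apply.
"$IPT" -A INPUT -m unclean -j DROP
# ALL of the bits are cleared
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
"$IPT" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
# (the original repeated the ACK,PSH rule here, so lone-FIN segments
# were never dropped)
"$IPT" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
"$IPT" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
# (the original had "--tcl-flags", which iptables rejects)
"$IPT" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP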
##########################################################################################
#Using Connection State to By-pass Rule Checking
 
 
 

