Chinaunix首页 | 论坛 | 博客
  • 博客访问: 283394
  • 博文数量: 44
  • 博客积分: 2046
  • 博客等级: 大尉
  • 技术积分: 611
  • 用 户 组: 普通用户
  • 注册时间: 2010-07-06 11:11
文章分类

全部博文(44)

文章存档

2011年(1)

2010年(43)

我的朋友

分类:

2010-07-16 10:32:36

每台linux服务器在上架之前,都必须做好默认的IPTABLE测试,以下的规则可以直接做成开机脚本运行,也可以添加到/etc/sysconfig/iptables文件中。
 
#!/bin/bash
#定义常用的变量:
IPTB="/sbin/IPTBables"
CONNECTION_TRACKING="1"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
LOOPBACK_INTERFACE="lo"
#删除现有所有规则:
$IPTB -F
$IPTB -X
#设置默认防火墙策略:
$IPTB -P FORWARD DROP
$IPTB -P INPUT DROP
$IPTB -P OUTPUT DROP
 
#设置环路策略
$IPTB -A INPUT -i lo -j ACCEPT
$IPTB -A OUTPUT -o lo -j ACCEPT
 
# 安全扫描与TCP状态标识相关设置:
# All of the bits are cleared
$IPTB -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPTB -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPTB -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPTB -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPTB -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPTB -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
 
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $IPTB -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTB -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTB -A INPUT -m state --state INVALID -j DROP
    $IPTB -A OUTPUT -m state --state INVALID -j DROP
fi
##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface.s IP address
# Refuse packets claiming to be from a Class A private network
$IPTB -A INPUT -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
#$IPTB -A INPUT -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
$IPTB -A INPUT -s $CLASS_C -j DROP
$IPTB -A INPUT -s 0.0.0.0/8 -j DROP
$IPTB -A INPUT -s 169.254.0.0/16 -j DROP
$IPTB -A INPUT -s 192.0.2.0/24 -j DROP
###################################################################
#设置访问规则
#允许出站域名解析
$IPTB -A OUTPUT -p udp  --dport 53 -j ACCEPT
 
#时钟同步
$IPTB -A OUTPUT -d 192.43.244.18 -j ACCEPT
 
#允许ping出
$IPTB -A OUTPUT -p icmp -j ACCEPT
 
#允许出站http
$IPTB -A OUTPUT -p tcp  --dport 80 -j ACCEPT
 
#允许yum更新(mirrors.163.com)
$IPTB -A OUTPUT -p tcp -d 60.191.81.189 -j ACCEPT
 
############################################################################
#允许入站ssh
$IPTB -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
 
#允许入站80、8008
$IPTB -A INPUT -p tcp  --dport XX -j ACCEPT
#允许入站ICMP
$IPTB -A INPUT -p icmp -s xxx.xxx.xxx.xxx -j ACCEPT
阅读(1012) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~