2008-09-25 16:07:15

On a virtual machine, following a book, I wrote an iptables script. After running it nothing can be accessed at all, and I can't tell where the problem is. Could you please help me take a look?
[root@cs ~]# cat /etc/rc.d/firewall
#!/bin/sh
#enable broadcast echo protection
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;do
  echo 1 >$f
done
#enable tcp syn cookie protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;do
  echo 0 >$f
done
#don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects;do
  echo 0 >$f
done
#enable rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
  echo 1 >$f
done
#log packets with impossible address
for f in /proc/sys/net/ipv4/conf/*/log_martians;do
  echo 1 >$f
done

#remove any existing rules from all chains
iptables -F
iptables -X

#reset the default policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

if [ "$1" = "stop" ]
then
echo "Firewall completely stopped!"
exit 0
fi

#unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#unclean
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

#refuse illegal packets
iptables -A INPUT -i eth0 -s 10.46.0.2/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i eth0 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth0 -d 0.0.0.0 -j DROP
iptables -A INPUT -i eth0 -d 10.46.0.255 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP

#refuse address defined as reserved by the iana
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 192.0.2.0/24 -j DROP

#accept essential packets
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 113 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 113 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 21 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 20 ! --syn -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 22 --dport 1024:65535 -j ACCEPT
The VM's IP is 10.46.0.2/24, the iptables version is 1.3.5, and the kernel is 2.6.25, which I compiled myself.
With the script as written, testing FTP, HTTP and SSH all fail; once I stop the script they work again. Please help me take a look, thanks!
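Added example, not the poster's script or anything from the book it was copied from. Two things in the posted ruleset are certain to break the tests described. First, iptables masks a rule address with its prefix, so "-s 10.46.0.2/24" means "-s 10.46.0.0/24": the anti-spoofing line "iptables -A INPUT -i eth0 -s 10.46.0.2/24 -j DROP" sits above every ACCEPT and discards all traffic from the LAN, including the host running the FTP/HTTP/SSH tests. Second, the HTTP pair accepts connections to port 80 but has no OUTPUT rule for the server's replies (source port 80), so even a client that got past the first rule would hang. A smaller slip is "echo 1 > .../accept_source_route", which enables what its comment says it disables. The script below rewrites the firewall with those fixes, uses connection-tracking state rules in place of the per-port reply rules, and includes two helpers (cidr_network and src_matches, both constructed for this example) that reproduce the address masking so the first point can be checked on any machine without root. It assumes the values from the post (10.46.0.2/24 on eth0, FTP/SSH/HTTP served to that LAN) and a kernel built with connection tracking plus the nf_conntrack_ftp helper for active-mode FTP data connections; the outbound DNS and HTTP client rules are my assumption about what the VM also needs.

```shell
#!/bin/sh
# Added example, not the script from the post.  Fixes the rule that blocks
# everything:  iptables -A INPUT -i eth0 -s 10.46.0.2/24 -j DROP
# iptables masks the address with the prefix, so that line is really
# "-s 10.46.0.0/24" and every LAN client is dropped before any ACCEPT.
# Nothing is executed unless the first argument is "apply".
# Assumed from the post: the VM is 10.46.0.2/24 on eth0 and serves FTP, SSH
# and HTTP to that LAN.  The state rules need connection tracking in the
# kernel (and nf_conntrack_ftp for active-mode FTP data connections).

IPADDR=10.46.0.2        # a single host address: no prefix here
PREFIX=24
IFACE=eth0

# cidr_network IP BITS -> the network address iptables derives from IP/BITS
cidr_network() {
    cn_o1=${1%%.*}; cn_rest=${1#*.}
    cn_o2=${cn_rest%%.*}; cn_rest=${cn_rest#*.}
    cn_o3=${cn_rest%%.*}; cn_o4=${cn_rest#*.}
    cn_n=$(( (cn_o1 << 24) | (cn_o2 << 16) | (cn_o3 << 8) | cn_o4 ))
    cn_mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    cn_net=$(( cn_n & cn_mask ))
    printf '%d.%d.%d.%d\n' $(( (cn_net >> 24) & 255 )) $(( (cn_net >> 16) & 255 )) \
        $(( (cn_net >> 8) & 255 )) $(( cn_net & 255 ))
}

# src_matches ADDR SPEC -> "yes" if a packet from ADDR matches "-s SPEC"
# (SPEC is IP or IP/BITS); both sides are masked, exactly as iptables does
src_matches() {
    case $2 in
        */*) sm_ip=${2%/*}; sm_bits=${2#*/} ;;
        *)   sm_ip=$2;      sm_bits=32 ;;
    esac
    if [ "$(cidr_network "$1" "$sm_bits")" = "$(cidr_network "$sm_ip" "$sm_bits")" ]
    then echo yes; else echo no; fi
}

# build_rules -> prints the corrected rule set, one iptables command per line
build_rules() {
    br_lan=$(cidr_network "$IPADDR" "$PREFIX")/$PREFIX
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# spoofed sources: our own address (no prefix!), loopback, broadcast, reserved
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
iptables -A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE -s 255.255.255.255 -j DROP
iptables -A INPUT -i $IFACE -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i $IFACE -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i $IFACE -s 192.0.2.0/24 -j DROP
# impossible flag combinations
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# replies and related connections in one place: no per-port reply rules needed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services offered to the LAN $br_lan: FTP control, SSH, HTTP
iptables -A INPUT -i $IFACE -p tcp -s $br_lan -d $IPADDR --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -s $br_lan -d $IPADDR --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -s $br_lan -d $IPADDR --dport 80 -m state --state NEW -j ACCEPT
# the VM as a client (assumed wanted): DNS lookups and outbound HTTP
iptables -A OUTPUT -o $IFACE -p udp -s $IPADDR --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp -s $IPADDR --dport 80 -m state --state NEW -j ACCEPT
# ping from the LAN, so reachability can be checked before the services
iptables -A INPUT -i $IFACE -p icmp -s $br_lan --icmp-type echo-request -j ACCEPT
EOF
}

# harden_sysctl -> the /proc toggles from the post, with accept_source_route
# written as 0 (the post writes 1, which enables what its comment disables)
harden_sysctl() {
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    for hs_key in accept_source_route accept_redirects send_redirects; do
        for hs_f in /proc/sys/net/ipv4/conf/*/$hs_key; do echo 0 > "$hs_f"; done
    done
    for hs_key in rp_filter log_martians; do
        for hs_f in /proc/sys/net/ipv4/conf/*/$hs_key; do echo 1 > "$hs_f"; done
    done
}

# no argument: dry run (print the rules); "apply": load them; "stop": open up
case ${1:-print} in
    apply) harden_sysctl; build_rules | grep -v '^#' | while read -r br_cmd; do $br_cmd; done ;;
    stop)  iptables -F; iptables -X; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT ;;
    *)     build_rules ;;
esac
```

Run it with no argument first and read the printed rules; "src_matches 10.46.0.5 10.46.0.2/24" prints "yes", which is why the posted DROP line catches a LAN client, while "src_matches 10.46.0.5 10.46.0.2" prints "no". Once the output looks right, "sh firewall.sh apply" as root loads it, and "iptables -L -n -v" shows per-rule packet counters, so a test connection that fails can be traced to the rule whose counter moved. The state rules also cover the active-mode FTP data channel (port 20) as RELATED when the FTP conntrack helper is loaded, which is what the original "! --syn" rules on ports 20 and 21 were approximating by hand.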