在虚拟机上,参照书写了个iptables脚本,运行脚本后,什么也访问不了,不知道问题出在哪里了,麻烦各位帮忙看看。
#!/bin/sh
#enable broadcast echo protection
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;do
echo 1 >$f
done
#enable tcp syn cookie protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;do
echo 0 >$f
done
#don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects;do
echo 0 >$f
done
#enable rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
echo 1 >$f
done
#log packets with impossible address
for f in /proc/sys/net/ipv4/conf/*/log_martians;do
echo 1 >$f
done
#remove any existing rules from all chains
iptables -F
iptables -X
#reset the default policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
if [ "$1" = "stop" ]
then
echo "Firewall completely stopped!"
[root@cs ~]# cat /etc/rc.d/firewall
#!/bin/sh
#enable broadcast echo protection
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;do
echo 1 >$f
done
#enable tcp syn cookie protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
#disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;do
echo 0 >$f
done
#don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects;do
echo 0 >$f
done
#enable rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
echo 1 >$f
done
#log packets with impossible address
for f in /proc/sys/net/ipv4/conf/*/log_martians;do
echo 1 >$f
done
#remove any existing rules from all chains
iptables -F
iptables -X
#reset the default policy
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
if [ "$1" = "stop" ]
then
echo "Firewall completely stopped!"
exit 0
fi
#unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#set the default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#unclean
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#refuse illegal packets
iptables -A INPUT -i eth0 -s 10.46.0.2/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i eth0 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth0 -d 0.0.0.0 -j DROP
iptables -A INPUT -i eth0 -d 10.46.0.255 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
#refuse address defined as reserved by the iana
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 192.0.2.0/24 -j DROP
#accept essential packets
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 113 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 113 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 21 --dport 1024:65535 ! --syn -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 20 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 20 ! --syn -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 -d 10.46.0.2/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.46.0.2/24 --sport 22 --dport 1024:65535 -j ACCEPT
虚拟机IP是10.46.0.2/24,iptables版本是1.3.5,内核是我自己编译的2.6.25。
写到这里,测试FTP、HTTP、SSH都不行,停止脚本又可以了,各位帮忙看看,谢谢了!
--------------------next---------------------
阅读(532) | 评论(0) | 转发(0) |