Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1724776
  • 博文数量: 362
  • 博客积分: 10587
  • 博客等级: 上将
  • 技术积分: 4098
  • 用 户 组: 普通用户
  • 注册时间: 2009-09-10 18:15
文章分类

全部博文(362)

文章存档

2014年(1)

2013年(58)

2011年(115)

2010年(112)

2009年(76)

分类: LINUX

2011-01-04 15:57:46

#!/bin/bash

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connecting-tracking modules
$MODPROBE ip_conntrack
$MODPROBE iptables_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

##### INPUT chain #####
echo "[+] Setting up INPUT chain..."
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
#$IPTABLES -A INPUT -i eth1 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

##### OUTPUT chain #####
echo "[+] Setting up OUTPUT chain..."
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connectings out
$IPTABLES -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 25 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 43 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 4321 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --syn --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT


### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options


##### FORWARD chain #####
echo "[+] Setting up FORWARD chain..."
### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD -i eth0 -j LOG --log-prefix "SPOOFED PKT"
$IPTABLES -A FORWARD -i eth0 -s ! 192.168.2.0 -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 25 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 43 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn --dport 4321 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default log rule
$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options



##### NAT rules #####
echo "[+] Setting up NAT rules..."
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.3:80
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.1.3:443
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.1.4:53
$IPTABLES -t nat -A POSTROUTING -s 192.168.2.0 -j MASQUERADE

##### forwarding #####
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
阅读(1903) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~