iptables init script
#!/bin/sh
#
# This is a simple iptables firewall script.
# This can be used stand-alone or put in /etc/init.d/firewall.
# This works on both Ubuntu and RedHat systems.
# On Ubuntu, run "update-rc.d firewall defaults" to install this on startup.
# On RedHat, run "chkconfig --add firewall" to install this on startup.
# Note that RedHat has its own iptables init script that needs to be turned
# off if this script is to be used.
#
# Load firewall on boot:
#
# For Ubuntu/Debian you can put an init script into /etc/init.d then link to an 'S' file in /etc/rc2.d
# cp firewall /etc/init.d/firewall
# chmod 755 /etc/init.d/firewall
# cd /etc/rc2.d/
# ln -s ../init.d/firewall S99firewall
#
# For RedHat you need to edit:
# /etc/sysconfig/iptables
# Don't confuse this with /etc/sysconfig/iptables-config.
# Also note that RedHat has a tool called system-security-level that overwrites /etc/sysconfig/iptables,
# so if you run system-security-level you will lose your changes.
# You can edit the file manually or you can use system-security-level.
# Choose one or the other, not both.
# You can also setup the firewall the way you want using the iptables command
# and then save the settings using RedHat's init.d script:
# /etc/init.d/iptables save
#
# rule by conmale (modified by pnco)
#
# chkconfig: 2345 08 92
# description: This configures iptables.
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: This loads iptables with firewall rules.
# Description: This loads iptables with firewall rules. Place this in /etc/init.d.
# This isn't technically a daemon control script.
# This just puts a familiar interface around iptables.
### END INIT INFO
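# Pin PATH so the tools below resolve to the system copies rather than to
# whatever the invoking environment put first.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Public interface: the one carrying the default route, taken from field 8
# of the "default" line of net-tools `route`.  head -n 1 guarantees a single
# name even if more than one default route is present.
IF=$(route | grep -i 'default' | awk '{print$8}' | head -n 1)
# Primary IPv4 address of that interface, parsed from the "inet addr:A.B.C.D"
# line of net-tools `ifconfig` (quoted so an empty IF does not list every
# interface and yield several addresses).
IP=$(ifconfig "$IF" | grep "inet addr" | awk -F":" '{print$2}' | awk '{print $1}' | head -n 1)

IPT="iptables"
# "any/0": with a /0 mask iptables ignores the host part, so this matches
# every address (same as 0.0.0.0/0).
NET="any/0"
# Trusted resolvers; outbound DNS is only permitted to these.
DNS="203.162.4.190 203.162.4.191"
# Services exposed on the public interface (single ports or ranges).
SERV_TCP="21 22 25 80 443 50000:60000"
SERV_UDP="53 123"
# Unprivileged port range used for client-side source ports.
HI_PORTS="1024:65535"
# Source ranges that must never arrive on the public interface:
# RFC 1918 blocks, multicast, reserved 240/5, link-local, TEST-NET-1.
NON_NET="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 169.254.0.0/16 192.0.2.0/24"
# ICMP types accepted: echo-reply(0) dest-unreachable(3) source-quench(4)
# echo-request(8) time-exceeded(11).
OK_ICMP="0 3 4 8 11"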
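#######################################
# Install the ruleset.  Order: default-deny policies, flush, loopback,
# invalid/spoofed/bogon drops, TCP flag sanity, then explicit ACCEPTs for
# ICMP, DNS, the UDP and TCP service lists, and a final logging catch-all.
# Globals (read): IPT IF IP NET DNS SERV_TCP SERV_UDP HI_PORTS NON_NET OK_ICMP
# Outputs:  iptables diagnostics on stderr
# Returns:  exits 1 before touching any rule when IF or IP is empty
#######################################
fw_start() {
  # Almost every rule below is bound to IF/IP.  With either empty the
  # iptables calls that take them fail while the rest succeed, leaving a
  # half-applied ruleset, so refuse to start and keep the current rules.
  if [ -z "$IF" ] || [ -z "$IP" ]; then
    echo "$0: cannot determine default interface/address (IF='$IF', IP='$IP'); rules left unchanged" >&2
    exit 1
  fi
  # Default-deny first, then flush, so the host is never open while the old
  # rules are being removed.
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP
  $IPT -F
  # Loopback carries local services; leave it unrestricted.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A FORWARD -i lo -j ACCEPT
  # Packets conntrack cannot tie to any connection: log (rate-limited), drop.
  $IPT -A INPUT -m state --state INVALID -m limit --limit 1/s -j LOG --log-prefix "INVALID_STATE: "
  $IPT -A INPUT -m state --state INVALID -j DROP
  # Our own address as the source on the public interface can only be spoofed.
  $IPT -A INPUT -i "$IF" -s "$IP" -d "$IP" -m limit --limit 1/s -j LOG --log-prefix "SPOOFING: "
  $IPT -A INPUT -i "$IF" -s "$IP" -d "$IP" -j DROP
  # Flag combinations no legitimate TCP stack sends (Xmas, null, SYN+FIN, ...).
  $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -s "$NET" -j DROP
  $IPT -A INPUT -p tcp --tcp-flags ALL ALL -s "$NET" -j DROP
  $IPT -A INPUT -p tcp --tcp-flags ALL NONE -s "$NET" -j DROP
  $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -s "$NET" -j DROP
  $IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -s "$NET" -j DROP
  $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -s "$NET" -j DROP
  $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -s "$NET" -j DROP
  # A NEW TCP connection must open with a SYN.
  $IPT -A INPUT -p tcp ! --syn -m state --state NEW -s "$NET" -j DROP
  # Private/reserved source ranges never belong on the public interface.
  # $NON_NET (and the other lists below) are word-split on purpose: POSIX sh
  # has no arrays.
  for entry in $NON_NET; do
    $IPT -A INPUT -i "$IF" -s "$entry" -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_NET: "
    $IPT -A INPUT -i "$IF" -s "$entry" -j DROP
  done
  # ICMP: only the listed types, 1/s each; inbound only as part of an
  # existing flow, outbound may start one.
  for item in $OK_ICMP; do
    $IPT -A INPUT -i "$IF" -s "$NET" -p icmp --icmp-type "$item" -m state --state ESTABLISHED \
      -m limit --limit 1/s --limit-burst 1 -j ACCEPT
    $IPT -A OUTPUT -o "$IF" -s "$IP" -p icmp --icmp-type "$item" -m state --state NEW,ESTABLISHED \
      -m limit --limit 1/s --limit-burst 1 -j ACCEPT
  done
  # DNS: queries only to the trusted resolvers, answers only from them.
  for entry in $DNS; do
    $IPT -A OUTPUT -o "$IF" -p udp -s "$IP" --sport "$HI_PORTS" -d "$entry" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$IF" -p udp -s "$entry" --sport 53 -d "$IP" --dport "$HI_PORTS" -m state --state ESTABLISHED -j ACCEPT
  done
  # UDP services: rate-limited port-to-port pair first.  Port 53 then gets the
  # same pair again without a limit (so the 2/s cap does not hold for DNS);
  # other ports accept NEW requests from high source ports instead.
  for port in $SERV_UDP; do
    $IPT -A INPUT -i "$IF" -p udp -s "$NET" --sport "$port" -d "$IP" --dport "$port" -m state --state NEW,ESTABLISHED \
      -m limit --limit 2/s --limit-burst 2 -j ACCEPT
    $IPT -A OUTPUT -o "$IF" -p udp -s "$IP" --sport "$port" -d "$NET" --dport "$port" -m state --state ESTABLISHED \
      -m limit --limit 2/s --limit-burst 2 -j ACCEPT
    if [ "$port" -eq 53 ]; then
      $IPT -A INPUT -i "$IF" -p udp -s "$NET" --sport "$port" -d "$IP" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
      $IPT -A OUTPUT -o "$IF" -p udp -s "$IP" --sport "$port" -d "$NET" --dport "$port" -m state --state ESTABLISHED -j ACCEPT
    else
      $IPT -A INPUT -i "$IF" -p udp -s "$NET" --sport "$HI_PORTS" -d "$IP" --dport "$port" -m state --state NEW -j ACCEPT
      $IPT -A OUTPUT -o "$IF" -p udp -s "$IP" --sport "$port" -d "$NET" --dport "$HI_PORTS" -m state --state ESTABLISHED -j ACCEPT
    fi
  done
  # TCP services.  (Previously written "$ SERV_TCP": the stray space made the
  # loop iterate over the literal words "$" and "SERV_TCP", so none of these
  # rules were ever installed.)
  for port in $SERV_TCP; do
    # NEW without SYN to a service port: log and drop.
    $IPT -A INPUT -p tcp ! --syn -s "$NET" --sport "$HI_PORTS" -d "$IP" --dport "$port" -m state --state NEW \
      -m limit --limit 1/s -j LOG --log-prefix "INVALID_SERVICE_REQUEST: "
    $IPT -A INPUT -p tcp ! --syn -s "$NET" --sport "$HI_PORTS" -d "$IP" --dport "$port" -m state --state NEW -j DROP
    # Alternative with a per-source connection cap (needs the connlimit match):
    #$IPT -A INPUT -i "$IF" -p tcp --syn -s "$NET" --sport "$HI_PORTS" -d "$IP" --dport "$port" -m limit --limit 3/s --limit-burst 5 \
    #  -m state --state NEW -m connlimit ! --connlimit-above 2 -j ACCEPT
    # New connections: SYN only, 3/s with a burst of 5.
    $IPT -A INPUT -i "$IF" -p tcp --syn -s "$NET" --sport "$HI_PORTS" -d "$IP" --dport "$port" -m limit --limit 3/s --limit-burst 5 \
      -m state --state NEW -j ACCEPT
    # Remainder of the conversation in both directions.
    $IPT -A OUTPUT -o "$IF" -p tcp ! --syn -s "$IP" --sport "$port" -d "$NET" --dport "$HI_PORTS" -m state --state ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$IF" -p tcp ! --syn -s "$NET" --sport "$HI_PORTS" -d "$IP" --dport "$port" -m state --state ESTABLISHED -j ACCEPT
  done
  # Catch-all: anything else to our address on the public interface is logged
  # (rate-limited) and dropped explicitly, giving a log line the DROP policy
  # alone would not.
  $IPT -A INPUT -i "$IF" -d "$IP" -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_INPUT: "
  $IPT -A INPUT -i "$IF" -d "$IP" -j DROP
  $IPT -A OUTPUT -o "$IF" -d "$IP" -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_OUTPUT: "
  $IPT -A OUTPUT -o "$IF" -d "$IP" -j DROP
  $IPT -A FORWARD -i "$IF" -d "$IP" -m limit --limit 1/s -j LOG --log-level 5 --log-prefix "BAD_FORWARD: "
  $IPT -A FORWARD -i "$IF" -d "$IP" -j DROP
}

#######################################
# Remove the firewall: open the policies, then flush the rules and delete
# user-defined chains.  Only the filter table is touched, which is all
# fw_start uses.
# Globals (read): IPT
#######################################
fw_stop() {
  # Policies go to ACCEPT first so nothing is dropped while the chains empty.
  $IPT -P INPUT ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -F
  $IPT -X
}

#######################################
# Print the active ruleset with packet counters.  -n makes iptables print
# addresses and ports numerically instead of resolving them, which is slow
# or hangs when the resolver is unreachable.
# Globals (read): IPT
#######################################
fw_status() {
  $IPT -L -v -n
}

case "$1" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    # Must call the functions: bare "stop"/"start" are not defined in this
    # script and would resolve to unrelated commands on PATH, if any.
    fw_stop
    fw_start
    ;;
  status)
    fw_status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac
exit 0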
ek ek, có cần chơi nguyên cái config dài ngoằng vậy không đại ca...