自己总结的一套 iptables 初始化规则（iptables-restore 格式，用 `iptables-restore < 文件` 加载），自认为比较合理，可以根据实际情况更改。

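# filter table, iptables-restore format. Load with `iptables-restore < file`
# (this replaces the whole filter table; use --noflush only if you know why).
#
# Layout convention: all chain declarations directly after *filter, then the
# rules of each chain in the order they are evaluated. The original interleaved
# chain declarations with rules, which hides the actual INPUT evaluation order.
#
# NOTE: IPv4 only. ip6tables is not touched by this file, so IPv6 traffic is
# unfiltered unless an equivalent ip6tables ruleset is loaded as well.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:LOGDROP_ILLEGAL_PACKET - [0:0]

# ---- LOGDROP_ILLEGAL_PACKET: rate-limited log, then drop ----
# --log-level 7 is kern.debug; many default syslog configurations do not persist
# that priority, so verify the "IPTFW-bad-flag" lines actually reach a log file.
-A LOGDROP_ILLEGAL_PACKET -m limit --limit 2/sec -j LOG --log-prefix "IPTFW-bad-flag " --log-level 7
-A LOGDROP_ILLEGAL_PACKET -j DROP

# ---- INPUT ----
# Loopback first. The source-address and TCP-flag checks below carry no
# interface match, so with the original ordering a locally generated packet
# (e.g. a process talking to a 192.168.x or 169.254.x address on this host)
# was dropped by the 192.168.0.0/16 and 169.254.0.0/16 rules before reaching
# the "-i lo" ACCEPT.
-A INPUT -i lo -j ACCEPT

# Illegal TCP flag combinations (nmap-style XMAS/NULL/SYN-FIN/SYN-RST probes and
# FIN without ACK). Evaluated before the conntrack ACCEPT on purpose, so they
# are dropped even when they match an existing flow.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOGDROP_ILLEGAL_PACKET
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGDROP_ILLEGAL_PACKET
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGDROP_ILLEGAL_PACKET
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP_ILLEGAL_PACKET
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGDROP_ILLEGAL_PACKET
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j LOGDROP_ILLEGAL_PACKET
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOGDROP_ILLEGAL_PACKET

# Private / link-local source addresses that should not arrive on eth0.
# The 192.168.0.0/16 line is intentionally disabled: it would sit ahead of the
# 192.168.11.0/24 ACCEPT below and cut off that trusted LAN. Enable it only
# if the trusted LAN is moved out of 192.168.0.0/16.
#-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j LOGDROP_ILLEGAL_PACKET
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j LOGDROP_ILLEGAL_PACKET
-A INPUT -s 169.254.0.0/255.255.0.0 -j LOGDROP_ILLEGAL_PACKET

# Replies and related packets for flows this host already knows about.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Trusted sources.
-A INPUT -s 192.168.11.0/24 -j ACCEPT
# VRRP (IP protocol 112) from any source. If only one interface carries VRRP,
# consider adding "-i <iface> -d 224.0.0.18" so advertisements are only taken
# from the VRRP group address on that segment.
-A INPUT -p vrrp -j ACCEPT
-A INPUT -s 210.14.144.220 -j ACCEPT

# Rest of 192.168.0.0/16 (anything not 192.168.11.0/24) and a bogus multicast
# source are dropped silently.
-A INPUT -s 192.168.0.0/255.255.0.0 -j DROP
-A INPUT -s 239.2.11.71 -j DROP

# Unsolicited UDP/53 from any source. Only needed if this host serves DNS;
# replies to its own queries are already covered by RELATED,ESTABLISHED.
# Remove this if the host is a DNS client only.
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

# ICMP: echo-request, echo-reply, time-exceeded and destination-unreachable,
# each rate-limited (limit-burst defaults to 5); every other ICMP type is
# dropped. ICMP errors tied to existing flows already matched RELATED above.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -m limit --limit 5/sec -j ACCEPT
-A INPUT -p icmp -j DROP

# Template for exposing a service port; copy and adjust the port.
#-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8900 -j ACCEPT

# Everything else on eth0 gets an explicit reject; packets on any other
# interface fall through to the INPUT DROP policy.
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited

# ---- OUTPUT (default DROP: this host may only initiate what is listed) ----
-A OUTPUT -d 192.168.11.0/24 -j ACCEPT
-A OUTPUT -p vrrp -j ACCEPT
-A OUTPUT -d 210.14.144.220 -j ACCEPT
-A OUTPUT -d 239.2.11.71 -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Outbound DNS over UDP only. Resolvers fall back to TCP/53 for truncated
# answers (RFC 7766); add a "-p tcp --dport 53" rule if name resolution to
# hosts outside the ACCEPT list above is required.
-A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 5/sec -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -m limit --limit 5/sec -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -m limit --limit 5/sec -j ACCEPT
-A OUTPUT -p icmp -j DROP
COMMIT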