iptables 脚本

#!/bin/sh

IPTABLES=/sbin/iptables

MODPROBE=/sbin/modprobe

INT_NET=192.168.0.0/24

###flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."

$IPTABLES -F

$IPTABLES -F -t nat

$IPTABLES -X

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP

###load connection-tracking modules

$MODPROBE ip_conntrack

$MODPROBE iptable_nat

$MODPROBE ip_conntrack_ftp

$MODPROBE ip_nat_ftp

###INPUT chain ###

echo "[+] Seting up INPUT chain..."

###state tracking rules

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options 

$IPTABLES -A INPUT -m state --state INVALID -j  DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

###anti-spoofing rules

$IPTABLES -A INPUT -i  eth0 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT"

$IPTABLES -A INPUT -i  eth0 -s ! $INT_NET -j DROP

###ACCEPT rules

$IPTABLES -A INPUT -i eth0 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i eth0 -p tcp -s $INT_NET --dport 50070 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i eth0 -p tcp -s $INT_NET --dport 50030 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i eth0 -s 192.168.0.101 -j ACCEPT

$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A INPUT -i lo -p tcp --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i eth0 -p tcp -s $INT_NET --dport 3306 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

###default INPUT LOG rule

$IPTABLES -A INPUT -i  ! lo -j LOG --log-prefix "DROP"  --log-ip-options --log-tcp-options

###OUTPUT chain###

echo "[+] Seting up OUTPUT chain..."

###state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options

$IPTABLES -A OUTPUT -m state --state INVALID -j  DROP

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

###ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -d 192.168.0.101  -j ACCEPT

$IPTABLES -A OUTPUT -o lo  -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request  -j ACCEPT

###default OUTPUT LOG rule

$IPTABLES -A OUTPUT -o  ! lo -j LOG --log-prefix "DROP"  --log-ip-options --log-tcp-options