iptables脚本模板

注意：以下只是部分总结，并没有进行验证，只做本人参考，后续将会验证之

#/bin/bash
#
#===============<<load modules>>===================
#
# 整理核心支持模块之清单
#/sbin/depmod -a
#
#modprobe the modules we need
#
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_recent ip_list_tot=1024 ip_pkt_list_tot=50
#/sbin/modprobe ipt_state
#/sbin/modprobe ip_nat_ftp
#
#===============<<set variable>>===================
#
#IPT=/sbin/iptables
#LOCAL_NETWORK=192.168.0.0/24
#SITES_DENY=domains

#WAN_IP=

#
#===============<<Set nat table>>==================
#
#$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NETWORK -j SNAT --to $WAN_IP
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 6002 -j DNAT --to 192.168.0.4:6002
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.0.4:25
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 110 -j DNAT --to 192.168.0.4:110
#
#==============<<Set Default Policy>>==============
#
#$IPT -t filter -P INPUT DROP
#$IPT -t filter -P FORWARD DROP
#$IPT -t filter -P OUTPUT DROP   #unusually set up
#
#==============<<Clear Original Rule>>=============
#
#$IPT -t filter -F
#$IPT -t filter -X
#$IPT -t nat -F
#$IPT -t nat -X
#
#=============<<Set INPUT Rule>>=======================
#
#be sure the firewall host can visit the wan.As there is no rules in output chain
#the fellow two rules will be ok.Of course in the condiction the default rule of output

#chain is accept
#
#$IPT -A INPUT  -m state --state INVALID -j DROP
#$IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

#open the manageable port to manage iptables through ssh

#$IPT -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
#
#=============<<Set FORWARD Rule>>===================================
#
#$IPT -A FORWARD -i eth0 -o eth1 -m state --state INVALID -j DROP
#$IPT -A FORWARD -i eth0 -o eht1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -i eht0 -o eht1 -p tcp -s $ACC_PC -d $MAIL_SRV --dport 25:110 -j ACCEPT

#
#$IPT -A FORWARD -i eht0 -o eht1 -p tcp --syn -m state --state NEW -s $ACC_PC -d $MAIL_SRV

#--dport 25,110 -j ACCEPT
#$IPT -A FORWARD -i eth0 -o eth1 -p all -s $ACC_PC -j DROP
#
#iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn -m state --state NEW -m multiport --dports 25,110,80,443 -j ACCEPT
#
#------------------------------------------------------------
#
#$IPT -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
#
#$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d $SITES_DENY -j DROP
#
#$IPT -A FORWARD -s 192.168.0.0/24 -m string --string "qq" -j DROP
#
#=============<<enable router>>====================================
#
#echo "1" > /proc/sys/net/ipv4/ip_forward
#
#enable syn泛洪攻击保护（syn cook flood）
#syn攻击利用tcp协议缺陷，发送大量伪造的tcp连接请求，使被攻击方资源耗尽，导致拒绝服务
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts