linux最安全防火墙

 

echo "Enabling IP Forwarding........"
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.netfilter.ip_conntrack_max=32768
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=300
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=8192
sysctl -w net.ipv4.tcp_synack_retries=2
sysctl -w net.ipv4.tcp_syn_retries=2
sysctl -w net.ipv4.icmp_echo_ignore_all=0
echo "Enabling iptables rules........"
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
iptables -F
iptables -X
iptables -F -t mangle
iptables -X -t mangle
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#PING
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j ACCEPT
iptables -A OUTPUT -p icmp -s 0/0 -d 0/0 -j ACCEPT
#SSH
iptables -A INPUT -p tcp -s 192.168.0.0/22 -d 192.168.0.252 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.252 -d 192.168.0.0/22  --sport 22 -m state --state ESTABLISHED,RELATED  -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 61.150.4.238 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s 61.150.4.238 -d 0/0 --sport 22  -m state --state ESTABLISHED,RELATED -j ACCEPT
#DNS
iptables -A OUTPUT -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 -d 0/0  --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
#FORWARD
iptables -A FORWARD -s 192.168.0.0/22 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.0.0/22  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -I FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#synfoold DDOS
iptables -N syn-flood
iptables -I INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -I syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -I syn-flood -j DROP
echo "Enabling lan to share ........"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/22 -j SNAT --to-source 61.150.4.238
#FTP
iptables -t nat -A PREROUTING -d 61.150.4.238 -p tcp --dport 7136 -j DNAT --to 192.168.0.222:7136
iptables -A FORWARD -p tcp -d 192.168.0.222 --dport 7136 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 61.150.4.238 -p tcp --dport 700 -j DNAT --to 192.168.0.92:21
iptables -A FORWARD -p tcp -d 192.168.0.92 --dport 21 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 61.150.4.238 -p tcp --dport 800 -j DNAT --to 192.168.0.90:21
iptables -A FORWARD -p tcp -d 192.168.0.90 --dport 21 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 61.150.4.238 -p tcp --dport 4899 -j DNAT --to 192.168.0.92:4899
iptables -A FORWARD -p tcp -d 192.168.0.92 --dport 4899 -j ACCEPT
iptables -t nat -A PREROUTING -d 61.150.4.238 -p tcp --dport 2008 -j DNAT --to 192.168.0.94:2008
iptables -A FORWARD -p tcp -d 192.168.0.94 --dport 2008 -j ACCEPT