iptables

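#!/bin/bash
############################### iptables ####################################
# Host firewall for a single IPv4 host.
#
# What it does, in order:
#   1. hardens a few /proc/sys/net/ipv4 knobs (syncookies, rp_filter, ...);
#   2. loads the conntrack/NAT helper modules;
#   3. resets the filter table to INPUT DROP / OUTPUT ACCEPT / FORWARD DROP
#      and admits: loopback, ESTABLISHED/RELATED traffic, everything from the
#      trusted LAN on eth1, a fixed list of ICMP types and a fixed list of
#      TCP ports on $DEV, and a rate-limited amount of IP fragments;
#   4. resets the NAT table to an open, empty state.
#
# Must run as root.  Only IPv4 (iptables) is touched: if the host has IPv6
# connectivity, ip6tables keeps whatever policy it already had.
#
# Usage: ./iptables.sh        (no arguments; DEV below names the public NIC)
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
export DEV="eth0"
# Deliberately no `set -e`: a failure half-way (e.g. a missing /proc knob or
# an old module name) must not leave INPUT at policy DROP with no ACCEPT
# rules.  Each step reports its own problems instead.
set -u

# Trusted LAN: anything arriving from this prefix on the internal interface
# is accepted.  rp_filter (set below) is what makes the source check worth
# something against spoofed addresses on the public side.
readonly LAN_NET="192.168.1.0/24"
readonly LAN_DEV="eth1"
# ICMP types (or type/code) admitted on $DEV.  Echo-request (type 8) is
# deliberately absent, so the host does not answer pings from outside.
readonly ICMP_TYPES=(0 3 3/4 4 11 12 14 16 18)
# TCP ports reachable on $DEV.  3306 (MySQL), 81 and 19191 are exposed here
# because the original rule set exposed them; review whether they really need
# to be reachable from beyond the LAN.
readonly TCP_PORTS=(19191 81 21 20 80 3306)
# Kernel modules required for FTP/IRC conntrack and NAT on the kernels this
# script was written for.  Newer kernels spell these nf_conntrack*/nf_nat*;
# a module that cannot be loaded only produces a warning (see below).
readonly MODULES=(ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
                  ip_conntrack_ftp ip_conntrack_irc)

die()  { printf 'iptables.sh: %s\n' "$*" >&2; exit 1; }
warn() { printf 'iptables.sh: warning: %s\n' "$*" >&2; }

# Refuse to start before touching anything: a half-applied rule set with
# INPUT policy DROP is worse than no change at all.
[[ $EUID -eq 0 ]] || die "must run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"

#######################################
# Write one value into one or more /proc/sys files, warning (not aborting)
# when a file is absent or not writable, e.g. on kernels without that knob.
# Arguments: $1 - value to write; $2.. - /proc/sys paths (globs expand here)
# Outputs:   warnings to stderr
#######################################
proc_write() {
  local value=$1 path
  shift
  for path in "$@"; do
    if [[ -w "$path" ]]; then
      printf '%s\n' "$value" > "$path"
    else
      warn "cannot write $path"
    fi
  done
}

# Core network hardening.
proc_write 1 /proc/sys/net/ipv4/tcp_syncookies
proc_write 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
proc_write 1 /proc/sys/net/ipv4/conf/*/rp_filter        # reverse-path check
proc_write 1 /proc/sys/net/ipv4/conf/*/log_martians     # log impossible sources
proc_write 0 /proc/sys/net/ipv4/conf/*/accept_redirects
proc_write 0 /proc/sys/net/ipv4/conf/*/send_redirects

# Load the conntrack/NAT helpers before adding rules that rely on them.
# modprobe is idempotent, so no lsmod pre-check is needed; its own error
# text is replaced by our warning so the script keeps going.
for mod in "${MODULES[@]}"; do
  modprobe "$mod" 2>/dev/null || warn "could not load module $mod"
done

# 1. Filter table: wipe and set default policies.  Everything not accepted
#    below is dropped on INPUT/FORWARD; OUTPUT stays open.  (Any rule added
#    before this point would be flushed here, which is why none are.)
iptables -F
iptables -X
iptables -Z
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
# ESTABLISHED,RELATED covers RELATED on its own, so one rule is enough.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Trusted LAN on the internal interface.
iptables -A INPUT -s "$LAN_NET" -i "$LAN_DEV" -j ACCEPT

# Drop new TCP connections that do not start with SYN.  This has to come
# before the per-port ACCEPT rules: otherwise a non-SYN packet aimed at an
# open port is accepted by the port rule and never reaches this check.
iptables -A INPUT   -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

for icmp_type in "${ICMP_TYPES[@]}"; do
  iptables -A INPUT -i "$DEV" -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

for port in "${TCP_PORTS[@]}"; do
  iptables -A INPUT -p tcp -i "$DEV" --dport "$port" -j ACCEPT
done
# No OUTPUT --sport rules: the OUTPUT policy is ACCEPT, so they would be
# redundant.

# Rate-limit IP fragments, 100/s with a burst of 100.  Note: when conntrack
# is loaded the kernel reassembles packets before the filter table sees
# them, so these rules may never match; kept for configurations where they do.
iptables -A INPUT   -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# Log (rate-limited) what the DROP policy is about to discard, so refused
# connections show up in the kernel log instead of vanishing silently.
# LOG is non-terminating: the packet still falls through to the DROP policy.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "iptables INPUT drop: "

# 2. NAT table: flush and open policies (this host does no NAT).
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

# MSS clamping for PPPoE-style links; enable if forwarding is ever used.
#  iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
#    --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu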

 
