LinuxSir.cn, the LinuxSir that spans time and space!
An iptables script (taken from knoppix.net, hope it is useful to everyone)

Posted 2003-12-28 16:39:18
#!/bin/sh

# Use ipreset to clearall
# This allows nmap localhost but not from any other machine

# Debug:
##tcpdump -i eth0 not port 22 # Everything but ssh

# Trace, exit at 1st err
set -x -e

# Flush 1st
iptables -F

# Deletes any tables that you've created, and leaves the
# default (input, output, forward, etc.)
iptables -X

# Allow loopback access. This rule must come before the rules denying
# port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
##iptables -A INPUT -i lo -j ACCEPT


#This allows all data that has been sent out for the computer running the
# firewall to come back (for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
# Allow outside ping
iptables -A INPUT -p icmp -j ACCEPT


#These lines add rules (-A) to the OUTPUT and INPUT tables
# that match state as well. However, this time it only matches
# packets that are related to packets that have already been
# passed, or packets that are a part of an already-established
# connection (-m state --state RELATED,ESTABLISHED) and allows
# them to be accepted (-j ACCEPT). Think of this as a
# combination of yahoo sending its web page to you and you
# asking for a second one.
#/* You would need to load at least the ip_conntrack, iptable_filter and
#ipt_state modules, and would probably want to load the ip_conntrack_ftp
#module too.
#These rules should block incoming traffic which isn't associated to a
#connection which you've initiated from your machine.
#*/

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state  RELATED,ESTABLISHED -j ACCEPT


# Allow ssh
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Well, crap - we got rid of 8 rules in favor of 1

#Allow incoming FTP requests - xxx uncomment
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT

## Allow Squid from local net
iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT

# Allow BitTorrent connections
# xxx 2003.1012 modified for only 3 ports (was 6881:6889)
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT

# Allow 1 VNC
iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT


#####
##### BLOCKING
#####

#Example: Block all ports, besides port 22 to allow sshd:
##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
###/sbin/iptables -A INPUT -p tcp --syn -j DROP

#Block all ports,besides port 22, and only allow predefined IP to access that
#port.
##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
##/sbin/iptables -A INPUT -p tcp --syn -j DROP

#/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
#allow connection to sshd from IP 192.168.1.100
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#allow httpd server to be accessed by world
#/sbin/iptables -A INPUT -p tcp --syn -j DROP
#block all ports (besides the limitations of above)


#More elaborate rules can be created that control access to specific subnets,
#or even specific nodes, within a LAN. You can also restrict certain dubious
#services such as trojans, worms, and other client/server viruses from
#contacting their server. For example, there are some trojans that scan
#networks for services on ports from 31337 to 31340 (called the elite ports
#in cracking lingo). Since there are no legitimate services that communicate
#via these non-standard ports, blocking it can effectively diminish the
#chances that potentially infected nodes on your network independently
#communicate with their remote master servers. Note that the following rule
#is only useful if your default OUTPUT policy is set to ACCEPT. If you set
#OUTPUT policy to DROP, then this rule is not needed.

#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
# Remember, dport can only be used with -ptcp or -pudp specific.
iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP

#FORWARD rules can be implemented to restrict certain types of traffic to the
#LAN only, such as local network file shares through NFS or Samba. The
#following rules reject outside connections to Samba shares:

iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP


# remote interface, claiming to be local machines, IP spoofing, get lost
# This turns out to be same as non-routable IPs
##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP
# New way:
# Block nonroutable IPs
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP

#"A" for append, "INPUT" to specify the state for the condition (coming,
#going, or forwarding), and "sport" for source port.

# Block common Windoze ports / specific ports
iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP
iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT  # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT  # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa
iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP


# Block incoming Blaster Worm traffic on ports 153 and 707
# Chgd eth0 to ppp0, added -p tcp and got it to work
iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP

# Block infected machines from spreading Blaster Worm on 153 and 707
##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP
##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP


# !! Consider dropping all traffic to port 25 (mail)
# Block ports 127, 137, 138 and 139 (Samba/windows) - blocked in FORWARD, above




# Fallthru

# Default rule
# Sets the default policy (-P) for INPUT packets to DROP. If a
# packet comes into your interface and doesn't match any other
# rules, the default policy takes effect and the packet is dropped.
iptables -P INPUT DROP


# Default rule
# Sets the default policy (-P) for FORWARD packets to DROP. If
# a packet needs to be routed from one interface to another
# (such as a firewall/router with two network cards) and
# doesn't match any other rules, the default policy takes
# effect and the packet is dropped.
iptables -P FORWARD DROP

# Final rule (stopgap)
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP

exit;



# References:
# http://nekohako.xware.cx/tech/adsl-2.4.html
# http://www.redhat.com/docs/manua ... ty-guide/ch-fw.html
# http://uug.byu.edu/pipermail/uug-list/2003-April/002060.html
# http://www.linuxchix.org/piperma ... -August/016116.html
# http://linuxwiki.de/FlorianWoegerer/Notizen
# http://www.linuxforum.com/forums ... st=0&#entry5637
# http://www.ltsp.org/contrib/vnc.html

## Orig ssh mess:
# Allow ssh
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 22 -j ACCEPT
# XXX added below
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --dport 22 -j ACCEPT
#(Orig
##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT

# Added more
##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT

# UNUSED:
#To take the restrictions a step further, block all outside connections that
#attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN
#uses the 192.168.1.0/24 range, a rule can set the Internet facing network
#device (for example, eth0) to drop any packets to that device with an
#address in your LAN IP range. Because it is recommended to reject forwarded
#packets as a default policy, any other spoofed IP address to the
#external-facing device (eth0) will be rejected automatically.
#
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
# xxx corrected
##iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i ppp0 -j DROP

# Block common Windoze ports / specific ports
# (this just doesn't work)
# I bet the reason is because -j DENY doesn't exist. Chg to DROP.
# Got it working
##iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DENY

# for transparent proxy
#> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
#> --to-port 3128
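Added example, not part of the posted script: a small Python simulation of iptables first-match evaluation over a constructed subset of the script's INPUT chain. It shows that the ssh and Squid ACCEPT rules are appended before the ppp0 anti-spoofing DROP rules, so a NEW packet arriving on ppp0 with a private source address is accepted before the anti-spoof rule is ever reached, and that moving those DROPs up (behind the loopback rule) closes that gap without affecting LAN clients on eth0. The rule list, the reorder helper and the sample packets are assumptions for illustration; stateful (ESTABLISHED,RELATED) rules are ignored.

```python
import ipaddress

# Constructed subset of the script's INPUT chain, in the order the script
# appends the rules (iptables evaluates top-down, first match wins).
# Rule fields: (input interface or None, source network or None,
#               TCP destination port or None, target)
RULES = [
    ("lo",   None,             None, "ACCEPT"),  # loopback, must come first
    (None,   None,             22,   "ACCEPT"),  # Allow ssh (no -i, no -s)
    (None,   "127.0.0.1/32",   3128, "ACCEPT"),  # Squid from localhost
    (None,   "10.0.0.0/8",     3128, "ACCEPT"),  # Squid from local net
    (None,   "0.0.0.0/0",      3128, "REJECT"),  # Squid from anywhere else
    ("ppp0", "10.0.0.0/8",     None, "DROP"),    # anti-spoof: private ranges on ppp0
    ("ppp0", "172.16.0.0/12",  None, "DROP"),
    ("ppp0", "192.168.0.0/16", None, "DROP"),
]
POLICY = "DROP"  # iptables -P INPUT DROP

def verdict(rules, iface, src, dport):
    """Return the target of the first matching rule for a NEW TCP packet,
    or the chain policy if nothing matches (stateful rules are ignored)."""
    src_ip = ipaddress.ip_address(src)
    for r_iface, r_net, r_port, target in rules:
        if r_iface is not None and r_iface != iface:
            continue
        if r_net is not None and src_ip not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != dport:
            continue
        return target
    return POLICY

def antispoof_first(rules):
    """Reordered chain: keep the loopback rule first, then the ppp0
    anti-spoofing DROPs, then the service rules in their original order."""
    spoof = [r for r in rules if r[0] == "ppp0" and r[3] == "DROP"]
    rest = [r for r in rules if r not in spoof]
    return [rest[0]] + spoof + rest[1:]

if __name__ == "__main__":
    for chain, name in ((RULES, "as posted"), (antispoof_first(RULES), "anti-spoof first")):
        # Constructed sample: a packet on the dial-up interface claiming a LAN source.
        print(name, "ppp0 10.1.2.3 -> :3128", verdict(chain, "ppp0", "10.1.2.3", 3128))
        print(name, "eth0 10.1.2.3 -> :3128", verdict(chain, "eth0", "10.1.2.3", 3128))
```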
Posted 2003-12-28 17:17:13
set -x -e

What does this mean?
Posted 2003-12-29 23:04:11
Could some expert give a review of this? I really can't see what is good about it.
Posted 2003-12-30 06:04:48
Well, I think at least one point is that it is fairly comprehensive. It has fairly detailed configuration for different interfaces, different policy chains, nat, and so on. I personally think it is a good reference script for an iptables configuration. I say reference because iptables configuration varies from person to person, and different machines are configured differently. So I would use this script as a reference and then write my own; that way you get a firewall configuration that suits your own needs and fits your own machine.
Posted 2003-12-30 11:30:28
I really hope that expert comes here and gives some pointers; that would help everyone understand IPTABLES.
Posted 2004-1-4 00:53:58
Same as pinksnoopy, bump.
set -x -e

What does this mean?
Posted 2004-1-10 01:21:04
set -e means exit right away when a command exits non-zero.
set -x means display the expanded command and its args.
Posted 2004-7-12 16:32:18

Does this redirect all packets on port 80 to port 3128?
Posted 2004-7-12 17:59:06

Re: Does this redirect all packets on port 80 to port 3128?

Originally posted by 未知数
Does this redirect all packets on port 80 to port 3128?


The last line and the ones in the middle are settings prepared in advance for enabling that; just remove the # and it works.


This seems to be a fairly complete setup; it covers the basic services! Very practical.
I did not notice anything particularly special.

Posted 2005-4-18 14:09:39
I am an ordinary user, not familiar with how the experts express things, and I would like to learn. May I ask: what should the file name of this script be? What permissions? Which directory should it go in?