 # fi  <br>
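#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
#modprobe ip_tables
depmod -a

#######################################
# iptables policy for a three-legged firewall (uplink / LAN / DMZ).
# Globals (read; expected to be assigned earlier in this script):
#   UPLINK, LAN_IF, DMZ_IF   - interface names
#   LAN_NET, DMZ_NET         - address prefixes behind LAN_IF / DMZ_IF
#   DENYPORTS, DENYUDPPORT   - whitespace-separated port lists dropped on UPLINK
#   SERVICES                 - whitespace-separated TCP ports accepted on UPLINK
# Outputs:  progress messages on stdout; rules are installed with iptables.
# Rule order is the policy: every rule is appended (-A), so the first match
# in each chain wins. Keep that in mind before reordering anything below.
#######################################

# Default-deny on every built-in chain, then flush all tables/counters and
# remove user chains so the rule set is rebuilt from a known state.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -F -t mangle
iptables -Z
iptables -X

# Fail closed: the interface/network variables are used on almost every rule
# below. An empty value would silently turn "-i ${UPLINK} -p tcp" into
# "-i -p tcp" and mis-install the policy. The default policies are already
# DROP at this point, so aborting is safer than a half-applied rule set.
: "${UPLINK:?UPLINK (external interface) must be set}"
: "${LAN_IF:?LAN_IF (LAN interface) must be set}"
: "${DMZ_IF:?DMZ_IF (DMZ interface) must be set}"
: "${LAN_NET:?LAN_NET (LAN prefix) must be set}"
: "${DMZ_NET:?DMZ_NET (DMZ prefix) must be set}"

# User chains: TCP scan-signature checks, per-protocol NEW-connection rate
# limiters, and a log-then-drop target.
iptables -N CHECK_FLAGS
iptables -F CHECK_FLAGS
iptables -N tcpHandler
iptables -F tcpHandler
iptables -N udpHandler
iptables -F udpHandler
iptables -N icmpHandler
iptables -F icmpHandler
iptables -N DROP-AND-LOG
iptables -F DROP-AND-LOG

echo "OK,the kernel is now prepared to use for building a firewall!!!"
echo "Waitting ........................"
echo "Creating a drop chain....."
# DROP-AND-LOG: unlimited LOG at level 5 (notice), then DROP. Unlike the
# CHECK_FLAGS logging below this one is not rate limited.
iptables -A DROP-AND-LOG -j LOG --log-level 5
iptables -A DROP-AND-LOG -j DROP
echo "     OK !!!!"
echo "Now starting the check_flag rules,please wait...."

# CHECK_FLAGS: log (5/minute) and drop TCP segments with flag combinations
# that never occur in legitimate traffic. Each pair is LOG then DROP.
# NOTE(review): nothing in this part of the script jumps to CHECK_FLAGS
# (no "-j CHECK_FLAGS"); confirm it is referenced elsewhere, otherwise the
# chain is populated but never consulted.
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

echo "  OK !!!! Finished check_flags rules...."


echo "Now starting the input rules,please wait......."

# Explicitly denied TCP ports on the uplink: log and drop new connections
# (state NEW and, separately, bare SYNs). These LOG rules are not rate
# limited, so a port sweep can fill the log.
# shellcheck disable=SC2086  # DENYPORTS is a whitespace-separated list
for x in ${DENYPORTS}; do
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW -j DROP
  iptables -A INPUT -i "${UPLINK}" -p tcp --syn --dport "${x}" -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"
  iptables -A INPUT -i "${UPLINK}" -p tcp --syn --dport "${x}" -j DROP
done

# Explicitly denied UDP ports on the uplink, same shape as above.
# shellcheck disable=SC2086  # DENYUDPPORT is a whitespace-separated list
for x in ${DENYUDPPORT}; do
  iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
  iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" -m state --state NEW -j DROP
  iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
  iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" -j DROP
done


#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

# Published TCP services on the uplink. The original also had a separate
# ESTABLISHED,RELATED rule per port; it was a strict subset of the
# NEW,ESTABLISHED,RELATED rule that followed it, so only the latter is kept.
# shellcheck disable=SC2086  # SERVICES is a whitespace-separated list
for x in ${SERVICES}; do
  iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

# Anti-spoofing: packets arriving on the uplink with a source address that
# cannot legitimately come from the internet.
#   - 172.16.0.0/12 replaces the original 172.12.0.0/16, which is public
#     address space and left the whole RFC 1918 172.16/12 block unfiltered.
#   - 240.0.0.0/4 replaces 240.0.0.0/5 so the entire reserved block
#     (240.0.0.0-255.255.255.255) is covered.
#   - 192.168.0.0/24 is kept as written; note it covers only one /24 of the
#     192.168.0.0/16 private range.
iptables -A INPUT -i "${UPLINK}" -s 192.168.0.0/24 -j DROP-AND-LOG
iptables -A INPUT -i "${UPLINK}" -s 10.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i "${UPLINK}" -s 172.16.0.0/12 -j DROP-AND-LOG
iptables -A INPUT -i "${UPLINK}" -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i "${UPLINK}" -s 240.0.0.0/4 -j DROP-AND-LOG


#iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies to connections the host initiated, on any interface.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
# A NEW connection that does not start with a bare SYN is not a real handshake.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# LAN and DMZ may open TCP connections to the firewall itself.
iptables -A INPUT -i "${LAN_IF}" -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "${DMZ_IF}" -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# SYN/ACK that was not matched as ESTABLISHED above is unsolicited.
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
# Traffic claiming a DMZ source but arriving on the LAN interface is spoofed.
iptables -A INPUT -p tcp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
iptables -A INPUT -p tcp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
iptables -A INPUT -p udp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j DROP
iptables -A INPUT -p icmp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"
iptables -A INPUT -p icmp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j DROP
# Everything else from the uplink to the firewall itself: log, then reject
# or drop by protocol. None of these LOG rules are rate limited.
iptables -A INPUT -p tcp -i "${UPLINK}" --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp -i "${UPLINK}" --syn -j DROP
iptables -A INPUT -p icmp -i "${UPLINK}" -j LOG --log-prefix "INVAILD ICMP IN:"
iptables -A INPUT -p icmp -i "${UPLINK}" -j REJECT --reject-with icmp-net-unreachable
iptables -A INPUT -p udp -i "${UPLINK}" -j LOG --log-prefix "INVAILD UDP IN:"
iptables -A INPUT -i "${UPLINK}" -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i "${UPLINK}" -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
iptables -A INPUT -i "${UPLINK}" -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i "${UPLINK}" -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
iptables -A INPUT -i "${UPLINK}" -m state --state NEW,INVALID -j DROP
# Non-first fragments (-f) addressed to the firewall on any interface.
iptables -A INPUT -i "${UPLINK}" -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
iptables -A INPUT -i "${UPLINK}" -f -j DROP
iptables -A INPUT -i "${LAN_IF}" -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"
iptables -A INPUT -i "${LAN_IF}" -f -j DROP
iptables -A INPUT -i "${DMZ_IF}" -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"
iptables -A INPUT -i "${DMZ_IF}" -f -j DROP
iptables -A INPUT -i "${UPLINK}" -j DROP
echo "  OK !!!! The input rules has been successful applied ,continure......"

echo " Now starting FORWARD rules ,please wait ....."

# NOTE(review): the next three ACCEPTs, plus the "--syn" and "echo-request"
# ACCEPTs further down, match on any interface pair and come before the
# interface-specific rules and the tcpHandler/udpHandler/icmpHandler limits.
# As written they admit the first 1/s of fragments, ICMP and TCP SYNs from
# the uplink toward LAN/DMZ rather than only rate limiting them; if the aim
# is pure rate limiting, the fail-closed form is to DROP the traffic that
# exceeds the limit rather than ACCEPT the traffic under it. Confirm intent
# before changing, since later rules rely on this order.
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Same bogus-flag signatures as CHECK_FLAGS, dropped without logging.
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN and DMZ may initiate connections to the internet.
iptables -A FORWARD -i "${LAN_IF}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "${DMZ_IF}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# New connections from the uplink: log at 5/minute, then hand to the
# per-protocol handler. The handler RETURNs while under its own limit
# (so the rules below decide), and logs + drops once the limit is exceeded.
iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -j icmpHandler
iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP
iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP
iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP

# Uplink -> LAN/DMZ only for replies; LAN/DMZ -> uplink unconditionally.
iptables -A FORWARD -i "${UPLINK}" -o "${LAN_IF}" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "${UPLINK}" -o "${DMZ_IF}" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "${LAN_IF}" -o "${UPLINK}" -j ACCEPT
iptables -A FORWARD -i "${DMZ_IF}" -o "${UPLINK}" -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# DMZ -> LAN by interface pair: log, then reject/drop by protocol.
iptables -A FORWARD -o "${LAN_IF}" -i "${DMZ_IF}" -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
iptables -A FORWARD -o "${LAN_IF}" -i "${DMZ_IF}" -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -o "${LAN_IF}" -i "${DMZ_IF}" -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
iptables -A FORWARD -o "${LAN_IF}" -i "${DMZ_IF}" -p udp -j DROP
iptables -A FORWARD -o "${LAN_IF}" -i "${DMZ_IF}" -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
iptables -A FORWARD -o "${LAN_IF}" -i "${DMZ_IF}" -p icmp -j DROP
# LAN -> DMZ is open (ICMP rate limited); DMZ -> LAN only as a reply.
iptables -A FORWARD -p icmp -s "${LAN_NET}" -d "${DMZ_NET}" -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -s "${LAN_NET}" -d "${DMZ_NET}" -i "${LAN_IF}" -j ACCEPT
# NOTE(review): this accepts every non-SYN TCP segment from DMZ_NET to
# LAN_NET regardless of conntrack state. Genuine replies were already
# accepted by the ESTABLISHED,RELATED rule above, so what this adds is
# stray ACK/RST/FIN segments that belong to no tracked connection; confirm
# that is intended.
iptables -A FORWARD -p tcp -d "${LAN_NET}" -s "${DMZ_NET}" -i "${DMZ_IF}" ! --syn -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -s "${DMZ_NET}" -d "${LAN_NET}" -m limit --limit 1/s --limit-burst 10 -j ACCEPT


# Anything else DMZ -> LAN by address: log and drop (not rate limited).
iptables -A FORWARD -p tcp -s "${DMZ_NET}" -d "${LAN_NET}" -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
iptables -A FORWARD -p tcp -s "${DMZ_NET}" -d "${LAN_NET}" -j DROP
iptables -A FORWARD -p udp -s "${DMZ_NET}" -d "${LAN_NET}" -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
iptables -A FORWARD -p udp -s "${DMZ_NET}" -d "${LAN_NET}" -j DROP
iptables -A FORWARD -p icmp -s "${DMZ_NET}" -d "${LAN_NET}" -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
iptables -A FORWARD -p icmp -s "${DMZ_NET}" -d "${LAN_NET}" -j DROP
# Final catch-all; explicit in addition to the DROP policy.
iptables -A FORWARD -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -j DROP

echo "   OK !!!! The forward rules has been successful applied,conniture......"
echo " Now applying output rules,please wait ...."
# Locally generated traffic: replies anywhere; new connections from the LAN
# and DMZ prefixes toward the uplink, and from LAN toward the DMZ interface.
# NOTE(review): these match on -s LAN_NET/DMZ_NET for packets the firewall
# itself emits, so they only fire if the firewall holds an address in those
# prefixes (or NAT is applied before OUTPUT filtering) — confirm against the
# earlier, unseen part of this script.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s "${LAN_NET}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s "${DMZ_NET}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s "${LAN_NET}" -o "${DMZ_IF}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Locally generated DMZ-sourced traffic toward the LAN interface is invalid.
iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p udp -j DROP
iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"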
