-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT

# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------

# SSH server (22)
# ---------------

# Incoming connections arrive from unprivileged client ports. The matching
# output rule carries "! -y", so only non-SYN packets may leave from port 22:
# replies to established sessions, never a connection this host opens itself
# from port 22.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 22 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# SSH clients using rhosts-style authentication connect from the privileged
# range $SSH_PORTS (defined with the other variables) instead of an
# unprivileged port.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $SSH_PORTS \
         -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 22 \
         -d $ANYWHERE $SSH_PORTS -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)
# -----------------

# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
# REJECT answers with an ICMP destination-unreachable, so remote SMTP and
# IRC servers that do an ident lookup give up at once instead of waiting
# for a timeout before they serve us. DENY would drop the packet silently.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE \
         -d $IPADDR 113 -j REJECT

# ------------------------------------------------------------------

# SYSLOG server (514)
# -------------------

# Provides full remote logging. Using this feature you are able to
# collect all syslog messages on one host.
# Syslog over UDP is neither authenticated nor encrypted: the $SYSLOG_CLIENT
# source restriction is the only control, and a UDP source address is
# trivially spoofed. Use it on a trusted internal network only.

# ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
#          -s $SYSLOG_CLIENT \
#          -d $IPADDR 514 -j ACCEPT

# SYSLOG client (514)
# -------------------

# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#          -s $IPADDR 514 \
#          -d $SYSLOG_SERVER 514 -j ACCEPT

# ------------------------------------------------------------------

# SMTP server (25)
# ----------------

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 25 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 25 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# SMTP client (25)
# ----------------

# Here the roles are reversed: this host opens the connection, so the input
# rule only accepts non-SYN replies from port 25.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 25 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE 25 -j ACCEPT

# ------------------------------------------------------------------

# IMAP server (143)
# -----------------

# IMAP on 143 and POP on 110 carry passwords in clear text unless the
# daemon negotiates TLS; open them only if the mail service really needs it.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 143 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 143 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# POP server (110)
# ----------------

# ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
#          -s $ANYWHERE $UNPRIVPORTS \
#          -d $IPADDR 110 -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
#          -s $IPADDR 110 \
#          -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# OUTGOING TRACEROUTE
# -------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $TRACEROUTE_SRC_PORTS \
         -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

# Rules are matched in order, so these catch whatever the ACCEPT rules above
# did not. "-l" logs every match through the kernel log ("Packet log:" lines
# in syslog's kern facility), which is where port scans and probes show up.

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -d $IPADDR -j DENY -l

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $PRIVPORTS -j DENY -l

ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $UNPRIVPORTS -j DENY -l

# ICMP type 5 (redirect) and types 13 and above are never wanted here.

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 5 -d $IPADDR -j DENY -l

ipchains -A input  -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

;;
stop)
echo -n "Shutting Firewalling Services: "

# Remove all existing rules belonging to this filter
ipchains -F

# Delete all user-defined chains belonging to this filter
ipchains -X

# Reset the default policy of the filter to accept.
# Note: after "stop" the host is completely unfiltered until "start" is run
# again; there is no fail-closed state.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

;;
status)
# "status" from the functions library looks for a running process named
# firewall. There is none, so use "ipchains -L -n" to see the loaded rules.
status firewall
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac

exit 0
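The "-j DENY -l" and "-j REJECT" rules at the end of the start branch are only useful if somebody reads what they log. The following is an added example, not code from the script or its authors: a small POSIX sh/awk tool that summarises the kernel "Packet log:" lines those rules produce and flags sources that probe several ports. The sample lines are constructed in the 2.2-kernel ipchains log format (syslog prefix, then chain, target, interface, PROTO=n, src:port, dst:port; for ICMP the two port fields carry type and code) and use documentation address ranges, not a real capture.

```shell
#!/bin/sh
# Summarise ipchains "-l" kernel log lines and flag multi-port probes.
# Added example; not part of the original firewall script.

# Constructed sample in the format a 2.2 kernel's ipchains logging produces
# (klogd/syslogd prefix included). Addresses are RFC 5737 documentation
# ranges, not real hosts. For PROTO=1 (ICMP) the "port" fields are type:code.
SAMPLE_LOG='Aug  4 12:00:01 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:40123 198.51.100.10:23 L=60 S=0x00 I=41234 F=0x4000 T=51 SYN (#12)
Aug  4 12:00:02 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:40124 198.51.100.10:139 L=60 S=0x00 I=41235 F=0x4000 T=51 SYN (#12)
Aug  4 12:00:03 deep kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1027 198.51.100.10:111 L=56 S=0x00 I=9 F=0x0000 T=60 (#13)
Aug  4 12:00:04 deep kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:5 198.51.100.10:0 L=56 S=0x00 I=7 F=0x0000 T=254 (#15)
Aug  4 12:00:05 deep kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.44:1025 198.51.100.10:113 L=60 S=0x00 I=300 F=0x4000 T=64 SYN (#8)
Aug  4 12:00:06 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:40125 198.51.100.10:23 L=60 S=0x00 I=41236 F=0x4000 T=51 SYN (#12)'

# Print "count target proto dport" (or "count target icmp type N"),
# most frequent first. Reads log lines on stdin.
summarise_denied() {
  awk '
    /Packet log: / {
      # strip the syslog prefix; fields become:
      # chain target iface PROTO=n src:port dst:port ...
      sub(/.*Packet log: /, "")
      target = $2
      proto = $4; sub(/^PROTO=/, "", proto)
      split($5, s, ":"); split($6, d, ":")
      if (proto == "1") key = target " icmp type " s[2]
      else               key = target " " proto " " d[2]
      n[key]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Count for one target/proto/dport, e.g. "denied_count DENY 6 23".
# Prints 0 when nothing matched. Reads log lines on stdin.
denied_count() {
  summarise_denied | awk -v key="$1 $2 $3" '
    ($2 " " $3 " " $4) == key { print $1; found = 1 }
    END { if (!found) print 0 }'
}

# Sources whose DENIED TCP/UDP packets hit at least $1 distinct destination
# ports: a cheap port-scan indicator. REJECTed ident probes and ICMP are
# ignored. Prints "src nports", sorted. Reads log lines on stdin.
scan_suspects() {
  awk -v min="$1" '
    /Packet log: / {
      sub(/.*Packet log: /, "")
      if ($2 != "DENY" || $4 == "PROTO=1") next
      split($5, s, ":"); split($6, d, ":")
      if (!seen[s[1], d[2]]++) ports[s[1]]++
    }
    END { for (src in ports) if (ports[src] >= min) print src, ports[src] }' | sort
}

# Demo on the constructed sample; on a real host feed it /var/log/messages.
printf '%s\n' "$SAMPLE_LOG" | summarise_denied
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 2
```

On a live system, replace the sample with something like grep 'Packet log:' /var/log/messages piped into the functions. The distinct-port count is deliberately coarse: it reports scanners without tuning, and a threshold of two or three ports is enough to surface them above ordinary stray traffic.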

Now make the script executable and restrict its permissions so that only root can read or run it:

[root@deep] /# chmod 700 /etc/rc.d/init.d/firewall
[root@deep] /# chown 0.0 /etc/rc.d/init.d/firewall

Create the symbolic rc.d links for your firewall with the commands:

[root@deep] /# chkconfig --add firewall
[root@deep] /# chkconfig --level 345 firewall on

The script's chkconfig header ("# chkconfig: - 60 95") lists no default runlevels, so the second command is what actually enables it in runlevels 3, 4 and 5. Your firewall rules are now managed by System V init (the process that starts all the normal services at boot time) and will be started automatically each time your server reboots.

To manually stop the firewall on your system, use the following command:

[root@deep] /# /etc/rc.d/init.d/firewall stop

Shutting Firewalling Services: [ OK ]

Remember that "stop" flushes every rule and resets all three policies to ACCEPT, so the host is unfiltered until the firewall is started again.

To manually start the firewall on your system, use the following command:

[root@deep] /# /etc/rc.d/init.d/firewall start

Starting Firewalling Services: [ OK ]
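The prose for each script lists the services it is supposed to expose, but the rule file is what the kernel actually loads. Before enabling either script it is worth checking the two things that go wrong most often: an ACCEPT rule left uncommented that the prose does not mention, and a placeholder from the "EDIT THESE" block never replaced (ipchains cannot resolve "my.ip.address", so every rule referencing $IPADDR fails to load and the chain silently ends up different from what was intended). The following added example, not part of the original page, does that audit with POSIX sh and awk. It assumes the rule file follows the conventions used on this page: backslash line continuations, "-A input" rules, and a fixed port written as "-d $IPADDR <port>". The rule excerpt it runs on is constructed for the demo.

```shell
#!/bin/sh
# Static audit of an ipchains init script: which (proto, port) pairs does the
# input chain ACCEPT for new connections, and are any "EDIT THESE" placeholder
# values still unreplaced. Added example; not part of the original page.

# Constructed excerpt written in the style of the page's scripts (backslash
# continuations, a commented-out POP rule, a REJECTed auth port, a reply-only
# "! -y" rule, an unreplaced IPADDR). Sample input only, not a real rule file.
SAMPLE_RULES='IPADDR="my.ip.address"
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 22 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE \
         -d $IPADDR 113 -j REJECT
# ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp \
#          -s $ANYWHERE $UNPRIVPORTS \
#          -d $IPADDR 110 -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
         -s $SYSLOG_CLIENT \
         -d $IPADDR 514 -j ACCEPT
ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE 25 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT'

# Join backslash-continued lines so each ipchains command is one record.
join_continuations() {
  awk '
    { if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next }
      print buf $0; buf = "" }
    END { if (buf != "") print buf }'
}

# Print "proto port" for every uncommented input-chain ACCEPT rule whose
# destination is a fixed port on $IPADDR. Rules carrying "! -y" are skipped:
# they pass only replies to connections this host opened, not listening
# services. Reads the script on stdin.
list_exposed_ports() {
  join_continuations | awk '
    /^[ \t]*#/ { next }
    /-A input/ && /-j ACCEPT/ && !/! -y/ {
      proto = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "-d" && $(i + 1) == "$IPADDR") port = $(i + 2)
      }
      if (port ~ /^[0-9]+$/) print proto, port
    }' | sort -u
}

# Count variable assignments that still hold a placeholder string from the
# "EDIT THESE TO SUIT YOUR SYSTEM AND ISP" block. Reads the script on stdin.
count_placeholders() {
  awk '/^[ \t]*[A-Z_0-9]+="(my\.|sys\.int\.|syslog\.internal\.)/ { n++ }
       END { print n + 0 }'
}

# Demo on the constructed excerpt; on a real host use:
#   list_exposed_ports < /etc/rc.d/init.d/firewall
printf '%s\n' "$SAMPLE_RULES" | list_exposed_ports
printf '%s\n' "$SAMPLE_RULES" | count_placeholders
```

For the excerpt above the audit reports tcp 22 and udp 514 (the REJECT rule, the commented POP rule and the reply-only SMTP client rule are correctly left out) and one unreplaced placeholder. Run the same two functions against the real file and compare the port list with the service list in the prose before running "chkconfig --level 345 firewall on".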
Web Server script

This is the configuration script for our Web Server. By default it allows unrestricted traffic on the loopback interface, plus ICMP, DNS caching server and client (53), SSH server (22), HTTP server (80), HTTPS server (443), SMTP client (25), FTP server (20, 21) and outgoing traceroute requests.

If you do not want some of the services that this Web Server rule file enables by default, comment them out with a "#" at the beginning of the line. If you want a service that is commented out with a "#", remove the "#" at the beginning of those lines.

Create the firewall script file (touch /etc/rc.d/init.d/firewall) on your Web Server and add:

#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 04-25-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
#              used to provide Firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up. (Quoted so the test does not break when the
# variable is unset.)
if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# Every "my.*" value below is a placeholder; ipchains cannot resolve them,
# and a rule that references an unresolvable name is simply not loaded.

EXTERNAL_INTERFACE="eth0"                 # Internet connected interface
LOOPBACK_INTERFACE="lo"                   # Your local naming convention
IPADDR="my.ip.address"                    # Your IP address
ANYWHERE="any/0"                          # Match any IP address
NAMESERVER_1="my.name.server.1"           # Everyone must have at least one
NAMESERVER_2="my.name.server.2"           # Your secondary name server
MY_ISP="my.isp.address.range/24"          # ISP NOC address range

SMTP_SERVER="my.smtp.server"              # Your Mail Hub Server.
SYSLOG_SERVER="syslog.internal.server"    # Your syslog internal server
SYSLOG_CLIENT="sys.int.client.range/24"   # Your syslog internal client range

LOOPBACK="127.0.0.0/8"                    # Reserved loopback address range
CLASS_A="10.0.0.0/8"                      # Class A private networks
CLASS_B="172.16.0.0/12"                   # Class B private networks
CLASS_C="192.168.0.0/16"                  # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"           # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"        # Class E reserved addresses
BROADCAST_SRC="0.0.0.0"                   # Broadcast source address
BROADCAST_DEST="255.255.255.255"          # Broadcast destination address
PRIVPORTS="0:1023"                        # Well known, privileged port range
UNPRIVPORTS="1024:65535"                  # Unprivileged port range