📄 firewall_rules.htm

📁 这是我对防火墙技术的一些见解
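#!/bin/sh
# firewall.rules — iptables ruleset for a small host / NAT gateway firewall.
# (Originally saved from http://killyridols.net/firewall.rules.html)
#
# the initial setup for this firewall was setup by levy.pl
# check it out to create a skeleton for your firewall
#
# Layout:
#   * INPUT policy is DROP.  Services are accepted explicitly; everything
#     else is handed to STATEFUL, which admits replies to existing
#     connections and new connections from any interface other than the
#     external one, and sends the remainder to DUMP.
#   * DUMP logs (rate-limited) and then rejects TCP/UDP, drops the rest.
#   * FORWARD policy is DROP; LAN-originated traffic, replies, and the
#     DNAT'd service are allowed through explicitly.
#
# Must run as root.  Applying a broken ruleset to a remote machine can lock
# you out; test from a console or arrange a delayed fallback flush first.

set -eu

IPT=/sbin/iptables

# External (untrusted) interface.  Every other interface is treated as
# trusted by the STATEFUL and FORWARD rules below.
EXT_IF=eth0

# Internal LAN masqueraded behind EXT_IF.
LAN_NET=10.10.0.0/24

# TCP services reachable from the outside on EXT_IF:
#   4 = sfs, 21 = ftp, 22 = ssh, 80 = www, 443 = https, 5000 = vtun,
#   8000 = "some program that runs on port 8000..."
TCP_PORTS="4 21 22 80 443 5000 8000"

# UDP services reachable from the outside.  The original ruleset also
# accepted udp/21, udp/22, udp/80 and udp/443; those protocols are TCP-only
# here (udp/443 only matters if an HTTP/3 server is running), so they stay
# closed to keep the exposed surface to what actually listens.
UDP_PORTS="5000 8000"

# Source ranges that must never arrive on the external interface:
# "this" network, RFC 1918, CGNAT (RFC 6598), loopback, link-local,
# IETF protocol assignments, documentation and benchmark ranges,
# multicast and class E.  The original list also carried a number of
# then-unallocated /8 blocks (1/8, 2/8, 5/8, 7/8, 23/8, ...); IANA has since
# allocated those, so they are dropped here.  A fuller bogon list should
# come from a maintained feed rather than being hard-coded.
BOGONS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 203.0.113.0/24 224.0.0.0/3"

# Port forwarding example (using NAT): firewall:1234 --> internalcomputer:80
DNAT_EXT_PORT=1234
DNAT_HOST=10.10.0.2
DNAT_PORT=80

# route packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# chain policies
# Set fail-closed defaults *before* flushing, so the host is never open
# while the rules below are being rebuilt.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# The original used FORWARD ACCEPT, which let anything that could route to
# the LAN pass through the box; forwarding is now explicit (see FORWARD
# rules at the end).
$IPT -P FORWARD DROP

# flush tables
# -F with no chain empties every chain in the filter table (including the
# user chains); -X then removes the emptied user chains.
$IPT -F
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# create DUMP chain
# -N fails (on stderr, hence 2>) if the chain survived the -X above because
# something still referenced it; the following -F makes that harmless.
$IPT -N DUMP 2>/dev/null || true
$IPT -F DUMP
# Unlimited LOG lets a scan or flood fill the logs (and the disk); cap it.
$IPT -A DUMP -p tcp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "fw-dump: "
$IPT -A DUMP -p udp -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix "fw-dump: "
$IPT -A DUMP -p tcp -j REJECT --reject-with tcp-reset
$IPT -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
$IPT -A DUMP -j DROP

# Stateful chain
$IPT -N STATEFUL 2>/dev/null || true
$IPT -F STATEFUL
$IPT -A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections from any interface other than EXT_IF (LAN, tunnels) are
# trusted.  "! -i" is the current negation syntax; the older "-i ! eth0"
# form is deprecated.
$IPT -A STATEFUL -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
# Anything else (including INVALID) is logged and rejected.
$IPT -A STATEFUL -j DUMP

# loopback rules
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# To allow anything coming from tunnels such as vtun access
#$IPT -A INPUT -i tun0 -j ACCEPT
#$IPT -A OUTPUT -o tun0 -j ACCEPT
#$IPT -A INPUT -i tun1 -j ACCEPT
#$IPT -A OUTPUT -o tun1 -j ACCEPT

# drop reserved / spoofed source addresses arriving on the external interface
for net in $BOGONS; do
  $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DUMP
done

# allow certain inbound ICMP types (ping, traceroute..)
# echo-request is accepted without a rate limit; add -m limit if ping
# floods are a concern.
for icmp_type in destination-unreachable time-exceeded echo-reply echo-request; do
  $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type "$icmp_type" -j ACCEPT
done

# kill off identd quick
$IPT -A INPUT -p tcp -i "$EXT_IF" --dport 113 -j REJECT --reject-with tcp-reset

# public services (see TCP_PORTS / UDP_PORTS above)
# NOTE: FTP data connections are only matched as RELATED when the FTP
# conntrack helper is loaded (nf_conntrack_ftp / ip_conntrack_ftp);
# this script does not load it.
for port in $TCP_PORTS; do
  $IPT -A INPUT -p tcp -i "$EXT_IF" --dport "$port" -j ACCEPT
done
for port in $UDP_PORTS; do
  $IPT -A INPUT -p udp -i "$EXT_IF" --dport "$port" -j ACCEPT
done

# Example of opening up port 666 for a local subnet
$IPT -A INPUT -p tcp -i "$EXT_IF" -s 170.76.50.0/24 --dport 666 -j ACCEPT

# sample rule to block all outgoing smtp traffic
#$IPT -A OUTPUT -p tcp -o "$EXT_IF" --dport 25 -j REJECT --reject-with tcp-reset

# Don't log route packets coming from routers - too much logging
# (REJECT here, ahead of STATEFUL, answers without passing through DUMP's LOG)
$IPT -A INPUT -p udp -i "$EXT_IF" --dport 520 -j REJECT

# Don't log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i "$EXT_IF" --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i "$EXT_IF" --dport 137:139 -j REJECT

# The next rules set up 'ip masquerading' and port forwarding.  They
# aren't needed if you're not a firewall for a local LAN.

# Set up NAT for internal network
$IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE

# Port Forwarding example (using NAT) firewall:1234 --> internalcomputer:80
$IPT -t nat -A PREROUTING -p tcp --dport "$DNAT_EXT_PORT" \
  -j DNAT --to-destination "$DNAT_HOST:$DNAT_PORT"

# FORWARD: with the policy at DROP, allow replies, anything that originates
# on a non-external interface, and new connections to the DNAT'd service.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD ! -i "$EXT_IF" -j ACCEPT
$IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$DNAT_HOST" --dport "$DNAT_PORT" \
  -m state --state NEW -j ACCEPT

# push everything else to state table
$IPT -A INPUT -j STATEFUL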
