拒绝sql蠕虫,骚扰....

sorry ..搞错了...

[ Last edited by iamok on 2003-5-7 at 12:03 AM ]

最好详细点.

1. 
   
2. 
   
3. #!/bin/sh
   
4. #
   
5. # Generated iptables firewall script for the Linux 2.4 kernel
   
6. # Script generated by Easy Firewall Generator for IPTables
   
7. # copyright 2002 Timothy Scott Morizot
   
8. #
   
9. # Redhat chkconfig comments - firewall applied early,
   
10. #                             removed late
    
11. # chkconfig: 2345 08 92
    
12. # description: This script applies or removes iptables firewall rules
    
13. #
    
14. # This generator is primarily designed for RedHat installations,
    
15. # although it should be adaptable for others.
    
16. #
    
17. # It can be executed with the typical start and stop arguments.
    
18. # If used with stop, it will stop after flushing the firewall.
    
19. # The save and restore arguments will save or restore the rules
    
20. # from the /etc/sysconfig/iptables file.
    
21. 
    
22. # Redhat installation instructions
    
23. #
    
24. # 1. Ensure that ipchains will not automatically start.
    
25. #    chkconfig --level 0123456 ipchains off
    
26. #    This will make sure that the ipchains init.d script
    
27. #    is not linked to an S file in any of the rc directories.
    
28. #
    
29. # 2. Stop ipchains if it's running.
    
30. #    service ipchains stop
    
31. #
    
32. # 3. Execute lsmod to see if the ipchains kernel module is still loaded.
    
33. #    If it is, use rmmod to unload it. -- rmmod ipchains
    
34. #
    
35. # 4. Have the system link the iptables init.d startup script into run states
    
36. #    2, 3, and 5.
    
37. #    chkconfig --level 235 iptables on
    
38. #
    
39. # 5. Save this script and execute it to load the ruleset from this file.
    
40. #    You may need to run the dos2unix command on it to remove carraige returns.
    
41. #
    
42. # 6. Save the ruleset to /etc/sysconfig/iptables.  This can be done two ways.
    
43. #    service iptables save
    
44. #    iptables-save > /etc/sysconfig/iptables
    
45. #
    
46. # 7. The ruleset will be restored by the /etc/init.d/iptables script on boot.
    
47. #
    
48. # 8. Alternatively, save the /etc/init.d/iptables script and copy this script
    
49. #    to /etc/init.d/iptables.  It accepts stop, start, save, and restore
    
50. #    arguments.
    
51. #
    
52. # NOTE: The /etc/init.d/iptables script can be modified to run this script
    
53. # instead.  If you do so, save a copy so you can reapply your modifications
    
54. # after upgrading the iptables package.  The advantage of using this script for
    
55. # the ongoing operation of the firewall is it gives you greater control over
    
56. # the modules and rulesets used.  The above is simpler, however.
    
57. 
    
58. ###############################################################################
    
59. #
    
60. # Local Settings
    
61. #
    
62. 
    
63. # sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
    
64. # If this is set to the empty string (or is unset), the use of sysctl
    
65. # is disabled.
    
66. 
    
67. SYSCTL="/sbin/sysctl -w"
    
68. 
    
69. # To echo the value directly to the /proc file instead
    
70. # SYSCTL=""
    
71. 
    
72. # IPTables Location - adjust if needed
    
73. 
    
74. IPT="/sbin/iptables"
    
75. IPTS="/sbin/iptables-save"
    
76. IPTR="/sbin/iptables-restore"
    
77. 
    
78. # Internet Interface
    
79. INET_IFACE="eth0"
    
80. #INET_ADDRESS="192.168.2.150"
    
81. 
    
82. # Localhost Interface
    
83. 
    
84. LO_IFACE="lo"
    
85. LO_IP="127.0.0.1"
    
86. 
    
87. 
    
88. 
    
89. ###############################################################################
    
90. #
    
91. # Load Modules
    
92. #
    
93. 
    
94. echo "Loading kernel modules ..."
    
95. 
    
96. # You should uncomment the line below and run it the first time just to
    
97. # ensure all kernel module dependencies are OK.  There is no need to run
    
98. # every time, however.
    
99. 
    
100. # /sbin/depmod -a
     
101. 
     
102. # Unless you have kernel module auto-loading disabled, you should not
     
103. # need to manually load each of these modules.  Other than ip_tables,
     
104. # ip_conntrack, and some of the optional modules, I've left these
     
105. # commented by default.  Uncomment if you have any problems or if
     
106. # you have disabled module autoload.  Note that some modules must
     
107. # be loaded by another kernel module.
     
108. 
     
109. # core netfilter module
     
110. /sbin/modprobe ip_tables
     
111. 
     
112. # the stateful connection tracking module
     
113. /sbin/modprobe ip_conntrack
     
114. 
     
115. # filter table module
     
116. /sbin/modprobe iptable_filter
     
117. 
     
118. # mangle table module
     
119. # /sbin/modprobe iptable_mangle
     
120. 
     
121. # nat table module
     
122. # /sbin/modprobe iptable_nat
     
123. 
     
124. # LOG target module
     
125. /sbin/modprobe ipt_LOG
     
126. 
     
127. # This is used to limit the number of packets per sec/min/hr
     
128. /sbin/modprobe ipt_limit
     
129. 
     
130. # masquerade target module
     
131. # /sbin/modprobe ipt_MASQUERADE
     
132. 
     
133. # filter using owner as part of the match
     
134. # /sbin/modprobe ipt_owner
     
135. 
     
136. # REJECT target drops the packet and returns an ICMP response.
     
137. # The response is configurable.  By default, connection refused.
     
138. # /sbin/modprobe ipt_REJECT
     
139. 
     
140. # This target allows packets to be marked in the mangle table
     
141. # /sbin/modprobe ipt_mark
     
142. 
     
143. # This target affects the TCP MSS
     
144. # /sbin/modprobe ipt_tcpmss
     
145. 
     
146. # This match allows multiple ports instead of a single port or range
     
147. # /sbin/modprobe multiport
     
148. 
     
149. # This match checks against the TCP flags
     
150. /sbin/modprobe ipt_state
     
151. 
     
152. # This match catches packets with invalid flags
     
153. /sbin/modprobe ipt_unclean
     
154. 
     
155. # The ftp nat module is required for non-PASV ftp support
     
156. #/sbin/modprobe ip_nat_ftp
     
157. 
     
158. # the module for full ftp connection tracking
     
159. #/sbin/modprobe ip_conntrack_ftp
     
160. 
     
161. # the module for full irc connection tracking
     
162. #/sbin/modprobe ip_conntrack_irc
     
163. 
     
164. 
     
165. ###############################################################################
     
166. #
     
167. # Kernel Parameter Configuration
     
168. #
     
169. 
     
170. # Required to enable IPv4 forwarding.
     
171. # Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
     
172. #if [ "$SYSCTL" = "" ]
     
173. #then
     
174. #    echo "1" > /proc/sys/net/ipv4/ip_forward
     
175. #else
     
176. #    $SYSCTL net.ipv4.ip_forward="1"
     
177. #fi
     
178. 
     
179. # This enables dynamic address hacking.
     
180. # This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
     
181. if [ "$SYSCTL" = "" ]
     
182. then
     
183.     echo "1" > /proc/sys/net/ipv4/ip_dynaddr
     
184. else
     
185.     $SYSCTL net.ipv4.ip_dynaddr="1"
     
186. fi
     
187. 
     
188. # This enables source validation by reversed path according to RFC1812.
     
189. # In other words, did the response packet originate from the same interface
     
190. # through which the source packet was sent?  It's recommended for single-homed
     
191. # systems and routers on stub networks.  Since those are the configurations
     
192. # this firewall is designed to support, I turn it on by default.
     
193. # Turn it off if you use multiple NICs connected to the same network.
     
194. if [ "$SYSCTL" = "" ]
     
195. then
     
196.     echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
     
197. else
     
198.     $SYSCTL net.ipv4.conf.all.rp_filter="1"
     
199. fi
     
200. 
     
201. # This option allows a subnet to be firewalled with a single IP address.
     
202. # It's used to build a DMZ.  Since that's not a focus of this firewall
     
203. # script, it's not enabled by default, but is included for reference.
     
204. # See: [url]http://www.sjdjweis.com/linux/proxyarp/[/url]
     
205. #if [ "$SYSCTL" = "" ]
     
206. #then
     
207. #    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
     
208. #else
     
209. #    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
     
210. #fi
     
211. 
     
212. 
     
213. ###############################################################################
     
214. #
     
215. # Flush Any Existing Rules or Chains
     
216. #
     
217. 
     
218. echo "Flushing Tables ..."
     
219. 
     
220. # Reset Default Policies
     
221. $IPT -P INPUT ACCEPT
     
222. $IPT -P FORWARD ACCEPT
     
223. $IPT -P OUTPUT ACCEPT
     
224. $IPT -t nat -P PREROUTING ACCEPT
     
225. $IPT -t nat -P POSTROUTING ACCEPT
     
226. $IPT -t nat -P OUTPUT ACCEPT
     
227. $IPT -t mangle -P PREROUTING ACCEPT
     
228. $IPT -t mangle -P OUTPUT ACCEPT
     
229. 
     
230. # Flush all rules
     
231. $IPT -F
     
232. $IPT -t nat -F
     
233. $IPT -t mangle -F
     
234. 
     
235. # Erase all non-default chains
     
236. $IPT -X
     
237. $IPT -t nat -X
     
238. $IPT -t mangle -X
     
239. 
     
240. ###############################################################################
     
241. #
     
242. # Rules Configuration
     
243. #
     
244. 
     
245. ###############################################################################
     
246. #
     
247. # Filter Table
     
248. #
     
249. ###############################################################################
     
250. 
     
251. # Set Policies
     
252. 
     
253. $IPT -P INPUT DROP
     
254. $IPT -P OUTPUT DROP
     
255. $IPT -P FORWARD DROP
     
256. 
     
257. ###############################################################################
     
258. #
     
259. # User-Specified Chains
     
260. #
     
261. # Create user chains to reduce the number of rules each packet
     
262. # must traverse.
     
263. 
     
264. echo "Create and populate custom rule chains ..."
     
265. 
     
266. # Create a chain to filter INVALID packets
     
267. 
     
268. $IPT -N bad_packets
     
269. 
     
270. # Create another chain to filter bad tcp packets
     
271. 
     
272. $IPT -N bad_tcp_packets
     
273. 
     
274. # Create separate chains for icmp, tcp (incoming and outgoing),
     
275. # and incoming udp packets.
     
276. 
     
277. $IPT -N icmp_packets
     
278. 
     
279. # Used for UDP packets inbound from the Internet
     
280. $IPT -N udp_inbound
     
281. 
     
282. # Used to block outbound UDP services from internal network
     
283. # Default to allow all
     
284. $IPT -N udp_outbound
     
285. 
     
286. # Used to allow inbound services if desired
     
287. # Default fail except for established sessions
     
288. $IPT -N tcp_inbound
     
289. 
     
290. # Used to block outbound services from internal network
     
291. # Default to allow all
     
292. $IPT -N tcp_outbound
     
293. 
     
294. ###############################################################################
     
295. #
     
296. # Populate User Chains
     
297. #
     
298. 
     
299. # bad_packets chain
     
300. #
     
301. # Drop INVALID packets immediately
     
302. 
     
303. $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
     
304.     --log-prefix "Invalid packet:"
     
305. $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
     
306. 
     
307. # Then check the tcp packets for additional problems
     
308. $IPT -A bad_packets -p tcp -j bad_tcp_packets
     
309. 
     
310. # All good, so return
     
311. $IPT -A bad_packets -p ALL -j RETURN
     
312. 
     
313. # bad_tcp_packets chain
     
314. #
     
315. # All tcp packets will traverse this chain.
     
316. # Every new connection attempt should begin with
     
317. # a syn packet.  If it doesn't, it is likely a
     
318. # port scan.  This drops packets in state
     
319. # NEW that are not flagged as syn packets.
     
320. 
     
321. 
     
322. $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
     
323.     --log-prefix "New not syn:"
     
324. $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
     
325. 
     
326. # All good, so return
     
327. $IPT -A bad_tcp_packets -p tcp -j RETURN
     
328. 
     
329. # icmp_packets chain
     
330. #
     
331. # This chain is for inbound (from the Internet) icmp packets only.
     
332. # Type 8 (Echo Request) is not accepted by default
     
333. # Enable it if you want remote hosts to be able to reach you.
     
334. # 11 (Time Exceeded) is the only one accepted
     
335. # that would not already be covered by the established
     
336. # connection rule.  Applied to INPUT on the external interface.
     
337. #
     
338. # See: [url]http://www.ee.siue.edu/~rwalden/networking/icmp.html[/url]
     
339. # for more info on ICMP types.
     
340. #
     
341. # Note that the stateful settings allow replies to ICMP packets.
     
342. # These rules allow new packets of the specified types.
     
343. 
     
344. # Echo - uncomment to allow your system to be pinged.
     
345. # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
     
346. 
     
347. # Time Exceeded
     
348. #$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
     
349. 
     
350. # Not matched, so return so it will be logged
     
351. #$IPT -A icmp_packets -p ICMP -j RETURN
     
352. 
     
353. # TCP & UDP
     
354. # Identify ports at:
     
355. #    [url]http://www.chebucto.ns.ca/~rakerman/port-table.html[/url]
     
356. #    [url]http://www.iana.org/assignments/port-numbers[/url]
     
357. 
     
358. # udp_inbound chain
     
359. #
     
360. # This chain describes the inbound UDP packets it will accept.
     
361. # It's applied to INPUT on the external or Internet interface.
     
362. # Note that the stateful settings allow replies.
     
363. # These rules are for new requests.
     
364. # It drops netbios packets (windows) immediately without logging.
     
365. 
     
366. # Drop netbios calls
     
367. # Please note that these rules do not really change the way the firewall
     
368. # treats netbios connections.  Connections from the localhost and
     
369. # internal interface (if one exists) are accepted by default.
     
370. # Responses from the Internet to requests initiated by or through
     
371. # the firewall are also accepted by default.  To get here, the
     
372. # packets would have to be part of a new request received by the
     
373. # Internet interface.  You would have to manually add rules to
     
374. # accept these.  I added these rules because some network connections,
     
375. # such as those via cable modems, tend to be filled with noise from
     
376. # unprotected Windows machines.  These rules drop those packets
     
377. # quickly and without logging them.  This prevents them from traversing
     
378. # the whole chain and keeps the log from getting cluttered with
     
379. # chatter from Windows systems.
     
380. #$IPT -A udp_inbound -p UDP -s 192.168.2.0/24 --destination-port 137 -j ACCEPT
     
381. #$IPT -A udp_inbound -p UDP -s 192.168.2.0/24 --destination-port 138 -j ACCEPT
     
382. 
     
383. 
     
384. # Not matched, so return for logging
     
385. #$IPT -A udp_inbound -p UDP -j RETURN
     
386. 
     
387. # udp_outbound chain
     
388. #
     
389. # This chain is used with a private network to prevent forwarding for
     
390. # UDP requests on specific protocols.  Applied to the FORWARD rule from
     
391. # the internal network.  Ends with an ACCEPT
     
392. 
     
393. 
     
394. # No match, so ACCEPT
     
395. #$IPT -A udp_outbound -p UDP -d 0/0 -j ACCEPT
     
396. 
     
397. # tcp_inbound chain
     
398. #
     
399. # This chain is used to allow inbound connections to the
     
400. # system/gateway.  Use with care.  It defaults to none.
     
401. # It's applied on INPUT from the external or Internet interface.
     
402. 
     
403. # Web Server
     
404. 
     
405. # HTTP
     
406. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
     
407. 
     
408. # HTTPS (Secure Web Server)
     
409. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
     
410. 
     
411. # FTP Server (Control)
     
412. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
     
413. 
     
414. # FTP Client (Data Port for non-PASV transfers)
     
415. $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
     
416. 
     
417. # Passive FTP
     
418. #
     
419. # With passive FTP, the server provides a port to the client
     
420. # and allows the client to initiate the connection rather
     
421. # than initiating the connection with the client from the data port.
     
422. # Web browsers and clients operating behind a firewall generally
     
423. # use passive ftp transfers.  A general purpose FTP server
     
424. # will need to support them.
     
425. #
     
426. # However, by default an FTP server will select a port from the entire
     
427. # range of high ports.  It is not particularly safe to open all
     
428. # high ports.  Fortunately, that range can be restricted.  This
     
429. # firewall presumes that the range has been restricted to a specific
     
430. # selected range.  That range must also be configured in the ftp server.
     
431. #
     
432. # Instructions for specifying the port range for the wu-ftpd server
     
433. # can be found here:
     
434. # [url]http://www.wu-ftpd.org/man/ftpaccess.html[/url]
     
435. # (See the passive ports option.)
     
436. #
     
437. # Instructions for the ProFTPD server can be found here:
     
438. # [url]http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html[/url]
     
439. 
     
440. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 58000:64000 -j ACCEPT
     
441. 
     
442. # sshd
     
443. $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
     
444. 
     
445. 
     
446. 
     
447. 
     
448. # mysql
     
449. #$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 3306 -j ACCEPT
     
450. 
     
451. 
     
452. #netbios
     
453. #$IPT -A tcp_inbound -p TCP -s 192.168.2.0/24 --destination-port 139 -j ACCEPT
     
454. 
     
455. 
     
456. # Not matched, so return so it will be logged
     
457. $IPT -A tcp_inbound -p TCP -j RETURN
     
458. 
     
459. # tcp_outbound chain
     
460. #
     
461. # This chain is used with a private network to prevent forwarding for
     
462. # requests on specific protocols.  Applied to the FORWARD rule from
     
463. # the internal network.  Ends with an ACCEPT
     
464. 
     
465. 
     
466. # No match, so ACCEPT
     
467. #$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
     
468. 
     
469. ###############################################################################
     
470. #
     
471. # INPUT Chain
     
472. #
     
473. 
     
474. echo "Process INPUT chain ..."
     
475. 
     
476. # Allow all on localhost interface
     
477. $IPT -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
     
478. $IPT -A INPUT -p ALL -s 192.168.0.0/16 -j DROP
     
479. $IPT -A INPUT -p ALL -s 10.0.0.0/8 -j DROP
     
480. $IPT -A INPUT -p ALL -s 172.16.0.0/12 -j DROP
     
481. $IPT -A INPUT -p ALL -s 127.0.0.0/8 -j DROP
     
482. 
     
483. # Drop bad packets
     
484. $IPT -A INPUT -p ALL -j bad_packets
     
485. 
     
486. # DOCSIS compliant cable modems
     
487. # Some DOCSIS compliant cable modems send IGMP multicasts to find
     
488. # connected PCs.  The multicast packets have the destination address
     
489. # 224.0.0.1.  You can accept them.  If you choose to do so,
     
490. # Uncomment the rule to ACCEPT them and comment the rule to DROP
     
491. # them  The firewall will drop them here by default to avoid
     
492. # cluttering the log.  The firewall will drop all multicasts
     
493. # to the entire subnet (224.0.0.1) by default.  To only affect
     
494. # IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
     
495. # if they aren't accepted elsewhere, it will only ensure that
     
496. # multicasts on other protocols are logged.
     
497. # Drop them without logging.
     
498. 
     
499. # The rule to accept the packets.
     
500. # $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
     
501. 
     
502. 
     
503. # Inbound Internet Packet Rules
     
504. 
     
505. # Accept Established Connections
     
506. $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     
507.      -j ACCEPT
     
508. 
     
509. # Route the rest to the appropriate user chain
     
510. $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
     
511. $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
     
512. #$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
     
513. 
     
514. # Drop without logging broadcasts that get this far.
     
515. # Cuts down on log clutter.
     
516. # Comment this line if testing new rules that impact
     
517. # broadcast protocols.
     
518. #$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
     
519. 
     
520. # Log packets that still don't match
     
521. $IPT -A INPUT -m limit --limit 1/second --limit-burst 1 -j LOG \
     
522.      --log-prefix "INPUT packet died: "
     
523. $IPT -A INPUT -m limit --limit 1/second --limit-burst 1 -j DROP
     
524. ###############################################################################
     
525. #
     
526. # FORWARD Chain
     
527. #
     
528. 
     
529. echo "Process FORWARD chain ..."
     
530. 
     
531. # Used if forwarding for a private network
     
532. 
     
533. 
     
534. ###############################################################################
     
535. #
     
536. # OUTPUT Chain
     
537. #
     
538. 
     
539. echo "Process OUTPUT chain ..."
     
540. 
     
541. # Generally trust the firewall on output
     
542. 
     
543. # However, invalid icmp packets need to be dropped
     
544. # to prevent a possible exploit.
     
545. $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
     
546. 
     
547. # Localhost
     
548. #$IPT -A OUTPUT -p ALL -o $LO_IFACE -s 127.0.0.1 -j ACCEPT
     
549. 
     
550. # To internet
     
551. #$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
     
552. $IPT -A OUTPUT -p ALL -j ACCEPT
     
553. # Log packets that still don't match
     
554. #$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
     
555. #     --log-prefix "OUTPUT packet died: "
     
556. 
     
557. 
     
558. 
     
559. 
     

复制代码

更多资讯查看bbs.be10.net与www.google.com

[ Last edited by iamok on 2003-5-7 at 12:04 AM ]