?Linux????IPTables?????
???????????? ???????[ 2014/5/7 11:31:52 ] ????????Linux ????? ???
????????????????iptables?е????е????
????iptables -F
???????????????????????????????
????iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #NONE ??(???б??bit?????????)????????????????
????iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #???sync-flood ????
????iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #ALL???????е???bit???????????????????????????
????????sync-flood?? ?????wikipedia ??????
??????????? ?????????????????
??????????????y??????localhost???κ???????????????????????????
????iptables -A INPUT -i lo -j ACCEPT
????????????????????????????
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #HTTPS
iptables -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP
iptables -A INPUT -p tcp --dport 465 -j ACCEPT #Secure SMTP
iptables -A INPUT -p tcp --dport 110 -j ACCEPT #POP3
iptables -A INPUT -p tcp --dport 995 -j ACCEPT #Secure POP3
iptables -A INPUT -p tcp --dport 143 -j ACCEPT #IMAP
iptables -A INPUT -p tcp --dport 993 -j ACCEPT #Secure IMAP
???????????? ???????????
????????????????д??????????????????????????????????????????????VPS?????yum update ?? ?????????????update???????
????iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
???????????????????????κν???????????????????д?Server??????????
????iptables -P OUTPUT ACCEPT
????iptables -P INPUT DROP
????????????????????
??????????? ????????
?????????????????????????????????????????
????iptables -L -n
???????????????????????????
????service iptables save
?????????????????????????д?? /etc/sysconfig/iptables???????????????????????
?????????
????service iptables restart
???????????iptables????????????????????Ч??
????????????
?????????????????????????iptables??????????????????е?iptables????????д?????????????У????????????????????浽iptable??????????С?
?????????????????iptables??? ~/script/firewall.sh
</pre>
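#!/bin/bash
# A simple iptables firewall configuration
#
# Rebuilds the IPv4 filter table from scratch on every run:
#   - flushes all rules, user-defined chains and counters,
#   - accepts loopback traffic and replies to connections started from this host,
#   - drops malformed TCP segments (no flags / all flags) and NEW non-SYN segments,
#   - opens SSH (22) and HTTP (80); the other service ports stay commented out,
#   - accepts a fixed list of ICMP types, leaving echo-request (type 8) closed,
#   - sets OUTPUT policy ACCEPT and INPUT policy DROP,
#   - saves the result with "/etc/init.d/iptables save".
#
# The FORWARD chain and its policy are not touched by this script.
# Requires root. Runs with "set -eu" so that a failing rule aborts the script
# BEFORE the INPUT DROP policy is applied; continuing past a failed ACCEPT
# rule and then switching to DROP could lock out the very session (e.g. SSH)
# the script is run from.
set -eu
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH

#flush/erase original rules
iptables -F  # delete every rule in the built-in chains
iptables -X  # delete every user-defined chain/table
iptables -Z  # zero the packet and byte counters of all chains

#Accept localhost connecting, no matter what it is
iptables -A INPUT -i lo -j ACCEPT

#Accept any response package which is initiated from inside
# The state list must be comma-separated with no whitespace or non-ASCII
# punctuation between the names: iptables rejects anything else, the rule is
# then never loaded, and the DROP policy below would silently block all reply
# traffic (including the SSH session running this script).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#block most common network attacks(recon packets and syn-flood attack)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP   # NULL scan: no flag bits set
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP  # NEW connection must start with SYN
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP    # XMAS scan: every flag bit set

#open ports for different services
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #HTTP
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT #HTTPS
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP
#iptables -A INPUT -p tcp --dport 465 -j ACCEPT #Secure SMTP
#iptables -A INPUT -p tcp --dport 110 -j ACCEPT #POP3
#iptables -A INPUT -p tcp --dport 995 -j ACCEPT #Secure POP

#ICMP configuration
#To prevent ICMP DDOS, we do not allow ICMP type 8(echo-request) or limit this request with 1/second
#some ICMP requests are allowed.
# Kept as an array so the list is iterated without relying on word-splitting.
icmp_types=(0 3 4 11 12 14 16 18)
for ticmp in "${icmp_types[@]}"; do
  iptables -A INPUT -p icmp --icmp-type "$ticmp" -j ACCEPT
done
#iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

#default policies
# Applied last, once every ACCEPT rule above is in place.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

#save to /etc/sysconfig/iptables
/etc/init.d/iptables save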
???????????????????????????????
??????
???·???
??????????????????