#!/bin/sh
#####
##name:iptables_firewall
#####
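# iptables needs CAP_NET_ADMIN. Run as non-root, every rule below would fail and the
# previous ruleset would silently stay in place, so refuse early instead.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "error: this script must be run as root" >&2
  exit 1
fi

### Reset ###
# Policies are switched to ACCEPT *before* flushing so an SSH session survives the
# rebuild; the restrictive policies are applied last, once the accept rules exist.
# Between here and the final -P lines the host is briefly open: keep this window
# short and do not add blocking or interactive commands in between.
iptables -F
iptables -X
iptables -Z
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F

### Security policy ###
### Drop TCP packets carrying flag combinations used by port scanners (nmap FIN/Xmas/Null)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP # NMAP FIN/URG/PSH
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Another Xmas Tree
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Null Scan(possibly)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN/RST
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # SYN/FIN -- Scan(possibly)

### SYN flood mitigation: rate-limit new TCP connections
# The chain name was previously misspelled "synfoold"; it is internal to this script
# and recreated on every run (the -X above removes any old user chain), so renaming is safe.
iptables -N synflood
# A burst of up to 4 SYNs, then 1/s, is RETURNed to INPUT for normal processing;
# anything above the limit is answered with a TCP RST instead of being queued.
iptables -A synflood -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood

### Ping of Death / ping flood mitigation
iptables -N bad-ping
iptables -A bad-ping -p icmp --icmp-type echo-request -m limit --limit 1/s -j RETURN
iptables -A bad-ping -p icmp -j REJECT
# -I places this at the top of INPUT so it is evaluated before the generic ICMP accept below.
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j bad-ping

### Inbound traffic to this host ###
iptables -A INPUT -i lo -j ACCEPT
# Return packets of connections this host initiated (including answers to its own
# DNS queries) are recognised by conntrack. Without this rule the INPUT DROP policy
# below would discard the replies of every outbound TCP/UDP session.
# This replaces the former "-p udp --sport 53 -j ACCEPT" rule, which accepted *any*
# UDP datagram whose source port happened to be 53, whether or not we had sent a query.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT ### inbound ssh
# NOTE(review): 21 (FTP), 3306 (MySQL) and 10001 are reachable from every source
# address here; confirm each is meant to be public, otherwise restrict with
# "-s <trusted-network-placeholder>" or drop it from the list.
iptables -A INPUT -p tcp -m multiport --destination-port 53,80,21,22,3306,10001 -j ACCEPT

### Default policies (applied last, after the accept rules are in place) ###
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

# Print the resulting ruleset for the operator to review.
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t filter -vnL

# Persist across reboots via the RHEL/CentOS-style "iptables" init service; other
# distributions use iptables-save / netfilter-persistent instead.
service iptables save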