The rules below are the iptables rules already in use. They mainly restrict access to the game server's connections and ports. Because internet cafe users had to be taken into account, some of the values may be set rather high; attacks are far more intense than the traffic of normal internet cafe users, and the rules still defend against attacks quite well.
If anyone has better rules, please share them, so we can build a more harmonious kind of security :)
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MYNET - [0:0]
:SYNLIMIT - [0:0]
:RSTLIMIT - [0:0]
:PINGLIMIT - [0:0]
# Rate-limit chains. A "-m limit ... -j ACCEPT" rule caps nothing: packets over
# the rate are not dropped, they fall through to the next rule, and without
# --dport the rule accepts in-rate SYNs to every port. Here the excess is dropped.
# SYNLIMIT / PINGLIMIT: in-rate packets RETURN and still have to pass the port rules below.
-A SYNLIMIT -m limit --limit 15/s --limit-burst 30 -j RETURN
-A SYNLIMIT -j DROP
-A PINGLIMIT -m limit --limit 1/s -j RETURN
-A PINGLIMIT -j DROP
# RSTLIMIT: stray RSTs are accepted at a limited rate (the stack ignores them); the rest are dropped.
-A RSTLIMIT -m limit --limit 15/s --limit-burst 30 -j ACCEPT
-A RSTLIMIT -j DROP
-A INPUT -j MYNET
-A FORWARD -j MYNET
-A MYNET -i lo -j ACCEPT
-A MYNET -s 192.168.0.0/16 -j ACCEPT
# Only echo-request is rate-limited; every other ICMP type is accepted. (An
# "--icmp-type any" accept placed first would make the echo-request rule unreachable.)
-A MYNET -p icmp --icmp-type echo-request -j PINGLIMIT
-A MYNET -p icmp -j ACCEPT
# At most 50 concurrent connections per source IP to each game port.
-A MYNET -p tcp --dport 30101 -m connlimit --connlimit-above 50 -j REJECT
-A MYNET -p tcp --dport 30102 -m connlimit --connlimit-above 50 -j REJECT
# --syn is the same match as --tcp-flags SYN,RST,ACK SYN, so one SYN rule is enough.
-A MYNET -p tcp --syn -j SYNLIMIT
-A MYNET -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MYNET -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j RSTLIMIT
-A MYNET -m state --state NEW -m tcp -p tcp --dport 8989 -j ACCEPT
-A MYNET -m state --state NEW -m tcp -p tcp --dport 30101 -j ACCEPT
-A MYNET -m state --state NEW -m tcp -p tcp --dport 30102 -j ACCEPT
-A MYNET -p udp --dport 161 -j ACCEPT
-A MYNET -p tcp --dport 191 -j ACCEPT
-A MYNET -j REJECT --reject-with icmp-host-prohibited
COMMIT
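As an added example (not part of the post), a small Python lint over an iptables-save dump that flags the two mistakes to look for in a ruleset of this shape: a `-m limit` rule that jumps to ACCEPT, so the excess is never dropped and, without `--dport`, in-rate packets reach any port; and an accept-all-ICMP rule that shadows every later ICMP-type rule in the same chain. The embedded rules are a constructed excerpt in the style of the post's MYNET chain, written to contain both defects; the function names are mine.

```python
import shlex

# Constructed excerpt in the style of the post's MYNET chain; the lint runs over this text.
POST_RULES = """\
-A MYNET -p icmp --icmp-type any -j ACCEPT
-A MYNET -p tcp --syn -m limit --limit 15/s --limit-burst 30 -j ACCEPT
-A MYNET -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 15/s --limit-burst 30 -j ACCEPT
-A MYNET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A MYNET -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MYNET -m state --state NEW -m tcp -p tcp --dport 30101 -j ACCEPT
-A MYNET -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rules(dump):
    """(chain, argv) for every '-A' line; '#' comments and ':CHAIN' headers are skipped."""
    rules = [shlex.split(line) for line in dump.splitlines() if line.startswith("-A ")]
    return [(r[1], r[2:]) for r in rules]

def value_of(toks, flag):
    """Argument following `flag` (first occurrence), or None if the flag is absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None

def lint(dump):
    """Return [(chain, rule_no, message)] for the two anti-patterns."""
    findings, icmp_catch_all = [], {}
    for n, (chain, toks) in enumerate(parse_rules(dump), 1):
        target = value_of(toks, "-j")
        loads_limit = any(a == "-m" and b == "limit" for a, b in zip(toks, toks[1:]))
        # 1. '-m limit ... -j ACCEPT' caps nothing: packets over the rate are not
        #    dropped, they fall through to later rules. Without --dport the rule
        #    also accepts in-rate packets to every port, bypassing the whitelist.
        if loads_limit and target == "ACCEPT":
            msg = "limit+ACCEPT: excess falls through, nothing is limited"
            if value_of(toks, "--dport") is None:
                msg += "; no --dport, so in-rate packets reach any port"
            findings.append((chain, n, msg))
        # 2. Once a rule accepts all ICMP, later ICMP-type rules in that chain
        #    (such as a rate-limited echo-request) can never match.
        if value_of(toks, "-p") == "icmp":
            if chain in icmp_catch_all:
                findings.append((chain, n, f"unreachable: rule {icmp_catch_all[chain]} already accepts all ICMP"))
            elif target == "ACCEPT" and value_of(toks, "--icmp-type") in (None, "any"):
                icmp_catch_all[chain] = n
    return findings

if __name__ == "__main__":
    for chain, n, msg in lint(POST_RULES):
        print(f"{chain} rule {n}: {msg}")
```

A limit chain that returns in-rate packets and drops the rest (`-m limit ... -j RETURN` followed by `-j DROP`) produces no findings.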