刚写的 iptables 规则

[BigSnake.NET]

http://paste.ubuntu.org.cn/5369

大家帮忙看看有什么可改进

代码： 全选

#!/bin/bash -e
export PATH=/bin:/usr/bin:/sbin:/usr/sbin

if [ $UID != 0 ]
then
        echo please run me as root. 1>&2
        exit 1
fi


################################################################################

chain_clean() {
        echo Cleaning iptables chains...
        for table in filter nat mangle
        do
                iptables -t $table -F
                iptables -t $table -X
        done
}

chain_show() {
        echo Listing chains...
        for table in filter nat mangle
        do
                echo ==================== Table : $table ====================
                iptables -t $table -L -v -n --line-numbers
                echo
        done
}

chain_init() {
        # filter
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT DROP
        iptables -N IReject
        setup_IReject
        # nat
        iptables -t nat -P PREROUTING ACCEPT
        iptables -t nat -P POSTROUTING ACCEPT
        iptables -t nat -P OUTPUT ACCEPT
        # mangle
        iptables -t mangle -P PREROUTING ACCEPT
        iptables -t mangle -P INPUT ACCEPT
        iptables -t mangle -P FORWARD ACCEPT
        iptables -t mangle -P OUTPUT ACCEPT
        iptables -t mangle -P POSTROUTING ACCEPT
}

setup_IReject () {
        # 迷惑敌人
        # iptables -A IReject -j LOG -s ! 192.168.6.0/24 --log-prefix "FIREWALL:IReject "
        iptables -A IReject -j LOG --log-level 4 --log-prefix "FIREWALL:IReject "
        iptables -A IReject -p tcp -j REJECT --reject-with tcp-reset
        iptables -A IReject -p udp -j REJECT --reject-with icmp-port-unreachable
        iptables -A IReject -p icmp -j REJECT --reject-with icmp-port-unreachable
        iptables -A IReject -j DROP
}

################################################################################

ban_pub() {
        # 这里屏蔽永远也用不到的机器
        for i in "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
        do
                iptables -A INPUT -s "$i" -j IReject
                iptables -A OUTPUT -d "$i" -j DROP
        done
}

allow_gate() {
        # 需要ping网关测试网络
        route -n | tail -n +3 |\
        while read line
        do
                gateway=`echo $line | awk '{print $2}'`
                eth=`echo $line | awk '{print $8}'`
                if [ ${gateway##*.} -ne 0 ] # 有效的网关
                then
                        i=`ip addr | grep "^.: $eth: " -A2 | awk 'BEGIN { FS = "[ /]+" } /inet/{print $3}'`
                        iptables -A OUTPUT -o $eth -s $i       -d $gateway -j ACCEPT
                        iptables -A INPUT  -i $eth -s $gateway -d $i -m state --state ESTABLISHED,RELATED -j ACCEPT
                fi
        done
}

getmyip() {
        ip addr | grep "^.: $1: " -A2 | awk 'BEGIN { FS = "[ /]+" } /inet/{print $3}'
}

allow() {
        #lo
        iptables -A OUTPUT -o lo -s localhost -d localhost -j ACCEPT
        iptables -A INPUT  -i lo -s localhost -d localhost -j ACCEPT

        #eth0
        iptables -A OUTPUT -o eth0 -s `getmyip eth0` -j ACCEPT
        iptables -A INPUT  -i eth0 -d `getmyip eth0` -m state --state ESTABLISHED,RELATED -j ACCEPT

}

################################################################################

main() {
        chain_clean
        chain_init

        allow_gate
        ban_pub

        allow

        # 剩下的 INPUT 统统拒绝..
        iptables -A INPUT -j IReject

        iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "FIREWALL:OUTPUT "
        chain_show
}
main

[xiooli]

先占个座，有时间慢慢研究一下

[冲浪板]

想知道流速控制是怎样描述的

[BigSnake.NET]

想知道流速控制是怎样描述的

没有流速控制

[tongttt]

好像看不大懂。

[hcym]

看看有什么可学习学习


折腾了一下，好不容易才通过端口检测，

请问如何隐蔽IP地址

[qiang_liu8183]

顶起来看～～～