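#!/bin/sh
#
# NAT router firewall: eth0 = WAN side, eth1 = LAN side (192.168.0.0/24).
# Must run as root; needs iptables with the "state" and "limit" matches.
#
# Admin paths that stay open while this rule set is active: SSH on eth0
# tcp/24681 and anything arriving from 192.168.0.0/24 on eth1. INPUT is
# default-deny below, so adjust those two rules first if your box differs.
#
# Written for /bin/sh: no bash-only syntax (in particular no "&>").

echo "Module loading...."
echo "enabling IP FORWARDING......"
echo "1" > /proc/sys/net/ipv4/ip_forward
# The kernel itself keeps answering pings; echo-requests arriving on the WAN
# are dropped by an INPUT rule further down, LAN pings still work.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo "enabling iptables rules"
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

# -F flushes rules but does NOT reset chain policies, so set every policy
# explicitly instead of inheriting whatever the box had before.
# INPUT is default-deny: everything not accepted below is logged (rate
# limited) by the last INPUT rule and then dropped by the policy.
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# NOTE(review): with FORWARD on ACCEPT the "--limit" rules in the DDOS
# section below only accept early; over-limit packets fall through to the
# policy and are forwarded anyway. A default-deny FORWARD would need an
# ESTABLISHED,RELATED accept rule first -- left on ACCEPT on purpose.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Ports that are never forwarded, in either direction, for tcp and udp.
for port in 4444 445 69 135 139 3 111 587; do
  iptables -A FORWARD -p tcp --dport "$port" -j DROP
  iptables -A FORWARD -p udp --dport "$port" -j DROP
done

#allow loopback access
iptables -A INPUT -p icmp -i lo -j ACCEPT
iptables -A OUTPUT -p icmp -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

#allow the LAN (eth1) to talk to this box, and the box to answer
# (the original appended this INPUT rule three times; once is enough)
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth1 -d 192.168.0.0/24 -j ACCEPT

#deny private/loopback source addresses arriving on the WAN (spoofing)
#iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

#deny DHCP_packets from LAN
iptables -A INPUT -p udp -i eth1 --dport 67 --sport 68 -j DROP

#TCP rules (OUTPUT policy is ACCEPT, kept for explicitness)
iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED,NEW -j ACCEPT

#forward anything coming from the LAN
iptables -A FORWARD -i eth1 -j ACCEPT

#replies from the WAN to connections this box opened.
# Not restricted to tcp: with INPUT default-deny, udp (DNS) and icmp replies
# to the router itself must also get back in.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#IP fragments, rate limited
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

#broadcast / multicast / zero destination on the WAN
iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP

#ICMP: do not answer pings from the WAN
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
#iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#ping types
#iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
#iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT

#DDOS (see the FORWARD policy note above about what these limits do)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# "&>" is bash-only; under /bin/sh it backgrounds the command and leaves
# its output unsuppressed, so use the portable redirection.
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Key name is from the ip_conntrack era; errors are silenced, so if the
# timeout matters check with "sysctl -a" that it was actually applied.
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
echo "flags SYN,ACK,FIN,RST RST DDOS ......"

#SYN flood protection on this box: let 3/s (burst 6) through, reject the rest
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

#TCP bad: new connections that do not start with SYN
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

#drop www
#iptables -I FORWARD -d www.baidu.com -j DROP

# allow UDP from the WAN towards the LAN
iptables -A FORWARD -p udp -d 192.168.0.0/24 -i eth0 -j ACCEPT

#MAC control
#iptables -t nat -I PREROUTING -m mac --mac-source 4C:00:10:D8:57:F3 -j DROP

#SSH on the WAN (non-standard port)
iptables -A INPUT -p tcp -i eth0 --dport 24681 -j ACCEPT

#everything else on INPUT: log (rate limited) then fall to the DROP policy.
# This must stay the LAST INPUT rule -- placed earlier it would log traffic
# that a later ACCEPT rule then lets in.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"

#http port 80
#iptables -A OUTPUT -o eth0 -p tcp -s 125.76.111.111 --sport 1024:65535 -d any/0 --dport 80 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 80 -d 125.76.111.111 --dport 1024:65535 -j ACCEPT
#DNS
#iptables -A OUTPUT -o eth0 -p udp -s 125.76.111.111 --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -s any/0 --sport 53 -d 125.76.111.111 --dport 1024:65535 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp -s 125.76.111.111 --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 53 -d 125.76.111.111 --dport 1024:65535 -j ACCEPT

#MASQUERADE: NAT everything leaving on the WAN
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#SNAT (alternative to MASQUERADE when the WAN address is static)
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 125.76.111.111
#port forwarding examples
#iptables -t nat -A PREROUTING -d 125.76.111.111 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 192.168.0.245:3389
#iptables -t nat -A POSTROUTING -d 192.168.0.245 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.0.250
#iptables -t nat -A PREROUTING -d 125.76.111.111 -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.3.253:21
#iptables -t nat -A POSTROUTING -d 192.168.3.253 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.3.254
#iptables -t nat -A PREROUTING -d 125.76.111.111 -p tcp -m tcp --dport 2120 -j DNAT --to-destination 192.168.3.250:21
#iptables -t nat -A POSTROUTING -d 192.168.3.250 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.3.254
#iptables -t nat -A PREROUTING -d 125.76.111.111 -p tcp -m tcp --dport 96 -j DNAT --to-destination 192.168.3.251:21
#iptables -t nat -A POSTROUTING -d 192.168.3.251 -p tcp -m tcp --dport 21 -j SNAT --to-source 192.168.3.254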