Setting up an IPTables firewall for Linux


  The best approach:

  To make my iptables settings easier to modify and maintain, I usually write all of the iptables settings into a separate file first and, once it has been tested without problems, save them into the iptables configuration file.

  Below is my own iptables file, ~/script/firewall.sh


  #!/bin/bash
  # A simple iptables firewall configuration

  PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH

  # flush/erase original rules
  iptables -F   # flush every rule in the built-in chains
  iptables -X   # delete user-defined chains
  iptables -Z   # zero the packet and byte counters of every chain

  # Accept anything arriving on loopback, whatever it is
  iptables -A INPUT -i lo -j ACCEPT

  # Accept reply packets for connections initiated from inside
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Block the most common network attacks (recon packets and SYN-flood):
  # NULL scan, non-SYN packets opening a new connection, XMAS scan
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

  # Open ports for the services this host runs
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # HTTP
  #iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # HTTPS
  #iptables -A INPUT -p tcp --dport 25 -j ACCEPT   # SMTP
  #iptables -A INPUT -p tcp --dport 465 -j ACCEPT  # Secure SMTP
  #iptables -A INPUT -p tcp --dport 110 -j ACCEPT  # POP3
  #iptables -A INPUT -p tcp --dport 995 -j ACCEPT  # Secure POP

  # ICMP configuration
  # To prevent ICMP DDoS we do not allow ICMP type 8 (echo-request), or we limit it to 1/second.
  # Only the ICMP types listed below are accepted.
  icmp_type="0 3 4 11 12 14 16 18"
  for ticmp in $icmp_type
  do
      iptables -A INPUT -p icmp --icmp-type $ticmp -j ACCEPT
  done
  #iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

  # default policies
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP

  # save to /etc/sysconfig/iptables
  /etc/init.d/iptables save

  You can modify it according to your needs.
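The same policy as firewall.sh above, rewritten as an added example (not the author's script) in iptables-restore format: the whole filter table is then loaded in one atomic step, so there is no window in which the chains are flushed but the new rules are not yet in place, and the file can be syntax-checked with `iptables-restore --test` before it is applied. The TCP_PORTS and ICMP_TYPES defaults and the FORWARD DROP policy are assumptions of this example; the original script leaves FORWARD at the kernel default of ACCEPT.

```shell
#!/bin/sh
# Generate a firewall ruleset for iptables-restore (added example).
# Lists can be overridden in the environment; defaults are assumed here.
TCP_PORTS="${TCP_PORTS:-22 80}"                    # SSH and HTTP, as in firewall.sh
ICMP_TYPES="${ICMP_TYPES:-0 3 4 11 12 14 16 18}"   # replies/errors only, no echo-request

gen_ruleset() {
    # Header: policies are declared before any rule, so they take effect
    # together with the rules when the table is committed.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
EOF
    # Per-service openings come after the malformed-packet drops, as in the
    # original script, so a NULL/XMAS probe to port 22 is still dropped.
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for t in $ICMP_TYPES; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo COMMIT
}

# Number of -A rules emitted; a quick sanity check before applying.
count_rules() { gen_ruleset | grep -c '^-A '; }

# Usage (as root, after reviewing the output):
#   gen_ruleset > /tmp/firewall.rules
#   iptables-restore --test /tmp/firewall.rules && iptables-restore /tmp/firewall.rules
```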
