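#!/bin/sh
# Host firewall and kernel hardening for a single IPv4 host.
#
# Usage (as root):  HOST_ADDR=<this host's address> ./firewall.sh
#   HOST_ADDR defaults to 172.16.1.12, the address used by the original
#   rule set.
#
# Ordering is the safety property of this script: every ACCEPT rule is
# installed while the INPUT policy is still ACCEPT, and the policy is
# switched to DROP as the very last firewall step. If any earlier command
# fails under `set -e`, the host is never left with a DROP policy and no
# allow rules (which would lock out the SSH session running the script).
#
# NOTE(review): only the IPv4 tables are configured here. If IPv6 is
# enabled on the host, ip6tables keeps whatever policy it already had —
# confirm, and mirror these rules there if the host has IPv6 reachability.
set -eu

# Address of this host for the self-to-self allow rule.
HOST_ADDR="${HOST_ADDR:-172.16.1.12}"
readonly HOST_ADDR

#######################################
# Put the filter and nat tables into an empty, permissive state.
# Permissive policies are set *before* flushing so that the flush itself
# can never strand the current session behind a DROP default.
# Globals:   none
# Arguments: none
# Returns:   non-zero (and aborts the script) if any iptables call fails
#######################################
reset_tables() {
  iptables -P INPUT ACCEPT
  # FORWARD stays ACCEPT as in the original; forwarding itself is turned
  # off in harden_sysctl (net.ipv4.ip_forward=0), so nothing is routed.
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -F
  iptables -X
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
  iptables -t nat -F
}

#######################################
# Install the INPUT allow list. Anything not matched here is dropped
# once main() sets the INPUT policy to DROP.
# Globals:   HOST_ADDR (read)
# Arguments: none
# Returns:   non-zero (and aborts the script) if any iptables call fails
#######################################
allow_input() {
  local port

  iptables -A INPUT -i lo -j ACCEPT
  # Traffic this host sends to its own configured address (services bound
  # to HOST_ADDR rather than to 127.0.0.1).
  iptables -A INPUT -s "$HOST_ADDR" -d "$HOST_ADDR" -j ACCEPT
  # Replies to connections this host opened, plus RELATED flows. RELATED
  # only covers protocols whose conntrack helper is loaded (e.g. the FTP
  # helper for the FTP ports below) — confirm the helper is present.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Inbound TCP services, in the original order:
  #   80          HTTP
  #   20, 21      FTP. Note: port 20 is the *source* port of active-mode
  #               data connections, so matching it as a destination on
  #               INPUT rarely does anything useful — kept as in the
  #               original; review whether it is needed.
  #   3000        application port (purpose not stated in the original)
  #   22          SSH
  #   60000:60010 presumably the FTP passive-mode data range — confirm
  #               it matches the FTP server configuration.
  for port in 80 20 21 3000 22 60000:60010; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done

  # Rules the original kept disabled. Left as documentation of the
  # available options; enable deliberately, not by default.
  #iptables -A INPUT -p tcp --dport 137:139 -j ACCEPT   # NetBIOS
  #iptables -A INPUT -p tcp --dport 445 -j ACCEPT        # SMB
  #iptables -A INPUT -p tcp --dport 6969 -j ACCEPT
  #iptables -A INPUT -p tcp --dport 6881:6999 -j ACCEPT
  # SYN-flood rate limiting via a dedicated chain:
  #iptables -N syn-flood
  #iptables -A INPUT -p tcp --syn -j syn-flood
  #iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
  #iptables -A syn-flood -j REJECT
  # Per-source connection cap on the external interface:
  #iptables -A INPUT -i eth1 -p tcp --syn -m connlimit --connlimit-above 100 -j DROP
  #iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Global SYN rate limits:
  #iptables -A INPUT -p tcp --syn -m limit --limit 24/s --limit-burst 48 -j ACCEPT
  #iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
  # HTTP flood controls: per-source connection cap, then per-source
  # request rate over a 60 s window:
  #iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 -j REJECT
  #iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 100 -j REJECT
  #iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
}

#######################################
# Apply the IPv4 kernel hardening sysctls from the original script.
# The duplicate icmp_echo_ignore_broadcasts entry has been dropped.
# Globals:   none
# Arguments: none
# Returns:   non-zero (and aborts the script) if a key cannot be set
#######################################
harden_sysctl() {
  local kv

  for kv in \
    net.ipv4.tcp_synack_retries=3 \
    net.ipv4.tcp_syn_retries=3 \
    net.ipv4.ip_forward=0 \
    net.ipv4.conf.all.send_redirects=0 \
    net.ipv4.conf.default.send_redirects=0 \
    net.ipv4.tcp_max_syn_backlog=1280 \
    net.ipv4.icmp_echo_ignore_broadcasts=1 \
    net.ipv4.conf.all.accept_source_route=0 \
    net.ipv4.conf.all.accept_redirects=0 \
    net.ipv4.conf.all.secure_redirects=0 \
    net.ipv4.conf.all.log_martians=1 \
    net.ipv4.conf.default.accept_source_route=0 \
    net.ipv4.conf.default.accept_redirects=0 \
    net.ipv4.conf.default.secure_redirects=0 \
    net.ipv4.icmp_ignore_bogus_error_responses=1 \
    net.ipv4.tcp_syncookies=1 \
    net.ipv4.conf.all.rp_filter=1 \
    net.ipv4.conf.default.rp_filter=1 \
    net.ipv4.tcp_timestamps=0
  do
    # tcp_timestamps=0 is the original's choice; it also disables PAWS and
    # RTT measurement, so keep it only if that trade-off is intended.
    sysctl -w "$kv"
  done
}

main() {
  reset_tables
  allow_input
  # Default-deny inbound — set last, after every allow rule is in place.
  iptables -P INPUT DROP
  harden_sysctl
}

main "$@"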