Linux 服务器安全配置(5)
##disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
##reset default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
##del all iptables rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
##clean all non-default chains
iptables -X
iptables -t nat -X
##iptables default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
##allow ping packets
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p ICMP -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p ICMP -j ACCEPT
##enable forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
##STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##accept internal packets on the internal i/f
iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT
##open ports on router for server/services
##TCP PORTS
for ATP in $TPORTS
do
iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $ATP -j ACCEPT
iptables -A FORWARD -p tcp --destination-port $ATP -j ACCEPT
done
##UDP PORTS
for AUP in $UPORTS
do
iptables -A INPUT -p udp --destination-port $AUP -j ACCEPT
iptables -A FORWARD -p udp --destination-port $AUP -j ACCEPT
done
##bad_packets chain
##drop INVALID packets immediately
iptables -A INPUT -p ALL -m state --state INVALID -j DROP
##limit SYN flood
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
##deny all ICMP packets,eth0 is external net_eth
#iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p ICMP -j DROP
##allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
##enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
< --end-- >
7.2 ipchains类型防火墙:
7.2.1 ipchains概念:
Ipchains 被用来安装、维护、检查Linux内核的防火墙规则。规则可以分成四类:IP input链、IP output链、IP forward链、user defined 链。
一个防火墙规则指定包的格式和目标。当一个包进来时, 核心使用input链来决定它的命运。 如果它通过了, 那么核心将决定包下一步该发往何处(这一步叫路由)。假如它是送往另一台机器的, 核心就运用forward链。如果不匹配,进入目标值所指定的下一条链,那有可能是一条user defined链,或者是一个特定值: ACCEPT,DENY,REJECT,MASQ,REDIRECT,RETURN。