【标  题】:一个Iptables防火墙的教本——未完。。。
【关键字】:Iptables
【来  源】:http://www.cublog.cn/u/24312/showart.php?id=255088

一个Iptables防火墙的教本——未完。。。

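#!/bin/sh
# Host firewall for a single-homed machine on an ISP-assigned address.
# Usage:  firewall        build the rule set
#         firewall stop   flush everything and leave the host open
# Every "my.*" / "isp.*" / "some.*" value below is a placeholder and must be
# replaced with a real address or prefix before the script is used.
# (The original first line lacked the leading "#", so it was not a shebang.)

# FTP connection-tracking helper.  Current kernels call it nf_conntrack_ftp;
# fall back to the older ip_conntrack_ftp name if that module does not exist.
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp

# Feature toggles: "1" enables the corresponding rule section, "0" disables it.
# The sections that test them are not part of this page.
CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
SSH_SERVER="0"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
# NOTE(review): the original assigned DHCP_SERVER="1" here and then overwrote it
# with the server address further down, so the toggle was silently lost.  A
# client-side toggle looks intended; confirm which name the DHCP rules test.
DHCP_CLIENT="1"

IPT="/sbin/iptables"                # Location of iptables on your system (absolute
                                    # path; the original "sbin/iptables" was relative
                                    # and only resolved with / as the working directory)
INTERNET="eth0"                     # Internet-connected interface
LOOPBACK_INTERFACE="lo"             # However your system names it
IPADDR="my.ip.address"              # Your IP address
SUBNET_BASE="my.subnet.base"        # ISP network segment base address
SUBNET_BROADCAST="my.subnet.bcast"  # network segment broadcast address
MY_ISP="my.isp.address.range"       # ISP server & NOC address range
NAMESERVER="isp.name.server.1"      # address of a remote name server
POP_SERVER="isp.pop.server"         # address of a remote pop server
MAIL_SERVER="isp.mail.server"       # address of a remote mail gateway
NEWS_SERVER="isp.news.server"       # address of a remote news server
TIME_SERVER="some.time.server"      # address of a remote time server
DHCP_SERVER="isp.dhcp.server"       # address of your ISP dhcp server

# Address ranges for the spoofing / bogon rules.
LOOPBACK="127.0.0.0/8"              # reserved loopback address range
CLASS_A="10.0.0.0/8"                # RFC 1918 private network
CLASS_B="172.16.0.0/12"             # RFC 1918 private network.  The original
                                    # "172.0.0.0/12" is 172.0.0.0-172.15.255.255:
                                    # public space, and none of 172.16-172.31.
CLASS_C="192.168.0.0/16"            # RFC 1918 private network
CLASS_D_MULTICAST="224.0.0.0/4"     # Class D multicast address
CLASS_E_RESERVED_NET="240.0.0.0/5"  # Class E reserved address.  NOTE(review): IANA
                                    # reserves all of 240.0.0.0/4; this /5 leaves
                                    # 248.0.0.0/5 uncovered.  Widen to /4 if the
                                    # later rules use it purely as a source filter.
BROADCAST_SRC="0.0.0.0"             # broadcast source address
BROADCAST_DEST="255.255.255.255"    # broadcast destination address

PRIVPORTS="0:1023"                  # well-known, privileged port range
UNPRIVPORTS="1024:65535"            # unprivileged port range
SSH_PORTS="1024:65535"              # port range for ssh (same as the unprivileged range)

# Service ports referenced by rule sections that are not on this page.
NFS_PORT="2049"
LOCKD_PORT="4045"                   # was mistyped "LOCKD_poRT", so a later $LOCKD_PORT
                                    # would have expanded to nothing
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOWS_PORTS="6000:6063"
SQUID_PORT="3128"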
#####################################################################################
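# ---- Kernel (/proc/sys) hardening.  Needs root; each per-interface loop also
# ---- covers the "all" and "default" pseudo-interfaces under conf/.
# Each write is guarded with [ -e ] so an unmatched glob (older kernel, or a
# sysctl that does not exist) skips quietly instead of writing to a literal "*" path.

# Enable broadcast echo protection (ignore pings sent to broadcast addresses)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source-routed packets.  The sysctl is "accept_source_route"; the original
# spelt it "accept_source_routed", which matches no file, so the loop ran once with
# the literal glob, the write failed, and source routing was never disabled.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    [ -e "$f" ] && echo 0 > "$f"
done

# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP redirect acceptance (an accepted redirect re-routes this host's traffic)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    [ -e "$f" ] && echo 0 > "$f"
done

# Don't send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    [ -e "$f" ] && echo 0 > "$f"
done

# Reverse-path filtering: drop a packet arriving on an interface if the reply to
# its source address would go out a different interface (spoofed source).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -e "$f" ] && echo 1 > "$f"
done

# Log packets with impossible (martian) source addresses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    [ -e "$f" ] && echo 1 > "$f"
done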
#######################################################################################
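# ---- Reset the tables and establish the default policies.

# Flush every rule and delete every user-defined chain in the filter, nat and
# mangle tables.  Chain policies are left alone here.
flush_tables() {
    $IPT --flush
    $IPT -t nat --flush
    $IPT -t mangle --flush
    $IPT -X
    $IPT -t nat -X
    $IPT -t mangle -X
}

if [ "$1" = "stop" ]; then
    # Tear-down: empty every table and open every chain, then exit.
    flush_tables
    $IPT --policy INPUT ACCEPT
    $IPT --policy OUTPUT ACCEPT
    $IPT --policy FORWARD ACCEPT
    $IPT -t nat --policy PREROUTING ACCEPT
    $IPT -t nat --policy OUTPUT ACCEPT
    $IPT -t nat --policy POSTROUTING ACCEPT
    $IPT -t mangle --policy PREROUTING ACCEPT
    $IPT -t mangle --policy OUTPUT ACCEPT
    echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
    exit 0
fi

# Close the filter table *before* flushing, so there is never a moment in which
# the host runs with ACCEPT policies and no rules.  (The original set ACCEPT,
# flushed, and only afterwards switched to DROP; its "Set the default policy"
# comment had also lost its "#" and ran as a bogus "$" command.)
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

flush_tables

# nat and mangle keep ACCEPT.  Every packet traverses the mangle chains and the
# first packet of every connection traverses the nat chains, so a DROP policy
# there (which the original set) discards traffic before the filter rules below
# ever see it.  All filtering is done in the filter table.
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

# Unlimited traffic on the loopback interface (uses the configured name rather
# than a hard-coded "lo")
$IPT -A INPUT  -i "$LOOPBACK_INTERFACE" -j ACCEPT
$IPT -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT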

#########################################################################################
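# ---- Stealth scans and illegal TCP flag combinations.
# These rules are not bound to an interface; loopback traffic was already
# accepted above, so they only ever see external packets.

# The original used "-m unclean", an experimental match that was dropped from the
# kernel long ago, so that rule failed to load.  Discarding packets the connection
# tracker classifies as INVALID (it cannot associate them with any connection) is
# the supported approximation; it is not a one-for-one replacement.
$IPT -A INPUT -m state --state INVALID -j DROP

# All of the bits are cleared (NULL scan)
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK (FIN scan).
# The original tested ACK,PSH PSH here, a duplicate of the PSH rule below, so
# bare-FIN probes were never matched.
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
# (the original wrote "--tcl-flags", which iptables rejects)
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP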
##########################################################################################
# Using connection state to bypass rule checking
# (The page ends here: the state rules and the per-service sections that the
#  toggles at the top refer to are missing.  As shown, the script leaves the host
#  with DROP policies on the filter table and only loopback accepted, so it is
#  not usable as-is.)
 
 
 