```
# sample configuration for iptables service
#
# you can edit this manually or use system-config-firewall
#
# please do not ask us to add additional ports/services to this default configuration

#################
# NAT
#################
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]

# all internal servers reach the Internet via this host
#-A POSTROUTING -s 10.x.x.0/24 -p tcp -j SNAT --to-source 0.x.x.x

# OpenVPN
-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

#-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT

#################
# filter
#################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#:DOCKER - [0:0]

# accept packets of already established connections right away, to improve iptables efficiency (this rule is usually placed first)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow ping
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow the local loopback device
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# open the sshd service
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# forwarding for internal machines to reach the Internet
#-A FORWARD -i eth0 -d 10.x.x.0/24 -j ACCEPT

# docker
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 139291:461018923 -j ACCEPT
#-A FORWARD -o docker0 -j DOCKER
#-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
#-A FORWARD -i docker0 -o docker0 -j ACCEPT

# openvpn
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
-A OUTPUT -p tcp --sport 1194 -m state --state ESTABLISHED -j ACCEPT
# openvpn web ui
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT

# SMTP
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

# allow ports 80 and 443 (http and https)
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT

# dns
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 53 -j ACCEPT

#--- ganglia ports ----
# apache that serves the ganglia web UI and runs php
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A OUTPUT -p tcp --sport 81 -m state --state ESTABLISHED -j ACCEPT
# ganglia gmond ports
-A INPUT -p tcp -m multiport --dport 8649:8652 -j ACCEPT
-A OUTPUT -p tcp -m multiport --sport 8649:8652 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dport 8649:8652 -j ACCEPT
-A OUTPUT -p udp -m multiport --sport 8649:8652 -m state --state ESTABLISHED -j ACCEPT

# falcon-agent send
-A OUTPUT -p tcp --dport 6030 -j ACCEPT
-A OUTPUT -p tcp --dport 8433 -j ACCEPT
-A INPUT -s 10.x.x.x -p tcp --dport 1988 -j ACCEPT

# nagios ports
#-A INPUT -p udp -m multiport --dport 5666,12489 -j ACCEPT
#-A OUTPUT -p tcp -m multiport --sport 5666:12489 -m state --state ESTABLISHED -j ACCEPT

### TCP ports for FreeIPA
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
### UDP ports for FreeIPA
#-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
#-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
#-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#
## nexus yum
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
# pptp
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT

# rate-limit IP fragments to prevent attacks: allow 100 per second
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# allow ping tests from outside
#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# forbid ping
-A INPUT -p icmp -i eth0 -j DROP
# ICMP packet filtering: allow 1 packet per second, the limit kicks in after a burst of 10 packets
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

## allowed login sources
# sean's home
#-A INPUT -s x.x.x.x -m state --state NEW -m tcp -p tcp -j ACCEPT

####################
# DROP RULES
####################
# drop bad TCP packets
#-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

# Reject spoofed packets
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

# Drop all invalid packets
-A INPUT -m state --state INVALID -j DROP
#-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP

# drop port 3128, the default squid port
-A INPUT -p tcp --dport 3128 -j DROP

# Drop excessive RST packets to avoid smurf attacks
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
# These rules add scanners to the portscan list, and log the attempt.
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# block everything not allowed by the rules above
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT
```
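To audit a ruleset in this iptables-save format, here is an added Python example (not part of the original page): it parses the `-A` lines, lists the destination ports each chain ACCEPTs together with their `-i`/`-s` restrictions, and flags rules that sit below an unconditional DROP, which matters because anything appended after the trailing `-A INPUT -j DROP` above can never match. The sample ruleset, including the 10.0.0.5 address, is constructed for the demonstration.

```python
import shlex

# Constructed excerpt of the ruleset above (iptables-save format); the last
# ACCEPT sits below the catch-all DROP on purpose, so it can never match.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
-A INPUT -s 10.0.0.5 -p tcp --dport 1988 -j ACCEPT
-A INPUT -p tcp -m multiport --dport 8649:8652 -j ACCEPT
-A INPUT -p tcp --dport 3128 -j DROP
-A INPUT -j DROP
-A INPUT -p tcp --dport 8081 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    # Yield (chain, target, conditions) per active -A line; comments, table
    # headers and chain policies are skipped, '!' is folded into the option name.
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        opts, neg, i = {}, "", 0
        while i < len(toks):
            if toks[i] == "!":
                neg, i = "!", i + 1
                continue
            arg = i + 1 < len(toks) and toks[i + 1][:1] not in ("-", "!")
            opts[neg + toks[i]] = toks[i + 1] if arg else True
            neg, i = "", i + (2 if arg else 1)
        yield opts.pop("-A"), opts.pop("-j", None), opts

def audit(text):
    # exposed: ACCEPTed dports with their -i / -s restrictions;
    # shadowed: indexes of rules placed below an unconditional DROP/REJECT.
    exposed, shadowed, closed = [], [], set()
    for n, (chain, target, c) in enumerate(parse_rules(text)):
        port = c.get("--dport") or c.get("--dports")
        if chain in closed:
            shadowed.append(n)
        elif not c and target in ("DROP", "REJECT"):
            closed.add(chain)
        elif target == "ACCEPT" and port:
            exposed.append((chain, c.get("-p", "all"), port, c.get("-i", "any"), c.get("-s", "any")))
    return exposed, shadowed
```

Run `audit(SAMPLE)` to see the four exposed ports and the index of the unreachable 8081 rule; point it at real `iptables-save` output to review a live host.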