这是我的 iptables 脚本。它还能更好吗?
提前致谢！
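#!/bin/bash
# Host firewall for IPv4 (iptables) and IPv6 (ip6tables).
#
# Policy: default-deny on INPUT, FORWARD and OUTPUT for both families.  Only
# loopback, already-tracked connections, a short list of outbound services
# (Tor SOCKS, DNS, HTTP/HTTPS, SMTP, NTP) and the Transmission UDP port are
# allowed; everything else is logged (rate-limited) and then dropped by the
# chain policy.  IPv6 additionally admits the Neighbour Discovery messages
# without which IPv6 cannot work at all.
#
# Must run as root.  To load the rule set atomically instead of rule by rule,
# save the result with iptables-save / ip6tables-save and load it with e.g.
#   iptables-restore < /etc/iptables.test.rules
#
# `set -e` is intentionally NOT used: a firewall script must not stop halfway
# through and leave the host in an unknown state.  Every command goes through
# rule(), which reports failures on stderr instead of hiding them; the exit
# status is non-zero if any command failed.
#
# Note: `-m state` is kept as in the original; `-m conntrack --ctstate` is the
# modern spelling of the same match.

readonly tor_socks_port=9050      # outbound TCP to a Tor SOCKS port
readonly transmission_port=51413  # Transmission (BitTorrent) UDP port

# Set to 1 by rule() as soon as any command fails; becomes the exit status.
failed=0

#######################################
# Run one firewall command, reporting (never silencing) a failure.
# Globals:   failed (set to 1 on error)
# Arguments: $1 - iptables or ip6tables; remaining args are passed through
# Outputs:   one diagnostic line on stderr on failure
# Returns:   the command's exit status
#######################################
rule() {
  local ipt=$1
  shift
  local rv=0
  "$ipt" "$@" || rv=$?
  if (( rv != 0 )); then
    failed=1
    printf '%s: "%s %s" failed (status %d)\n' "${0##*/}" "$ipt" "$*" "$rv" >&2
  fi
  return "$rv"
}

#######################################
# Default-deny, then wipe the filter, nat and mangle tables.
# The DROP policies are set *before* flushing so that there is no window in
# which the host runs with empty chains and an ACCEPT policy.
# Arguments: $1 - iptables or ip6tables
#######################################
reset_tables() {
  local ipt=$1
  local chain table
  for chain in INPUT FORWARD OUTPUT; do
    rule "$ipt" -P "$chain" DROP
  done
  # NOTE: the IPv6 nat table does not exist on older kernels; if that call
  # fails it is reported and the script carries on, as the original did.
  for table in filter nat mangle; do
    rule "$ipt" -t "$table" -F
    rule "$ipt" -t "$table" -X
  done
}

#######################################
# Rules shared by both address families: scan filtering, invalid-packet
# drop, connection tracking and loopback.
# Arguments: $1 - iptables or ip6tables
#######################################
base_rules() {
  local ipt=$1

  ## Drop XMAS / NULL / impossible-flag scans.
  rule "$ipt" -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
  rule "$ipt" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  rule "$ipt" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  rule "$ipt" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

  # Silently drop all broadcast packets.
  rule "$ipt" -A INPUT -m pkttype --pkt-type broadcast -j DROP

  # Drop all invalid packets.
  rule "$ipt" -A INPUT -m state --state INVALID -j DROP
  rule "$ipt" -A FORWARD -m state --state INVALID -j DROP
  rule "$ipt" -A OUTPUT -m state --state INVALID -j DROP

  # Allow already-tracked connections.  RELATED is included so that ICMP
  # errors belonging to an allowed flow ("fragmentation needed" / "packet
  # too big", which path-MTU discovery relies on) are not caught by the
  # blanket ICMP drop that follows in the family-specific rules.
  rule "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow loopback in both directions.  The original only accepted INPUT on
  # lo; with OUTPUT defaulting to DROP, every new local connection (anything
  # not on an allowed port) was silently dropped and logged.
  rule "$ipt" -A INPUT -i lo -j ACCEPT
  rule "$ipt" -A OUTPUT -o lo -j ACCEPT
}

#######################################
# IPv4 ICMP: everything (ping included) is dropped; errors tied to a tracked
# flow were already accepted as RELATED in base_rules.
# Arguments: $1 - iptables
#######################################
icmp_rules_v4() {
  local ipt=$1
  rule "$ipt" -A INPUT -p icmp -j DROP
  rule "$ipt" -A OUTPUT -p icmp -j DROP
}

#######################################
# IPv6 ICMPv6: admit Neighbour Discovery, drop the rest.
# ND messages are not connection-tracked (state UNTRACKED) and RFC 4861
# requires them to carry hop limit 255, so a message that crossed a router
# cannot match these rules.
# Arguments: $1 - ip6tables
#######################################
icmp_rules_v6() {
  local ipt=$1
  local type
  for type in router-advertisement neighbour-advertisement neighbour-solicitation; do
    rule "$ipt" -A INPUT -p icmpv6 --icmpv6-type "$type" \
      -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
  done
  for type in router-solicitation neighbour-advertisement neighbour-solicitation; do
    rule "$ipt" -A OUTPUT -p icmpv6 --icmpv6-type "$type" \
      -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
  done
  # Every other ICMPv6 message is dropped; errors tied to a tracked flow were
  # already accepted as RELATED in base_rules.
  rule "$ipt" -A INPUT -p icmpv6 -j DROP
  rule "$ipt" -A OUTPUT -p icmpv6 -j DROP
}

#######################################
# Outbound services and the Transmission port.
# Arguments: $1 - iptables or ip6tables
#            $2 - TCP port allowed for outbound mail
#######################################
service_rules() {
  local ipt=$1
  local smtp_port=$2

  # Tor (SOCKS port).
  rule "$ipt" -A OUTPUT -p tcp -m tcp --dport "$tor_socks_port" -m state --state NEW -j ACCEPT
  # DNS
  rule "$ipt" -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
  rule "$ipt" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  # HTTP / HTTPS
  rule "$ipt" -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  rule "$ipt" -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
  # Mail (SMTP)
  rule "$ipt" -A OUTPUT -p tcp --dport "$smtp_port" -m state --state NEW -j ACCEPT
  # Transmission: incoming peers, plus new outgoing UDP from its own port.
  rule "$ipt" -A INPUT -p udp --dport "$transmission_port" -m state --state NEW -j ACCEPT
  rule "$ipt" -A OUTPUT -p udp --sport "$transmission_port" -m state --state NEW -j ACCEPT
  # NTP (system clock)
  rule "$ipt" -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
}

#######################################
# Log whatever is about to hit the DROP policy.  Rate-limited so that a
# flood of unsolicited packets cannot fill the disk with log lines; the
# prefix makes family and chain searchable in the log.
# Arguments: $1 - iptables or ip6tables
#######################################
log_rules() {
  local ipt=$1
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    rule "$ipt" -A "$chain" -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "${ipt} ${chain} drop: "
  done
}

#######################################
# Build the rule set for each address family in turn.
# Globals:   failed (read for the exit status)
# Returns:   exits 0 if every command succeeded, 1 otherwise
#######################################
main() {
  local ipt
  for ipt in iptables ip6tables; do
    if ! command -v "$ipt" >/dev/null 2>&1; then
      printf '%s: %s not found, skipping\n' "${0##*/}" "$ipt" >&2
      failed=1
      continue
    fi
    reset_tables "$ipt"
    base_rules "$ipt"
    if [[ "$ipt" == iptables ]]; then
      icmp_rules_v4 "$ipt"
      # NOTE(review): the original allowed SMTP on port 25 for IPv4 but 587
      # (submission) for IPv6; both values are kept as given — confirm which
      # one is intended.
      service_rules "$ipt" 25
    else
      icmp_rules_v6 "$ipt"
      service_rules "$ipt" 587
    fi
    log_rules "$ipt"
  done
  exit "$failed"
}

main "$@"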