Iptables 配置

tag-icon tag-icon linux networking firewall iptables tcp
Iptables 配置

这是我的 iptables 脚本。它还能更好吗?

提前致谢 !

#!/bin/bash
#iptables-restore < /etc/iptables.test.rules

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP 

## On drop les scans XMAS et NULL.
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Dropper silencieusement tous les paquets broadcastés.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Droping all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Autorise les connexions déjà établies et localhost       
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT    
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT   
iptables -A INPUT -i lo -j ACCEPT


#TOR
iptables -A OUTPUT -p tcp -m tcp --dport 9050 -m state --state NEW -j ACCEPT

# ICMP (Ping)                   
iptables -A INPUT -p icmp -j DROP           
iptables -A OUTPUT -p icmp -j DROP

# DNS                     
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT         
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT           

# HTTP                      
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

# HTTPS
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT          

# Mail SMTP 
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT  

#Transmission
iptables -A INPUT -p udp --dport 51413 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --sport 51413 -m state --state NEW -j ACCEPT

# NTP (horloge du serveur) 
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT  

# On log les paquets en entrée.
iptables -A INPUT -j LOG

# On log les paquets en sortie.
iptables -A OUTPUT -j LOG

# On log les paquets forward.
iptables -A FORWARD -j LOG 


ip6tables -F
ip6tables -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP 

## On drop les scans XMAS et NULL.
ip6tables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Dropper silencieusement tous les paquets broadcastés.
ip6tables -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Droping all invalid packets
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A FORWARD -m state --state INVALID -j DROP
ip6tables -A OUTPUT -m state --state INVALID -j DROP

# Autorise les connexions déjà établies et localhost       
ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT   
ip6tables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT  
ip6tables -A INPUT -i lo -j ACCEPT


ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m state --state UNTRACKED -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j DROP
ip6tables -A OUTPUT -p icmpv6 -j DROP

#TOR
ip6tables -A OUTPUT -p tcp -m tcp --dport 9050 -m state --state NEW -j ACCEPT

# DNS                     
ip6tables -A OUTPUT -p tcp --dport 53  -m state --state NEW -j ACCEPT         
ip6tables -A OUTPUT -p udp --dport 53  -m state --state NEW -j ACCEPT           

# HTTP                      
ip6tables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT        

# HTTPS
ip6tables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT         

# Mail SMTP 
ip6tables -A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

#Transmission
ip6tables -A INPUT -p udp --dport 51413 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p udp --sport 51413 -m state --state NEW -j ACCEPT

# NTP (horloge du serveur) 
ip6tables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT 

# On log les paquets en entrée.
ip6tables -A INPUT -j LOG

# On log les paquets en sortie.
ip6tables -A OUTPUT -j LOG

# On log les paquets forward.
ip6tables -A FORWARD -j LOG 

exit 0

相关内容