CentOS / Redhat Iptables Firewall Configuration Tutorial

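#!/bin/bash
#
# A sample firewall shell script
#
# Applies a set of hardening sysctls, flushes every iptables table, then
# installs a default-deny IPv4 ruleset on the public interface (PUB_IF):
#   - loopback is unrestricted
#   - outbound traffic is allowed; inbound only ESTABLISHED/RELATED plus the
#     listed services (ssh, http, dns, pop3, imap, ICMP echo request)
#   - malformed/scan-style TCP packets and fragments are logged and dropped
#   - addresses listed in BLOCKEDIPS (one address or CIDR per line, '#'
#     comments and blank lines ignored) are logged and dropped in both
#     directions
#
# Must run as root. The rules are not persisted; save them afterwards with
# the distribution's mechanism if they must survive a reboot.
#
# `set -e` is deliberately NOT used: flushing, `-X` and modprobe may fail
# harmlessly on some kernels and must not abort the firewall load half-way.
set -u   # an unset variable is a typo, not an intention — fail loudly

readonly IPT="/sbin/iptables"
readonly SYSCTL="/sbin/sysctl"
readonly SPAMLIST="blockedip"
readonly SPAMDROPMSG="BLOCKED IP DROP"
readonly BLOCKEDIPS="/root/scripts/blocked.ips.txt"
# interface connected to the Internet
readonly PUB_IF="eth0"
# Rate limit shared by every LOG rule so a packet flood cannot fill the
# log partition (a classic way to turn a firewall into a DoS against itself).
LOG_LIMIT=(-m limit --limit 5/m --limit-burst 7)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Log (rate-limited, log-level 4) and then drop INPUT packets matching the
# given iptables match arguments.
# Globals:   IPT, LOG_LIMIT (read)
# Arguments: $1 - log prefix; remaining args - iptables match arguments
#######################################
log_and_drop() {
  local prefix=$1
  shift
  "$IPT" -A INPUT "$@" "${LOG_LIMIT[@]}" -j LOG --log-level 4 --log-prefix "$prefix"
  "$IPT" -A INPUT "$@" -j DROP
}

(( EUID == 0 )) || die "this script must run as root"
[[ -x "$IPT" ]] || die "iptables not found at $IPT"
[[ -x "$SYSCTL" ]] || die "sysctl not found at $SYSCTL"

# Stop certain attacks (IP forwarding, redirects, source routing, smurf,
# SYN floods, spoofed sources); log_martians records packets with
# impossible source addresses for later review.
echo "Setting sysctl IPv4 settings..."
sysctl_settings=(
  net.ipv4.ip_forward=0
  net.ipv4.conf.all.send_redirects=0
  net.ipv4.conf.default.send_redirects=0
  net.ipv4.conf.all.accept_source_route=0
  net.ipv4.conf.all.accept_redirects=0
  net.ipv4.conf.all.secure_redirects=0
  net.ipv4.conf.all.log_martians=1
  net.ipv4.conf.default.accept_source_route=0
  net.ipv4.conf.default.accept_redirects=0
  net.ipv4.conf.default.secure_redirects=0
  net.ipv4.icmp_echo_ignore_broadcasts=1
  # net.ipv4.icmp_ignore_bogus_error_messages=1
  net.ipv4.tcp_syncookies=1
  net.ipv4.conf.all.rp_filter=1
  net.ipv4.conf.default.rp_filter=1
  # kernel.exec-shield exists only on Red Hat family kernels; sysctl prints
  # an error elsewhere, which is harmless here.
  kernel.exec-shield=1
  # NOTE(review): 2 enables full address-space randomization on kernels that
  # support it — confirm before raising this value.
  kernel.randomize_va_space=1
)
for setting in "${sysctl_settings[@]}"; do
  "$SYSCTL" -w "$setting"
done

echo "Starting IPv4 Firewall..."

# Fail closed: set the default policies to DROP before flushing, so there
# is no window during the reload where the host is open with no rules.
for chain in INPUT OUTPUT FORWARD; do
  "$IPT" -P "$chain" DROP
done

# Flush every table and delete user-defined chains.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done

# load modules — newer kernels name the module nf_conntrack, and the
# `-m state` matches below autoload it anyway, so failure is non-fatal.
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack 2>/dev/null || true

# Read the blocklist into an array; `read` without IFS= trims surrounding
# whitespace so a stray space does not produce an invalid address.
badips=()
if [[ -f "$BLOCKEDIPS" ]]; then
  while read -r ipblock; do
    [[ -n "$ipblock" ]] && badips+=("$ipblock")
  done < <(grep -v -E '^#|^$' -- "$BLOCKEDIPS")
fi

# Unlimited traffic for loopback
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

if (( ${#badips[@]} > 0 )); then
  # create a new iptables list for the blocked addresses
  "$IPT" -N "$SPAMLIST"
  for ipblock in "${badips[@]}"; do
    # -s only matches the source address, so a -d rule is needed as well
    # for the OUTPUT/FORWARD hooks to block traffic *to* the address.
    "$IPT" -A "$SPAMLIST" -s "$ipblock" "${LOG_LIMIT[@]}" -j LOG --log-prefix "$SPAMDROPMSG "
    "$IPT" -A "$SPAMLIST" -s "$ipblock" -j DROP
    "$IPT" -A "$SPAMLIST" -d "$ipblock" "${LOG_LIMIT[@]}" -j LOG --log-prefix "$SPAMDROPMSG "
    "$IPT" -A "$SPAMLIST" -d "$ipblock" -j DROP
  done
  # Insert at the top so the blocklist is checked before anything else.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -I "$chain" -j "$SPAMLIST"
  done
fi

# Block new connections that do not start with SYN
log_and_drop "Drop Sync" -i "$PUB_IF" -p tcp ! --syn -m state --state NEW

# Block fragments
log_and_drop "Fragments Packets" -i "$PUB_IF" -f

# Block bad stuff: impossible / scan-style TCP flag combinations
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL ALL -j DROP
log_and_drop "NULL Packets" -i "$PUB_IF" -p tcp --tcp-flags ALL NONE
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
log_and_drop "XMAS Packets" -i "$PUB_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN
log_and_drop "Fin Packets Scan" -i "$PUB_IF" -p tcp --tcp-flags FIN,ACK FIN
"$IPT" -A INPUT -i "$PUB_IF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connections but only replies coming in
"$IPT" -A INPUT -i "$PUB_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -o "$PUB_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Inbound services. Only NEW is accepted here: replies are already covered
# by the ESTABLISHED,RELATED rule above and INVALID packets should not be
# let in just because they target an open port.
#   22 ssh, 80 http, 53 dns, 110 pop3, 143 imap
for port in 22 80 53 110 143; do
  "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
done
# https — enable if the host serves TLS
#"$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport 443 -m state --state NEW -j ACCEPT

# DNS over UDP
"$IPT" -A INPUT -i "$PUB_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT

# allow incoming ICMP echo request (ping)
"$IPT" -A INPUT -i "$PUB_IF" -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

##### Add your rules below ######
#
#
##### END your rules ############

# Do not log smb/windows sharing packets - too much logging
"$IPT" -A INPUT -p tcp -i "$PUB_IF" --dport 137:139 -j REJECT
"$IPT" -A INPUT -p udp -i "$PUB_IF" --dport 137:139 -j REJECT

# log everything else (rate-limited) and drop; FORWARD falls through to
# its DROP policy.
"$IPT" -A INPUT "${LOG_LIMIT[@]}" -j LOG
"$IPT" -A FORWARD "${LOG_LIMIT[@]}" -j LOG
"$IPT" -A INPUT -j DROP

exit 0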
