[转]一段使用 iptable 设置防火墙的设置
面的代码是一段设置 iptable 的脚本,copy 下来,存为一个脚本文件,修改可以执行,再执行一下
Code:
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
iptables -F
iptables -X
iptables -Z
#iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
##
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## SYN-Flooding
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 30/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
## HTTP
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
## CVS
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2401 -j ACCEPT
## IP packets limit
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 5 -j ACCEPT
# LOG --log-level INFO --log-prefix "IPT INPUT packet died: "
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT
## FTP service
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 30001:50000 -j ACCEPT
## SSH login
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
## Anything else not allowed
iptables -A INPUT -i eth0 -j DROP
上面是打开了 www / ftp / ssh2 / cvs 服务,如果你不想打开,请删除相应项
限制一个 ip 不能同时有 30 以上访问
面的代码是一段设置 iptable 的脚本,copy 下来,存为一个脚本文件,修改可以执行,再执行一下
Code:
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
iptables -F
iptables -X
iptables -Z
#iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
##
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## SYN-Flooding
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 30/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
## HTTP
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
## CVS
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2401 -j ACCEPT
## IP packets limit
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 5 -j ACCEPT
# LOG --log-level INFO --log-prefix "IPT INPUT packet died: "
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT
## FTP service
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 30001:50000 -j ACCEPT
## SSH login
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
## Anything else not allowed
iptables -A INPUT -i eth0 -j DROP
上面是打开了 www / ftp / ssh2 / cvs 服务,如果你不想打开,请删除相应项
限制一个 ip 不能同时有 30 以上访问
作者:admin@常来吧
地址:http://www.chl8.com/post/644/
版权所有!转载时请必须遵守以链接形式署名-非商业性使用-完整方式共享!
欢迎在常来吧留言&评论!
文章来自: 本站原创
Tags: 上一篇: 
全面保护Office文档四种有
全面保护Office文档四种有下一篇: 
捕获过度消耗CPU的SQL步骤
捕获过度消耗CPU的SQL步骤
.text:''):(d.getSelection?d.getSelection():'');void(keyit=window.open('http://my.poco.cn/fav/storeIt.php?t='+escape(d.title)+'&u='+escape(d.location.href)+'&c='+escape(t)+'&img=http://www.h-strong.com/blog/logo.gif','keyit','scrollbars=no,width=475,height=575,left=50,top=50status=no,resizable=yes'));keyit.focus();){kind=link}