《防火墙金牌课程》word版.doc

关闭telnet服务service xinetd stop关闭ip6tables服务service ip6tables stop iptables更新下载最新的iptables版本（），下载后的文件为tar.bz2格式。解压命令：rootlinux-test root# tar xvjf iptables-1.4.6.tar.tarrootlinux-test root# cd /iptables-1.4.6rootlinux-test root# ./configurerootlinux-test root# makerootlinux-test root# make install将iptables服务停止rootlinux-test root# service iptables stop用/usr/local/sbin/iptables新文件替换/sbin/iptables（这个是老版本的连接位置）并同时替换ip6tables、ip6tables-restore、ip6tables-save、iptables、iptables-restore和iptables-saverootlinux-test root# cp /usr/local/sbin/iptables /sbin/iptablesiptables就升级完成了，使用下列命令查看rootlinux-test root# iptables -Viptables v1.4.6rootlinux-test root# service iptables restart完成！ (tar xvf 只能解*.tar的包，tar jxvf 是bzip2的，tar zxvf 是gzip的。)以下用iptables服务控制防火墙使用snat.sh脚本在开机时自动开启防火墙设置#echo /etc/rc.d/snat.sh/etc/rc.d/rc.local将snat.sh防火墙脚本放在/etc/rc.d目录中添加snat.sh文件的可执行权限#chmod u+x /etc/rc.d/snat.sh#echo 1 /proc/sys/net/ipv4/ip_forward或是修改/etc/sysctl.conf把net.ipv4.ip_forward = 0改为= 1以下为防火墙脚本snat.sh内容：#!/bin/bashecho 1 /proc/sys/net/ipv4/ip_forwardinet_iface=eth0（设置对外网络设备名称变量）inet_ip=*.*.*.*（设置对外网络设备固定IP变量，动态IP去掉）lan_iface=eth1（设置局域网络设备名称变量）lan_ip=*.*.*.*（设置局域网络设备IP变量）lan_ip_range=/”（设置局域网IP号段）dns1=*.*.*.*dns2=*.*.*.*ntp=*.*.*.*（设置本机允许外网DNS解析及ntp服务器的IP地址utc）ipt=/sbin/iptables/sbin/depmod a（整理内核所支持的模块清单）（加载所用模块）/sbin/modprobe ipt_MASQUERADE/sbin/modprobe ip_tables/sbin/modprobe ip_conntrack（是状态检测机制）/sbin/modprobe ip_conntrack_ftp（本机做FTP时用的）/sbin/modprobe ip_conntrack_irc/sbin/modprobe iptable_nat/sbin/modprobe ip_nat_ftp（是通过本机的FTP需要用到的，路由转发）/sbin/modprobe ipt_connlimit/sbin/modprobe ipt_limit/sbin/modprobe ipt_LOG$ipt -P INPUT DROP$ipt -P FORWARD DROP$ipt -P OUTPUT ACCEPT$ipt -t nat -P PREROUTING ACCEPT$ipt -t nat -P POSTROUTING ACCEPT$ipt -t nat -P OUTPUT ACCEPT（初始化防火墙状态）for TABLE in filter nat mangle ; do$ipt -t $TABLE -F$ipt -t $TABLE -Xdone（清除预设表filter(nat mangle)中所有规则链中的规则和清除预设表filter(nat mangle)使用者自定义链中的规则）$ipt -t filter -A INPUT -s $lan_ip_range -i $inet_iface -j DROP（关闭内网区段IP混入内网）$ipt -t filter -A INPUT -s /24 -i $inet_iface -j DROP（关闭虚拟网区段IP混入虚拟内网）$ipt -t filter -A INPUT -s /16 -i $inet_iface -j DROP$ipt -t filter -A INPUT -s /8 -i $inet_iface -j DROP$ipt -t filter -A INPUT -s /12 -i $inet_iface -j DROP$ipt -t filter -A INPUT -s /8 -i $inet_iface -j DROP（关闭内网其他区段进入内网）$ipt -t filter -A INPUT -p udp -i $lan_iface -dport 67 -sport 68 -j DROP（关闭内网DHCP端口）$ipt -t filter -A INPUT -p icmp -icmp-type echo-request -j DROP（禁止回波探测和Dos请求的icmp封包）$ipt -t filter -A INPUT -p tcp -tcp-flags SYN,ACK,FIN,RST RST -m limit -limit 1/s -j ACCEPT（防止DDOS攻击）$ipt -t filter -A INPUT -p icmp -icmp-type any -m limit -limit 1/sec -limit-burst 10 -j ACCEPT（设置ICMP包过滤,允许每秒1个包,限制触发条件是10个包）$ipt -t filter -A INPUT -f -m limit -limit 100/sec -limit-burst 150 -j ACCEPT（处理IP碎片数量,防止攻击,起始为150个后允许每秒100个）（以上4行防止洪水攻击）$ipt -t filter -A INPUT ! -i lo -m state -state NEW,INVALID -j LOG -log-prefix iniptables:（记录除进入lo的新建和无效链接查找犯罪分子）$ipt -t filter -A INPUT -p tcp -tcp-flags ALL ALL -j DROP$ipt -t filter -A INPUT -p tcp -tcp-flags ALL NONE -j DROP$ipt -t filter -A INPUT -p tcp -tcp-flags ALL FIN,URG,PSH -j DROP$ipt -t filter -A INPUT -p tcp -tcp-flags SYN,RST SYN,RST -j DROP$ipt -t filter -A INPUT -i $inet_iface -m state -state ESTABLISHED,RELATED -j ACCEPT$ipt -t filter -A INPUT -p tcp ! -syn -m state -state NEW -j DROP（防止网络扫描）$ipt -t filter -A INPUT -i lo -j ACCEPT(允许环网连接)$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -dport 53 -j ACCEPT$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -dport 53 -j ACCEPT$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -p udp -sport 53 -j ACCEPT$ipt -t filter -A INPUT -s $dns1 -i $inet_iface -p tcp -sport 53 -j ACCEPT$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -p udp -sport 53 -j ACCEPT$ipt -t filter -A INPUT -s $dns2 -i $inet_iface -p tcp -sport 53 -j ACCEPT(内外网Domain域名服务访问)$ipt -t filter -N LOGJOIN$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m tcp -dport 22 -j LOGJOIN$ipt -t filter -A LOGJOIN -j LOG -log-prefix iptenter:$ipt -t filter -A LOGJOIN -j ACCEPT(记录ssh登录用户信息)$ipt -t filter -A INPUT -i $lan_iface -p udp -dport 67 -j ACCEPT$ipt -t filter -A INPUT -i $lan_iface -p tcp -dport 67 -j ACCEPT(服务器做DHCP开启)$ipt -t filter -A INPUT -i $inet_iface -p tcp -m multiport -dports 1863,1723,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A INPUT -i $inet_iface -p udp -m multiport -dports 1863,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p tcp -m multiport -dports 1863,1723,445,443,139,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p udp -m multiport -dports 1863,445,443,139,123,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A INPUT -p udp -s $ntp -i $inet_iface -dport 123 -j ACCEPT$ipt -t filter -A INPUT -i $inet_iface -p gre -j ACCEPT$ipt -t filter -A INPUT -s $lan_ip_range -i $lan_iface -p gre -j ACCEPT$ipt -t filter -A INPUT -s /24 -i virbr0 -p gre -j ACCEPT$ipt -t filter -A INPUT -s /24 -i virbr0 -p tcp -m multiport -dports 1863,1723,445,443,139,113,110,80,25,22,21,20 -j ACCEPT$ipt -t filter -A INPUT -s /24 -i virbr0 -p udp -m multiport -dports 1863,445,443,139,123,113,110,80,25,21,20 -j ACCEPT（开启外网进入的许可端口允许HTTP、FTP、E-mail、vpn、NTP、DHCP服务）$ipt -t filter -A INPUT -s /24 -i virbr0 -p udp -dport 53 -j ACCEPT$ipt -t filter -A INPUT -s /24 -i virbr0 -p tcp -dport 53 -j ACCEPT(虚拟机对Domain域名服务访问)$ipt -t filter -A INPUT -i virbr0 -p udp -dport 67 -j ACCEPT$ipt -t filter -A INPUT -i virbr0 -p tcp -dport 67 -j ACCEPT(服务器对虚拟系统做DHCP开启)$ipt -t filter -A FORWARD -s $lan_ip_range -i $inet_iface -j DROP$ipt -t filter -A FORWARD -s /24 -i $inet_iface -j DROP$ipt -t filter -A FORWARD -s /16 -i $inet_iface -j DROP$ipt -t filter -A FORWARD -s /8 -i $inet_iface -j DROP$ipt -t filter -A FORWARD -s /12 -i $inet_iface -j DROP$ipt -t filter -A FORWARD -s /8 -i $inet_iface -j DROP(防止外网用内网区段IP转发数据包)$ipt -t filter -A FORWARD -p icmp -icmp-type echo-request -j DROP$ipt -t filter -A FORWARD -p icmp -icmp-type echo-reply -j DROP$ipt -t filter -A FORWARD -p tcp -tcp-flags SYN,ACK,FIN,RST RST -m limit -limit 1/s -j ACCEPT$ipt -t filter -A FORWARD -p icmp -icmp-type any -m limit -limit 1/sec -limit-burst 10 -j ACCEPT$ipt -t filter -A FORWARD -f -m limit -limit 100/sec -limit-burst 150 -j ACCEPT$ipt -t filter -A FORWARD ! -i lo -m state -state NEW,INVALID -j LOG -log-prefix foriptables:$ipt -t filter -A FORWARD -p tcp -tcp-flags ALL ALL -j DROP$ipt -t filter -A FORWARD -p tcp -tcp-flags ALL NONE -j DROP$ipt -t filter -A FORWARD -p tcp -tcp-flags ALL FIN,URG,PSH -j DROP$ipt -t filter -A FORWARD -p tcp -tcp-flags SYN,RST SYN,RST -j DROP$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -m state -state RELATED,ESTABLISHED -j ACCEPT$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d /24 -m state -state RELATED,ESTABLISHED -j ACCEPT$ipt -t filter -A FORWARD -p tcp ! -syn -m state -state NEW -j DROP$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o lo -j ACCEPT$ipt -t filter -A FORWARD -s /24 -i virbr0 -o lo -j ACCEPT$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p tcp -m multiport -dports 8000,1863,1723,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p tcp -m multiport -dports 8000,1863,1723,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -s $lan_ip_range -i $lan_iface -o $inet_iface -p udp -m multiport -dports 8000,1863,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -i $inet_iface -o $lan_iface -d $lan_ip_range -p udp -m multiport -dports 8000,1863,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -p gre -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT$ipt -t filter -A FORWARD -p gre -s $lan_ip_range -i $lan_iface -o $inet_iface -j ACCEPT$ipt -t filter -A FORWARD -p udp -i $inet_iface -o $lan_iface -d $lan_ip_range -j ACCEPT$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d /24 -p tcp -m multiport -dports 8000,1863,1723,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -s /24 -i virbr0 -o $inet_iface -p tcp -m multiport -dports 8000,1863,1723,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -i $inet_iface -o virbr0 -d /24 -p udp -m multiport -dports 8000,1863,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -s /24 -i virbr0 -o $inet_iface -p udp -m multiport -dports 8000,1863,445,443,113,110,80,25,21,20 -j ACCEPT$ipt -t filter -A FORWARD -p gre -i $inet_iface -o virbr0 -d /24 -j ACCEPT$ipt -t filter -A FORWARD -p gre -s /24 -i virbr0 -o $inet_iface -j ACCEPT$ipt -t filter -A FORWARD -p udp -i $inet_iface -o virbr0 -d /24 -j ACCEPT$ipt -t filter -A FORWARD -o virbr0 -j REJECT -reject-with icmp-port-unreachable$ipt -t filter -A FORWARD -i virbr0 -j REJECT -reject-with icmp-port-unreachable$ipt -t filter -A OUTPUT -p icmp -icmp-type echo-reply -j DROP$ipt -t filter -A OUTPUT -o lo -j ACCEPT$ipt -t filter -A OUTPUT -p tcp -m multiport -dports 8000,1863,1723,443,113,110,80,53,25,21,20 -j ACCEPT$ipt -t filter -A OUTPUT -p udp -m multiport -dports 8000,1863,443,123,113,110,80,53,25,21,20 -j ACCEPT$ipt -t filter -A OUTPUT -p tcp -sport 53 -j ACCEPT$ipt -t filter -A OUTPUT -p