- #!/bin/sh
- IPTABLES=/sbin/iptables
- # clear
- $IPTABLES -F
- # if pkg type is allow, then accept
- #$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # 如果同時在80端口的連接數大於10,就Drop掉這個ip
- netstat -an | grep :80 | awk -F: '{ print $8 }' | sort | uniq -c | awk -F\ '$1>10 && $2!="" { print $2 }' >> /etc/fw.list
- less /etc/fw.list | sort | uniq -c | awk -F\ '$2!="" { print $2 }' > /etc/fw.list2
- less /etc/fw.list2 > /etc/fw.list
- while read line
- do
- t=`echo "$line"`
- $IPTABLES -A INPUT -p tcp -s $t -j DROP
- done < /etc/fw.list2
- # IP轉發
- $IPTABLES -A INPUT -p tcp --dport 20002 -j ACCEPT
- $IPTABLES -A INPUT -d 172.16.204.7 -p tcp -m tcp --dport 20002 -i eth0 -j ACCEPT
- $IPTABLES -t nat -A PREROUTING -d 211.100.39.44 -p tcp -m tcp --dport 20002 -j DNAT --to-destination 172.16.204.7:20002
- $IPTABLES -t nat -A POSTROUTING -d 172.16.204.7 -p tcp -m tcp --dport 20002 -j SNAT --to-source 10.6.39.44
- # if pkg visit 80,7710 port then accept
- $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
- # $IPTABLES -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
- $IPTABLES -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
- $IPTABLES -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
- # if pkg from allow ip then accept
- $IPTABLES -A INPUT -p tcp -s 127.0.0.1 -j ACCEPT
- # if pkg not above then deny
- $IPTABLES -A INPUT -p tcp --syn -j DROP
- 下面這個防火牆測試結果更正確,能起到一定的防***的功能
- #!/bin/sh
- IPTABLES="/sbin/iptables"
- echo "1" > /proc/sys/net/ipv4/ip_forward
- $IPTABLES -P INPUT DROP
- $IPTABLES -P FORWARD DROP
- $IPTABLES -P OUTPUT DROP
- $IPTABLES -F
- $IPTABLES -X
- $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 80 --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 30/m --limit-burst 2 -j ACCEPT
- $IPTABLES -A OUTPUT -p tcp -s 127.0.0.1 -j ACCEPT
- $IPTABLES -A OUTPUT -p tcp -s 192.168.1.102 -j ACCEPT
- $IPTABLES -A OUTPUT -p udp -s 127.0.0.1 -j ACCEPT
- $IPTABLES -A OUTPUT -p udp -s 192.168.1.102 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --syn -j DROP