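#!/bin/sh
# Host firewall (iptables). Flushes every existing rule, then rebuilds:
#   INPUT   - whitelist hosts (always ACCEPT), blacklist hosts (always DROP),
#             SYN rate limiting, TCP ports in $ALLOWED open to everyone,
#             all other new TCP connections dropped, UDP only from source
#             ports 53/123, a small ICMP allow-list on $IFACE
#   FORWARD - a rate-limited path for one LAN host, everything else from/to
#             that host dropped
#   NAT     - masquerade outgoing traffic on $IFACE, IP forwarding enabled
#
# Inputs:
#   $WHITELIST, $BLACKLIST - text files, one address per line; only the first
#                            whitespace-separated field is used, lines starting
#                            with '#' and empty lines are ignored
#   $ALLOWED               - space-separated TCP ports open to everyone
#                            (empty = no port is open to non-whitelisted hosts)
# Must run as root.
#
# Deliberately no `set -e`: right after the flush the host has no rules at
# all, so if one iptables call fails it is safer to keep applying the rest
# than to exit half-way with an empty rule set. The script never sets chain
# policies; whatever default policy is in effect applies to unmatched traffic.
WHITELIST=/root/fw/whitelist.txt
BLACKLIST=/root/fw/blacklist.txt
ALLOWED=""
IPTABLES="/sbin/iptables"
# Outside (WAN) interface used by the ICMP, SYN-limit and NAT rules.
IFACE=eth0

#######################################
# Add one INPUT rule per address in a list file.
# Arguments: $1 - list file
#            $2 - iptables target (ACCEPT or DROP)
#            $3 - ANSI colour code for the progress message (e.g. "1;32")
#            $4 - verb printed in front of the address
# Outputs:   one coloured line per address to stdout
# Returns:   1 if the list file is not readable (nothing is added), else 0
#######################################
apply_list() {
  list=$1
  target=$2
  colour=$3
  verb=$4
  if [ ! -r "$list" ]; then
    printf 'warning: %s not readable, skipping\n' "$list" >&2
    return 1
  fi
  # `|| [ -n "$addr" ]` keeps a last line that has no trailing newline.
  grep -v '^#' -- "$list" | while read -r addr rest || [ -n "$addr" ]; do
    [ -n "$addr" ] || continue
    printf '\033[%sm%s %s \033[0m\n' "$colour" "$verb" "$addr"
    "$IPTABLES" -A INPUT -t filter -s "$addr" -j "$target"
  done
  return 0
}

# Start from a clean slate in every table we touch.
"$IPTABLES" -F -t mangle
"$IPTABLES" -F -t nat
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z

# SYN rate-limit chain: while new connections arrive at <= 1/s (burst 5) the
# packet RETURNs to INPUT for normal evaluation, anything faster is dropped.
# NB: the limit match is global, not per source address.
"$IPTABLES" -N syn_flood
"$IPTABLES" -A syn_flood -m limit --limit 1/s --limit-burst 5 -j RETURN
"$IPTABLES" -A syn_flood -j DROP

# Whitelisted hosts are accepted before any other check; blacklisted hosts
# are dropped next, so a host on both lists is accepted (whitelist wins).
apply_list "$WHITELIST" ACCEPT "1;32" povoluji
apply_list "$BLACKLIST" DROP "1;31" zakazuji

# SYN limiting must come BEFORE the per-port ACCEPT rules and the blanket SYN
# DROP below, otherwise this jump can never match (in the previous ordering
# it was appended after "--syn -j DROP" and was dead).
"$IPTABLES" -A INPUT -i "$IFACE" -p tcp --syn -j syn_flood

# TCP ports open to everyone. $ALLOWED is intentionally unquoted: it is a
# space-separated list of port numbers and word-splitting is the point.
# shellcheck disable=SC2086
for port in $ALLOWED; do
  printf '%s\n' "povoluji port $port"
  "$IPTABLES" -A INPUT -t filter -p tcp --dport "$port" -j ACCEPT
done

# Every other new TCP connection is refused. Non-SYN TCP (i.e. replies to
# connections the host opened) is not matched here and falls through.
"$IPTABLES" -A INPUT -t filter -p tcp --syn -j DROP

# UDP: only DNS and NTP replies, matched by source port, everything else
# dropped. NOTE(review): a source-port match accepts any packet that merely
# claims sport 53/123; a conntrack "--state ESTABLISHED" rule would be
# stricter - left as-is to keep the original behaviour.
"$IPTABLES" -A INPUT -t filter -p UDP --sport 53 -j ACCEPT
"$IPTABLES" -A INPUT -t filter -p UDP --sport 123 -j ACCEPT
"$IPTABLES" -A INPUT -t filter -p UDP -j DROP

# ICMP on the outside interface: echo-reply (0), dest-unreachable (3),
# rate-limited echo-request (8), time-exceeded (11); the rest is dropped.
# ICMP on other interfaces is not touched.
"$IPTABLES" -A INPUT -t filter -p ICMP -i "$IFACE" --icmp-type 0 -j ACCEPT
"$IPTABLES" -A INPUT -t filter -p ICMP -i "$IFACE" --icmp-type 3 -j ACCEPT
"$IPTABLES" -A INPUT -t filter -p ICMP -i "$IFACE" --icmp-type 8 -m limit --limit 1/s --limit-burst 5 -j ACCEPT
"$IPTABLES" -A INPUT -t filter -p ICMP -i "$IFACE" --icmp-type 11 -j ACCEPT
"$IPTABLES" -A INPUT -t filter -p ICMP -i "$IFACE" -j DROP

# FORWARD: traffic from/to one host (presumably a LAN machine behind the NAT -
# confirm) is limited to 1 packet/s with a burst of 100, the excess is dropped.
# The original rules passed "--limit" twice ("--limit 1/s --limit 100"), which
# iptables rejects as a duplicate option; "--limit-burst 100" is the evident
# intent. -I puts the ACCEPTs in front of the DROPs appended below.
"$IPTABLES" -I FORWARD -s 192.168.1.2 -m limit --limit 1/s --limit-burst 100 -j ACCEPT
"$IPTABLES" -I FORWARD -d 192.168.1.2 -m limit --limit 1/s --limit-burst 100 -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.1.2 -j DROP
"$IPTABLES" -A FORWARD -d 192.168.1.2 -j DROP

# Kernel: allow dynamic-address rewriting for masqueraded connections and
# turn on IPv4 forwarding.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

# Turn NAT on: masquerade everything leaving through the outside interface.
"$IPTABLES" -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE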
             ja to ve skriptu rozhodne mam
 ja to ve skriptu rozhodne mam
            
        Tiskni
            
                Sdílej:
                 
                 
                 
                 
                 
                 
            
    