[Linux] iptables for VPS 主機 @CentOS

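# Create the directory that holds the firewall scripts and an empty ruleset
# file to edit. -p makes this safe to repeat on a host that already has it.
mkdir -p /etc/firewall

touch /etc/firewall/iptables.sh

chmod 755 /etc/firewall

# The ruleset is executed as root and lists the SSH whitelist addresses;
# keep it readable and writable by root only (it is run via bash/sh, so it
# does not need the execute bit).
chmod 600 /etc/firewall/iptables.sh

vi /etc/firewall/iptables.sh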

寫入以下內容

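#!/bin/bash
#
# iptables ruleset for a single-IP VPS (CentOS, OpenVZ venet0 interface).
#
# Usage:  bash /etc/firewall/iptables.sh      (as root)
# Reads:  $basedir/blacklist.sh, if present, is run with sh as root.
#
# Design: the rules are stateless. Every service gets an explicit INPUT rule
# plus the mirrored OUTPUT rule for its replies, matched on port ranges rather
# than on connection state (-m state --state ESTABLISHED,RELATED). The default
# policy of all three chains is DROP, so anything not listed here is blocked.
#
# NOTE: running this script replaces the live ruleset. Change the SSH rules
# from the console (or with a scheduled rollback), because a mistake there
# locks you out of the VPS.

# Directory holding this script and the optional blacklist.
basedir="/etc/firewall"

# Public IP of the VPS; every service rule is bound to it.
VPSIP="202.153.194.177"

# ISP resolvers (NS1 NS2); outbound DNS is allowed only to these.
DNSIP="168.95.1.1 139.175.55.244"

# Addresses allowed to reach SSH (port 22) on the VPS.
sshWhitelist="202.153.194.130 220.130.226.181 220.135.28.160 59.120.206.94"

# iptables and the service helper need root; fail early with one message
# instead of letting every rule below fail individually.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Stop the RedHat iptables service, then flush whatever is left so that
# re-running this script does not append a second copy of every rule.
service iptables stop
iptables -F
iptables -X

# Default policy: drop everything that is not explicitly accepted below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow loopback traffic on both lo and venet0.
iptables -A INPUT  -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT

iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Drop all incoming fragments.
iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets (every TCP flag set).
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop malformed NULL packets (no TCP flag set).
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop packets whose source address cannot legitimately arrive from the
# Internet: unspecified, loopback, RFC 1918 private ranges, multicast and up.
iptables -A INPUT -s 0.0.0.0/8      -j DROP
iptables -A INPUT -s 127.0.0.0/8    -j DROP
iptables -A INPUT -s 10.0.0.0/8     -j DROP
iptables -A INPUT -s 172.16.0.0/12  -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/3    -j DROP

#iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
#iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

# Deny chainsinc.com access to SSH.
iptables -A INPUT -p TCP -i venet0 -s 202.3.140.185  --dport 22 -j DROP

# SSH from the whitelisted addresses. On this host an incoming packet always
# has $VPSIP as destination, so the whitelist address must be matched as the
# *source* of the INPUT rule and as the destination of the reply (OUTPUT)
# rule; the previous version matched -d $mip / -s $mip and never fired.
# Word-splitting of $sshWhitelist is intentional (space-separated list).
for mip in $sshWhitelist; do
  iptables -A INPUT  -p tcp -s "$mip" --sport 1024:65535 -d "$VPSIP" --dport 22 -j ACCEPT
  iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 22 -d "$mip" --dport 1024:65535 -j ACCEPT
done

# Webmin (10000), reachable from anywhere. To limit it to the administrators,
# replace "0/0" with the whitelist loop above.
iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d "$VPSIP" --dport 10000 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 10000 -d 0/0 --dport 1024:65535 -j ACCEPT

# Load the blacklist (extra DROP rules) if one is installed. It runs as root,
# so $basedir must not be writable by other users.
if [ -f "$basedir"/blacklist.sh ]; then
  sh "$basedir"/blacklist.sh
fi

# ICMP in both directions (unrestricted; echo requests are answered to anyone).
iptables -A OUTPUT -p icmp -s "$VPSIP" -d 0/0 -j ACCEPT
iptables -A INPUT  -p icmp -s 0/0 -d "$VPSIP" -j ACCEPT

# Outgoing traceroute (UDP probe ports).
iptables -A OUTPUT -p udp -s "$VPSIP" --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT

# FTP service: control port 21 plus the passive data range 65400:65430.
iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d "$VPSIP" --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 21 -d 0/0 --dport 1024:65535 -j ACCEPT

iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d "$VPSIP" --dport 65400:65430 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 65400:65430 -d 0/0 --dport 1024:65535 -j ACCEPT

# SSH service open to every address.
# NOTE: these two rules make the whitelist loop above redundant; comment them
# out to restrict SSH to the whitelisted addresses only (do this from the
# console, and make sure your own address is in sshWhitelist first).
iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d "$VPSIP" --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 22 -d 0/0 --dport 1024:65535 -j ACCEPT

# Mail service (disabled).
#iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d $VPSIP --dport 25 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $VPSIP --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

# Web service.
iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d "$VPSIP" --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

# MySQL service (disabled; the second pair would open it to a single address).
#iptables -A INPUT  -p tcp -s 0/0 --sport 1024:65535 -d $VPSIP --dport 3306 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $VPSIP --sport 3306 -d 0/0 --dport 1024:65535 -j ACCEPT

#iptables -A INPUT  -p tcp -s 59.120.206.94 --sport 1024:65535 -d $VPSIP --dport 3306 -j ACCEPT
#iptables -A OUTPUT -p tcp -s $VPSIP --sport 3306 -d 59.120.206.94 --dport 1024:65535 -j ACCEPT

# Allow this host to reach remote SSH servers.
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 1024:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT  -p tcp -s 0/0 --sport 22 -d "$VPSIP" --dport 1024:65535 -j ACCEPT

# Allow this host to reach remote SMTP servers.
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT  -p tcp -s 0/0 --sport 25 -d "$VPSIP" --dport 1024:65535 -j ACCEPT

# Allow this host to query the ISP resolvers, UDP and TCP.
# Word-splitting of $DNSIP is intentional (space-separated list).
for mip in $DNSIP; do
  iptables -A OUTPUT -p udp -s "$VPSIP" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT  -p udp -s "$mip" --sport 53 -d "$VPSIP" --dport 1024:65535 -j ACCEPT
  # TCP, for answers that do not fit in a UDP datagram.
  iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 1024:65535 -d "$mip" --dport 53 -j ACCEPT
  iptables -A INPUT  -p tcp -s "$mip" --sport 53 -d "$VPSIP" --dport 1024:65535 -j ACCEPT
done

# Allow this host to reach remote web servers.
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp -s 0/0 --sport 80 -d "$VPSIP" --dport 1024:65535 -j ACCEPT

# SNMP (TCP and UDP 161) from the monitoring host "clara" only.
iptables -A INPUT  -p tcp -s 202.153.194.130 --sport 1024:65535 -d "$VPSIP" --dport 161 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$VPSIP" --sport 161 -d 202.153.194.130 --dport 1024:65535 -j ACCEPT
iptables -A INPUT  -p udp -s 202.153.194.130 --sport 1024:65535 -d "$VPSIP" --dport 161 -j ACCEPT
iptables -A OUTPUT -p udp -s "$VPSIP" --sport 161 -d 202.153.194.130 --dport 1024:65535 -j ACCEPT

# Explicitly drop the remaining well-known services and then everything else.
# These are already covered by the DROP default policy; they are kept so the
# counters (iptables -L -v) show where blocked traffic lands.
iptables -A INPUT -p TCP -i venet0 --dport 20 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 23 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 110 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 443 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 8080 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 53 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 3306 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 1433 -j DROP
iptables -A INPUT -p UDP -i venet0 --dport 53 -j DROP
iptables -A INPUT -p TCP -i venet0 --dport 1:1024 -j DROP
iptables -A INPUT -p UDP -i venet0 --dport 1:1024 -j DROP
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP

# EOF SFW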

參考資料:

http://www.cosa.org.tw/cosa_act/tm/firewall/fw_conf.txt

http://forums.vpslink.com/linux/865-iptables-error-weird-character-in-interface-venet0-0-a.html

http://blog.xuite.net/beavisliu/blog/15186574

shell 下載:「下載檔案」iptables.20080630.rar (1.29 KB , 下載:34次)
