[linux教程] 拒绝sql蠕虫,骚扰....

以下是代码：1 J+ Y; ]% d- i2 G

4 H) E* \/ F; r3 _#!/bin/sh* {) I, @! J) l' O8 U2 z
#6 j5 ^: v2 R1 V/ ^8 L0 |) u
#GeneratediptablesfirewallscriptfortheLinux2.4kernel
# v" _1 r9 r4 Z8 A6 B' p' B#ScriptgeneratedbyEasyFirewallGeneratorforIPTables# Y! \  b* k. Z+ Y: p7 M
#copyright2002TimothyScottMorizot
, K1 k' g7 h* e+ y1 I#
. @8 R! ^$ B; q4 S& l: |1 q, m#Redhatchkconfigcomments-firewallappliedearly,# \! `  ]$ Q) H
#removedlate
" t9 j$ ]; i" g, K( Q# L#chkconfig:23450892
0 M2 L/ B; [& O* B#description:Thisscriptappliesorremovesiptablesfirewallrules
$ w* X& [3 ~% t#
% y+ o4 U( B7 q1 A7 Y#ThisgeneratorisprimarilydesignedforRedHatinstallations,' [6 [8 T2 r0 d% \
#althoughitshouldbeadaptableforothers.1 l5 _6 o9 P+ j! u# q
#' Y! c5 M/ I$ }9 e0 ^/ l9 j
#Itcanbeexecutedwiththetypicalstartandstoparguments.( h- f2 ~7 a, a, c& z
#Ifusedwithstop,itwillstopafterflushingthefirewall.: \2 Z% J# p" m$ d/ s& b
#Thesaveandrestoreargumentswillsaveorrestoretherules8 J; o# W( I$ b' w# p# K6 O
#fromthe/etc/sysconfig/iptablesfile.
9 E7 ?" F$ m: x+ {, ^- @) L! ^6 Z. ?1 e5 L7 o, ]
#Redhatinstallationinstructions: w) H8 ^7 l' n" T+ E: B
#
( a2 Q4 ^$ J) A$ m& S) I8 c! G#1.Ensurethatipchainswillnotautomaticallystart.
0 l4 m. c  x8 H- C/ a9 u# j7 E3 r#chkconfig--level0123456ipchainsoff
+ k) P& [0 |" d, l. _% T# F#Thiswillmakesurethattheipchainsinit.dscript
* `/ W' _: i/ c" ]3 G, ?! R#isnotlinkedtoanSfileinanyofthercdirectories.# f# d4 j2 o5 `8 `
#
4 R. H7 U9 M7 `/ `* f#2.Stopipchainsifit'srunning.
+ _" s/ }) b( {5 W* a#serviceipchainsstop4 h6 j4 a6 m2 v
#
4 o2 N, q, [6 M! `/ V8 j4 ]#3.Executelsmodtoseeiftheipchainskernelmoduleisstillloaded.& ^+ {1 O/ A+ ]/ e" a& u: d, u1 I1 d
#Ifitis,usermmodtounloadit.--rmmodipchains
2 Y! F* {- M% D: G#; M% s2 ^. D2 _# S
#4.Havethesystemlinktheiptablesinit.dstartupscriptintorunstates
4 B. D! H8 O' F+ c#2,3,and5.! c: C' S1 p5 k- e& h7 c2 ~
#chkconfig--level235iptableson/ V/ C  U7 G8 B
#
3 F4 g3 c6 ~, o1 A4 ?& W#5.Savethisscriptandexecuteittoloadtherulesetfromthisfile.
. c( |* E4 L( {' K: A1 A#Youmayneedtorunthedos2unixcommandonittoremovecarraigereturns.+ W9 Z, E) M8 ^0 j
## m  F( x  v0 G- M/ z. F2 U8 p% R$ E
#6.Savetherulesetto/etc/sysconfig/iptables.Thiscanbedonetwoways.
8 U4 Y6 P& g7 y9 Z: {* ^" W#serviceiptablessave- P7 E' C; l! H- {
#iptables-save%26gt;/etc/sysconfig/iptables# l2 g+ g9 n2 k. G  V
#
/ o1 u; K1 [* Y7 Z# d#7.Therulesetwillberestoredbythe/etc/init.d/iptablesscriptonboot.
5 R$ M+ z' b* F#5 y8 S7 g# _8 q% o0 @; a1 N
#8.Alternatively,savethe/etc/init.d/iptablesscriptandcopythisscript
% g0 N: l$ w) ]8 o) M; c" v( }#to/etc/init.d/iptables.Itacceptsstop,start,save,andrestore
) I3 ?+ j, Q, g! j8 y6 q6 o#arguments.
% N2 P) D' n: d+ \5 |; b! F#6 S. p1 v/ }, w
#NOTE:The/etc/init.d/iptablesscriptcanbemodifiedtorunthisscript$ Z% M  A, h  K4 `/ N; k$ N5 _
#instead.Ifyoudoso,saveacopysoyoucanreapplyyourmodifications! @7 Q8 V- Y9 B+ q' R2 c& k! _
#afterupgradingtheiptablespackage.Theadvantageofusingthisscriptfor" q/ g1 e' o* |1 o  u, j
#theongoingoperationofthefirewallisitgivesyougreatercontrolover
, T+ B* l/ n/ U" R#themodulesandrulesetsused.Theaboveissimpler,however.
% {' }4 s! c- E" \& v, [5 u. q/ r; m! y+ z
###############################################################################& u! ?: p+ \+ t! o% Z
#
/ k' @) v7 U: {4 C#LocalSettings
0 P( C: r/ P: |, q3 \' W. K- b#
0 C4 s( K  R. Z+ G
6 ~& n6 _5 C" P8 o/ F- Y, {#sysctllocation.Ifset,itwillusesysctltoadjustthekernelparameters.
, ^) o: ?2 m" |; F2 I6 _4 \#Ifthisissettotheemptystring(orisunset),theuseofsysctl
/ C/ T' |6 u+ T8 F3 S#isdisabled.
: d7 j$ v4 Q% x) C+ g  C0 A% o$ `% `3 t6 s3 C+ y  y5 [5 X
SYSCTL="/sbin/sysctl-w"
1 P8 F4 F9 n" @7 }6 P, {# T* A, N
- T5 N' w) c3 ~( F' d#Toechothevaluedirectlytothe/procfileinstead6 |& U7 O5 z1 v2 `
#SYSCTL=""
" Z) a! F; u$ S* Y- l5 f! c) `# s9 e- a" I
#IPTablesLocation-adjustifneeded
3 S( X5 d) _* O& M' u+ N
$ ]+ P5 C( V% v; h  {* rIPT="/sbin/iptables"5 |- \; y/ D( H$ f& }
IPTS="/sbin/iptables-save"
8 e+ ?, E/ E2 p3 U6 dIPTR="/sbin/iptables-restore"
8 T% f% i# \& y' o5 C" \6 y7 M% [6 V9 b1 D/ T" E) u
#InternetInterface
, M* J- L2 @: {3 MINET_IFACE="eth0"  t0 m' s* a% w7 k8 S9 _
#INET_ADDRESS="192.168.2.150"* ]. H4 v  c- j/ K0 H
' y. q; H+ R3 a' f
#LocalhostInterface
/ m1 `& I# [% k7 P8 u+ F5 ^6 p2 @! y- K7 ]* z% K
LO_IFACE="lo"  H: g% j# \4 D  M" `4 K( E
LO_IP="127.0.0.1"7 O, k; p7 g$ }7 p7 p+ r
1 W3 j/ ]4 n- @' \( v5 h! [2 y

6 d! C" E9 |4 G0 W2 i* s
: e0 t8 G, p. v6 p###############################################################################0 v( B! `  Q& \# `# T2 a* J: r
#, {, F6 J! t1 F5 ]! X/ l
#LoadModules4 X8 o/ R4 o% M7 F
#
, a! c0 `! e' ?+ O- [7 t- b  G: f6 Z7 k7 N, c2 F+ L
echo"Loadingkernelmodules..."7 ?% `8 X( U( P9 l6 ~' \  G/ I  O

2 d9 U. b2 j7 j" L+ t& k#Youshoulduncommentthelinebelowandrunitthefirsttimejustto
3 b1 E+ M; J: X5 a4 D#ensureallkernelmoduledependenciesareOK.Thereisnoneedtorun
% o9 ^. q, B7 h#everytime,however.
" K+ V* V9 r# U' _# c% |! h0 e+ P/ t( R8 c; a0 s
#/sbin/depmod-a2 h4 I, z- \5 j& G7 }( O
0 P# i$ F8 a9 e* R4 v& e9 f
#Unlessyouhavekernelmoduleauto-loadingdisabled,youshouldnot
* q4 ]) b/ @1 E* i% B1 @5 t$ J#needtomanuallyloadeachofthesemodules.Otherthanip_tables,
9 M0 M5 }! T1 _" C$ q* @! n( a#ip_conntrack,andsomeoftheoptionalmodules,I'veleftthese
6 c! W0 H# a% _7 j#commentedbydefault.Uncommentifyouhaveanyproblemsorif; G2 ]" `2 w; J$ M9 Z9 Q: A- o3 g
#youhavedisabledmoduleautoload.Notethatsomemodulesmust2 _, h5 \( r" F
#beloadedbyanotherkernelmodule.
" E$ M) ^4 b- N
* W" X' P) s$ O#corenetfiltermodule
! U( S2 R; U1 [( D- m& A0 y/sbin/modprobeip_tables+ `9 V) O  `) b8 ]
$ r) ~% y% [# k; a( M
#thestatefulconnectiontrackingmodule* Z6 U! w- q. d2 {
/sbin/modprobeip_conntrack0 T% [5 p% _9 n1 O1 `5 J$ B) z
* R6 d, y8 h1 c
#filtertablemodule$ w. r& G# B4 ]; f, j! u
/sbin/modprobeiptable_filter; F' W/ D/ F9 A5 o! x% o2 u" C( n
6 b4 p7 f* r: U% P
#mangletablemodule
& r; X, V" u2 i0 X#/sbin/modprobeiptable_mangle* ?( L8 A3 a  b, g: @
, l) v; l- z, T! K
#nattablemodule
2 [: G7 a" A+ d. e3 W' E4 M/ P5 l# q#/sbin/modprobeiptable_nat$ h& q# T: _1 b/ H- M
9 d/ z$ \: b- ?% D
#LOGtargetmodule" Q' f* k: M; d# a4 J/ F
/sbin/modprobeipt_LOG
+ a" {$ I  c+ R7 L8 C
8 y4 V, C1 b7 v0 Q; `#Thisisusedtolimitthenumberofpacketspersec/min/hr7 y( u' w6 \4 _+ S8 O
/sbin/modprobeipt_limit" m" |9 r9 \6 u) V, l6 {
7 _8 \5 Q1 @) S- u' Z. J
#masqueradetargetmodule- d" m6 s8 }" j% e0 B3 j" u
#/sbin/modprobeipt_MASQUERADE
/ j$ u3 x" n$ C1 m3 @  B% q& i, Q  s) u, t/ }# k0 g4 {
#filterusingowneraspartofthematch
4 E$ G+ f2 }5 I: U& O#/sbin/modprobeipt_owner: i. F/ w0 p* F5 F9 ?

0 Y" y  q% x, W6 i#REJECTtargetdropsthepacketandreturnsanICMPresponse.* E) a4 I5 G8 s
#Theresponseisconfigurable.Bydefault,connectionrefused.: z6 _2 u; L0 x6 p* a4 p9 {2 |
#/sbin/modprobeipt_REJECT
. z* E  c. H' q, K1 j) t4 ?
  x. e2 Q. ~. n# @- ?# }% v#Thistargetallowspacketstobemarkedinthemangletable
% h0 y9 e  i6 ^6 `3 M4 K- |- |#/sbin/modprobeipt_mark
# ^+ q6 n. |% ]# L! D$ b+ L1 k( t# ]1 ]" v! P1 g' v& l
#ThistargetaffectstheTCPMSS
1 _5 O% q6 `& Y# k, C# I9 R, S6 o#/sbin/modprobeipt_tcpmss/ _% D3 [4 A; u5 b
% z9 \3 {$ Z4 {) U/ Y8 H( p) y* ?
#Thismatchallowsmultipleportsinsteadofasingleportorrange
1 J/ a8 Y! f6 s0 h# _#/sbin/modprobemultiport2 |- O0 ]2 _6 S8 [
5 v/ m, z, r. f7 Q! ^& r% g" F  W
#ThismatchchecksagainsttheTCPflags$ |7 i; h4 r; ]0 |
/sbin/modprobeipt_state
% V- D8 T! l* h. Q5 O* P% }# s; F9 @: m$ G3 z5 v% x
#Thismatchcatchespacketswithinvalidflags. W7 i# J- {( W& s
/sbin/modprobeipt_unclean& o7 U9 i3 R$ r6 J0 i1 S
0 V7 \. L3 N3 D$ V
#Theftpnatmoduleisrequiredfornon-PASVftpsupport) ]$ x- _8 @1 ~* h4 n6 V& T
#/sbin/modprobeip_nat_ftp
" R$ v% N" P. Q- y2 K& N
5 P! ~* S) s* V9 e#themoduleforfullftpconnectiontracking% ]( e% D& W. g( i) U
#/sbin/modprobeip_conntrack_ftp* }5 ?" |- v% \
+ o2 a9 a( r7 f- u" X5 v4 e
#themoduleforfullircconnectiontracking4 L: O$ C, `( {
#/sbin/modprobeip_conntrack_irc2 ?' D- ]9 v  Z0 B8 x  R' {5 A

6 {! g: g  q9 J
- u! Z% L9 T9 l; `8 y8 y: d###############################################################################5 f+ R5 B' h: u: w5 Y/ W* ~
#) j$ w  T+ x. S( i
#KernelParameterConfiguration
! R5 P* k5 F% l3 v9 R2 P9 o#& ~% N2 l2 D( Y  N& j/ w  h2 V6 Q

: V4 t( g# v' ~#RequiredtoenableIPv4forwarding.- M# m% C0 t4 @+ p/ C& P3 B
#RedhatuserscantrysettingFORWARD_IPV4in/etc/sysconfig/networktotrue1 @* O: |9 |/ @7 K
#if["$SYSCTL"=""]: @9 q0 X6 z$ T7 a6 z
#then
2 ]% @* O& J4 X& N1 O#echo"1"%26gt;/proc/sys/net/ipv4/ip_forward+ f5 W1 B, \/ E  p+ f
#else
/ \. @/ m% ~" R* E% S#$SYSCTLnet.ipv4.ip_forward="1"
; w  E& _) k" Z2 {0 D#fi
7 A% ~, M: b2 s& q6 A1 D" H1 B( R% E& l
#Thisenablesdynamicaddresshacking.
! e1 v" m- f# u# I0 |& l- e#ThismayhelpifyouhaveadynamicIPaddress\(e.g.slip,ppp,dhcp\).
5 k$ a: c6 S  R' Tif["$SYSCTL"=""]2 s% T0 p2 {; q( n
then
/ i' b4 o% E- t/ K5 B$ u$ b8 Kecho"1"%26gt;/proc/sys/net/ipv4/ip_dynaddr
0 W# D) {! T  s0 S' felse
2 H+ \- b& U8 q  D$SYSCTLnet.ipv4.ip_dynaddr="1"
  y) Y$ e2 f/ M: V  P' {4 Ifi# i' y% j6 I! I& h

: Z, t: P: i2 J; A#ThisenablessourcevalidationbyreversedpathaccordingtoRFC1812.
6 |( }& {* }9 @; L) i2 a; [: |#Inotherwords,didtheresponsepacketoriginatefromthesameinterface
9 }$ \* k% P3 G) p9 S( R/ e. o, A* q! a#throughwhichthesourcepacketwassent?It'srecommendedforsingle-homed- d4 k1 Y9 Q. `" ]
#systemsandroutersonstubnetworks.Sincethosearetheconfigurations' i! k& A& D7 Z# `+ G2 z
#thisfirewallisdesignedtosupport,Iturnitonbydefault.
( m5 n9 x0 r, r& ?& t#TurnitoffifyouusemultipleNICsconnectedtothesamenetwork.
1 N7 {6 B% w# ^# L7 Sif["$SYSCTL"=""]- s6 Z" V) s8 |* O4 G, _* v
then
! i3 B5 t+ c/ q6 gecho"1"%26gt;/proc/sys/net/ipv4/conf/all/rp_filter, `0 t+ `# C  E0 U. s6 n. [) q
else
. h7 W5 V( Z4 B1 m2 I5 N. ^$SYSCTLnet.ipv4.conf.all.rp_filter="1"& ]/ ]6 @9 Z- a6 M8 J5 \! [1 q4 i
fi
! p- l6 T4 n4 G' z2 m6 R( I0 W6 R
#ThisoptionallowsasubnettobefirewalledwithasingleIPaddress.+ l  k* J) e6 _' d" J" f1 h
#It'susedtobuildaDMZ.Sincethat'snotafocusofthisfirewall
& w# F$ c2 h2 r#script,it'snotenabledbydefault,butisincludedforreference.
) ^1 V( Y; k& J; j# q#See:http://www.sjdjweis.com/linux/proxyarp/% H- p' n, P3 D: u( M' H% k
#if["$SYSCTL"=""]% V, e4 _7 p7 z# n& m2 T
#then
! L5 s/ @& A- x  |8 p# X0 K: T#echo"1"%26gt;/proc/sys/net/ipv4/conf/all/proxy_arp
% y) j( M: B7 N0 e# Q#else: r8 p+ N. ^+ F8 c6 d: O8 K
#$SYSCTLnet.ipv4.conf.all.proxy_arp="1"
" _" o7 N8 J, q2 s1 \#fi
& ~) V$ b( T2 D
6 ^4 F1 r. }4 U8 j- V) s
) @9 J5 x- O8 ^2 O1 v* Z5 s###############################################################################/ O+ h% P5 A6 U- A) Z8 r
#
, L  Y' a$ s8 B* J6 `% a#FlushAnyExistingRulesorChains
. x& u1 u/ F% Z0 J7 N; y+ S#
0 s$ [4 l, v3 C3 B, e3 m
/ q: t  E4 }) n# K) J+ X6 necho"FlushingTables..."4 Y7 S& {; f' O) U/ D+ ~! V1 ~
6 X7 t5 r% d+ e. W" Y* L6 b4 i; x
#ResetDefaultPolicies
% H$ x1 ^: v; a; }* z" V( |$IPT-PINPUTACCEPT- i7 T7 c' [, x; d' U* J. b
$IPT-PFORWARDACCEPT
' P7 b, }0 t' @6 O( u$IPT-POUTPUTACCEPT
" _+ H! a5 A: X) \& f9 N$IPT-tnat-PPREROUTINGACCEPT
+ n1 o5 }) d4 n* r/ [: v$IPT-tnat-PPOSTROUTINGACCEPT
1 c& ]# }" C9 k8 R( P( ~2 O$IPT-tnat-POUTPUTACCEPT
& p3 l$ |% Q& M+ g4 F( K- ?. b& N$IPT-tmangle-PPREROUTINGACCEPT
/ H& Q: ]# [4 X; H( o' t$IPT-tmangle-POUTPUTACCEPT' @3 T4 s. x8 ^* K9 A# k
) s, F  l) n% {+ J
#Flushallrules
4 G9 p  m& e& n2 t$IPT-F7 a4 o; r" @" u: U9 R* Y
$IPT-tnat-F
. D1 S; d% [. g9 X* ]$ V: E9 z$IPT-tmangle-F
, }4 ~/ ^  Y6 L2 \  }( H7 ]8 J. B7 L1 N4 n% ^
#Eraseallnon-defaultchains
$ c* [8 `7 _/ f( H$IPT-X/ @, D' _" Y2 c0 x  Z6 Q4 i3 T
$IPT-tnat-X4 f" y' i8 b# B
$IPT-tmangle-X4 n9 ?* W  \& C9 R
6 {$ F% c- o3 T7 ]/ I# `) K- w
###############################################################################1 f- b, X7 D! A5 ?3 e
#! S( D% d) G5 _$ f
#RulesConfiguration, f% R5 R) ^+ g/ C
#
1 d! J- u& r6 u! N! ~+ n$ _" p! @# h' L5 [: T$ f
###############################################################################3 b; g) V6 @& {" ^
#
' H, a" o- Z4 N: l7 w; K#FilterTable
1 D& H+ c5 I1 w1 ^3 j3 k#. j, {  y% W; r7 E, u& x
###############################################################################
9 G& S/ l# W$ E- T+ L
6 k) @* c. j( n#SetPolicies
8 ?+ n# f- D' e/ n9 ]# ?3 u6 P- M# j# b- }. n6 B# l% i0 K$ S
$IPT-PINPUTDROP
8 u, M! q$ S2 B1 v8 z$IPT-POUTPUTDROP4 ?/ |3 Y5 u0 `) @2 \
$IPT-PFORWARDDROP
+ ]$ g/ O7 b; J, \7 D; N& K
4 Y, Q1 N$ D7 W###############################################################################
4 f* q: O0 ~; {. e# D#, G0 b# ~! i% L- U0 H( ~
#User-SpecifiedChains
  p( p+ ?0 y  o/ b# E8 z/ t#
2 y; P+ A8 N1 K' h; I#Createuserchainstoreducethenumberofruleseachpacket
: m$ k% F1 B% C! d& ~#musttraverse., l8 N6 {: G  ]2 S% ^7 ]! ^9 E

! U7 {# S/ @( t# ~8 q- Decho"Createandpopulatecustomrulechains..."
8 _3 D9 {7 X) q! C$ ~9 _0 q- ?, I7 R; q2 U" C4 @. t) B8 ~  \  \# A
#CreateachaintofilterINVALIDpackets8 a2 h, Z* v0 E- w4 j- p6 X
* l+ T0 }/ P& q+ k% q) v
$IPT-Nbad_packets
6 ^5 s: G6 M/ l; ?3 D
; ~+ G$ U0 x5 w#Createanotherchaintofilterbadtcppackets
% `1 Y/ `& z& |! O& R6 m0 L* }: Z0 `$ f3 Q- t( Z
$IPT-Nbad_tcp_packets' \8 b6 `3 u7 m6 L  Z4 g
# v& @6 O! t3 l
#Createseparatechainsforicmp,tcp(incomingandoutgoing),
" S8 y1 [8 W0 l6 Q#andincomingudppackets.. l. j/ |. [' v
9 Q3 {0 |$ k6 M2 Y0 p" x% O0 b
$IPT-Nicmp_packets8 H! C0 k7 y2 C  B8 c% G' Q
) Q$ f& z8 K9 s( h
#UsedforUDPpacketsinboundfromtheInternet! u$ Y" y. P- a8 N5 H3 N
$IPT-Nudp_inbound
0 m# P' }, t5 X; v; w; a$ v# u  b$ m
- w" p5 X# Z+ f8 D# C: C6 O$ N#UsedtoblockoutboundUDPservicesfrominternalnetwork
. K/ E. A6 ?3 j& P. V#Defaulttoallowall
8 X# \. Y5 ^( j! b. G3 U- d$IPT-Nudp_outbound
5 K# ~- ^2 V& m0 w2 S! g) \4 L3 c% ?
2 |# b% b- l! y2 |. f9 b7 ~0 t#Usedtoallowinboundservicesifdesired
, z, T; V! z; N" c#Defaultfailexceptforestablishedsessions
. `$ S- g+ i* V  d$IPT-Ntcp_inbound; O( a2 k6 ^8 O

7 E% F6 p! D( A#Usedtoblockoutboundservicesfrominternalnetwork
: W# ]  y5 e( C2 z5 a#Defaulttoallowall
( Z' c+ `2 {9 P% ?0 g; v% h# f$IPT-Ntcp_outbound0 a. \9 L& J  I( x& {
4 N# X3 @/ k" ~9 |: x: Q
###############################################################################
2 @0 M$ e" [: s' g#
4 u( q2 q: S7 c! d5 A. [' q3 m#PopulateUserChains
- j7 l, v7 x6 ]; K* P5 j0 z2 K$ _#
3 ~6 b5 e; G; P: b
: j. K, B% m9 K. \. d% F. q0 B#bad_packetschain, E) r5 o- n" |# S/ Y5 R$ B  }" ?
#
* z9 q5 t2 r8 }7 T5 p* u2 R# _& Z#DropINVALIDpacketsimmediately& {% D1 c! r5 ~- A+ ^& E
3 @! \, Z) k. B( d
$IPT-Abad_packets-pALL-mstate--stateINVALID-jLOG\
' N" k+ D3 m3 x" h: W--log-prefix"Invalidpacket:"
* D" r& u4 s# B2 S0 [$IPT-Abad_packets-pALL-mstate--stateINVALID-jDROP
1 C! p1 a# Z% |1 u' k% R
, m1 }) M  K( t' U7 K  w#Thencheckthetcppacketsforadditionalproblems- R% f3 V# T- {# T2 T$ u+ x
$IPT-Abad_packets-ptcp-jbad_tcp_packets
; _: t6 F+ H1 K6 B$ u- B
  J7 n; c/ E) G1 y#Allgood,soreturn# a! c! y3 B5 k2 H: Y' Y; `
$IPT-Abad_packets-pALL-jRETURN
$ N  o4 f: F3 ^' X+ q0 h
' y9 O6 W- v. ?#bad_tcp_packetschain
! X: i/ P! f. z  a. H6 J#
. @/ z. s6 B" w#Alltcppacketswilltraversethischain./ \0 f! u( @) ~8 g9 t, N" `, e% }
#Everynewconnectionattemptshouldbeginwith
& ?* p/ R, T- O" |2 n6 L#asynpacket.Ifitdoesn't,itislikelya
' c7 Y0 c  c, s8 V#portscan.Thisdropspacketsinstate
+ W) [+ _- ]. E* N. p) s#NEWthatarenotflaggedassynpackets.
1 N9 ]; J% P( @9 L
/ t! ]9 D" k: {& W2 F8 T7 F3 x; H. E* v9 R
$IPT-Abad_tcp_packets-ptcp!--syn-mstate--stateNEW-jLOG\
+ W! M4 J3 c5 o8 Z* P3 |--log-prefix"Newnotsyn:". T2 D, B/ z& K" [6 k9 @
$IPT-Abad_tcp_packets-ptcp!--syn-mstate--stateNEW-jDROP
. P: I' Q- Z7 L& f- C
. ^" J- I% b9 Y( _) ^2 Y& }#Allgood,soreturn5 t2 N6 {! y: e) |" D; a; K
$IPT-Abad_tcp_packets-ptcp-jRETURN5 `) J/ U# _( g* K! G

6 C& ^" P9 X' r8 S#icmp_packetschain
& P  B/ e4 @4 x1 q5 e#
* A5 g; C4 D' ?% ]9 k#Thischainisforinbound(fromtheInternet)icmppacketsonly.
, j! v- j4 [+ A. h. B#Type8(EchoRequest)isnotacceptedbydefault+ \2 M% p* V5 p% K, G
#Enableitifyouwantremotehoststobeabletoreachyou.
: Q9 B+ Y% t: q7 ^& g#11(TimeExceeded)istheonlyoneaccepted
7 H* y2 D4 g# u& |#thatwouldnotalreadybecoveredbytheestablished
+ b8 o. D8 ]5 d, l3 C9 W#connectionrule.AppliedtoINPUTontheexternalinterface.
0 F% }( L6 ?9 A4 R% R: {# [#( R" t& g# ]. j1 C6 ?# ~
#See:http://www.ee.siue.edu/"rwalden/networking/icmp.html5 r  k7 \$ V3 h7 K3 g4 X4 y) ]
#formoreinfoonICMPtypes.& s" a" s3 t. E
#4 o/ [# k& ?9 ]# G$ J$ L, d- r7 Y
#NotethatthestatefulsettingsallowrepliestoICMPpackets.3 |/ z2 H: G1 h' K7 e) i4 `
#Theserulesallownewpacketsofthespecifiedtypes.- @+ p* o/ k3 \  w/ B
4 K3 }7 j  v' J, u% R
#Echo-uncommenttoallowyoursystemtobepinged.. S0 {2 n6 f  _/ {
#$IPT-Aicmp_packets-pICMP-s0/0--icmp-type8-jACCEPT' v9 y& K+ a3 }" m( U4 k$ [
. F$ B( f$ M+ U$ H: c* }) k, D* f
#TimeExceeded$ H9 Y8 e0 @, h4 N: T' \
#$IPT-Aicmp_packets-pICMP-s0/0--icmp-type11-jACCEPT. Q# @1 c# p. \0 Z! g* L  p
9 i, v' M5 r) i" [5 G0 `
#Notmatched,soreturnsoitwillbelogged
" F2 S5 J+ }1 x7 m8 W" {5 |* l#$IPT-Aicmp_packets-pICMP-jRETURN
" K+ @- U% n* x- |3 P* e& @* H9 e  H' S# R1 w5 i. z3 P
#TCP%26UDP9 z0 g2 Q& u& @& ?7 z
#Identifyportsat:# I1 [( I* ?+ [+ I9 X
#http://www.chebucto.ns.ca/"rakerman/port-table.html$ V* D) C/ G, K3 {' }
#http://www.iana.org/assignments/port-numbers
# X' D0 ?  U% {$ T. `
+ M0 a2 V' N8 Q5 U# K( i#udp_inboundchain
7 ?1 I. ]6 {6 N#
- t9 _/ I2 \7 e#ThischaindescribestheinboundUDPpacketsitwillaccept.) ?6 O3 S% y* y- F  `: @
#It'sappliedtoINPUTontheexternalorInternetinterface.  n! P) [- ~1 t, Y
#Notethatthestatefulsettingsallowreplies.
+ |* G$ Z' B3 |5 s) I; ~. K+ u#Theserulesarefornewrequests.1 S7 x4 s" y2 I- I
#Itdropsnetbiospackets(windows)immediatelywithoutlogging.
0 d% {% u  O1 w5 c$ g7 }2 C
$ O) @4 U8 \! Q4 _; Y5 O1 e#Dropnetbioscalls. H2 K8 H* Z4 C" {- U# K
#Pleasenotethattheserulesdonotreallychangethewaythefirewall
1 N, J9 w; R2 j3 V  H- g4 \1 k#treatsnetbiosconnections.Connectionsfromthelocalhostand  C( i$ |5 {# {
#internalinterface(ifoneexists)areacceptedbydefault.5 o, C4 q9 ~- o; R6 x' n: T
#ResponsesfromtheInternettorequestsinitiatedbyorthrough8 K3 I$ j. e- ^
#thefirewallarealsoacceptedbydefault.Togethere,the
0 V$ G1 t0 O9 Z8 Q; R$ z#packetswouldhavetobepartofanewrequestreceivedbythe, Z+ `* C# n& _! Z- r" i6 v
#Internetinterface.Youwouldhavetomanuallyaddrulesto
7 Z1 }" J# u' M6 J# P# W' ?#acceptthese.Iaddedtheserulesbecausesomenetworkconnections,1 D$ K  c$ Q  L& N$ e1 y
#suchasthoseviacablemodems,tendtobefilledwithnoisefrom
; H' _4 }) p, L/ o' o- \#unprotectedWindowsmachines.Theserulesdropthosepackets
7 w! x9 ]  T6 q9 E, v#quicklyandwithoutloggingthem.Thispreventsthemfromtraversing
, ~2 k/ w' Y1 p4 n#thewholechainandkeepsthelogfromgettingclutteredwith: \) V: P" I! F% k$ m
#chatterfromWindowssystems.8 t  B& H# N. R9 ]
#$IPT-Audp_inbound-pUDP-s192.168.2.0/24--destination-port137-jACCEPT
, c. M" h* J$ ^; }#$IPT-Audp_inbound-pUDP-s192.168.2.0/24--destination-port138-jACCEPT
; S+ a8 ?" j9 L/ I3 O$ n
( k5 d+ Q( O2 D
8 `5 E: `  s* V4 d#Notmatched,soreturnforlogging% r, Y4 i  n1 `
#$IPT-Audp_inbound-pUDP-jRETURN# @7 X; M* ?. I1 {& z
( r" f% b- L/ @3 e7 T. |. C( t9 a: a
#udp_outboundchain+ j% @! w) G9 Z5 V
#& Q4 L7 e3 S* t2 J' T- I8 X
#Thischainisusedwithaprivatenetworktopreventforwardingfor
6 _, p3 d- ?8 c( C+ P+ i8 B#UDPrequestsonspecificprotocols.AppliedtotheFORWARDrulefrom
8 Y) W# s: ^( c0 g#theinternalnetwork.EndswithanACCEPT
; M' q1 ?& a* F' t% ?4 \& U0 t3 I, o% g3 `$ |

/ w, L- T! k& \#Nomatch,soACCEPT) T1 Y: d. o& m% q
#$IPT-Audp_outbound-pUDP-d0/0-jACCEPT
' O/ i+ X- z& l5 w7 E& f" M" e3 `  ?! g
#tcp_inboundchain
6 ^; ^1 \7 f# }$ k#  M5 F5 ]8 k; M! L  o- t. {
#Thischainisusedtoallowinboundconnectionstothe3 u8 P) y! W' I! y$ D- F
#system/gateway.Usewithcare.Itdefaultstonone.* O, p" m, {1 C, p( E
#It'sappliedonINPUTfromtheexternalorInternetinterface.) r) k; J0 b* k

9 `- X# }3 J/ S( i. _% P) E' C#WebServer. h' r& d) R* U! C! Y' R; c% ]7 B

# _4 ]0 q) G% Y* v8 c#HTTP
5 }8 T9 G, m% |' Z# o+ d$IPT-Atcp_inbound-pTCP-s0/0--destination-port80-jACCEPT( w) z; }3 M# h; n9 d6 f4 O

* Q+ Y3 B( t9 e. S" g- o5 @! z#HTTPS(SecureWebServer)- {3 O2 _( z3 ?3 V5 d/ o" ]
#$IPT-Atcp_inbound-pTCP-s0/0--destination-port443-jACCEPT
# k: a9 p6 i5 J! }1 ~. r6 R' e
& l/ A# q, ?8 C5 p  b#FTPServer(Control)2 o( e# }1 S& Z& _
$IPT-Atcp_inbound-pTCP-s0/0--destination-port21-jACCEPT$ A6 g& L& n; J# h8 g8 @- |# U

. _( h3 d- f2 R#FTPClient(DataPortfornon-PASVtransfers)+ n5 o" O( J8 f' _2 }
$IPT-Atcp_inbound-pTCP-s0/0--source-port20-jACCEPT) j2 R5 }6 L9 G9 a/ G9 J

! U( \0 R$ O2 c( D#PassiveFTP: D$ l& r5 V5 [: M
#- X* V( {& d* [+ S2 l4 v, {
#WithpassiveFTP,theserverprovidesaporttotheclient+ [0 C' z9 |' I& R, I6 M# J( F
#andallowstheclienttoinitiatetheconnectionrather3 `6 R1 y+ [" W; U. K; R
#thaninitiatingtheconnectionwiththeclientfromthedataport.
) ?& t* E3 @% _/ {; w( d! W; \#Webbrowsersandclientsoperatingbehindafirewallgenerally
; @: t# Z( A" n7 r  ^- ?#usepassiveftptransfers.AgeneralpurposeFTPserver: c# Q; V; G0 D" k5 P) u$ D  e' X2 t
#willneedtosupportthem.
9 g* V2 d7 k# @1 P* b6 m) [- W#
- b- Q! f" X; I+ s: {#However,bydefaultanFTPserverwillselectaportfromtheentire7 d: M. I& {3 Q& B( U! z' o" {+ r
#rangeofhighports.Itisnotparticularlysafetoopenall
: G! e; \$ D$ ~) }4 p#highports.Fortunately,thatrangecanberestricted.This
$ H0 R; e1 ^" o4 o#firewallpresumesthattherangehasbeenrestrictedtoaspecific
, q) o0 N+ N) ?9 N6 Y, T#selectedrange.Thatrangemustalsobeconfiguredintheftpserver.
+ W( o' s& Q: x. @( [2 J6 i% v#
0 A5 F+ X6 M* b% G! r#Instructionsforspecifyingtheportrangeforthewu-ftpdserver# e2 p2 s5 e* l4 Q
#canbefoundhere:
2 \3 _3 H4 K# p#http://www.wu-ftpd.org/man/ftpaccess.html3 g" I3 E% w* @8 c+ V. [; K
#(Seethepassiveportsoption.)
! Q6 U4 L3 ]* p' F#
, \2 t5 s8 N+ M. b  f5 ~' u#InstructionsfortheProFTPDservercanbefoundhere:
1 {0 B' d& H0 t5 z8 A4 s3 k' P4 _#http://proftpd.linux.co.uk/localsite/Userguide/linked/x861.html
/ w0 y- O* W, I9 V- J" \" _! i
6 u$ m1 ^9 Y# w8 N" t/ y$ o$IPT-Atcp_inbound-pTCP-s0/0--destination-port58000:64000-jACCEPT& u  U, |6 L7 W( \" o$ b+ B7 q9 i

; m2 r, i$ n" O: \2 A9 |! c* Q#sshd2 T1 P$ h( m9 ]7 l1 A4 |: E7 p
$IPT-Atcp_inbound-pTCP-s0/0--destination-port22-jACCEPT
! @( B  q3 X$ _( r0 }6 a0 N6 E8 v/ B1 o: p
& D" q, M7 i0 Y. }

4 ?6 w* A* C, {+ Z7 j9 h/ c. `
- S! c( u1 p1 @5 C# t9 H#mysql
( D0 n  l, V4 h( S/ a" j3 z#$IPT-Atcp_inbound-pTCP-s0/0--destination-port3306-jACCEPT+ ~+ L6 P: p3 M

- R) X% _$ H: P2 u4 J* `8 p6 }
$ k5 n& o- o2 M4 j. T" o3 h3 q; l#netbios
% G  w/ I6 r! r9 P" p" d5 x#$IPT-Atcp_inbound-pTCP-s192.168.2.0/24--destination-port139-jACCEPT
9 Y2 E+ F# R+ i: @  X2 i2 w+ X
/ |) M4 i1 r; F2 ^( C1 P+ m1 E$ h$ F; h, a5 i
#Notmatched,soreturnsoitwillbelogged$ Q# t/ b1 U& u& p& M
$IPT-Atcp_inbound-pTCP-jRETURN
& O( p3 \7 a4 Q) M# `/ L9 b- ~$ n1 g5 e* ]& G
#tcp_outboundchain
/ t1 O2 n1 d" Y5 W  _1 I#6 h, Q6 I: N. Y- M
#Thischainisusedwithaprivatenetworktopreventforwardingfor
% X5 b0 b" e# y#requestsonspecificprotocols.AppliedtotheFORWARDrulefrom/ j8 v7 j8 N& x) R  V* W; e
#theinternalnetwork.EndswithanACCEPT5 S" [- N' T6 e; O( A

: {: V# k6 t2 e
- ?- r/ y/ L/ k) y) f#Nomatch,soACCEPT2 Z& o3 k4 a1 C
#$IPT-Atcp_outbound-pTCP-s0/0-jACCEPT  U4 N1 O- O# ^$ m$ A

/ T# W" F4 i+ R) q###############################################################################
( N! M2 m# |. j! C+ L#
2 K" D, W! G" N7 [4 l. S6 @. k) E#INPUTChain( [$ E0 M- t) k
#4 O, b0 A; q! n8 ]$ U
$ X3 C; |$ C7 Y; t1 T' ^$ {- }" z, R, P
echo"ProcessINPUTchain..."7 G9 Y5 o1 x4 V; L6 M. T
( V8 z4 C, ?- c: y& A: h
#Allowallonlocalhostinterface, P" B' X% A7 {4 @
$IPT-AINPUT-pALL-ilo-s127.0.0.1-jACCEPT4 U. B7 I3 W7 X! H) H& r8 D( I
$IPT-AINPUT-pALL-s192.168.0.0/16-jDROP, k0 a# D) I) n# f: n4 Z
$IPT-AINPUT-pALL-s10.0.0.0/8-jDROP0 j' _8 s& [& j: f# }
$IPT-AINPUT-pALL-s172.16.0.0/12-jDROP
4 o2 q- H, C' Y$ h1 c4 B$IPT-AINPUT-pALL-s127.0.0.0/8-jDROP
0 T/ x: @1 [9 M2 Z* G+ o
6 u0 g& q6 s0 @9 P1 g#Dropbadpackets- }# H- k1 X/ F7 k' f
$IPT-AINPUT-pALL-jbad_packets
& g7 a" n/ Z* O1 t2 Y* O
0 H8 A) l- {* k5 \/ L$ U#DOCSIScompliantcablemodems9 ^0 m9 _0 H% j" L' F  M
#SomeDOCSIScompliantcablemodemssendIGMPmulticaststofind
9 i8 K6 W+ O5 \- P/ c#connectedPCs.Themulticastpacketshavethedestinationaddress$ N/ t  k5 K4 Q$ T" u
#224.0.0.1.Youcanacceptthem.Ifyouchoosetodoso,
) x4 M6 ^: G8 F+ _; w8 l) Z: ^8 T#UncommenttheruletoACCEPTthemandcommenttheruletoDROP
1 P% M1 n  g, T' Q# V5 }/ P8 G  ^#themThefirewallwilldropthemherebydefaulttoavoid, M8 d' I: h4 f
#clutteringthelog.Thefirewallwilldropallmulticasts. s( T' y7 I5 H2 Z- M4 n
#totheentiresubnet(224.0.0.1)bydefault.Toonlyaffect" R1 Z$ G( j! p# e' h
#IGMPmulticasts,change'-pALL'to'-p2'.Ofcourse,
0 }6 p5 n" r% l3 z#iftheyaren'tacceptedelsewhere,itwillonlyensurethat
% ?8 S  u! M4 ]/ S8 p#multicastsonotherprotocolsarelogged.3 {/ N. Q8 B9 q% j' W
#Dropthemwithoutlogging.5 e% C9 P) y+ _4 }. `# d
7 o$ A' t1 I! r% y) a4 J
#Theruletoacceptthepackets.
+ L  w( Q2 u; i4 e#$IPT-AINPUT-pALL-d224.0.0.1-jACCEPT
( k: {/ J! f. M9 g" T. _/ E$ |9 O( ~" W0 D

$ l1 Q9 E" x; d7 b9 u" |#InboundInternetPacketRules
8 p6 a; p  T; z- q
% M; D# Y+ k: r3 y4 C& N#AcceptEstablishedConnections
$ g+ f5 W& H% N: ~6 I# {1 h" J. D$IPT-AINPUT-pALL-i$INET_IFACE-mstate--stateESTABLISHED,RELATED\
* f4 }( U9 s) A+ a' \- s% a-jACCEPT" Y+ ~5 z. I4 p( F. t

) N; w! u  {: A5 u#Routetheresttotheappropriateuserchain
' p9 P  Q1 E2 X$IPT-AINPUT-pTCP-i$INET_IFACE-jtcp_inbound3 P0 W9 y% Y* D* O  M3 g( U+ E
$IPT-AINPUT-pUDP-i$INET_IFACE-judp_inbound
# K' ?- F  D* ~1 K! [" i#$IPT-AINPUT-pICMP-i$INET_IFACE-jicmp_packets
: R3 {1 Y  M7 k5 u4 U
* O$ [3 a; l* A2 O1 F, M#Dropwithoutloggingbroadcaststhatgetthisfar.
/ }/ N" h9 ^; J#Cutsdownonlogclutter.
. Y5 @3 J- c/ i- C: T% g# ?# Q#Commentthislineiftestingnewrulesthatimpact
4 X% s; S2 Q. ]#broadcastprotocols.9 r* Z  s1 _, C( l
#$IPT-AINPUT-pALL-d255.255.255.255-jDROP
  j" t5 @! N- G" C
9 m: G/ U: ^' R# Q* w7 m#Logpacketsthatstilldon'tmatch! _" ^; ^( o" w: P- @& ^) ]
$IPT-AINPUT-mlimit--limit1/second--limit-burst1-jLOG\+ U. N  C9 a7 K3 x3 I+ U  S! B
--log-prefix"INPUTpacketdied:"# c2 _% q4 v; w7 {
$IPT-AINPUT-mlimit--limit1/second--limit-burst1-jDROP( U3 b( |5 P0 j
###############################################################################
- Z0 c* h6 ^  o6 B#
' P* q. y  A( W, ]#FORWARDChain5 p( v& s7 R7 _
#  t5 h2 c, d9 w. P6 }
) D6 w4 `6 ~8 {4 B
echo"ProcessFORWARDchain..."
5 Y, n1 R* J2 u* w! q1 Q6 O0 |* Y" ^, W0 k1 c& B6 q) A) n' f
#Usedifforwardingforaprivatenetwork
+ ?8 a, _0 s2 C  R" O  a) J9 E) {+ ]! n/ p0 U3 N$ I( ]
$ s* [9 x4 g8 p- {9 }& |2 B% t
###############################################################################
$ L; r: c  D% O: V1 B#/ f* P+ f$ e3 d
#OUTPUTChain0 h  Y# P6 H3 d) @
#9 c# u; |+ ?: ~: `& {
- l  }: Q: g/ r# ^- l! C8 ?, ]
echo"ProcessOUTPUTchain..."
. K3 M/ ^0 v% T2 k! Z# e
" L# n# b' Z0 J#Generallytrustthefirewallonoutput& E5 x7 O4 q- u! @( n2 R% N2 ?

4 P2 |* w7 t& O$ @#However,invalidicmppacketsneedtobedropped
) m/ B$ a6 y4 D2 S9 ]/ j5 E#topreventapossibleexploit.- U# p! d% E5 T! M
$IPT-AOUTPUT-mstate-picmp--stateINVALID-jDROP
  ], T; l$ v* b. r
" h4 i; w% z6 i  a$ B#Localhost' [3 A8 [3 J. q+ \3 v! h. i' g
#$IPT-AOUTPUT-pALL-o$LO_IFACE-s127.0.0.1-jACCEPT8 c; z4 d; L; I# }5 ?

% Z; @- h8 z5 V" H#Tointernet
& w5 u* J! Y4 y$ r7 [% k#$IPT-AOUTPUT-pALL-o$INET_IFACE-jACCEPT
" x' e, m* T. R) v! B. X& T: a4 v6 |$IPT-AOUTPUT-pALL-jACCEPT0 S' q3 E0 H! \: h; v. D
#Logpacketsthatstilldon'tmatch
  G/ H* j  H: C' o$ y$ |; M#$IPT-AOUTPUT-mlimit--limit3/minute--limit-burst3-jLOG\2 h8 L7 V2 b8 l
#--log-prefix"OUTPUTpacketdied:"