Linux下IPv6的iptables防火墙脚本
时间:2014-12-05 02:38 来源:linux.it.net.cn 作者:IT
分享一个可用于IPv6的iptables防火墙脚本,适用于 CentOS/Debian/RHEL/及其它 Linux 平台。
代码:
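#!/bin/bash
# IPv6 iptables firewall script
# --------
# Flushes every existing ip6tables rule, installs a default-DROP policy on
# INPUT/OUTPUT/FORWARD and then permits, in this order: everything on the
# loopback and VPN interfaces, RELATED/ESTABLISHED return traffic, HTTP to
# the listed server addresses, DNS (TCP and UDP 53) and ICMPv6 on the public
# interface.  Anything else arriving on the public interface is logged
# (rate limited) and dropped.  All outbound traffic is allowed.
#
# Must run as root.  Adjust the variables in the "Configuration" block
# before use.

# Abort on the first failing ip6tables call and on any unset variable.
# The DROP policies are installed before anything else, so an aborted run
# leaves the host closed rather than open.
set -eu

# ---- Configuration ----
IPT6="/sbin/ip6tables"
# Interfaces
PUB_IF="eth1"     # public / untrusted interface
PUB_LO="lo"       # Linux loopback is "lo"; "lo0" is the BSD name and never matches on Linux
PUB_VPN="eth0"    # trusted interface: all traffic in and out is accepted
# Custom chain names (space separated; word-split on purpose below)
CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"
# IPv6 addresses that may receive inbound HTTP (space separated)
HTTP_SERVER_6="2001:470:1f04:55a::2 2001:470:1f04:55a::3 2001:470:1f04:55a::4 2001:470:1f04:55a::5"

if [[ ! -x "$IPT6" ]]; then
  printf 'ip6tables binary not found or not executable: %s\n' "$IPT6" >&2
  exit 1
fi

#######################################
# Log (rate limited) and then drop TCP packets whose flag combination is
# never legitimate.  Appends two rules to chk_tcp6_packets_chain.
# Globals:   IPT6 (read)
# Arguments: $1 - flag mask to examine
#            $2 - flags that must be set within that mask (or NONE)
#            $3 - log prefix
#######################################
drop_tcp_flags() {
  local mask=$1 comp=$2 prefix=$3
  "$IPT6" -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags "$mask" "$comp" \
    -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "$prefix"
  "$IPT6" -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags "$mask" "$comp" -j DROP
}

printf '%s\n' "Starting IPv6 firewall..."

# Close the door first: with DROP policies in place, flushing the old
# ruleset cannot open a window in which everything is accepted.
"$IPT6" -P INPUT DROP
"$IPT6" -P OUTPUT DROP
"$IPT6" -P FORWARD DROP

# first clean old mess (rules, user chains and counters in every table)
"$IPT6" -F
"$IPT6" -X
"$IPT6" -Z
if [[ -r /proc/net/ip6_tables_names ]]; then
  # One loaded table per line; the trailing-newline guard keeps the last
  # entry if the file does not end with one.
  while IFS= read -r table || [[ -n "$table" ]]; do
    [[ -n "$table" ]] || continue
    "$IPT6" -t "$table" -F
    "$IPT6" -t "$table" -X
    "$IPT6" -t "$table" -Z
  done < /proc/net/ip6_tables_names
fi

# Create the custom chains
# shellcheck disable=SC2086 -- CHAINS is a deliberate space-separated list
for c in $CHAINS; do
  "$IPT6" --new-chain "$c"
done

# ---- Inbound policy ----
"$IPT6" -A INPUT -i "$PUB_LO" -j ACCEPT
"$IPT6" -A INPUT -i "$PUB_VPN" -j ACCEPT
# Malformed TCP flag combinations are rejected before anything else
"$IPT6" -A INPUT -i "$PUB_IF" -j chk_tcp6_packets_chain
"$IPT6" -A INPUT -i "$PUB_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT6" -A INPUT -i "$PUB_IF" -p tcp -j chk_tcp_inbound
"$IPT6" -A INPUT -i "$PUB_IF" -p udp -j chk_udp_inbound
# ICMPv4 (protocol 1) is not carried inside IPv6, so the former "-p icmp"
# rule could never match and has been removed; ICMPv6 is protocol 58.
"$IPT6" -A INPUT -i "$PUB_IF" -p ipv6-icmp -j chk_icmp_packets
# Everything not accepted above is logged (rate limited) and dropped.
# The prefix names what the entry is: a dropped INPUT packet.
"$IPT6" -A INPUT -i "$PUB_IF" -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP INPUT "
"$IPT6" -A INPUT -i "$PUB_IF" -j DROP

# ---- Outbound policy ----
"$IPT6" -A OUTPUT -o "$PUB_LO" -j ACCEPT
"$IPT6" -A OUTPUT -o "$PUB_VPN" -j ACCEPT
# All outbound traffic on the public interface is allowed, so the OUTPUT
# DROP policy only affects packets leaving via some other interface.  (The
# original LOG rule that followed this ACCEPT could never be reached.)
"$IPT6" -A OUTPUT -o "$PUB_IF" -j ACCEPT

### Custom chains ###
# Malformed-packet detection: each pair logs then drops.
drop_tcp_flags FIN,SYN,RST,PSH,ACK,URG NONE "Bad tcp packets"                   # no flags at all
drop_tcp_flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG "Bad tcp packets" # every flag set
drop_tcp_flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG "BAD tcp"
drop_tcp_flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG "Bad tcp"
drop_tcp_flags SYN,RST SYN,RST "Bad tcp "
drop_tcp_flags FIN,SYN FIN,SYN "Bad tcp "
# Well-formed TCP goes back to INPUT for the port checks
"$IPT6" -A chk_tcp6_packets_chain -p tcp -j RETURN

# Open TCP ports
# httpd, only towards the listed server addresses
# shellcheck disable=SC2086 -- HTTP_SERVER_6 is a deliberate space-separated list
for h in $HTTP_SERVER_6; do
  "$IPT6" -A chk_tcp_inbound -p tcp -m tcp --dport 80 -d "$h" -j ACCEPT
done
# DNS over TCP
"$IPT6" -A chk_tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
###############################
# Add your rules below to open other TCP ports
# smtp
# "$IPT6" -A chk_tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
# pop3 -- NOTE(review): POP3 listens on 110; port 113 is ident/auth
# "$IPT6" -A chk_tcp_inbound -p tcp -m tcp --dport 113 -j ACCEPT
# ssh
# "$IPT6" -A chk_tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
###############################
# Do not change the rule below: unmatched TCP returns to INPUT and is dropped there
"$IPT6" -A chk_tcp_inbound -p tcp -j RETURN

# Open UDP ports
# DNS over UDP
"$IPT6" -A chk_udp_inbound -p udp -m udp --dport 53 -j ACCEPT
###############################
# Add your rules below to open other UDP ports
#
###############################
# Do not change the rule below: unmatched UDP returns to INPUT and is dropped there
"$IPT6" -A chk_udp_inbound -p udp -j RETURN

# ICMPv6 - accepted wholesale (this is what allows ping).  Neighbour
# Discovery and Path-MTU discovery also ride on ICMPv6, so dropping it
# outright breaks IPv6; restricting to specific --icmpv6-type values is a
# policy decision left to the administrator.
"$IPT6" -A chk_icmp_packets -p ipv6-icmp -j ACCEPT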