A typical iptables firewall configuration

Source: Internet
Author: User
A typical iptables firewall must be considered when configuring data center security. Some servers have to expose public IP addresses and are therefore exposed to attack. Configure the hardware or software firewall so that only the ports that need to be reachable are open, and reject requests from all other, unauthorized IP addresses, including port scans; even ping can be refused. This greatly improves server security.

The script below configures iptables on a Hong Kong server so that remote (ssh) access is allowed only from Beijing and Hong Kong address ranges, while the web port is open to any IP address. Stricter restrictions can be imposed to allow access from only a few IP addresses, which avoids most indiscriminate attacks.

This script rejects all connections by default, so be careful: if iptables -F is used to clear all rules, the default DROP policy stays in place and remote access to the server may be lost. Change the default policy to ACCEPT first. The alternative is to keep the default policy at ACCEPT and append a rule at the very end of the chain that drops any packet; after the rules are cleared the server then remains reachable.

Tested on CentOS 5.2.

```bash
#!/bin/bash
# 2010.10.14 modified by zhouhh
### 1. allow the intranet 192.168.0.0 through the internal network card for all protocols
### 2. allow Beijing Telecom, China Netcom, China Telecom and Hong Kong to reach the ssh port over the Internet
### 3. allow any address to reach the web port of the local machine through any interface
### 4. open all UDP ports

if [ "$UID" != 0 ]; then
    echo "must be root to run this script!"
    exit 1
fi

### define the subnet variables
BJ_DXT=218.249.75.128/26
BJ_DX=x.x.x.x/28          # placeholder: this address was garbled in the source page, fill in the real /28
BJ_CNC=123.127.24.128/25
HK_26=210.211.26.0/24
NET_LAN=192.168.1.0/24
## IP_LAN=192.168.1.
IP_WAN=210.211.26.

### define the service ports
ssh_port=60000
web_port=80
sip_port=5060

### define the network interfaces
ETH_LAN=eth0
ETH_WAN=eth1

### define the program path
ipt=/sbin/iptables

### specific rules
echo "[+] Flushing all rules..."
iptables --flush
service iptables stop

echo "[+] Set default policy..."
# by default, every access request is rejected
$ipt -P INPUT DROP
$ipt -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -N TCP_ERR
$ipt -I INPUT 2 -j TCP_ERR

echo "[+] Creating rules for web port..."
$ipt -A INPUT -p tcp --dport $web_port -m state --state NEW -j ACCEPT

echo "[+] Accept all UDP ports..."
$ipt -A INPUT -p udp -j ACCEPT

### allow Beijing and Hong Kong to ping the local machine and drop ping from anywhere else
# ping is not restricted, zhouhh comment
#echo "[+] Creating icmp rules..."
#$ipt -A INPUT -i $ETH_WAN -s $BJ_DXT -p icmp --icmp-type 8 -j ACCEPT
#$ipt -A INPUT -i $ETH_WAN -s $BJ_DX -p icmp --icmp-type 8 -j ACCEPT
#$ipt -A INPUT -i $ETH_WAN -s $BJ_CNC -p icmp --icmp-type 8 -j ACCEPT
#$ipt -A INPUT -i $ETH_WAN -s $HK_26 -p icmp --icmp-type 8 -j ACCEPT
#$ipt -A INPUT -i $ETH_WAN -p icmp -j DROP
$ipt -A INPUT -p icmp -j ACCEPT

### allow every intranet address to talk to this machine
echo "[+] Permit lan all..."
$ipt -A INPUT -i $ETH_LAN -s $NET_LAN -j ACCEPT   # -i takes an interface; the source had $NET_LAN here by mistake
$ipt -A INPUT -i lo -j ACCEPT

### other rules start
### other rules end

### reject malformed TCP packets
echo "[+] Creating TCP rules for new chain TCP_ERR..."
$ipt -I TCP_ERR 1 -p tcp --tcp-flags ALL ALL -j DROP
$ipt -I TCP_ERR 2 -p tcp --tcp-flags ALL NONE -j DROP
$ipt -I TCP_ERR 3 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -I TCP_ERR 4 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# note: rule 3 already drops FIN,URG,PSH packets, so rules 5 and 6 are never reached;
# move the LOG rule ahead of rule 3 if you want those packets logged
$ipt -I TCP_ERR 5 -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG -m limit --limit 1/s --log-prefix "bad package"
$ipt -I TCP_ERR 6 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -I TCP_ERR 7 -p tcp ! --syn -m state --state NEW -j DROP

### allow Beijing and Hong Kong to reach the ssh port
echo "[+] Creating ssh rules..."
$ipt -A INPUT -i $ETH_WAN -s $BJ_DXT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -i $ETH_WAN -s $BJ_DX -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -i $ETH_WAN -s $BJ_CNC -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
$ipt -A INPUT -i $ETH_WAN -s $HK_26 -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT   # the source wrote $HK_25, which is never defined

### save the configuration so that the rules are restored at boot
service iptables save
```
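Two things in the text above are worth checking before a ruleset like this is applied to a remote machine: that the ssh and web exposure really is what the script intends, and what happens on a flush under each default policy. The following is an added example, not code from the page or from its author: a small offline evaluator for the subset of iptables syntax the script uses (-P, -N, -A/-I, -i, -s, -p, --dport, -m state --state, --tcp-flags, --syn, ACCEPT/DROP/LOG and jumps into a user chain; -m, --limit and --log-prefix are skipped). The rule lines are transcribed from the script with the HK typo corrected; the packet sources such as 8.8.8.8 are constructed test values. It also shows that the early DROP in the TCP_ERR chain shadows the LOG rule, and that the "trailing DROP with policy ACCEPT" alternative survives a flush while "policy DROP" locks everything out.

```python
import ipaddress
import shlex

TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
OPTS = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport", "--state": "state"}
CONV = {"src": lambda v: ipaddress.ip_network(v, strict=False), "dport": int,
        "state": lambda v: set(v.split(","))}

def flag_bits(spec):
    """ALL, NONE or a comma list such as FIN,URG,PSH -> bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    return 0 if spec == "NONE" else sum(TCP_FLAGS[f] for f in spec.split(","))

def parse_rule(line):
    """One -A/-I command -> (chain, position or None, matches, negated keys, target)."""
    argv, i = shlex.split(line), 0
    chain = pos = target = None
    matches, negated, negate = {}, set(), False
    while i < len(argv):
        tok, key = argv[i], None
        if tok == "!":
            negate, i = True, i + 1
        elif tok in ("-A", "-I"):                  # -I without a number means position 1
            chain, pos, i = argv[i + 1], (1 if tok == "-I" else None), i + 2
            if pos and i < len(argv) and argv[i].isdigit():
                pos, i = int(argv[i]), i + 1
        elif tok == "-j":
            target, i = argv[i + 1], i + 2
        elif tok == "--syn":                       # shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
            key, i = "tcp_flags", i + 1
            matches[key] = (flag_bits("SYN,RST,ACK,FIN"), flag_bits("SYN"))
        elif tok == "--tcp-flags":                 # first the mask, then the flags that must be set
            key, i = "tcp_flags", i + 3
            matches[key] = (flag_bits(argv[i - 2]), flag_bits(argv[i - 1]))
        elif tok in OPTS:
            key, i = OPTS[tok], i + 2
            matches[key] = CONV.get(key, str)(argv[i - 1])
        else:                                      # -m state, --limit 1/s, --log-prefix "..."
            i += 2
        if key and negate:
            negated.add(key)
            negate = False
    return chain, pos, matches, negated, target

def load(lines):
    """Apply -P / -N / -A / -I commands in order; returns ({chain: rules}, {chain: policy})."""
    chains, policy = {"INPUT": []}, {"INPUT": "ACCEPT"}
    for line in lines:
        words = line.split()
        if words[0] == "-P":
            policy[words[1]] = words[2]
        elif words[0] == "-N":
            chains[words[1]] = []
        else:
            chain, pos, m, neg, target = parse_rule(line)
            rules = chains[chain]
            rules.insert(len(rules) if pos is None else pos - 1, (m, neg, target))
    return chains, policy

def flush(chains):
    """iptables -F: empties every chain but leaves the policies untouched."""
    return {name: [] for name in chains}

def rule_matches(m, neg, pkt):
    """Every match must hold; '!' inverts that one match, as in iptables."""
    for key, want in m.items():
        if key == "src":
            ok = ipaddress.ip_address(pkt["src"]) in want
        elif key == "tcp_flags":
            ok = pkt["proto"] == "tcp" and (pkt["flags"] & want[0]) == want[1]
        else:
            ok = pkt[key] in want if key == "state" else pkt.get(key) == want
        if ok == (key in neg):                     # failed plain match, or negated match that hit
            return False
    return True

def verdict(chains, policy, pkt, chain="INPUT", log=None):
    """Walk a chain in order; LOG is non-terminating, a user chain falls back to its caller."""
    for m, neg, target in chains[chain]:
        if not rule_matches(m, neg, pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "LOG" and log is not None:
            log.append(pkt)
        elif target in chains:
            sub = verdict(chains, policy, pkt, target, log)
            if sub is not None:
                return sub
    return policy.get(chain)                       # None for a user chain = return to caller

def pkt(src, iface, proto, dport=None, flags="SYN", state="NEW"):
    # constructed packet summary; flags only matter for tcp
    return {"src": src, "iface": iface, "proto": proto, "dport": dport,
            "flags": flag_bits(flags), "state": state}

# Transcribed from the page's script (undefined $HK_25 read as the defined HK_26 subnet).
SCRIPT_RULES = [
    "-P INPUT DROP",
    "-I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-N TCP_ERR",
    "-I INPUT 2 -j TCP_ERR",
    "-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT",
    "-A INPUT -p udp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-I TCP_ERR 1 -p tcp --tcp-flags ALL ALL -j DROP",
    "-I TCP_ERR 2 -p tcp --tcp-flags ALL NONE -j DROP",
    "-I TCP_ERR 3 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP",
    "-I TCP_ERR 4 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP",
    '-I TCP_ERR 5 -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG -m limit --limit 1/s --log-prefix "bad package"',
    "-I TCP_ERR 6 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP",
    "-I TCP_ERR 7 -p tcp ! --syn -m state --state NEW -j DROP",
    "-A INPUT -i eth1 -s 218.249.75.128/26 -p tcp --dport 60000 -m state --state NEW -j ACCEPT",
    "-A INPUT -i eth1 -s 210.211.26.0/24 -p tcp --dport 60000 -m state --state NEW -j ACCEPT",
]
# Same rules minus the early DROP that shadows the LOG rule in TCP_ERR.
FIXED_RULES = [r for r in SCRIPT_RULES if not r.startswith("-I TCP_ERR 3 ")]
# The page's alternative: policy ACCEPT with a catch-all DROP appended last.
SAFE_RULES = ["-P INPUT ACCEPT"] + [r for r in SCRIPT_RULES if not r.startswith("-P ")] + ["-A INPUT -j DROP"]

if __name__ == "__main__":
    for name, rules in (("page order", SCRIPT_RULES), ("LOG before DROP", FIXED_RULES)):
        chains, policy = load(rules)
        log = []
        xmas = pkt("8.8.8.8", "eth1", "tcp", 60000, flags="FIN,URG,PSH")
        print(name, verdict(chains, policy, xmas, log=log), "logged:", len(log))
```

Run it against the live ruleset by feeding `iptables-save` output (after stripping the table and COMMIT lines) into `load` instead of the embedded list; the evaluator deliberately knows nothing about the rate limit, so a packet it reports as logged may still be suppressed by `-m limit` on the real host.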