Fedora core 2 server platform security settings unveiling 2 (1)

Source: Internet
Author: User

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Network interface (NIC) connected to the Internet
EXTIF="eth0"
# IP address of the Internet-facing NIC
EXTIFIPADDR="219.150.46.98"

# Network interface (NIC) connected to the LAN (intranet)
INIF="eth1"
# Intranet CIDR block
INNET="192.168.1.0/24"

# Enable IP forwarding in the kernel so that this Linux host acts as a router
echo "1" > /proc/sys/net/ipv4/ip_forward

# Enable SYN cookies to mitigate SYN flood attacks
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Rebuild the list of modules supported by the kernel
/sbin/depmod -a
# Load the netfilter modules used below (NAT and connection tracking, with the FTP/IRC helpers)
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Clear all rules and counters, restoring the state without a firewall
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
# Default policies: drop everything to and from the host itself, forward LAN traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Host security
# Allow communication on the local loopback device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Let response packets of connections established by, or related to, our host pass through
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow remote management of the host over SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Rate-limit IP fragments to mitigate IP fragmentation attacks
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# ICMP: allow this host to ping other hosts to test the network, but do not let other hosts ping this host
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Next, configure NAT
# For the intranet to reach the Internet, SNAT the LAN source addresses to the external address
iptables -t nat -A POSTROUTING -p all -s $INNET -o $EXTIF -j SNAT --to $EXTIFIPADDR
# If a web server (IP address 192.168.1.10) on the internal network must be reachable from the Internet, configure DNAT for port 80
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to 192.168.1.10:80
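The script above applies its rules one `iptables` call at a time, so there is a short window after `iptables -P INPUT DROP` in which the SSH session used to run it has no ACCEPT rule yet, and a typo half-way through leaves the host with a partial rule set. As an added example (not code from the page's author), the shell script below renders the same policy as an `iptables-restore` file, validates the address variables first, and lets the operator review the result before loading it atomically. The interface names, addresses and the web server address are the page's sample values; the `WEBSRV` variable and the helper names are this example's own.

```shell
#!/bin/bash
# Added example: render the page's firewall policy as an iptables-restore file.
# The values below are the page's sample values (assumptions for a real host).
set -e

EXTIF="eth0"
EXTIFIPADDR="219.150.46.98"
INNET="192.168.1.0/24"
WEBSRV="192.168.1.10"   # internal web server published by the DNAT rule

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets, leading/trailing dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_cidr NET/PLEN: a valid IPv4 network followed by a prefix length 0..32
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    net=${1%/*}; plen=${1#*/}
    is_ipv4 "$net" || return 1
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ]
}

# gen_rules: print the filter and nat tables in iptables-restore syntax.
# Lines beginning with '#' are ignored by iptables-restore.
gen_rules() {
    is_ipv4 "$EXTIFIPADDR" || { echo "gen_rules: bad EXTIFIPADDR '$EXTIFIPADDR'" >&2; return 1; }
    is_cidr "$INNET"       || { echo "gen_rules: bad INNET '$INNET'" >&2; return 1; }
    is_ipv4 "$WEBSRV"      || { echo "gen_rules: bad WEBSRV '$WEBSRV'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to TCP connections this host opened (TCP only, as in the page's rule set)
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH management
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# rate-limited IP fragments
-A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# this host may ping out; nobody may ping it
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> Internet: rewrite the source to the external address
-A POSTROUTING -s $INNET -o $EXTIF -j SNAT --to-source $EXTIFIPADDR
# Internet -> internal web server on port 80
-A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WEBSRV:80
COMMIT
EOF
}

# Render to stdout; redirect into a file, review it, then load it with iptables-restore.
gen_rules
```

Redirect the output to a file, compare it with `iptables-save` output from the running host, and then load it with `iptables-restore < file`; the whole table is replaced in one step, so the SSH ACCEPT rule is in place the moment the DROP policy takes effect. On Fedora the same file format is what the iptables init script reads from /etc/sysconfig/iptables at boot. The rendered set keeps the page's OUTPUT DROP policy, so apart from loopback the host itself can only send SSH replies and outbound pings; any other service the host must reach needs an explicit OUTPUT rule.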

