#!/bin/bash # A simple iptables firewall configuration PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH #flush/erase original rules iptables -F #清除所有已制定的rule iptables -X #清除用户自定义的chain/table iptables -Z #将所有的chain的计数和流量统计归零 #Accept localhost connetting, no matter what it is iptables -A INPUT -i lo -j ACCEPT #Accept any response package which is initiated from inside iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #block most common network attacks(recon packets and syn-flood attack) iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #open ports for different services #必须开启22端口,以便于通过ssh连接服务器 iptables -A INPUT -p tcp --dport 22 -j ACCEPT #SSH #WEB服务通常还需开启 80 和 443 iptables -A INPUT -p tcp --dport 80 -j ACCEPT #HTTP iptables -A INPUT -p tcp --dport 443 -j ACCEPT #HTTPS #如下端口根据对外开放服务自行决定,如果需开启,请删除开头的#号 #iptables -A INPUT -p tcp --dport 3306 -j ACCEPT #MYSQL #iptables -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP #iptables -A INPUT -p tcp --dport 465 -j ACCEPT #Secure SMTP #iptables -A INPUT -p tcp --dport 110 -j ACCEPT #POP3 #iptables -A INPUT -p tcp --dport 995 -j ACCEPT #Secure POP #常用的安全防护策略,如不需要,去哪个在 #ICMP configuration #To prevent ICMP DDOS,we do not allow ICMP type 8(echo-request) or limit this request with 1/second #some ICMP requests are allowed. icmp_type="0 3 4 8 11 12 14 16 18" for ticmp in $icmp_type do iptables -A INPUT -p icmp --icmp-type $ticmp -j ACCEPT done #必须的默认策略:default policies iptables -P OUTPUT ACCEPT iptables -P INPUT DROP #保存以上配置为系统默认配置save to /etc/sysconfig/iptables /etc/init.d/iptables save #重启防护墙 /etc/init.d/iptables restart