防火墙脚本也一并送上
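#!/usr/bin/env bash
# Name        : firewall.sh
# Author      : purplegrape4@gmail.com
# Description : set up a simple host-based iptables firewall (filter table).
#
# The INPUT policy is left at ACCEPT while the rules are appended and only
# switched to DROP once every ACCEPT rule is in place, so an interrupted run
# cannot lock the operator out. The flip side is that if a command fails the
# host is left fail-open and the ruleset is NOT saved: read the diagnostic
# printed by the ERR trap, fix the rule and rerun.
#
# Must run as root. Persisting through /etc/init.d/iptables is the
# RHEL/CentOS-style init script; where it is absent the rules are loaded but
# not saved (a warning is printed).
set -Eeuo pipefail

# Only one network card; this is the trusted local network.
readonly lan=192.168.0.0/16

# Kernel modules the rules below rely on. Loading is best-effort: on many
# kernels these are built in or have been renamed, and a genuinely missing
# match shows up as an iptables error when the rule is added, which set -e
# turns into a stop.
readonly modules=(ip_tables iptable_filter ipt_REJECT ip_conntrack xt_limit xt_recent xt_state)

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Say which command failed; with set -E this also fires inside functions.
trap 'printf "firewall.sh: command failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Abort unless running as root (iptables needs CAP_NET_ADMIN).
require_root() {
  [[ "$(id -u)" == "0" ]] || die "This script is designed to run as root"
}

# Load the modules listed in $modules, warning (not failing) on each miss.
load_modules() {
  local m
  for m in "${modules[@]}"; do
    modprobe "$m" 2>/dev/null \
      || printf 'warning: could not load module %s (built-in or renamed?)\n' "$m" >&2
  done
}

# Drop every rule, user chain and counter in the filter table.
flush_rules() {
  iptables -F
  iptables -X
  iptables -Z
}

# Rules for traffic arriving at this host. Rules are evaluated top-down and
# the first match wins; anything unmatched hits the INPUT policy.
input_rules() {
  # Keep ACCEPT while appending so a failure cannot lock us out.
  iptables -P INPUT ACCEPT
  # Loopback is always trusted.
  iptables -A INPUT -i lo -j ACCEPT
  # Replies to connections this host opened, plus related traffic.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Echo requests above 1 packet/sec fall through to the DROP policy.
  iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
  # SSH from the LAN only, at most 10 new connections per source address per
  # minute; the 11th falls through to DROP. '--state NEW' keeps INVALID-state
  # packets out of both the hit counter and the ACCEPT, which is what the
  # "new connections" intent requires.
  iptables -A INPUT -s "$lan" -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name ssh --rsource
  iptables -A INPUT -s "$lan" -p tcp --dport 22 -m state --state NEW \
    -m recent ! --rcheck --seconds 60 --hitcount 10 --name ssh --rsource -j ACCEPT
  # Services reachable from the LAN only. '--dport' is rejected by iptables
  # unless a protocol is given, so DNS/Kerberos/LDAP/kpasswd (53/88/389/464),
  # which use both transports, get one rule per protocol.
  local proto port
  for proto in tcp udp; do
    for port in 53 88 389 464; do
      iptables -A INPUT -s "$lan" -p "$proto" --dport "$port" -j ACCEPT
    done
  done
  for port in 137 138 123; do
    iptables -A INPUT -s "$lan" -p udp --dport "$port" -j ACCEPT
  done
  for port in 135 139 445 636 1024 3268 3269; do
    iptables -A INPUT -s "$lan" -p tcp --dport "$port" -j ACCEPT
  done
}

# Default verdicts, applied only after every INPUT ACCEPT rule exists.
set_policies() {
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
}

# Outbound traffic this host should never emit.
output_rules() {
  # NOTE(review): 224.0.0.0/8 covers only part of the multicast block
  # (224.0.0.0/4); kept as the author wrote it.
  iptables -A OUTPUT -s 224.0.0.0/8 -j DROP
  iptables -A OUTPUT -d 224.0.0.0/8 -j DROP
  iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
}

# Save the live ruleset to /etc/sysconfig/iptables and reload it through the
# init script, if that script exists on this system.
persist_rules() {
  local svc=/etc/init.d/iptables
  if [[ -x "$svc" ]]; then
    "$svc" save
    "$svc" restart
  else
    printf 'warning: %s not found; rules are active but not saved\n' "$svc" >&2
  fi
}

main() {
  require_root
  load_modules
  flush_rules
  input_rules
  set_policies
  output_rules
  persist_rules
  # Show the final rules on the screen.
  iptables -n -v -L
}

main "$@"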