Iptables deny All script
Iptables deny All script
Bên dưới là mẩu iptables được cấu hình sẳn nhiều tính năng
- Hardening Linux
- Deny all ports not in use
- Hạn chế ddos attack
- Open 1 số port phổ biến
......
1. Tạo file iptables.sh
#vi iptables.sh
2. Chạy file iptables.sh này
#sh iptables.sh
3. Tất các rule sau trong này sẽ update vào iptables service.
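#!/bin/sh
# iptables "deny all" host firewall for a single public-facing server
# (RHEL/CentOS 6 style: sysvinit iptables service, yum, /etc/init.d).
#
# What it does, in order:
#   1. removes a few legacy network daemons and hardens IPv4 sysctls;
#   2. flushes the filter table and sets DROP as the default policy;
#   3. allows loopback, SSH, ICMP, outbound DNS, FTP, HTTP/S, IMAP/S, SMTP;
#   4. drops scan-style / malformed TCP packets, fragments, broadcast,
#      multicast and INVALID traffic, and rate-limits new HTTP connections;
#   5. drops traffic from spoofed/bogon source ranges and from the addresses
#      listed in $BLOCKED_IP_TDB (one address or CIDR per line, '#' and
#      blank lines ignored);
#   6. installs fail2ban and saves the rule set so it survives a restart.
#
# Usage:  sh iptables.sh        (must run as root)
# Edit SERVER_IP and the interface names in the configuration section first.
#
# Fixes relative to the original posting:
#   - SPOOFIP and BLOCKED_IP_TDB are defined BEFORE the loop that uses them
#     (they were set at the very end, so the spoof chain was built empty and
#     the block-list file was read into BADIPS but never used);
#   - the inbound "-p udp --sport 53 -j ACCEPT" rule is now stateful, so an
#     arbitrary inbound UDP packet that merely claims source port 53 is no
#     longer accepted;
#   - bash-only "[[ ]]" replaced by POSIX "[ ]" to match the #!/bin/sh shebang;
#   - package name typo "rsh-serve" -> "rsh-server";
#   - root check, and every rejected iptables rule is reported on stderr
#     instead of failing silently.

set -u

# ---------------------------------------------------------------------------
# Site configuration
# ---------------------------------------------------------------------------
SERVER_IP="125.212.219.53"   # this server's public address
PUB_IF="eth0"                # public interface
LO_IF="lo"                   # loopback
LAN_IF="eth1"                # VPS LAN / private net (rules kept commented out below)

IPT="/sbin/iptables"
SYSCTL="/sbin/sysctl"

# Addresses/CIDRs to drop outright, one per line. A missing file means an
# empty list.
BLOCKED_IP_TDB="/root/blocked.ip.txt"

# Source ranges that must never arrive on the public interface (private,
# link-local, reserved, multicast, documentation). Kept exactly as posted.
SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"

# New HTTP connections allowed per source within HTTP_WINDOW seconds.
# NOTE: xt_recent only remembers ip_pkt_list_tot packets per address (the
# module default is 20); a --hitcount larger than that is rejected when the
# rule is loaded. Raise ip_pkt_list_tot via a module option
# (e.g. /etc/modprobe.d) or lower HTTP_HITCOUNT to match.
HTTP_HITCOUNT=50
HTTP_WINDOW=60

# EPEL release RPM used to obtain fail2ban. The URL in the original post was
# truncated ("..."), so it must be supplied via the environment:
#   EPEL_RELEASE_RPM=<epel-release RPM URL> sh iptables.sh
EPEL_RELEASE_RPM="${EPEL_RELEASE_RPM:-}"

# die MSG... : print MSG to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ipt ARGS... : run iptables with ARGS; a rejected rule is reported on stderr
# but does not abort the script (aborting half-way would leave the box with a
# DROP policy and no SSH rule).
ipt() {
  "$IPT" "$@" || printf 'iptables rule rejected: %s\n' "$*" >&2
}

[ "$(id -u)" -eq 0 ] || die "this script must be run as root"
[ -x "$IPT" ] || die "$IPT not found or not executable"

# ---------------------------------------------------------------------------
# 1. Host hardening  (http://www.cyberciti.biz/tips/linux-security.html)
# ---------------------------------------------------------------------------
#yum update -y
# Remove legacy / cleartext network daemons.
yum -y erase inetd xinetd ypserv tftp-server telnet-server rsh-server

echo "Setting sysctl IPv4 settings..."
# Each call is a runtime write; nothing here is persisted. Copy the values
# into /etc/sysctl.conf to keep them across reboots.
"$SYSCTL" net.ipv4.ip_forward=0
"$SYSCTL" net.ipv4.conf.all.send_redirects=0
"$SYSCTL" net.ipv4.conf.default.send_redirects=0
"$SYSCTL" net.ipv4.conf.all.accept_source_route=0
"$SYSCTL" net.ipv4.conf.all.accept_redirects=0
"$SYSCTL" net.ipv4.conf.all.secure_redirects=0
"$SYSCTL" net.ipv4.conf.all.log_martians=1
"$SYSCTL" net.ipv4.conf.default.accept_source_route=0
"$SYSCTL" net.ipv4.conf.default.accept_redirects=0
"$SYSCTL" net.ipv4.conf.default.secure_redirects=0
"$SYSCTL" net.ipv4.icmp_echo_ignore_broadcasts=1
"$SYSCTL" net.ipv4.tcp_syncookies=1
"$SYSCTL" net.ipv4.conf.all.rp_filter=1
"$SYSCTL" net.ipv4.conf.default.rp_filter=1
"$SYSCTL" kernel.exec-shield=1        # not present on every kernel; a missing key only prints an error
"$SYSCTL" kernel.randomize_va_space=1
# Re-applies /etc/sysctl.conf. Any key set there overrides the runtime writes
# above, so keep the two in agreement.
sysctl -p

# ---------------------------------------------------------------------------
# 2. Reset the filter table and fail closed
# ---------------------------------------------------------------------------
ipt -F
ipt -X
# The DROP policy is set before any ACCEPT rule so the host is never open
# while the rule set is being loaded.
ipt -P INPUT DROP
ipt -P OUTPUT DROP
ipt -P FORWARD DROP

# ---------------------------------------------------------------------------
# 3. Permitted services
# ---------------------------------------------------------------------------
# Unlimited traffic on loopback.
ipt -A INPUT -i "$LO_IF" -j ACCEPT
ipt -A OUTPUT -o "$LO_IF" -j ACCEPT

# Unlimited VPN / LAN access (enable if the private interface is in use).
#ipt -A INPUT -i "$LAN_IF" -j ACCEPT
#ipt -A OUTPUT -o "$LAN_IF" -j ACCEPT

# Incoming SSH from anywhere (client side must use an unprivileged port).
ipt -A INPUT -p tcp -s 0/0 -d "$SERVER_IP" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
ipt -A OUTPUT -p tcp -s "$SERVER_IP" -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Restrict SSH to a single management address instead (example from the post):
#ipt -A INPUT -p tcp -s 202.54.1.20 -d "$SERVER_IP" --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#ipt -A OUTPUT -p tcp -s "$SERVER_IP" -d 202.54.1.20 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Ping (all ICMP types, as in the original).
ipt -A INPUT -p icmp -j ACCEPT
ipt -A OUTPUT -p icmp -j ACCEPT

# Outbound DNS. Replies are admitted by conntrack state, not by source port:
# a bare "--sport 53 -j ACCEPT" on INPUT would accept any inbound UDP packet
# that claims to come from port 53.
ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
ipt -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# FTP (server side). Passive-mode data connections additionally need the FTP
# conntrack helper loaded so they are classified RELATED.
ipt -A OUTPUT -p tcp --sport 20:21 -j ACCEPT
ipt -A INPUT -p tcp --dport 20:21 -j ACCEPT

# HTTP and HTTPS.
ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
ipt -A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

# IMAP and IMAPS.
ipt -A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
ipt -A OUTPUT -p tcp -m multiport --sports 143,993 -j ACCEPT

# SMTP / submission (Sendmail).
ipt -A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
ipt -A OUTPUT -p tcp -m multiport --sports 25,465,587 -j ACCEPT

# ---------------------------------------------------------------------------
# 4. Abuse / scan filtering
# ---------------------------------------------------------------------------
# Per-port rate limit for HTTP (alternative to the "recent" rule below).
#ipt -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# New TCP connections must start with SYN.
ipt -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Fragments.
ipt -A INPUT -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
ipt -A INPUT -f -j DROP

# Malformed flag combinations (NULL, XMAS, SYN+FIN, SYN+RST, FIN-only scans).
ipt -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ipt -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ipt -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
ipt -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
ipt -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Log and drop spoofed/bogon sources and the block-list file. The chain is
# inserted at the head of INPUT and FORWARD so these sources are rejected
# before any ACCEPT rule. (The original also inserted it into OUTPUT, where
# "-i" rules can never match; that no-op is dropped.)
ipt -N spooflist
for ipblock in $SPOOFIP; do   # word-splitting of the list is intended
  ipt -A spooflist -i "$PUB_IF" -s "$ipblock" -j LOG --log-prefix " SPOOF List Block "
  ipt -A spooflist -i "$PUB_IF" -s "$ipblock" -j DROP
done
if [ -f "$BLOCKED_IP_TDB" ]; then
  # '#' comments and blank lines are skipped; the file content is passed to
  # iptables as-is, so keep it to one address/CIDR per line.
  grep -Ev '^#|^$' "$BLOCKED_IP_TDB" | while IFS= read -r badip; do
    ipt -A spooflist -s "$badip" -j DROP
  done
fi
ipt -I INPUT -j spooflist
ipt -I FORWARD -j spooflist

# Log and drop broadcast / multicast / INVALID on the public interface.
ipt -A INPUT -i "$PUB_IF" -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
ipt -A INPUT -i "$PUB_IF" -m pkttype --pkt-type broadcast -j DROP
ipt -A INPUT -i "$PUB_IF" -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
ipt -A INPUT -i "$PUB_IF" -m pkttype --pkt-type multicast -j DROP
ipt -A INPUT -i "$PUB_IF" -m state --state INVALID -j LOG --log-prefix " Invalid "
ipt -A INPUT -i "$PUB_IF" -m state --state INVALID -j DROP

# Limit new HTTP connections per source: more than HTTP_HITCOUNT within
# HTTP_WINDOW seconds from one address and further ones are dropped. Both
# rules are inserted at the head of INPUT; the second insert lands above the
# first, so the check runs before the address is recorded.
ipt -I INPUT -p tcp --dport 80 -i "$PUB_IF" -m state --state NEW -m recent --set
ipt -I INPUT -p tcp --dport 80 -i "$PUB_IF" -m state --state NEW -m recent --update --seconds "$HTTP_WINDOW" --hitcount "$HTTP_HITCOUNT" -j DROP

# Full outgoing connectivity (package downloads etc.), replies only inbound.
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Diagnostics (run by hand): list which addresses hold the most connections.
#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# Block a single address, or one address on one port
# (http://www.cyberciti.biz/faq/linux-iptables-drop/):
#iptables -A INPUT -s 125.58.55.44 -j DROP
#iptables -A INPUT -s 163.235.144.110 -p tcp --destination-port 25 -j DROP

# ---------------------------------------------------------------------------
# 5. fail2ban (from EPEL)
# ---------------------------------------------------------------------------
if [ -n "$EPEL_RELEASE_RPM" ]; then
  # rpm only warns (NOKEY) rather than refusing when the signing key is not
  # imported; import the EPEL GPG key beforehand so the signature is checked.
  rpm -Uvh "$EPEL_RELEASE_RPM"
else
  printf 'EPEL_RELEASE_RPM not set; skipping EPEL repository install\n' >&2
fi
yum -y install fail2ban
# Seed jail.local once; do not clobber an existing local configuration.
[ -f /etc/fail2ban/jail.local ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
service fail2ban restart

# ---------------------------------------------------------------------------
# 6. Final catch-all and persistence
# ---------------------------------------------------------------------------
# Redundant with the DROP policy, but gives per-chain drop counters.
ipt -A INPUT -j DROP
ipt -A OUTPUT -j DROP
# sysvinit iptables service (RHEL/CentOS 6): write the rule set and reload it.
/etc/init.d/iptables save
/etc/init.d/iptables restart
exit 0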