还有多少tables可以来一下。
话说还是把本机防火墙配起来了,经历两次把自己关在门外后,开始小心翼翼了。
话说还是把本机防火墙配起来了,经历两次把自己关在门外后,开始小心翼翼了。
1 #!/bin/sh -e
2 IPTABLES="/sbin/iptables"
3 ARPTABLES="/sbin/arptables"
4
5 echo 1 > /proc/sys/net/ipv4/ip_forward
6 start(){
7 # flush
8 $IPTABLES -F
9
10 # set default policy
11 $IPTABLES -P INPUT ACCEPT
12 $IPTABLES -P OUTPUT ACCEPT
13 $IPTABLES -P FORWARD ACCEPT
14
15 # input chain
16
17 # state allow
18 $IPTABLES -A OUTPUT -m state --state INVALID -j REJECT
19 $IPTABLES -A INPUT -m state --state INVALID -j REJECT
20
21 $IPTABLES -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 --icmp-type 8 -j ACCEPT
22 $IPTABLES -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 --icmp-type 11 -j ACCEPT
23 $IPTABLES -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
24
25 #reject arping
26 $ARPTABLES -P INPUT DROP
27 $ARPTABLES -P OUTPUT DROP
28 $ARPTABLES -P FORWARD ACCEPT
29
30 $ARPTABLES -A INPUT --source-mac 00:d0:xx:xx:xx:xx -j ACCEPT
31 $ARPTABLES -A OUTPUT --destination-mac 00:d0:xx:xx:xx:xx -j ACCEPT
32 $ARPTABLES -A INPUT --opcode 2 -j ACCEPT
33 $ARPTABLES -A OUTPUT --opcode 1 -j ACCEPT
34 }
35
36 stop(){
37 $IPTABLES -F
38 $IPTABLES -P INPUT ACCEPT
39 $IPTABLES -P OUTPUT ACCEPT
40 $IPTABLES -P FORWARD ACCEPT
41
42 $ARPTABLES -F
43 $ARPTABLES -P INPUT ACCEPT
44 $ARPTABLES -P OUTPUT ACCEPT
45 $ARPTABLES -P FORWARD ACCEPT
46 }
47
48 case "$1" in
49 start)
50 start
51 ;;
52 stop)
53 stop
54 ;;
55 *)
56 echo "$0 {start|stop}"
57 exit 1
58 ;;
59 esac
60 exit 0
2 IPTABLES="/sbin/iptables"
3 ARPTABLES="/sbin/arptables"
4
5 echo 1 > /proc/sys/net/ipv4/ip_forward
6 start(){
7 # flush
8 $IPTABLES -F
9
10 # set default policy
11 $IPTABLES -P INPUT ACCEPT
12 $IPTABLES -P OUTPUT ACCEPT
13 $IPTABLES -P FORWARD ACCEPT
14
15 # input chain
16
17 # state allow
18 $IPTABLES -A OUTPUT -m state --state INVALID -j REJECT
19 $IPTABLES -A INPUT -m state --state INVALID -j REJECT
20
21 $IPTABLES -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 --icmp-type 8 -j ACCEPT
22 $IPTABLES -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 --icmp-type 11 -j ACCEPT
23 $IPTABLES -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
24
25 #reject arping
26 $ARPTABLES -P INPUT DROP
27 $ARPTABLES -P OUTPUT DROP
28 $ARPTABLES -P FORWARD ACCEPT
29
30 $ARPTABLES -A INPUT --source-mac 00:d0:xx:xx:xx:xx -j ACCEPT
31 $ARPTABLES -A OUTPUT --destination-mac 00:d0:xx:xx:xx:xx -j ACCEPT
32 $ARPTABLES -A INPUT --opcode 2 -j ACCEPT
33 $ARPTABLES -A OUTPUT --opcode 1 -j ACCEPT
34 }
35
36 stop(){
37 $IPTABLES -F
38 $IPTABLES -P INPUT ACCEPT
39 $IPTABLES -P OUTPUT ACCEPT
40 $IPTABLES -P FORWARD ACCEPT
41
42 $ARPTABLES -F
43 $ARPTABLES -P INPUT ACCEPT
44 $ARPTABLES -P OUTPUT ACCEPT
45 $ARPTABLES -P FORWARD ACCEPT
46 }
47
48 case "$1" in
49 start)
50 start
51 ;;
52 stop)
53 stop
54 ;;
55 *)
56 echo "$0 {start|stop}"
57 exit 1
58 ;;
59 esac
60 exit 0
