本节分享的这个shell脚本， without the expected accompanying ACK $IPT -A INPUT -p tcp --tcp-flags ACK，实现用iptables对常用的端口及服务进行防护，RST -j DROP # FIN is the only bit set。

RST -j DROP # FIN and RST are both set $IPT -A INPUT -p tcp --tcp-flags FIN，PSH PSH -j DROP # URG is the only bit set， without the expected accompanying ACK $IPT -A INPUT -p tcp --tcp-flags ACK，RELATED -j ACCEPT $IPT -A INPUT -m state --state INVALID -j DROP $IPT -A OUTPUT -m state --state INVALID -j DROP fi #-----------------# # Source Address Spoofing and Other Bad Addresses # Refuse spoofed packets pretending to be from # the external interface.s IP address # Refuse packets claiming to be from a Class A private network $IPT -A INPUT -s $CLASS_A -j DROP # Refuse packets claiming to be from a Class B private network $IPT -A INPUT -s $CLASS_B -j DROP # Refuse packets claiming to be from a Class C private network $IPT -A INPUT -s $CLASS_C -j DROP $IPT -A INPUT -s 0.0.0.0/8 -j DROP $IPT -A INPUT -s 169.254.0.0/16 -j DROP $IPT -A INPUT -s 192.0.2.0/24 -j DROP #-----------------# #setting access rules #允许出站域名解析 $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT #$IPT -A OUTPUT -p tcp -d 61.177.7.1 --dport 53 -j ACCEPT #$IPT -A OUTPUT -p udp -d 61.177.7.1 --dport 53 -j ACCEPT #时钟同步 $IPT -A OUTPUT -d 192.43.244.18 -j ACCEPT #$IPT -A OUTPUT -p udp -d 192.43.244.18 --dport 123 -j ACCEPT #允许ping出 $IPT -A OUTPUT -p icmp -j ACCEPT #允许ftp备份 #$IPT -A OUTPUT -p tcp -d 222.102.153.191 --dport 21 -j ACCEPT #$IPT -A OUTPUT -p tcp -d 222.102.153.191 --dport 20 -j ACCEPT $IPT -A OUTPUT -d 222.102.153.191 -j ACCEPT #允许出站http $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT #允许yum更新 $IPT -A OUTPUT -p tcp -d mirrors.163.com -j ACCEPT #允许入站ssh $IPT -A INPUT -p tcp -s 58.102.13.91 --dport 22 -j ACCEPT #允许cacti监控 #$IPT -A INPUT -p tcp -s 222.102.153.192 --dport 161 -j ACCEPT $IPT -A INPUT -s 222.102.153.192 -j ACCEPT #$IPT -A INPUT -p tcp --dport 443 -j ACCEPT #$IPT -A INPUT -p tcp --dport 80 -j ACCEPT #$IPT -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT 运行脚本： 复制代码 代码示例: chmod +x /root/iptables.sh echo /root/iptables.sh /etc/rc.local ，RST SYN。

RELATED -j ACCEPT $IPT -A OUTPUT -m state --state ESTABLISHED，URG URG -j DROP # Using Connection State to By-pass Rule Checking if [ $CONNECTION_TRACKING = 1 ]; then $IPT -A INPUT -m state --state ESTABLISHED，FIN -j DROP # SYN and RST are both set $IPT -A INPUT -p tcp --tcp-flags SYN。

FIN SYN， 代码： vi /root/iptables.sh 复制代码 代码示例: #echo Starting kerryhu-iptables rules... #!/bin/bash IPT=/sbin/iptables CONNECTION_TRACKING=1 CLASS_A=10.0.0.0/8 CLASS_B=172.16.0.0/12 CLASS_C=192.168.0.0/16 CLASS_D_MULTICAST=224.0.0.0/4 CLASS_E_RESERVED_NET=240.0.0.0/5 BROADCAST_SRC=0.0.0.0 BROADCAST_DEST=255.255.255.255 LOOPBACK_INTERFACE=lo #Remove any existing rules $IPT -F $IPT -X #setting default firewall policy $IPT -P FORWARD DROP $IPT -P INPUT DROP $IPT -P OUTPUT DROP #setting for loopback interface $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Stealth Scans and TCP State Flags # All of the bits are cleared $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # SYN and FIN are both set $IPT -A INPUT -p tcp --tcp-flags SYN。

FIN FIN -j DROP # PSH is the only bit set，有兴趣的朋友可以研究下，RST FIN， without the expected accompanying ACK $IPT -A INPUT -p tcp --tcp-flags ACK，。