几年前,我的一个朋友写了这个脚本来保护我的专用服务器。
但是我从来没有成功实现这一点。
几年前,当我启动它时,所有连接(包括我自己)都被阻止了。
我对IPTables一无所知。仅用于阻止,取消阻止和列出阻止的IP。
您能解释一下此脚本如何工作吗?
为什么会导致阻止所有连接尝试?
#!/bin/sh
###############################################################################
#
# Local Settings
#
echo "Setuping local settings..."
# Iptables Location
IPT="/usr/local/sbin/iptables"
IPTS="/usr/local/sbin/iptables-save"
IPTR="/usr/local/sbin/iptables-restore"
# Internet Interface
INET_IFACE="eth0"
# Trusted (network that bypass by all rules)
TRUSTED_NETWORK="X.X.X.X/24"
TRUSTED_IFACE=""
# Localhost Interface
LO_IFACE="lo"
# Private services (protected from syn flood and brutaforce attacks, generialy for admin services like ftp, ssh,etc)
TCP_PRIVATE_SERVICES="3306,8081,1327,1433"
UDP_PRIVATE_SERVICES=""
# Protected services (protected from syn floods, generialy for public game servers)
TCP_PROTECTED_SERVICES="9998,9999"
UDP_PROTECTED_SERVICES=""
# Unprotected services (to handle much connections from one ip, generially for web servers)
TCP_UNPROTECTED_SERVICES="80,666,3000,43"
UDP_UNPROTECTED_SERVICES=""
# Ban time in seconds
BAN_TIME="600"
# How many connections try is allowed
PRIVATE_SERVICES_MAX_1MIN="10"
PROTECTED_SERVICES_MAX_30SEC="20"
PROTECTED_SERVICES_MAX_1MIN="30"
PROTECTED_SERVICES_MAX_5MIN="100"
GLOBAL_MAX_1SEC="20"
GLOBAL_MAX_5SEC="60"
GLOBAL_MAX_10SEC="80"
# Enable max connections filtering? (ipt_connlimit is needed)
ENABLE_CONNLIMIT="1"
# How many connections estabilished per ip is allowed
PRIVATE_SERVICES_MAX_CONN="15"
PROTECTED_SERVICES_MAX_CONN="15"
GLOBAL_MAX_CONN="30"
# Reject banned ips packets
REJECT_BANNED="1"
###############################################################################
#
# Kernel Parameter Configuration
#
echo "Reconfiguring kernel parameters..."
# Required to enable IPv4 forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
# This enables SYN flood protection.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# This enables source validation
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Reconfigure some services to minimize security risk
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Minimize timeouts to avoid system resources overloading under DDoS attacks
echo "300" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
# Disable TCP timestams (minimize traffic)
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
###############################################################################
#
# Load Modules
#
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ipt_conntrack
/sbin/modprobe ipt_recent ip_list_tot=8192 ip_pkt_list_tot=64
/sbin/modprobe ipt_multiport
test $ENABLE_CONNLIMIT = "1" && /sbin/modprobe ipt_connlimit
###############################################################################
#
# Flush Any Existing Rules or Chains
#
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
#---delete by Long---# /etc/init.d/monitorix restart
###############################################################################
#
# Rules Configuration
#
echo "Setting default policies roles..."
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "Creating and populating custom rule chains..."
# Create custom chains
$IPT -N global_accept
$IPT -N private_service_accept
$IPT -N protected_service_accept
$IPT -N ban_and_drop
$IPT -N icmp_inbound
$IPT -N udp_inbound
$IPT -N tcp_inbound
###### global_accept ######
$IPT -A global_accept -m recent --set --name global_accept_iplist
$IPT -A global_accept -m recent --hitcount $GLOBAL_MAX_10SEC --rcheck --seconds 10 --name global_accept_iplist -j ban_and_drop
$IPT -A global_accept -m recent --hitcount $GLOBAL_MAX_5SEC --rcheck --seconds 5 --name global_accept_iplist -j ban_and_drop
$IPT -A global_accept -m recent --hitcount $GLOBAL_MAX_1SEC --rcheck --seconds 1 --name global_accept_iplist -j ban_and_drop
test $ENABLE_CONNLIMIT = "1" && $IPT -A global_accept -m connlimit --connlimit-above $GLOBAL_MAX_CONN -j DROP
$IPT -A global_accept -j ACCEPT
###### private_service_accept ######
$IPT -A private_service_accept -m recent --set --name private_service_iplist
$IPT -A private_service_accept -m recent --hitcount $PRIVATE_SERVICES_MAX_1MIN --rcheck --seconds 60 --name private_service_iplist -j ban_and_drop
test $ENABLE_CONNLIMIT = "1" && $IPT -A private_service_accept -m connlimit --connlimit-above $PRIVATE_SERVICES_MAX_CONN -j ban_and_drop
$IPT -A private_service_accept -j ACCEPT
###### protected_service_accept ######
$IPT -A protected_service_accept -m recent --set --name protected_service_iplist
$IPT -A protected_service_accept -m recent --hitcount $PROTECTED_SERVICES_MAX_5MIN --rcheck --seconds 300 --name protected_service_iplist -j ban_and_drop
$IPT -A protected_service_accept -m recent --hitcount $PROTECTED_SERVICES_MAX_1MIN --rcheck --seconds 60 --name protected_service_iplist -j ban_and_drop
$IPT -A protected_service_accept -m recent --hitcount $PROTECTED_SERVICES_MAX_30SEC --rcheck --seconds 30 --name protected_service_iplist -j ban_and_drop
test $ENABLE_CONNLIMIT = "1" && $IPT -A protected_service_accept -m connlimit --connlimit-above $PROTECTED_SERVICES_MAX_CONN -j ban_and_drop
$IPT -A protected_service_accept -j ACCEPT
###### ban_and_drop ######
$IPT -A ban_and_drop -j LOG --log-prefix "Banned ip: "
$IPT -A ban_and_drop -m recent --set --name ban_iplist -j DROP
###### icmp_inbound chain ######
$IPT -A icmp_inbound -p ICMP --icmp-type 0 -j ACCEPT
$IPT -A icmp_inbound -p ICMP --icmp-type 3 -j ACCEPT
$IPT -A icmp_inbound -p ICMP --icmp-type 11 -j ACCEPT
$IPT -A icmp_inbound -p ICMP --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A icmp_inbound -p ICMP -j RETURN
###### udp_inbound chain ######
test ! -z $UDP_PRIVATE_SERVICES && $IPT -A udp_inbound -p UDP -m multiport --destination-ports $UDP_PRIVATE_SERVICES -j private_service_accept
test ! -z $UDP_PROTECTED_SERVICES && $IPT -A udp_inbound -p UDP -m multiport --destination-ports $UDP_PROTECTED_SERVICES -j protected_service_accept
test ! -z $UDP_UNPROTECTED_SERVICES && $IPT -A udp_inbound -p UDP -m multiport --destination-ports $UDP_UNPROTECTED_SERVICES -j global_accept
$IPT -A udp_inbound -p UDP -j RETURN
###### tcp_inbound chain ######
$IPT -A tcp_inbound -p TCP ! --tcp-flags ALL SYN -j DROP
test ! -z $TCP_PRIVATE_SERVICES && $IPT -A tcp_inbound -p TCP -m multiport --destination-ports $TCP_PRIVATE_SERVICES -j private_service_accept
test ! -z $TCP_PROTECTED_SERVICES && $IPT -A tcp_inbound -p TCP -m multiport --destination-ports $TCP_PROTECTED_SERVICES -j protected_service_accept
test ! -z $TCP_UNPROTECTED_SERVICES && $IPT -A tcp_inbound -p TCP -m multiport --destination-ports $TCP_UNPROTECTED_SERVICES -j global_accept
$IPT -A tcp_inbound -p TCP -j RETURN
###############################################################################
#
# INPUT Chain
#
echo "Processing INPUT chain..."
# Allow all on localhost interface
$IPT -A INPUT -i $LO_IFACE -j ACCEPT
# Allow trusted networks
test ! -z $TRUSTED_NETWORK && $IPT -A INPUT -s $TRUSTED_NETWORK -j ACCEPT
test ! -z $TRUSTED_IFACE && $IPT -A INPUT -i $TRUSTED_IFACE -j ACCEPT
# Drop INVALID packets
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
# Accept Established Connections
$IPT -A INPUT -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Check if the ip is banned and drop it
$IPT -A INPUT -m recent --update --hitcount 1 --name ban_iplist --seconds $BAN_TIME -j DROP
# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_inbound
###############################################################################
#
# FORWARD Chain
#
echo "Process FORWARD chain ..."
###############################################################################
#
# OUTPUT Chain
#
echo "Process OUTPUT chain ..."
# Localhost
$IPT -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
# Trusted networks
test ! -z $TRUSTED_NETWORK && $IPT -A OUTPUT -d $TRUSTED_NETWORK -j ACCEPT
test ! -z $TRUSTED_IFACE && $IPT -A OUTPUT -o $TRUSTED_IFACE -j ACCEPT
# Check if it was banned and reject it (for TCP packets)
test $REJECT_BANNED = "1" && $IPT -A OUTPUT -p TCP -m recent --rdest --rcheck --hitcount 1 --name ban_iplist --seconds $BAN_TIME -j REJECT --reject-with tcp-reset
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
###############################################################################
#
# nat table
#
###############################################################################
#
# PREROUTING chain
#
###############################################################################
#
# POSTROUTING chain
#
###############################################################################
#
# mangle table
#
###############################################################################
#
# Custom rules
#