CentOS7升级iptables
现在使用iptables属于倒行逆施,源里的iptables版本又太低,尝试进行升级操作
禁用firewalld
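# Replace firewalld with the classic iptables service; masking keeps firewalld
# from being started again by a dependency or a package scriptlet.
systemctl stop firewalld && systemctl disable firewalld && systemctl mask --now firewalld
# Turn SELinux off in the config (next boot) and drop to permissive now.
# Anchor on "^SELINUX=" so only the mode line is rewritten — the original
# "/SELINUX/" pattern also matched SELINUXTYPE= and any commented copy.
# This step is independent of the iptables build below; it removes the MAC
# layer for the whole host, so check the audit log for real denials first.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config && setenforce 0
# iptables-services provides iptables.service and the /etc/sysconfig/iptables
# save/restore the "执行" step relies on.
yum install iptables-services -y
yum install epel-release vim wget net-tools bridge-utils -y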
升级
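# Build iptables 1.8.7 from the upstream tarball, legacy backend only
# (--disable-nftables). Download index: https://www.netfilter.org/pub/iptables/
wget https://www.netfilter.org/pub/iptables/iptables-1.8.7.tar.bz2
# TODO(review): check the tarball against the detached signature netfilter.org
# publishes next to it (gpg --verify) before unpacking — HTTPS only protects
# the transfer, it does not authenticate the release itself.
tar -xvf iptables-1.8.7.tar.bz2
yum install gcc gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel -y
# One &&-chain from cd through the lib relocation: the original ran
# "make install" on its own line, so a failed configure or make still fell
# through to the install and to the loop below.
cd iptables-1.8.7 &&
./configure --prefix=/usr \
  --sbindir=/sbin \
  --disable-nftables \
  --enable-libipq \
  --with-xtlibdir=/lib/xtables &&
make &&
make install &&
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml &&
for file in ip4tc ip6tc ipq iptc xtables; do
  # LFS-style move of the runtime libs to /lib, leaving a relative symlink
  # in /usr/lib. The glob is deliberately unquoted. NOTE(review): on a
  # merged-/usr layout (/lib -> usr/lib) source and target are the same file,
  # so mv fails and the chain stops here — confirm the layout before relying
  # on this loop.
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv "../../lib/$(readlink /usr/lib/lib${file}.so)" /usr/lib/lib${file}.so
done
# Should now report 1.8.7 (legacy).
iptables -V
systemctl start iptables && systemctl enable iptables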
设置规则
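# Write the firewall script. The quoted "EOF" delimiter keeps $ipt/$WAN/etc.
# literal, so they are expanded when the script runs, not when it is written.
cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/bash
##定义变量##
ipt=/sbin/iptables
echo=/bin/echo
modprobe=/sbin/modprobe
# Interface roles: everything matched with -i $WAN below is the untrusted side.
WAN=ens33
LAN=ens37
##加载模块##
$modprobe iptable_filter
$modprobe ip_conntrack
$modprobe ip_conntrack_ftp
$modprobe ip_nat_ftp
$modprobe ip_tables
$modprobe iptable_nat
##内核参数##
$echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
$echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
$echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
$echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
$echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
$echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
$echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Routing between $LAN and $WAN (MASQUERADE / DNAT below) needs forwarding on.
$echo "1" > /proc/sys/net/ipv4/ip_forward
$echo "0" > /proc/sys/net/ipv4/tcp_ecn
$echo "1" > /proc/sys/net/ipv4/tcp_syncookies
$echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
##其他参数##
sysctl -w net.ipv4.tcp_keepalive_time=60
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=30000
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=5
sysctl -w net.ipv4.tcp_max_tw_buckets=2000000
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_tw_reuse=1
# tcp_tw_recycle was removed in Linux 4.12; fine on the CentOS 7 kernel, errors on newer ones.
sysctl -w net.ipv4.tcp_tw_recycle=0
sysctl -w net.ipv4.tcp_keepalive_intvl=15
sysctl -w net.ipv4.tcp_keepalive_probes=5
sysctl -w net.nf_conntrack_max=655360
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=10800
##刷新所有活动规则并删除所有自定义链##
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t security -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
$ipt -t security -X
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z
##默认策略##
# INPUT is closed by the explicit DROP at the very end, not by its policy, so
# if this script aborts part-way the host is left in accept-all state.
# FORWARD never gets a final DROP, so its ACCEPT policy makes the WAN->LAN
# ESTABLISHED-only rule below a no-op; the DNAT targets are reachable through
# that open policy rather than through an explicit allow.
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P INPUT ACCEPT
$ipt -t mangle -P FORWARD ACCEPT
$ipt -t mangle -P OUTPUT ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
##允许来自lo接口的数据包##
$ipt -A INPUT -i lo -j ACCEPT
#$ipt -A OUTPUT -o lo -j ACCEPT
##减少攻击##
# Moved ahead of every ACCEPT: conntrack classifies a non-SYN or bogus-flag
# TCP packet as NEW as well, so with this block after the 22/443 "--state NEW"
# accepts, a malformed probe at an open port was accepted before it could be
# dropped here. Nothing below depends on these rules being later.
$ipt -A INPUT -i $WAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -A INPUT -i $WAN -p tcp --tcp-flags ALL ALL -j DROP
$ipt -A INPUT -i $WAN -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$ipt -A INPUT -i $WAN -p tcp --tcp-flags ALL NONE -j DROP
$ipt -A INPUT -i $WAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -A INPUT -i $WAN -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$ipt -A INPUT -i $WAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i $WAN -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$ipt -A INPUT -i $WAN -p tcp --tcp-flags FIN,ACK FIN -j DROP
$ipt -A INPUT -i $WAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$ipt -A INPUT -i $WAN -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$ipt -A INPUT -i $WAN -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A INPUT -i $WAN -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$ipt -A INPUT -i $WAN -f -j DROP
#允许外网访问本机的端口##
$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport 443 --sport 1024:65535 -m state --state NEW -j ACCEPT
##开启NAT##
$ipt -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#允许DNS、SAMBA、FTP##
# NOTE(review): 53/udp and 53/tcp are accepted from any source, $WAN included;
# if a recursive resolver listens here, add -s for the LAN range.
$ipt -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 172.16.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
$ipt -A INPUT -s 172.16.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
$ipt -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/24 --dport 139 -j ACCEPT
$ipt -A INPUT -m state --state NEW -m tcp -p tcp -s 172.16.0.0/24 --dport 445 -j ACCEPT
##本地转发不受限制##
$ipt -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
##允许ICMP##
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
##端口映射##
$ipt -t nat -A PREROUTING -p tcp -d 192.168.3.210 --dport 80 -j DNAT --to-destination 172.16.1.2:80
# NOTE(review): 172.168.1.3 is outside the 172.16/12 private range and does not
# match the 172.16.x.x addresses used elsewhere here — likely 172.16.1.3; confirm.
$ipt -t nat -A PREROUTING -p tcp -d 192.168.3.210 --dport 8080 -j DNAT --to-destination 172.168.1.3:8888
##将局域网web请求转发到Squid##
# Option dashes were en-dashes ("–dport", "–to") in the original, which iptables
# rejects; fixed so the line works when uncommented.
#$ipt -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to 172.16.1.1:3128
##日志##
# NOTE(review): these catch-all LOG rules carry no -m limit, unlike the ones
# above, so a flood of rejected packets goes straight into the kernel log.
$ipt -A INPUT -j LOG
$ipt -A FORWARD -j LOG
$ipt -A INPUT -j DROP
EOF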
执行
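# Load the rule set now and persist it. iptables.service (iptables-services)
# restores /etc/sysconfig/iptables at boot; a bare "iptables-save" only prints
# to stdout, so the original left nothing for the service to restore.
# The sysctl/procfs settings in rc.iptables are not part of iptables-save; they
# need /etc/sysctl.d or the script itself to be run at boot.
chmod 700 /etc/rc.d/rc.iptables
# Run with bash to match the script's own #!/bin/bash shebang.
bash /etc/rc.d/rc.iptables
iptables-save > /etc/sysconfig/iptables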