Archive for September 13, 2013

One-click CentOS iptables firewall configuration
Configuring iptables by hand on several VPS servers is too tedious. I saw a script in Zhu brother's LNMP package that configures an iptables firewall automatically, borrowed it and changed it a bit, and am posting it for anyone who needs it.
Only the common ports are opened; if you have special needs, add or remove the corresponding ports yourself.

How to use:

wget -c http://ph4ntasy.googlecode.com/files/iptables.sh
chmod +x iptables.sh
./iptables.sh

Make iptables start at boot:

chkconfig --level 345 iptables on
Complete script:

#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
# Abort unless /etc/issue identifies the system as CentOS
function support_distro(){
  if [ -z "$(egrep -i "centos" /etc/issue)" ];then
    echo "Sorry, this iptables script only supports CentOS systems for now."
    exit 1
  fi
}
support_distro
echo "============================iptables configure============================================"
# Created by Centos.bz, modified by ph4ntasy.com
# Only supports CentOS systems
# Get the SSH port from sshd_config; fall back to 22 when no Port line is set
if grep "^Port" /etc/ssh/sshd_config>/dev/null;then
  sshdport=$(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}')
else
  sshdport=22
fi
# Obtain the DNS server IPs (first two nameserver lines of resolv.conf)
if [ -s /etc/resolv.conf ];then
  nameserver1=$(grep nameserver /etc/resolv.conf | awk 'NR == 1{print $2}')
  nameserver2=$(grep nameserver /etc/resolv.conf | awk 'NR == 2{print $2}')
fi
IPT="/sbin/iptables"
# Delete existing chains and rules
$IPT --delete-chain
$IPT --flush
# Default policy: drop inbound and forwarded traffic, allow outbound, allow loopback
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Allow established or related connections through
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Limit a single IP to at most 10 concurrent connections on port 80
$IPT -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
# Allow connections to ports 80 (HTTP) / 873 (rsync) / 443 (HTTPS) / 20,21 (FTP) / 25 (SMTP)
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# Allow the SSH port; the script detects the current SSH port, otherwise defaults to 22
$IPT -A INPUT -p tcp -m tcp --dport $sshdport -j ACCEPT
# Allow ping (echo request) and time-exceeded replies (traceroute)
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Allow outbound DNS queries to the detected nameservers
[ -n "$nameserver1" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver1 --dport 53 -j ACCEPT
[ -n "$nameserver2" ] && $IPT -A OUTPUT -p udp -m udp -d $nameserver2 --dport 53 -j ACCEPT
# Save the rules and restart iptables
service iptables save
service iptables restart
echo "============================iptables configure completed============================================"


Use iptables to stop php-ddos from sending UDP packets outward

Recently php-ddos has been rampant, especially with the pile of holes in DedeCMS (织梦), you know. We can use iptables to stop php-ddos from sending packets out at the source.

First, allow the UDP services you need (such as DNS):

iptables -I OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT

"53" is the UDP port DNS uses and "8.8.8.8" is the DNS server IP; set both according to your own server. If you do not know which DNS server your system currently uses, run the following command over SSH:

cat /etc/resolv.conf |grep nameserver |awk 'NR == 1{print $2 }'

Then stop the machine from sending out any other UDP packets:

iptables -A OUTPUT -p udp -j DROP
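As an added example (not from either post or the script they link), a small POSIX sh audit that checks an `iptables-save` dump for the properties both posts rely on: INPUT policy DROP, loopback and established traffic accepted, the detected SSH port open, and the DNS ACCEPT from this post ordered before its blanket outbound UDP DROP. The ruleset it reads is constructed inline; on a real host pass `$(iptables-save)` instead.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output, as the two posts above would leave it
# (SSH on port 22, DNS at 8.8.8.8 allowed, all other outbound UDP dropped).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -j DROP
COMMIT'

# audit_rules RULESET SSH_PORT: prints each failed check, returns non-zero if any failed
audit_rules() {
  rules=$1; sshport=$2; fail=0
  # check DESCRIPTION PATTERN: the extended regex must match one line of the ruleset
  check() {
    if ! printf '%s\n' "$rules" | grep -Eq -- "$2"; then echo "FAIL: $1"; fail=1; fi
  }
  check "INPUT policy is DROP"          '^:INPUT DROP'
  check "loopback accepted"             '^-A INPUT -i lo -j ACCEPT$'
  check "established inbound accepted"  '^-A INPUT .*--state RELATED,ESTABLISHED -j ACCEPT$'
  check "SSH port $sshport accepted"    "^-A INPUT -p tcp .*--dport $sshport -j ACCEPT$"
  # The DNS ACCEPT must come before the blanket UDP DROP, or name resolution breaks.
  dns_line=$(printf '%s\n' "$rules" | grep -n -- '-A OUTPUT -p udp .*--dport 53 .*-j ACCEPT' | head -1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$rules" | grep -n -- '^-A OUTPUT -p udp -j DROP$' | head -1 | cut -d: -f1)
  if [ -z "$dns_line" ] || [ -z "$drop_line" ] || [ "$dns_line" -gt "$drop_line" ]; then
    echo "FAIL: DNS ACCEPT missing or ordered after the outbound UDP DROP"; fail=1
  fi
  return $fail
}

# On a live host: audit_rules "$(iptables-save)" "$sshdport"
audit_rules "$SAMPLE_RULES" 22 && echo "ruleset OK"
```

Run it right after `service iptables save` and before closing your current SSH session, so a mis-detected SSH port is caught while you still have a shell.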
