#!/bin/bash
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
#加载相关模块
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_limit
echo 1 >;/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 >;/proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 >;/proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 >;/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 >;/proc/sys/net/ipv4/conf/all/log_martians
echo 1 >;/proc/sys/net/ipv4/tcp_syncookies
iptables -F
iptables -X
iptables -Z
## 允许本地回路?Loopback - Allow
unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## 防止SYN洪水?SYN-Flooding
Protection
iptables -N syn-flood
iptables -A INPUT -i ppp0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## 确保新连接是设置了SYN标记的包?Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
## 允许HTTP的规则
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --sport 80 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --sport 443 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -d 0/0 --dport 443 -j ACCEPT
## 允许DNS的规则
iptables -A INPUT -i ppp0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED
-j ACCEPT
iptables -A INPUT -i ppp0 -p udp -d 0/0 --dport 53 -j ACCEPT
## IP包流量限制?IP packets limit
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j DROP
## 允许SSH
iptables -A INPUT -p tcp -s ip1/32 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s ip2/32 --dport 22 -j ACCEPT
## 其它情况不允许?Anything else not
allowed
iptables -A INPUT -i eth0 -j DROP