Linux使用Iptables防范半连接攻击

作者:linux120 发布时间:November 27, 2012 分类:服务器配置

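#!/usr/bin/env bash
#
# Harden a Linux host against SYN-flood (half-open) and spoofing attacks:
# tightens TCP/ICMP sysctls, enables rp_filter and SYN cookies, raises the
# conntrack table size, resets iptables and installs a rate-limited
# "syn-flood" chain that logs and drops excess SYN segments.
#
# Must run as root. Env:
#   IFACE  interface whose inbound traffic is accepted wholesale (default eth0)
#
# Fixes relative to the original listing:
#   * accept_redirects is set to 0 (the original wrote 1, which accepts ICMP
#     redirects and contradicts the anti-spoofing intent of the rest).
#   * The syn-flood chain is now actually referenced from INPUT; before, the
#     blanket "-i eth0 -j ACCEPT" sat before it and nothing ever jumped to it.
#   * Globs/variables are quoted, rm is no longer fatal on an empty match,
#     and missing sysctl files are skipped with a warning instead of failing.
set -euo pipefail

readonly ipt=/sbin/iptables
readonly iface=${IFACE:-eth0}

# Print a diagnostic to stderr and exit.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Write a value to a /proc/sys entry, skipping (with a warning) entries the
# running kernel does not expose.
# Arguments: $1 - sysctl path, $2 - value
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [[ -e "$path" ]]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'warn: %s not present, skipping\n' "$path" >&2
  fi
}

[[ $EUID -eq 0 ]] || die "must run as root"
[[ -x "$ipt" ]] || die "$ipt not found"

/sbin/modprobe ip_tables
# Legacy module names; on newer kernels conntrack is nf_conntrack and is
# loaded on demand, so a failure here is tolerated deliberately.
/sbin/modprobe ip_conntrack || true
/sbin/modprobe ip_conntrack_ftp || true

# Purpose of these files is not documented in the listing — presumably
# state left by an earlier run; TODO confirm before relying on it.
rm -f -- /root/.dyn*

printf 'Setting kernel tcp parameters to reduce DoS effects\n'

# Reduce DoS'ing ability by reducing timeouts
set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30
set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 1800
set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 1
set_sysctl /proc/sys/net/ipv4/tcp_sack 0
set_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 1280

# ANTISPOOFING: reverse-path filtering on every interface
for entry in /proc/sys/net/ipv4/conf/*/rp_filter; do
  set_sysctl "$entry" 1
done

# NO SOURCE ROUTE
for entry in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  set_sysctl "$entry" 0
done

# SYN COOKIES
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1

set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
#set_sysctl /proc/sys/net/ipv4/icmp_echoreply_rate "$ICMP_ECHOREPLY_RATE"
set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
# 0 = do not honour ICMP redirects (the original wrote 1 by mistake)
set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1

# NUMBER OF CONNECTIONS TO TRACK (legacy path first, nf_conntrack fallback)
if [[ -e /proc/sys/net/ipv4/ip_conntrack_max ]]; then
  set_sysctl /proc/sys/net/ipv4/ip_conntrack_max 65535
else
  set_sysctl /proc/sys/net/netfilter/nf_conntrack_max 65535
fi

# Set default policies and start from an empty filter/mangle ruleset
"$ipt" -P INPUT ACCEPT
"$ipt" -P OUTPUT ACCEPT
"$ipt" -P FORWARD DROP
"$ipt" -F
"$ipt" -F INPUT
"$ipt" -F OUTPUT
"$ipt" -F FORWARD
"$ipt" -F -t mangle
"$ipt" -X

### chain to DROP too many SYN-s ######
# Under the limit: RETURN to INPUT. Over it: log (itself rate-limited so an
# attack cannot flood the log) and drop.
"$ipt" -N syn-flood
"$ipt" -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
"$ipt" -A syn-flood -m limit --limit 10/minute -j LOG --log-prefix "SYN flood: "
"$ipt" -A syn-flood -j DROP

"$ipt" -A INPUT -i lo -j ACCEPT
"$ipt" -A INPUT -d 127.0.0.0/8 -j REJECT
# These must precede the blanket interface ACCEPT or they never match.
"$ipt" -A INPUT -m state --state INVALID -j DROP
"$ipt" -A INPUT -p tcp --syn -j syn-flood
"$ipt" -A INPUT -i "$iface" -j ACCEPT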
