软防火墙?脚本一段,cpanel Plesk DirectAdmin 也适用

winder

刚到处晃悠发现的,求加分
1) Download the script to your server. We provide pre-configured variants of the script to just work "out of the box" on your VPS. Choose the appropriate script and run the following command as root.
# no panel ports
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.vps

# cpanel specific ports opened
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.cpanel.vps

# DirectAdmin specific ports opened
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.directadmin.vps

# Plesk specific ports opened
wget -O /etc/init.d/firewall http://vpsinfo.nixhost.net/firewall.psa.vps

This is where the security concious will not take our word for anything and thoroughly read the script first. Go ahead, we'll wait.

2) Make it executable

chmod +x /etc/init.d/firewall

3) Configure it to start at boot

/sbin/chkconfig firewall on

4) Start it.

/sbin/service firewall start
or
/etc/init.d/firewall start

5) See the rules

/sbin/service firewall status

1. #!/bin/bash
   
2. 
   
3. #
   
4. # firewall      This shell script takes care of setting up a firewall for a virtuosso based VPS
   
5. #               (no stateful rules/connection tracking or logging.
   
6. #               Borrows heavily from a script by Dmitry Konstantinov of sw-soft
   
7. #
   
8. #
   
9. # chkconfig: 2345 18 92
   
10. # description: setup firewall configuration
    
11. 
    
12. IPTABLES="/sbin/iptables"
    
13. SERVER_IPS=`/sbin/ifconfig | grep inet | cut -d : -f 2 | cut -d \  -f 1 | grep -v 127.0.0.1`
    
14. 
    
15. FWIN="${IPTABLES} -A INPUT"
    
16. FWOUT="${IPTABLES} -A OUTPUT"
    
17. OK="-j ACCEPT"
    
18. NO="-j DROP"
    
19. 
    
20. 
    
21. # Flush tables and change default policy to DROP
    
22. function initialize() {
    
23.         local TABLE="${1}"
    
24.         ${IPTABLES} -F ${TABLE}
    
25.         ${IPTABLES} -P ${TABLE} DROP
    
26. }
    
27. 
    
28. # Flush tables and change default policy to ACCEPT
    
29. function stop() {
    
30.         local TABLE="${1}"
    
31.         ${IPTABLES} -F ${TABLE}
    
32.         ${IPTABLES} -P ${TABLE} ACCEPT
    
33. }
    
34. 
    
35. # Verify call switch
    
36. case "$1" in
    
37. start|restart)
    
38. 
    
39.         initialize INPUT
    
40.         initialize OUTPUT
    
41.         initialize FORWARD
    
42.         
    
43.          # INPUT
    
44.          # 1) loopback
    
45.          ${FWIN} -i lo ${OK}
    
46.          ${FWIN} -d 127.0.0.0/8 ${NO}
    
47.          
    
48.          # 2) We allow incoming SSH connections and answers to
    
49.          # our own SSH connections:
    
50.          for OURIP in ${SERVER_IPS}; do
    
51.             ${FWIN} -p tcp -d ${OURIP} --dport 22 ${OK}
    
52.             ${FWIN} -p tcp --sport 22 -d ${OURIP} "!" --syn ${OK}
    
53.          done
    
54.          
    
55.          # 3) We allow incoming DNS queries as well as answers to our
    
56.          # DNS queries.
    
57.          for OURIP in ${SERVER_IPS}; do
    
58.             ${FWIN} -p tcp -d ${OURIP} --dport 53 ${OK}
    
59.             ${FWIN} -p udp -d ${OURIP} --dport 53 ${OK}
    
60.             ${FWIN} -p tcp --sport 53 -d ${OURIP} --dport 1024: "!" --syn ${OK}
    
61.             ${FWIN} -p udp --sport 53 -d ${OURIP} --dport 1024: ${OK}
    
62.          done
    
63.          
    
64.          # 4) We allow access to our SMTP server, as well as answers
    
65.          # to our SMTP connections and, temporarily, identd stuff:
    
66.          for OURIP in ${SERVER_IPS}; do
    
67.             ${FWIN} -p tcp -d ${OURIP} --dport 25 ${OK}
    
68.             ${FWIN} -p tcp --sport 25 -d ${OURIP} --dport 1024: "!" --syn ${OK}
    
69.             ${FWIN} -p tcp --sport 1024: -d ${OURIP} --dport 113 ${OK}
    
70.             #${FWIN} -p udp --sport 1024: -d ${OURIP} --dport 113 ${OK}
    
71.             ${FWIN} -p tcp --sport 113 -d ${OURIP} --dport 1024: "!" --syn ${OK}
    
72.             #${FWIN} -p udp --sport 113 -d ${OURIP} --dport 1024: ${OK}
    
73.          done
    
74.          
    
75.          # 5) We also allow access to our POP/sPOP server.
    
76.          for OURIP in ${SERVER_IPS}; do
    
77.            ${FWIN} -p tcp -d ${OURIP} --dport 110 ${OK}
    
78.            ${FWIN} -p tcp -d ${OURIP} --dport 995 ${OK}
    
79.          done
    
80.          
    
81.          # 6) and to IMAP/IMAPs
    
82.          for OURIP in ${SERVER_IPS}; do
    
83.             ${FWIN} -p tcp -d ${OURIP} --dport 143 ${OK}
    
84.             ${FWIN} -p tcp -d ${OURIP} --dport 993 ${OK}
    
85.          done
    
86.          
    
87.          # 7) we would like to be able to use lynx ;)
    
88.          for OURIP in ${SERVER_IPS}; do
    
89.          ${FWIN} -p tcp --sport 80 -d ${OURIP} --dport 1024: "!" --syn ${OK}
    
90.          done
    
91.          
    
92.          # 8) We allow incoming echo replies/requests from everywhere:
    
93.          for OURIP in ${SERVER_IPS}; do
    
94.             ${FWIN} -p icmp -d ${OURIP} --icmp-type 0 ${OK}
    
95.             ${FWIN} -p icmp -d ${OURIP} --icmp-type 3 ${OK}
    
96.             ${FWIN} -p icmp -d ${OURIP} --icmp-type 8 ${OK}
    
97.             ${FWIN} -p icmp -d ${OURIP} --icmp-type 11 ${OK}
    
98.          done
    
99.          
    
100.          # 9) We also would like to allow access to our web server:
     
101.          for OURIP in ${SERVER_IPS}; do
     
102.             ${FWIN} -p tcp -d ${OURIP} --dport 80 ${OK}
     
103.             ${FWIN} -p tcp -d ${OURIP} --dport 443 ${OK}
     
104.          done
     
105. 
     
106.          # 10) people are still crazy enough to use ftp
     
107.          for OURIP in ${SERVER_IPS}; do
     
108.            for PORT in 20 21; do
     
109.              ${FWIN} -p tcp -d ${OURIP} --dport ${PORT} ${OK}
     
110.              ${FWIN} -p tcp --sport  ${PORT} -d ${OURIP} --dport 1024: "!" --syn ${OK}
     
111.              ${FWIN} -p udp -d ${OURIP} --dport ${PORT} ${OK}
     
112.              ${FWIN} -p udp --sport ${PORT} -d ${OURIP} --dport 1024: ${OK}
     
113.            done
     
114.          done
     
115.         
     
116.          # allow answers on high ports
     
117.          ${FWIN} -p tcp -m tcp --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
     
118.          ${FWIN} -p udp -m udp --dport 1024:65535 -j ACCEPT
     
119. 
     
120.          # passive ftp
     
121.          # configure ftp server to allow passive ftp on ports outside of
     
122.          # the local range. Check local range with
     
123.          # cat /proc/sys/net/ipv4/ip_local_port_range
     
124.          #
     
125.          # for pure-ftpd, use --passiveportrange 61001:65535 in
     
126.          # /etc/sysconfig/pure-ftpd
     
127.          #
     
128.          # for proftpd use PassivePorts  61001 65535
     
129.          # in /etc/proftpd.conf
     
130.          #
     
131.          #${FWIN} -p tcp -m tcp --dport 61001:65535 ${OK}       
     
132.          
     
133.          # Everything else is denied by default - policy is DROP.
     
134.          
     
135.          # OUTPUT
     
136.          # 1) Loopback packets.
     
137.          ${FWOUT} -o lo ${OK}
     
138.          ${FWOUT} -s 127.0.0.0/8 ${NO}
     
139.          
     
140.          # 2) We allow all outgoing traffic:
     
141.          for OURIP in ${SERVER_IPS}; do
     
142.             ${FWOUT} -s ${OURIP} ${OK}
     
143.          done
     
144.         
     
145.         ;;
     
146. 
     
147. stop)
     
148.         # turn off the firewall, flush all rules
     
149.         echo "Flushing rulesets.."
     
150. 
     
151.         stop INPUT
     
152.         stop OUTPUT
     
153.         stop FORWARD
     
154. 
     
155.         ;;
     
156. 
     
157. status)
     
158.         # display the current status - both firewall rules and masquerading
     
159.         # connections
     
160. 
     
161.         # list rules. -n avoids DNS lookups
     
162.         $IPTABLES -nL
     
163. 
     
164.         ;;
     
165. 
     
166. *)
     
167.         echo "Usage: firewall {start|stop|restart|status}"
     
168.         exit 1
     
169. esac
     
170. 
     
171. exit 0

复制代码

[ 本帖最后由 winder 于 2011-5-3 17:46 编辑 ]

ATOM

cenots的导入防火墙规则的？

dreams777

偶现在不敢弄了，上次我弄了一个，把我弄的啪唧啪唧的。

winder

原帖由 ATOM 于 2011-5-3 17:42 发表
cenots的导入防火墙规则的？

编辑了下.重新看

walkman660

头晕

稀飯

我回铁是因为我蛋铜

DSN

具体啥作用？

gxfsasd

最怕脚本错误

winder

原帖由 DSN 于 2011-5-3 18:45 发表
具体啥作用？

具体已经更新上去了