# Baseline filter rules. Each line appends (-A) to the end of its chain, so
# they are evaluated in exactly this order.
# Placeholders to fill in before running:
#   IP        - one trusted source address that is allowed unconditionally
#   开放端口  - comma-separated TCP port list in multiport syntax (e.g. 22,80,443)
# NOTE(review): no default policy (iptables -P INPUT DROP) is visible in this
# excerpt; these ACCEPT rules only restrict anything if the chain policy or a
# later rule drops the rest — confirm that is set elsewhere.
iptables --append INPUT --source IP --jump ACCEPT
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
# `-m state` is the legacy match; `-m conntrack --ctstate` is the modern
# equivalent on current kernels and behaves the same for these two states.
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append INPUT --protocol tcp --match multiport --dport 开放端口 --jump ACCEPT
预防攻击的防火墙脚本（两个相互独立的脚本：按来源 IP 统计半开连接数或到 80 端口的并发连接数，超过阈值即自动加入 iptables DROP 规则）:
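#!/bin/bash
# Ban source addresses that hold more than $threshold half-open (SYN_RECV)
# TCP connections at once, the usual signature of a SYN flood. The offending
# addresses are written to $drop_file and each new ban is logged to $log_file.
#
# Changes relative to the previous version:
#   * A DROP is only inserted when no identical rule exists (iptables -C);
#     before, every run re-inserted a duplicate rule for an already-banned
#     address and the chain grew without bound.
#   * The log line used literal curly quotes (“ ”) that were part of the
#     output rather than shell quoting; it is now written with printf.
#   * Only well-formed IPv4 addresses reach iptables. The address is split on
#     ':' so an IPv6 peer (e.g. "2001:db8::1:443") would otherwise yield a
#     mangled token such as "2001".
#   * The threshold can be overridden with THRESHOLD; the default is still 5.
#
# Caveats a reviewer would want noted:
#   * The DROP is inserted at the head of INPUT, so it takes precedence over
#     any ACCEPT for a trusted source and over the ESTABLISHED/RELATED rule.
#     Addresses you administer from are not exempted here; loopback is.
#   * A threshold of 5 is low enough that a NAT gateway with a handful of
#     clients behind it can trip it.
set -euo pipefail

readonly threshold="${THRESHOLD:-5}"
readonly drop_file=/shell_files/dropip
readonly log_file=/shell_files/ddos

# Column 5 of `netstat -an` is the foreign address "ip:port"; strip the port,
# count occurrences per address and keep those strictly above the threshold.
# awk (rather than grep) is used for the state filter so an empty result does
# not fail the pipeline under pipefail.
netstat -an \
  | awk '/SYN_RECV/ {print $5}' \
  | awk -F: '{print $1}' \
  | sort | uniq -c | sort -rn \
  | awk -v max="$threshold" '$1 > max {print $2}' \
  > "$drop_file"

while IFS= read -r ip; do
  # Only dotted-quad addresses are valid here (see IPv6 note above).
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
  # Never block loopback: the rule sits ahead of the `-i lo ACCEPT` rule.
  [[ "$ip" == 127.* ]] && continue
  # -C checks for an identical rule; skip addresses that are already banned.
  if ! /sbin/iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
    /sbin/iptables -I INPUT -s "$ip" -j DROP
    printf '%s kill at %s\n' "$ip" "$(date)" >> "$log_file"
  fi
done < "$drop_file"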
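#!/bin/bash
# Ban source addresses holding more than $threshold ESTABLISHED TCP
# connections to local port 80 (a connection-exhaustion pattern). Each newly
# banned address is printed to stdout and appended to $ban_file.
#
# Changes relative to the previous version:
#   * The port filter was `grep -i ':80'`, which also matched :800, :8080,
#     :8000 and any foreign port starting with 80. The local-address column
#     (4) must now end in ":80" and the state column (6) must be ESTABLISHED.
#   * The DROP is inserted at the head of INPUT (-I) instead of appended (-A).
#     An appended DROP lands after the chain's existing ACCEPT rules — such as
#     the multiport and ESTABLISHED,RELATED accepts in the rule set above — and
#     is never reached for traffic those rules already accept.
#   * Loopback peers are skipped. A local reverse proxy forwarding to :80 can
#     easily hold 50 connections, and with the rule at the chain head the
#     `-i lo ACCEPT` rule would no longer protect it.
#   * Duplicate rules are not added on repeated runs (iptables -C), and an
#     address is echoed/recorded only when it is newly banned.
#   * The threshold can be overridden with THRESHOLD; the default is still 50.
# IPv4 only: the address is split on ':' so IPv6 peers are filtered out rather
# than handed to iptables mangled.
set -euo pipefail

readonly threshold="${THRESHOLD:-50}"
readonly ban_file=/shell_files/banip

# Columns of `netstat -an` for tcp: Proto Recv-Q Send-Q Local Foreign State.
while IFS= read -r ip; do
  [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
  [[ "$ip" == 127.* ]] && continue
  if ! /sbin/iptables -C INPUT -p tcp -s "$ip" -j DROP 2>/dev/null; then
    /sbin/iptables -I INPUT -p tcp -s "$ip" -j DROP
    printf '%s\n' "$ip"
    printf '%s\n' "$ip" >> "$ban_file"
  fi
done < <(
  netstat -an \
    | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED" {print $5}' \
    | cut -d : -f1 \
    | sort | uniq -c \
    | awk -v max="$threshold" '$1 > max {print $2}'
)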