I write a shell for iptables configuration but failed.
It's really strange here.
My shell
#!/bin/bash
#
# The interface that connect Internet
EXTIF="ppp0"
# the inside interface. if you don't have this one
# and you must let this be black ex> INIF=""
INIF="eth0"
INNET="192.168.1.0/24" # This is for NAT's network
IPTABLES="/sbin/iptables"
#flush/erase original rules
$IPTABLES -F #清除所有已制定的rule
$IPTABLES -X #清除用戶自定義的chain/table
$IPTABLES -Z #將所有的chain的計數(shù)和流量統(tǒng)計歸零
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
#default policies
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
#Accept localhost connetting, no matter what it is
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#Accept any response package which is initiated from inside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Drop invalid package
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
#block most common network attacks(recon packets and syn-flood attack)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#open ports for different services
#SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
#HTTP
$IPTABLES -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
#HTTPS
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
#DNS
$IPTABLES -A INPUT -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
#DHCP
$IPTABLES -A INPUT -p udp -m udp --sport 67 --dport 68 -m state --state RELATED,ESTABLISHED -j ACCEPT
#8080
#$IPTABLES -A INPUT -p tcp -m tcp --sport 8080 -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP
#$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT #Secure SMTP
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT #POP3
#$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT #Secure POP
#ICMP configuration
#To prevent ICMP DDOS,we do not allow ICMP type 8(echo-request) or limit this request with 1/second
#some ICMP requests are allowed.
icmp_type="0 3 4 11 12 14 16 18"
for ticmp in $icmp_type
do
$IPTABLES -A INPUT -p icmp --icmp-type $ticmp -j ACCEPT
done
#$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
#FORWARD table
$IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
$IPTABLES -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
#mangle chain
$IPTABLES -A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
$IPTABLES -A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
$IPTABLES -A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
#save
$IPTABLES-save
error log
: not foundh: 5: iptables7.sh:
: not foundh: 11: iptables7.sh:
: not foundh: 13: iptables7.sh: /sbin/iptables
: not foundh: 14: iptables7.sh: /sbin/iptables
: not foundh: 15: iptables7.sh: /sbin/iptables
: not foundh: 16: iptables7.sh: /sbin/iptables
: not foundh: 17: iptables7.sh: /sbin/iptables
: not foundh: 18: iptables7.sh: /sbin/iptables
: not foundh: 19: iptables7.sh:
: not foundh: 20: iptables7.sh:
: not foundh: 21: iptables7.sh:
: not foundh: 22: iptables7.sh:
: not foundh: 24: iptables7.sh: /sbin/iptables
: not foundh: 25: iptables7.sh: /sbin/iptables
: not foundh: 26: iptables7.sh: /sbin/iptables
: not foundh: 27: iptables7.sh:
: not foundh: 28: iptables7.sh:
: not foundh: 30: iptables7.sh: /sbin/iptables
: not foundh: 31: iptables7.sh: /sbin/iptables
: not foundh: 32: iptables7.sh:
: not foundh: 34: iptables7.sh: /sbin/iptables
: not foundh: 35: iptables7.sh: /sbin/iptables
: not foundh: 36: iptables7.sh:
: not foundh: 38: iptables7.sh: /sbin/iptables
: not foundh: 39: iptables7.sh: /sbin/iptables
: not foundh: 40: iptables7.sh:
: not foundh: 42: iptables7.sh: /sbin/iptables
: not foundh: 43: iptables7.sh: /sbin/iptables
: not foundh: 44: iptables7.sh: /sbin/iptables
: not foundh: 45: iptables7.sh:
: not foundh: 46: iptables7.sh:
: not foundh: 49: iptables7.sh: /sbin/iptables
: not foundh: 50: iptables7.sh: /sbin/iptables
: not foundh: 51: iptables7.sh:
: not foundh: 53: iptables7.sh: /sbin/iptables
: not foundh: 54: iptables7.sh: /sbin/iptables
: not foundh: 55: iptables7.sh:
: not foundh: 56: iptables7.sh:
: not foundh: 58: iptables7.sh: /sbin/iptables
: not foundh: 59: iptables7.sh: /sbin/iptables
: not foundh: 60: iptables7.sh:
: not foundh: 62: iptables7.sh: /sbin/iptables
: not foundh: 63: iptables7.sh: /sbin/iptables
: not foundh: 64: iptables7.sh: /sbin/iptables
: not foundh: 65: iptables7.sh: /sbin/iptables
: not foundh: 66: iptables7.sh:
: not foundh: 68: iptables7.sh: /sbin/iptables
: not foundh: 69: iptables7.sh:
: not foundh: 70: iptables7.sh:
: not foundh: 73: iptables7.sh:
: not foundh: 74: iptables7.sh:
: not foundh: 79: iptables7.sh:
: not foundh: 80: iptables7.sh:
iptables7.sh: 86: iptables7.sh: Syntax error: word unexpected (expecting "do")
We can find iptables in sbin directory.And then I can't understand the last message:there is true "do" on it.Why does it still expert a "do" ?
Any help will be appreciated.
Thanks.
PS:
more datails
If I use "ipatbles" instead of parameter "IPTABLES",the six rules following can be executed.
iptables -F
iptables -X
iptables -Z
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
but others still failed again.
I get this
But I think this is more inportant
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
I don't know how to active it.
Thank you again.
北大青鳥APTECH成立于1999年。依托北京大學(xué)優(yōu)質(zhì)雄厚的教育資源和背景,秉承“教育改變生活”的發(fā)展理念,致力于培養(yǎng)中國IT技能型緊缺人才,是大數(shù)據(jù)專業(yè)的國家
北大青鳥中博軟件學(xué)院創(chuàng)立于2003年,作為華東區(qū)著名互聯(lián)網(wǎng)學(xué)院和江蘇省首批服務(wù)外包人才培訓(xùn)基地,中博成功培育了近30000名軟件工程師走向高薪崗位,合作企業(yè)超4
中公教育集團(tuán)創(chuàng)建于1999年,經(jīng)過二十年潛心發(fā)展,已由一家北大畢業(yè)生自主創(chuàng)業(yè)的信息技術(shù)與教育服務(wù)機(jī)構(gòu),發(fā)展為教育服務(wù)業(yè)的綜合性企業(yè)集團(tuán),成為集合面授教學(xué)培訓(xùn)、網(wǎng)
達(dá)內(nèi)教育集團(tuán)成立于2002年,是一家由留學(xué)海歸創(chuàng)辦的高端職業(yè)教育培訓(xùn)機(jī)構(gòu),是中國一站式人才培養(yǎng)平臺、一站式人才輸送平臺。2014年4月3日在美國成功上市,融資1
曾工作于聯(lián)想擔(dān)任系統(tǒng)開發(fā)工程師,曾在博彥科技股份有限公司擔(dān)任項目經(jīng)理從事移動互聯(lián)網(wǎng)管理及研發(fā)工作,曾創(chuàng)辦藍(lán)懿科技有限責(zé)任公司從事總經(jīng)理職務(wù)負(fù)責(zé)iOS教學(xué)及管理工作。
浪潮集團(tuán)項目經(jīng)理。精通Java與.NET 技術(shù), 熟練的跨平臺面向?qū)ο箝_發(fā)經(jīng)驗,技術(shù)功底深厚。 授課風(fēng)格 授課風(fēng)格清新自然、條理清晰、主次分明、重點難點突出、引人入勝。
精通HTML5和CSS3;Javascript及主流js庫,具有快速界面開發(fā)的能力,對瀏覽器兼容性、前端性能優(yōu)化等有深入理解。精通網(wǎng)頁制作和網(wǎng)頁游戲開發(fā)。
具有10 年的Java 企業(yè)應(yīng)用開發(fā)經(jīng)驗。曾經(jīng)歷任德國Software AG 技術(shù)顧問,美國Dachieve 系統(tǒng)架構(gòu)師,美國AngelEngineers Inc. 系統(tǒng)架構(gòu)師。