网络安全——Linux主机iptables策略脚本(抗DDOS)

#!/bin/bash

############################################################
# Absolute path of the iptables binary; every rule in this script goes through it.
IPT="/sbin/iptables"
# Progress banner. The script's user-facing messages are in Turkish and are
# kept verbatim.
printf '%s\n' "Iptables Kurallari Guncelleniyor..."
# Clear0 - discard this script's previous state before rebuilding it.
# Globals:  IPT (read)
# Effects:  clears the terminal, flushes every chain of the mangle table and
#           removes all user-defined chains in it (so the port-scanning chain
#           created later can be re-created on a re-run).
# Only the mangle table is touched; filter/nat rules owned by other tooling
# are left alone.
Clear0() {
	clear
	"$IPT" --table mangle --flush
	"$IPT" --table mangle --delete-chain
}
Clear0 2>/dev/null
# All rules live in mangle/PREROUTING, which is traversed before filter/INPUT;
# conntrack has already classified the packet at that point, so state matches
# work here. First: let anything belonging to a known flow straight through.
"$IPT" --table mangle --append PREROUTING --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
# Packets conntrack cannot attribute to any flow (out-of-window segments,
# stray RST/ACK without a connection, ...) are dropped outright.
"$IPT" --table mangle --append PREROUTING --match conntrack --ctstate INVALID --jump DROP
# A NEW TCP flow has to begin with a SYN; any other first packet is a probe.
"$IPT" --table mangle --append PREROUTING --protocol tcp ! --syn --match conntrack --ctstate NEW --jump DROP
# Refuse SYNs advertising an MSS below 536: tiny-MSS floods force the kernel
# to emit many small segments per response.
"$IPT" --table mangle --append PREROUTING --protocol tcp --match conntrack --ctstate NEW --match tcpmss ! --mss 536:65535 --jump DROP
# Drop TCP packets carrying flag combinations no real stack emits
# (NULL, XMAS, SYN+FIN, SYN+RST, FIN without ACK, ...). Each data line below
# is "<mask> <expected>" exactly as iptables --tcp-flags takes it, applied in
# the original order. Some pairs overlap (e.g. ALL/NONE repeats the first
# line); that redundancy is deliberately preserved.
while read -r flag_mask flag_set; do
	[ -n "$flag_mask" ] || continue
	"$IPT" --table mangle --append PREROUTING --protocol tcp --tcp-flags "$flag_mask" "$flag_set" --jump DROP
done <<'EOF'
FIN,SYN,RST,PSH,ACK,URG NONE
FIN,SYN FIN,SYN
SYN,RST SYN,RST
SYN,FIN SYN,FIN
FIN,RST FIN,RST
FIN,ACK FIN
ACK,URG URG
ACK,FIN FIN
ACK,PSH PSH
ALL ALL
ALL NONE
ALL FIN,PSH,URG
ALL SYN,FIN,PSH,URG
ALL SYN,RST,ACK,FIN,URG
EOF
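# Whitelist the IPv4 subnet(s) of every Docker network so container/bridge
# traffic is not caught by the private-range drops further down. Best effort:
# with no docker binary or a stopped daemon nothing is added.

# ipv4_cidrs_only - keep only IPv4 CIDR tokens from whitespace-separated input.
# Reads stdin, prints one CIDR per line (nothing if there is none).
# Why: a network may carry several IPAM entries (dual-stack or multi-subnet).
# The original template glued them together with no separator, producing a
# single bogus token, and iptables (IPv4) rejects IPv6 subnets anyway; either
# case made the ACCEPT rule fail and the network stayed unwhitelisted.
ipv4_cidrs_only() {
	tr -s '[:space:]' '\n' | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'
}

docker network ls -q 2>/dev/null | while read -r NETID; do
	[ -z "$NETID" ] && continue
	# Trailing space after each subnet keeps multiple entries separable.
	SUBNETS="$(docker inspect "$NETID" -f '{{range .IPAM.Config}}{{.Subnet}} {{end}}')"
	printf '%s\n' "$SUBNETS" | ipv4_cidrs_only | while read -r SUBNET; do
		echo "$SUBNET"
		"$IPT" -t mangle -A PREROUTING -s "$SUBNET" -j ACCEPT
	done
done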
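# When the host sits behind NAT (its own first address differs from what the
# Internet sees), whitelist the subnet of the default-route interface so LAN
# peers are not hit by the RFC1918 drops below.
#
# NOTE(review): the NAT check depends on an outbound request to ifconfig.me at
# rule-load time. If that call fails the two values differ and the local
# subnet is whitelisted anyway (the permissive direction), but an external
# service in the boot path of a firewall script is fragile; a local test of
# whether MSTCIP1 falls inside a private range would remove the dependency.

# dev_from_route - print the interface name from one `ip route get` line.
# Reads stdin. Handles both "via GW dev IF ..." and the directly-connected
# "dev IF ..." form; the original fixed field $5 only worked for the former.
dev_from_route() {
	awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# primary_cidr_of_dev - print the first IPv4 address/prefix on interface $1.
# Prints nothing when $1 is empty or "lo". Why: without this guard a failed
# route lookup fell through to `ip -4 addr show` with no device, whose first
# inet entry is lo, and 127.0.0.1/8 was whitelisted from every interface
# ahead of the loopback-spoof drop rule below.
primary_cidr_of_dev() {
	if [ -z "$1" ] || [ "$1" = "lo" ]; then
		return 0
	fi
	ip -4 addr show "$1" 2>/dev/null | grep -oP 'inet \K[\d.]+/\d+' | head -n1
}

MSTCIP1=$(hostname -I 2>/dev/null | awk '{print $1}')
MSTCIP2=$(curl -4s ifconfig.me)
L_DEV=$(ip -4 route get 1.1.1.1 2>/dev/null | dev_from_route)
L_CIDR=$(primary_cidr_of_dev "$L_DEV")
if [ "${MSTCIP1:-'0'}" != "${MSTCIP2:-'1'}" ]; then
	if [ -n "$L_CIDR" ]; then
		echo "$L_CIDR"
		"$IPT" -t mangle -A PREROUTING -s "$L_CIDR" -j ACCEPT
	fi
fi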
# Anti-spoofing: source addresses that must never arrive from outside.
# Order matches the original; 240.0.0.0/5 is already contained in
# 224.0.0.0/3 but is kept as written.
# NOTE(review): 10/8, 172.16/12 and 192.168/16 are dropped on every
# interface. Only the Docker subnets and, behind NAT, the default-route
# subnet were whitelisted above, so traffic from other private-addressed
# interfaces (VPN tunnels, a secondary LAN) is dropped here.
for bad_src in 224.0.0.0/3 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 10.0.0.0/8 0.0.0.0/8 240.0.0.0/5; do
	"$IPT" --table mangle --append PREROUTING --source "$bad_src" --jump DROP
done
# Loopback sources are legitimate only on lo itself.
"$IPT" --table mangle --append PREROUTING --source 127.0.0.0/8 ! --in-interface lo --jump DROP
# No ICMP at all (no ping) and no IP fragments.
# NOTE(review): this also drops ICMP type 3 code 4 ("fragmentation needed"),
# which silently breaks Path MTU discovery for clients behind a smaller MTU
# (tunnels, PPPoE); accepting that single type is the usual compromise.
"$IPT" --table mangle --append PREROUTING --protocol icmp --jump DROP
"$IPT" --table mangle --append PREROUTING --fragment --jump DROP
# Limit0 - optional per-host rate limits, appended to mangle/INPUT.
# Not invoked by default (its call below the function is commented out).
# Globals:  IPT (read)
# NOTE(review): the RST and NEW-connection limits use `-m limit`, which is one
# global token bucket, not a per-source one: a single aggressive client
# exhausts it and legitimate clients are dropped too (hashlimit with
# --hashlimit-mode srcip scopes it per address). Also, the kernel's REJECT
# target is registered for the filter table; whether it is accepted in
# mangle/INPUT on the target system should be verified before enabling this.
Limit0() {
	# At most 111 concurrent TCP connections per source address.
	"$IPT" --table mangle --append INPUT --protocol tcp --match connlimit --connlimit-above 111 --jump REJECT --reject-with tcp-reset
	# Incoming RSTs: 2/s with a burst of 2, the rest dropped.
	"$IPT" --table mangle --append INPUT --protocol tcp --tcp-flags RST RST --match limit --limit 2/s --limit-burst 2 --jump ACCEPT
	"$IPT" --table mangle --append INPUT --protocol tcp --tcp-flags RST RST --jump DROP
	# New TCP connections: 60/s with a burst of 20, the rest dropped.
	"$IPT" --table mangle --append INPUT --protocol tcp --match conntrack --ctstate NEW --match limit --limit 60/s --limit-burst 20 --jump ACCEPT
	"$IPT" --table mangle --append INPUT --protocol tcp --match conntrack --ctstate NEW --jump DROP
	# SSH: record every new connection per source; the 10th within 60 s is
	# dropped. "ssh" is resolved via /etc/services, so a daemon on a
	# non-standard port is not covered.
	"$IPT" --table mangle --append INPUT --protocol tcp --dport ssh --match conntrack --ctstate NEW --match recent --set
	"$IPT" --table mangle --append INPUT --protocol tcp --dport ssh --match conntrack --ctstate NEW --match recent --update --seconds 60 --hitcount 10 --jump DROP
}
#Limit0   # disabled: the rate limits in Limit0 are global buckets, see the note on the function before enabling
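# Port-scan throttle: TCP packets with RST alone (of SYN/ACK/FIN/RST) are
# let through at 1/s with a burst of 2 and dropped beyond that.
"$IPT" -t mangle -N port-scanning
"$IPT" -t mangle -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
"$IPT" -t mangle -A port-scanning -j DROP
# The chain was previously created but never referenced, so it had no effect.
# Only RST-only packets are sent into it: its last rule is an unconditional
# DROP, so a broader jump would drop all other TCP traffic.
# NOTE(review): appended at the end of PREROUTING this sees only RSTs that
# survived the ESTABLISHED accept and the INVALID drop earlier in the chain;
# a bare RST with no conntrack entry is normally classified INVALID, so the
# practical effect is expected to be small — check the rule counters.
"$IPT" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning
echo "IPTABLES BASARILI!"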