{"id":898,"date":"2026-04-01T02:48:42","date_gmt":"2026-04-01T02:48:42","guid":{"rendered":"https:\/\/opshub.com.cn\/?p=898"},"modified":"2026-04-01T02:49:43","modified_gmt":"2026-04-01T02:49:43","slug":"%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8-linux%e4%b8%bb%e6%9c%baiptables%e7%ad%96%e7%95%a5%e8%84%9a%e6%9c%ac%ef%bc%88%e6%8a%97ddos%ef%bc%89","status":"publish","type":"post","link":"https:\/\/opshub.com.cn\/?p=898","title":{"rendered":"\u7f51\u7edc\u5b89\u5168\u2014\u2014Linux\u4e3b\u673aiptables\u7b56\u7565\u811a\u672c\uff08\u6297DDOS\uff09"},"content":{"rendered":"\n
#!\/bin\/bash\n\n############################################################\nIPT=\/sbin\/iptables\necho \"Iptables Kurallari Guncelleniyor...\"\nClear0() {\n\tclear\n\t$IPT -t mangle -F\n\t$IPT -t mangle -X\n}\nClear0 2>\/dev\/null\n# \u653e\u884c\u5df2\u5efa\u7acb\u7684\u8fde\u63a5 (\u4fdd\u8bc1\u670d\u52a1\u6b63\u5e38\u8fd0\u884c)\n$IPT -t mangle -A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n# \u4e22\u5f03\u65e0\u6548\u8fde\u63a5\n$IPT -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP\n# \u62d2\u7edd\u975eSYN\u65b0\u5efa\u8fde\u63a5\n$IPT -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP\n# \u9650\u5236MSS\u503c\n$IPT -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP\n# \u62e6\u622a\u6240\u6709\u975e\u6cd5TCP\u6807\u5fd7\u4f4d (\u9632XMAS\/NULL\/SYN\u6d2a\u6c34\u7b49)\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP\n$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP\n# \u81ea\u52a8\u83b7\u53d6\u6240\u6709 Docker \u7f51\u7edc\u7684\u5b50\u7f51,\u628a Docker \u5b50\u7f51 \u653e\u884c\ndocker network ls -q 2>\/dev\/null | while read NETID; do\n\t[ -z \"$NETID\" ] && continue\n\tSUBNET=\"$(docker inspect $NETID -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}')\"\n\tif [ -n \"$SUBNET\" ]; then\n\t\techo \"$SUBNET\"\n\t\t$IPT -t mangle -A PREROUTING -s \"$SUBNET\" -j ACCEPT\n\tfi\ndone\n# \u5185\u7f51IP \u2260 \u51fa\u53e3\u516c\u7f51IP \u65f6\uff0c\u653e\u884c\u672c\u5730\u7f51\u6bb5\nMSTCIP1=$(hostname -I | awk '{print $1}')\nMSTCIP2=$(curl -4s ifconfig.me)\nL_CIDR=$(ip -4 addr show $(ip -4 route get 1.1.1.1 | awk '{print $5}') | grep -oP 'inet \\K[\\d.]+\/\\d+' | head -n1)\nif [ \"${MSTCIP1:-'0'}\" != \"${MSTCIP2:-'1'}\" ]; then\n\tif [ -n \"$L_CIDR\" ]; then\n\t\techo \"$L_CIDR\"\n\t\t$IPT -t mangle -A PREROUTING -s \"$L_CIDR\" -j ACCEPT\n\tfi\nfi\n# \u62e6\u622a\u79c1\u6709\/\u4fdd\u7559IP\u6bb5 (\u9632\u4f2a\u9020IP)\n$IPT -t mangle -A PREROUTING -s 224.0.0.0\/3 -j DROP\n$IPT -t mangle -A PREROUTING -s 169.254.0.0\/16 -j DROP\n$IPT -t mangle -A PREROUTING -s 172.16.0.0\/12 -j DROP\n$IPT -t mangle -A PREROUTING -s 192.0.2.0\/24 -j DROP\n$IPT -t mangle -A PREROUTING -s 192.168.0.0\/16 -j DROP\n$IPT -t mangle -A PREROUTING -s 10.0.0.0\/8 -j DROP\n$IPT -t mangle -A PREROUTING -s 0.0.0.0\/8 -j DROP\n$IPT -t mangle -A PREROUTING -s 240.0.0.0\/5 -j DROP\n$IPT -t mangle -A PREROUTING -s 127.0.0.0\/8 ! -i lo -j DROP\n# \u7981\u7528ICMP (\u7981ping) + \u4e22\u5f03IP\u5206\u7247\n$IPT -t mangle -A PREROUTING -p icmp -j DROP\n$IPT -t mangle -A PREROUTING -f -j DROP\nLimit0() {\n\t# \u5355IP\u6700\u5927TCP\u8fde\u63a5\u6570 111\n\t$IPT -t mangle -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset\n\t# \u9650\u5236RST\u5305\u9891\u7387\n\t$IPT -t mangle -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2\/s --limit-burst 2 -j ACCEPT\n\t$IPT -t mangle -A INPUT -p tcp --tcp-flags RST RST -j DROP\n\t# \u9650\u5236\u65b0\u5efaTCP\u8fde\u63a5\u901f\u7387\n\t$IPT -t mangle -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60\/s --limit-burst 20 -j ACCEPT\n\t$IPT -t mangle -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP\n\t# SSH\u9632\u66b4\u529b\u7834\u89e3 (60\u79d2\u5185\u6700\u591a10\u6b21\u8fde\u63a5)\n\t$IPT -t mangle -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set\n\t$IPT -t mangle -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP\n}\n#Limit0\n# \u7aef\u53e3\u626b\u63cf\u9632\u62a4\n$IPT -t mangle -N port-scanning\n$IPT -t mangle -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1\/s --limit-burst 2 -j RETURN\n$IPT -t mangle -A port-scanning -j DROP\nsleep 1\necho \"IPTABLES BASARILI!\"\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-898","post","type-post","status-publish","format-standard","hentry","category-9"],"_links":{"self":[{"href":"https:\/\/opshub.com.cn\/index.php?rest_route=\/wp\/v2\/posts\/898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opshub.com.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opshub.com.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opshub.com.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/opshub.com.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=898"}],"version-history":[{"count":1,"href":"https:\/\/opshub.com.cn\/index.php?rest_route=\/wp\/v2\/posts\/898\/revisions"}],"predecessor-version":[{"id":900,"href":"https:\/\/opshub.com.cn\/index.php?rest_route=\/wp\/v2\/posts\/898\/revisions\/900"}],"wp:attachment":[{"href":"https:\/\/opshub.com.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opshub.com.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opshub.com.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}