服务器放电信机房 配置了LAMP环境 用于提供网站服务 帮我看看下面的设置够吗? 要怎么改进?
#!/bin/bash
#Do iptables based masquerading and firewalling.
#~spot,07/05/2009
#Ser default PATH
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
#Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
#Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
#Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log spoofed packets,source routed packets,redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#Clean old iptables
iptables -F
iptables -X
iptables nat -F
iptables nat -X
#Allow forwarding through the internet interface
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Default forward policy to DROP
iptables -P FORWARD DROP
#Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.111:22
#Firewall Rules
#Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp !--syn -m state --state NEW -j DROP
#Fragments: Don't trust the little buggers. Send'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix"IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
#Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
#Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
#DNS
#Allow UDP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
#SSH
#Allow all shhd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
#HTTP
#Allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state -state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
#FTP
#Allow all ftpd incoming connections
#iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
#Enable active ftp transfers
#iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Enable passive ftp transfers
#iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Enable ident probes (IRC)
#iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
#Allow ICMP in if it is related to other connections
#iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow bot traffic through
#iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
#Enable dcc
#iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
#LOGGING:
#UDP,log&drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix"IPTABLES UDP-IN:"
iptables -A INPUT -i eth0 -p udp -j DROP
#ICMP, log&drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix"IPTABLES ICMP-IN:"
iptables -A -INPUT -i eth0 -p icmp -j DROP
#Windows NetBIOS noise,log&drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix"IPTABLES NETBIOS-IN:"
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
#IGMP noise, log&drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix"IPTABLES IGMP-IN:"
iptables -A INPUT -i eth0 -p 2 -j DROP
#TCP, log&drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix"IPTABLES TCP-IN:"
iptables -A INPUT -i eth0 -p tcp -j DROP
#Anything else not allowed, log&drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix"IPTABLES UNKNOWN-IN:"
iptables -A INPUT -i eth0 -j DROP
