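#!/bin/bash
# BY kerryhu
# QQ:263205768
# MAIL:king_819@163.com
# BLOG:http://kerry.blog.51cto.com
# this is a common firewall created by 2010-3-27
#
# Host firewall for a single server: default DROP on INPUT/OUTPUT/FORWARD,
# loopback and established/related traffic allowed, then an explicit
# allow-list of outbound services and inbound management addresses.
#
# Install (run once as root):
#   chmod +x /root/iptables.sh
#   echo "/root/iptables.sh" >> /etc/rc.local
# The rc.local append is not idempotent; check the file before adding it again.
#
# Only /sbin/iptables (IPv4) is configured here. The IPv6 tables (ip6tables)
# are not touched by this script and keep whatever policy they already have.
#echo "Starting kerryhu-iptables rules..."

set -u

IPT="/sbin/iptables"
CONNECTION_TRACKING="1"
readonly IPT CONNECTION_TRACKING

CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
# The following are defined for reference only; no rule below uses them.
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
LOOPBACK_INTERFACE="lo"
readonly CLASS_A CLASS_B CLASS_C CLASS_D_MULTICAST CLASS_E_RESERVED_NET
readonly BROADCAST_SRC BROADCAST_DEST LOOPBACK_INTERFACE

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Number of iptables invocations that returned non-zero; reported at the end.
failed=0

# Run one iptables command. A failing rule is reported on stderr and counted,
# but loading continues so that the rules after it (notably the SSH allow)
# are still installed; the script exits non-zero at the end if anything failed.
rule() {
  if ! "$IPT" "$@"; then
    printf 'iptables command failed: %s %s\n' "$IPT" "$*" >&2
    failed=$((failed + 1))
  fi
}

# Refuse to run where every rule would fail anyway; nothing has been
# changed yet at this point, so aborting is safe.
[[ "$EUID" -eq 0 ]] || die "this script must be run as root"
[[ -x "$IPT" ]] || die "$IPT not found or not executable"

# Remove any existing rules
rule -F
rule -X

# setting default firewall policy
# Policies are set before the allow rules, so the host is closed (fail-closed)
# while the rest of the list loads; an existing SSH session survives because
# TCP retransmits until the ESTABLISHED rule below is in place.
rule -P FORWARD DROP
rule -P INPUT DROP
rule -P OUTPUT DROP

# setting for loopback interface
rule -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
rule -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# Stealth Scans and TCP State Flags
# All of the bits are cleared
rule -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
rule -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
rule -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
rule -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
rule -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
rule -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
rule -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# Using Connection State to By-pass Rule Checking
if [[ "$CONNECTION_TRACKING" == "1" ]]; then
  rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m state --state INVALID -j DROP
  rule -A OUTPUT -m state --state INVALID -j DROP
fi

##################################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface's IP address
#
# These matches carry no -i qualifier, so they also drop traffic from any
# host on a private LAN attached to this machine. If such hosts need access,
# add "-i <EXTERNAL_IF>" (placeholder: substitute the real interface name)
# to each of the three rules.
# Refuse packets claiming to be from a Class A private network
rule -A INPUT -s "$CLASS_A" -j DROP
# Refuse packets claiming to be from a Class B private network
rule -A INPUT -s "$CLASS_B" -j DROP
# Refuse packets claiming to be from a Class C private network
rule -A INPUT -s "$CLASS_C" -j DROP
rule -A INPUT -s 0.0.0.0/8 -j DROP
rule -A INPUT -s 169.254.0.0/16 -j DROP
rule -A INPUT -s 192.0.2.0/24 -j DROP

###################################################################
# setting access rules
# allow outbound DNS resolution
rule -A OUTPUT -p udp --dport 53 -j ACCEPT
#$IPT -A OUTPUT -p tcp -d 61.177.7.1 --dport 53 -j ACCEPT
#$IPT -A OUTPUT -p udp -d 61.177.7.1 --dport 53 -j ACCEPT
# clock synchronisation (all protocols to this host; the commented rule
# below is the narrower UDP/123-only form)
rule -A OUTPUT -d 192.43.244.18 -j ACCEPT
#$IPT -A OUTPUT -p udp -d 192.43.244.18 --dport 123 -j ACCEPT
# allow outbound ping
rule -A OUTPUT -p icmp -j ACCEPT
# allow FTP backup (all protocols to this host; the commented rules below
# are the narrower ports 20/21-only form)
#$IPT -A OUTPUT -p tcp -d 222.102.153.191 --dport 21 -j ACCEPT
#$IPT -A OUTPUT -p tcp -d 222.102.153.191 --dport 20 -j ACCEPT
rule -A OUTPUT -d 222.102.153.191 -j ACCEPT
# allow outbound HTTP
rule -A OUTPUT -p tcp --dport 80 -j ACCEPT
# allow yum updates
# The hostname is resolved once, when this command runs. At boot (rc.local)
# DNS may not be reachable yet; then this single rule fails and is reported,
# and loading continues. Substituting the mirror's IP address avoids that.
rule -A OUTPUT -p tcp -d mirrors.163.com -j ACCEPT
# allow inbound SSH (from one management address only)
rule -A INPUT -p tcp -s 58.102.13.91 --dport 22 -j ACCEPT
# allow cacti monitoring (all protocols from this host; the commented rule
# below is the narrower SNMP-only form)
#$IPT -A INPUT -p tcp -s 222.102.153.192 --dport 161 -j ACCEPT
rule -A INPUT -s 222.102.153.192 -j ACCEPT
#$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
#$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT

if (( failed > 0 )); then
  die "$failed iptables command(s) failed; the loaded rule set is incomplete"
fi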