iptables

iptables/iptables_conntrack.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+## Iptables 2016-07-21
+## http://www.aqzt.com
+##email: [email protected]
+##robert yu
+##centos 7
+
+
+#查看
+#iptables -t raw -L -n
+
+/sbin/iptables -F
+
+##清除raw
+/sbin/iptables -t raw -F
+
+/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
+/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
+
+##设置Iptables禁止对连接数较大的服务进行跟踪
+/sbin/iptables -A INPUT -m state --state UNTRACKED,ESTABLISHED,RELATED -j ACCEPT
+/sbin/iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
+/sbin/iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
+
+/sbin/iptables -A OUTPUT -j ACCEPT
+/sbin/iptables -A INPUT   -s 192.168.10.12 -p tcp --dport 22  -j ACCEPT
+/sbin/iptables -A INPUT   -s 192.168.10.15 -p tcp --dport 22  -j ACCEPT
+/sbin/iptables -A INPUT   -s 192.168.10.0/255.255.255.0 -p icmp -j ACCEPT
+/sbin/iptables -A INPUT  -p tcp --dport 443  -j ACCEPT
+/sbin/iptables -A INPUT  -p tcp --dport 80  -j ACCEPT
+
+/sbin/iptables -A INPUT -j REJECT
+/sbin/iptables -A FORWARD -j REJECT
+
+/sbin/service iptables save
+echo ok

shell/ipv6.sh

@@ -3,13 +3,16 @@
 ## http://www.aqzt.com
 ##email: [email protected]
 ##robert yu
-##centos 6和centos 7
+##centos 7
 
 # /etc/sysctl.conf
 echo "NETWORKING_IPV6=no">>/etc/sysconfig/network
 
+echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
+echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+
 # /etc/sysctl.conf
-cat >>/etc/sysctl.conf<<EOF
+cat >/etc/sysctl.conf<<EOF
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv4.tcp_syn_retries = 1