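#!/usr/bin/env bash
# Minimal host firewall.
#
# 1. Hardens the IPv4 stack through /proc/sys (broadcast pings, SYN cookies,
#    source routing, ICMP redirects, reverse-path filtering, martian logging).
# 2. Installs an iptables ruleset that allows loopback, packets belonging to
#    connections this host opened, and inbound SSH (tcp/22) from any source.
#    Everything else is dropped. A matching ip6tables ruleset is installed
#    when ip6tables is present, because iptables filters IPv4 only.
#
# Must run as root. Run it from the console or a session you can afford to
# lose: the live ruleset is replaced. Neither the /proc/sys values nor the
# rules survive a reboot -- persist them with sysctl.d and iptables-save.
set -euo pipefail

readonly IPT=/sbin/iptables
readonly IP6T=/sbin/ip6tables
readonly SSH_PORT=22

#######################################
# Write a value to a /proc/sys pseudo-file.
# Arguments: $1 - value, $2 - path
#######################################
set_knob() {
  local value=$1 path=$2
  printf '%s\n' "$value" > "$path"
}

#######################################
# Apply a per-interface conf knob to conf/all, conf/default and every
# existing interface of one address family.
# Setting conf/all alone is NOT enough for some knobs: the kernel ORs
# conf/all with conf/<if> for send_redirects (and for accept_redirects on a
# non-forwarding host), so a per-interface value of 1 would keep the feature
# on. Writing every directory sidesteps the per-knob combination rules.
# Arguments: $1 - family (ipv4|ipv6), $2 - knob name, $3 - value
#######################################
set_conf() {
  local family=$1 knob=$2 value=$3 dir
  for dir in /proc/sys/net/"$family"/conf/*/; do
    # An unmatched glob stays literal (e.g. no IPv6 support); -w skips it.
    if [[ -w "${dir}${knob}" ]]; then
      set_knob "$value" "${dir}${knob}"
    fi
  done
}

#######################################
# Install the host ruleset for one iptables binary.
# Rules are appended BEFORE the default policies are switched to DROP so an
# existing SSH session is never left without an ACCEPT rule mid-run.
# Arguments: $1 - iptables binary, $2 - ICMP protocol name for this family
#######################################
install_rules() {
  local ipt=$1 icmp=$2

  # Start from a clean filter table: rules, user-defined chains, counters.
  "$ipt" --flush
  "$ipt" --delete-chain
  "$ipt" --zero

  # Loopback is unrestricted.
  "$ipt" -A INPUT  -i lo -j ACCEPT
  "$ipt" -A OUTPUT -o lo -j ACCEPT

  # Packets of tracked (or related) connections pass without further checks;
  # outbound connections may be initiated freely.
  "$ipt" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$ipt" -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

  # IPv6 neighbour discovery and router advertisements are ICMPv6; dropping
  # them breaks IPv6 connectivity entirely. IPv4 ICMP stays blocked (no rule
  # for it is added, so the default DROP applies). Tighten by --icmpv6-type
  # if a stricter policy is wanted.
  if [[ "$icmp" == "ipv6-icmp" ]]; then
    "$ipt" -A INPUT -p "$icmp" -j ACCEPT
  fi

  # Inbound SSH from anywhere. Add -s <cidr> to limit the source range.
  "$ipt" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

  # Explicit catch-all; the default policy below covers it as well.
  "$ipt" -A INPUT -j DROP

  # Default policies last (see header comment).
  "$ipt" -P INPUT   DROP
  "$ipt" -P OUTPUT  DROP
  "$ipt" -P FORWARD DROP
}

main() {
  if (( EUID != 0 )); then
    printf 'error: must be run as root\n' >&2
    exit 1
  fi

  # --- kernel network hardening ------------------------------------------
  # Ignore echo requests sent to broadcast/multicast addresses (smurf
  # amplification).
  set_knob 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # SYN cookies keep the listen queue usable under a SYN flood.
  set_knob 1 /proc/sys/net/ipv4/tcp_syncookies
  # Refuse source-routed packets.
  set_conf ipv4 accept_source_route 0
  set_conf ipv6 accept_source_route 0
  # Neither accept nor emit ICMP redirects (route manipulation).
  set_conf ipv4 accept_redirects 0
  set_conf ipv4 send_redirects 0
  set_conf ipv6 accept_redirects 0
  # Strict reverse-path filtering: drops packets whose source address is not
  # routable back through the receiving interface. NOTE: breaks asymmetric
  # routing; use 2 (loose) on multi-homed hosts.
  set_conf ipv4 rp_filter 1
  # Log packets with impossible source addresses ("martians").
  set_conf ipv4 log_martians 1

  # --- packet filter -----------------------------------------------------
  install_rules "$IPT" icmp

  # iptables filters IPv4 only. A host with IPv6 addresses is unfiltered on
  # IPv6 unless ip6tables gets an equivalent policy.
  if [[ -x "$IP6T" ]]; then
    install_rules "$IP6T" ipv6-icmp
  else
    printf 'warning: %s not found; IPv6 traffic is NOT filtered\n' "$IP6T" >&2
  fi
}

main "$@"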
以上实例建立了一个 IPv4 主机防火墙：只放行回环接口、本机已建立连接的回包以及入站 SSH（tcp/22）；其它入站流量（包括 ICMP）由默认的 DROP 策略丢弃，并没有单独"关闭 ICMP"。注意 iptables 只过滤 IPv4，启用了 IPv6 的主机还需要配套的 ip6tables 规则；/proc/sys 中的设置和这些规则在重启后都不会保留。