请帮忙测试安全状况如何

serpron

下面是我的iptables脚本,花了很长时间配置的,请帮忙分析一下安全漏洞,先谢了!

#! /bin/bash
#Enable Ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables......."

#Preparing .......
echo "preparing..........."
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp


#flush all
echo "Flushing .........."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#DROP all filter and Enable others
echo "Droping.............."
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#INPUT
echo "Preparing INPUT.................."
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -s ! 192.168.0.0/24 -d 192.168.0.0/24 -j DROP
iptables -A INPUT -j MIRROR

#OUTPUT
echo "Preparing OUTPUT..............."
iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT

#FORWARD
echo "Preparing FORWARD...................."
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i eth0 -s ! 192.168.0.0/24 -d 192.168.0.0/24 -j DROP

#NAT
echo "Preparing NAT..............."
#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 7788
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

#ftp
echo "About Ftp Preparing................."
#iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

serpron

最后的ftp段中注释的两条是我认为多余的