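#!/bin/bash
# establish a static firewall
#
# Scope note: `iptables -P INPUT DROP` is commented out (as in the original)
# and so are the two REJECT rules at the end.  This script therefore only
# *adds* ACCEPT rules to an INPUT chain whose policy is still ACCEPT; until
# one of those is enabled, the chain does not actually block anything.

open_ports=(80 25 110 10)   # ports this server opens to the outside
allow_ports=(53 80 20 21)   # services whose replies may come back in from the internet

# init
# NB: "//" is not a comment in shell.  The original put the explanations
# after "//" on the command line, so iptables received them as extra
# arguments and failed; they are real "#" comments now.
iptables -F          # --flush: delete all rules in all chains (filter table)
iptables -X          # delete every user-defined chain
iptables -t nat -F   # -t table: same for the nat table (default table is `filter')
iptables -t nat -X

# The following is commented out, to be enabled once the accept rules are right:
# iptables -P INPUT DROP   # drop everything not explicitly accepted

# Accept everything whose source interface is NOT eth0.  If eth0 is the
# internet interface this opens up local (lo / LAN) access.
# `! -i eth0` is the extrapositioned form; the original `-i ! eth0` is the
# deprecated intrapositioned spelling that newer iptables warns about.
iptables -A INPUT ! -i eth0 -j ACCEPT

# Define rules so that some data can come in.
echo "设置允许访问internet服务"
for port in "${allow_ports[@]}"; do
  # Only replies to traffic we started.  The original matched on source
  # port alone, which lets any remote host reach *any* local port simply by
  # sending from sport 53/80/20/21 once a DROP policy is in place; tying the
  # rule to conntrack state (the approach the comment block below already
  # describes) closes that.  RELATED is what covers active-FTP data from
  # port 20, and needs the ftp conntrack helper loaded -- verify on the host.
  iptables -A INPUT -i eth0 -p tcp --sport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT -v
  iptables -A INPUT -i eth0 -p udp --sport "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT -v
done

echo "设置本机开放端口"
for port in "${open_ports[@]}"; do
  iptables -A INPUT -i eth0 -p tcp --dport "$port" -j ACCEPT -v
  iptables -A INPUT -i eth0 -p udp --dport "$port" -j ACCEPT -v
  # If the script had started with `iptables -P OUTPUT DROP`, a matching
  #   iptables -A OUTPUT -o eth0 -p tcp --sport $port -j ACCEPT -v
  # would be needed (OUTPUT takes -o, not -i), e.g.:
  #   iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
  # Packets that are not replies to a request can be filtered out wholesale;
  # iptables provides a state match for exactly that, keeping junk packets out:
  #   iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
done

# This is the last rule; it makes the firewall tighter (default-deny for eth0).
# iptables -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset -v
# iptables -A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable -v

# 参考:  (reference -- the second script on this page follows)
#!/bin/bash
#
# ========================================================
#
# dos2unix iptables.rule
#
# chmod 755 iptables.rule
# /usr/local/virus/iptables
# mkdir -p /usr/local/virus/iptables
# mv / /iptables.rule /usr/local/virus/iptables
# /usr/local/virus/iptables/iptables.rule
# iptables -L -n
# /etc/rc.d/rc.local
# /usr/local/virus/iptables/iptables.rule
#
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
#
###########################################################################################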
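# English: Please input your networks parameters (including your LAN NIC)
EXTIF="eth1"             # external (internet) interface
INIF="eth0"              # internal (LAN) interface; leave empty to skip the NAT section
INNET="192.168.1.0/24"   # LAN network(s) behind INIF, space-separated
export EXTIF INIF INNET

# These settings are about your own parameters.
# allowname: space-separated hostnames to resolve; their addresses are
# collected into allowip.  allowip is only exported here -- nothing in this
# file reads it (presumably the sourced iptables.allow script does; verify).
allowname=''
allowip=""
if [[ -n "$allowname" ]]; then
  for siteiptmp in $allowname; do
    # resolve via 168.95.1.1; keep the 4th field of the last "address" line
    siteip=$(/usr/bin/host "$siteiptmp" 168.95.1.1 | grep address | tail -n 1 | awk '{print $4}')
    # keep only answers that look like a dotted quad (no characters other
    # than digits and dots).  An empty answer (unresolvable name) is skipped
    # instead of appending a bare space as the original did.
    if [[ -n "$siteip" && "$siteip" != *[^0-9.]* ]]; then
      allowip="$allowip $siteip"
    fi
  done
fi
export allowip

##########################################################
# First, your server's firewall settings.
# 1. the kernel's firewall settings.
# SYN-flood protection via SYN cookies; this setting is not good for
# high-load servers.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification).
# Unicast ping is still answered -- the original comment "unset reply of
# ping" overstated what this sysctl does.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# reverse-path filtering: drop packets whose source address would not be
# routed back out through the interface they arrived on
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$i"
done
# record packets with impossible (martian) source addresses
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo "1" > "$i"
done
# do not honour source-routed packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo "0" > "$i"
done
# do not accept ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo "0" > "$i"
done
# do not send ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo "0" > "$i"
done

# 2. clear rules, set the policy rules and allow lo to connect.
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
# INPUT is default-deny from here on; OUTPUT and FORWARD stay open, so the
# FORWARD section further down only restricts what it lists explicitly.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# RELATED is accepted here, ESTABLISHED only after the external deny/allow
# scripts below -- presumably so an address listed in iptables.deny is cut
# off even for connections already in progress (those scripts are not on
# this page; verify).
iptables -A INPUT -m state --state RELATED -j ACCEPT

# 3. other shell scripts, written by VBird.
if [[ -f /usr/local/virus/iptables/iptables.deny ]]; then
  sh /usr/local/virus/iptables/iptables.deny
fi
if [[ -f /usr/local/virus/iptables/iptables.allow ]]; then
  sh /usr/local/virus/iptables/iptables.allow
fi
if [[ -f /usr/local/virus/httpd-err/iptables.http ]]; then
  sh /usr/local/virus/httpd-err/iptables.http
fi
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# 4. allow some types of ICMP
# AICMP="0 3 3/4 4 11 12 14 16 18"
# for tyicmp in $AICMP; do
#   iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
# done

# 5. services opened on the external interface.  All commented out: with the
#    INPUT DROP policy above, none of these ports is reachable from $EXTIF
#    until the matching line is enabled.
# iptables -A INPUT -p TCP -i $EXTIF --dport 22  -j ACCEPT   # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport 25  -j ACCEPT   # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport 53  -j ACCEPT   # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 53  -j ACCEPT   # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 80  -j ACCEPT   # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT   # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 -j ACCEPT   # HTTPS

########################################################
# Second, the NAT settings.
# 1. loading some good modules of iptables.
# These are the legacy ip_conntrack-era module names; on current kernels the
# conntrack/NAT helpers are named nf_* and modprobe will report them missing.
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules; do
  # load only when lsmod does not already list the module
  if ! lsmod | grep -q "^${mod} "; then
    modprobe "$mod"
  fi
done

# 2. clean NAT table's rules
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# 3. NAT server's settings
if [[ -n "$INIF" ]]; then
  iptables -A INPUT -i "$INIF" -j ACCEPT
  echo "1" > /proc/sys/net/ipv4/ip_forward
  if [[ -n "$INNET" ]]; then
    for innet in $INNET; do
      # NB: without `-o $EXTIF` (the commented form) LAN sources are
      # masqueraded on every outgoing interface, not only toward the
      # internet.  Kept as the original had it.
      #iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
      iptables -t nat -A POSTROUTING -s "$innet" -j MASQUERADE
    done
  fi
fi

# Per-host forwarding rules.  FORWARD policy is ACCEPT, so only what is
# listed here restricts LAN hosts.
# iptables -A FORWARD -s 192.168.1.195 -d www.sina.com.cn -j ACCEPT
# iptables -A FORWARD -s 192.168.1.195 -j DROP
# .195 may forward only from this MAC and at most 25 packets/s; anything
# over the limit, or from another MAC, falls through to the /24 DROP below.
iptables -A FORWARD -s 192.168.1.195 -m mac --mac-source 00:E0:4C:77:1B:C8 -m limit --limit 25/s -j ACCEPT
# iptables -A FORWARD -m iprange --src-range 192.168.1.196-192.168.1.200 -j DROP
# (expr/while counter replaced by an arithmetic for; the per-host DROPs are
# redundant given the /24 DROP that follows, kept as in the original)
for ((i = 196; i <= 200; i++)); do
  iptables -A FORWARD -s "192.168.1.$i" -j DROP
done
iptables -A FORWARD -s 192.168.1.0/24 -j DROP
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4.
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to 192.168.1.210:80   # WWW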