iptables 防火墻腳本

xhb8413 发表于 2011-12-21 08:43

<a href=".http://blog.chinaunix.net/attachment/attach/19/72/33/33197233020a43e67ad2c5779f061f9a586f689c.rar" target="_blank" target="_blank"><img src="/blog/image/attachicons/rar.gif" align="absmiddle" border="0"> iptables.rar </a>  iptables 防火墻腳本，主要根據鳥哥的腳本改寫，可作為範例修改使用。 #!/bin/bash

#write
by Ethan xie 2011/05/04

#email:
ethan225@163.com

#init
settings

EXTIF="eth1" #wan interface

INIF="eth0"  #lan interface

export
EXTIF INIF

#kernel
settings

echo
"1" > /proc/sys/net/ipv4/tcp_syncookies

echo
"1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for i
in /proc/sys/net/ipv4/conf/*/rp_filter;do

   echo "1" > $i

done

for i
in /proc/sys/net/ipv4/conf/*/log_martians;do

   echo "1" > $i

done

for i
in /proc/sys/net/ipv4/conf/*/accept_source_route;do

   echo "0" > $i

done

for i
in /proc/sys/net/ipv4/conf/*/accept_redirects;do

   echo "0" > $i

done

for i
in /proc/sys/net/ipv4/conf/*/send_redirects;do

   echo "0" > $i

done

#Iptables
settings

PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin;
export PATH

iptables
-F

iptables
-X

iptables
-Z

iptables
-P INPUT DROP

iptables
-P OUTPUT ACCEPT

iptables
-P FORWARD ACCEPT

iptables
-A INPUT -i lo -j ACCEPT

iptables
-A INPUT -m state --state RELATED -j ACCEPT

iptables
-A INPUT -p tcp -i $EXTIF --sport 1:1023 -j DROP #deny 1-1023 port access

#Other
script to control other ip access this pc

#file
should place in /usr/local/virus/iptables/iptables.deny

#iptables.deny
file like follow

#!/bin/bash

#iptables
-A INPUT -i $EXTIF -s 140.116.43.0/24 -j DROP

#chmod
700 iptalbes.deny

if [ -f
/usr/local/virus/iptables/iptables.deny ];then

   sh /usr/local/virus/iptables/iptables.deny

fi

#iptables.allow
file like follow

#!/bin/bash

#iptables
-A INPUT -i $EXTIF -s 140.116.43.0/24 -j ACCEPT

#chmod
700 iptables.allow

#file
should place in /usr/local/virus/iptables/iptables.allow

if [
-f /usr/local/virus/iptables/iptables.allow ];then

   sh /usr/local/virus/iptables/iptables.allow

fi

#file
should place in /usr/local/virus/iptables/iptables.http

#It is
use to deny httpd-err ip

if [
-f /usr/local/virus/iptables/iptables.http ];then

   sh /usr/local/virus/iptables/iptables.http

fi

iptables
-A INPUT -m state --state ESTABLISHED -j ACCEPT

#allow
icmp 

AICMP="0
3 3/4 4 11 12 14 16 18"

for
tyicmp in $AICMP

do

  iptables -A INPUT -i $EXTIF -p icmp
--icmp-type $tyicmp -j ACCEPT

done

#other
service 

iptables
-A INPUT -p tcp -i $INIF -s 192.168.1.0/24 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT

iptables
-A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT

iptables
-A INPUT -p tcp -i $EXTIF --sport 53 -m state --state RELATED,ESTABLISHED -j
ACCEPT #access wan dns server

iptables
-A INPUT -p udp -i $EXTIF --sport 53 -m state --state RELATED,ESTABLISHED -j
ACCEPT

iptables
-A INPUT -p tcp -i $EXTIF --dport 8000 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT

iptables
-A INPUT -p tcp -i $EXTIF --dport 8010 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT

iptables
-A INPUT -p udp -i $EXTIF --dport 8080 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT

页: [1]

Chinaunix's Archiver

iptables 防火墻腳本