免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
论坛 IT运维 数据安全 iptables 防火墻腳本
最近访问板块 发新帖
查看: 872 | 回复: 0
打印 上一主题 下一主题

iptables 防火墻腳本 [复制链接]

xhb8413

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
发表于 2011-12-21 08:43 |只看该作者 |倒序浏览
   iptables.rar  
iptables 防火墻腳本,主要根據鳥哥的腳本改寫,可作為範例修改使用。


#!/bin/bash

#write by Ethan xie 2011/05/04

#email: ethan225@163.com

#init settings

EXTIF="eth1" #wan interface

INIF="eth0"  #lan interface

export EXTIF INIF

#kernel settings

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for i in /proc/sys/net/ipv4/conf/*/rp_filter;do

   echo "1" > $i

done

for i in /proc/sys/net/ipv4/conf/*/log_martians;do

   echo "1" > $i

done

for i in /proc/sys/net/ipv4/conf/*/accept_source_route;do

   echo "0" > $i

done

for i in /proc/sys/net/ipv4/conf/*/accept_redirects;do

   echo "0" > $i

done

for i in /proc/sys/net/ipv4/conf/*/send_redirects;do

   echo "0" > $i

done

#Iptables settings

PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin; export PATH

iptables -F

iptables -X

iptables -Z

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state RELATED -j ACCEPT

iptables -A INPUT -p tcp -i $EXTIF --sport 1:1023 -j DROP #deny 1-1023 port access

#Other script to control other ip access this pc

#file should place in /usr/local/virus/iptables/iptables.deny

#iptables.deny file like follow

#!/bin/bash

#iptables -A INPUT -i $EXTIF -s 140.116.43.0/24 -j DROP

#chmod 700 iptalbes.deny

if [ -f /usr/local/virus/iptables/iptables.deny ];then

   sh /usr/local/virus/iptables/iptables.deny

fi

#iptables.allow file like follow

#!/bin/bash

#iptables -A INPUT -i $EXTIF -s 140.116.43.0/24 -j ACCEPT

#chmod 700 iptables.allow

#file should place in /usr/local/virus/iptables/iptables.allow

if [ -f /usr/local/virus/iptables/iptables.allow ];then

   sh /usr/local/virus/iptables/iptables.allow

fi

#file should place in /usr/local/virus/iptables/iptables.http

#It is use to deny httpd-err ip

if [ -f /usr/local/virus/iptables/iptables.http ];then

   sh /usr/local/virus/iptables/iptables.http

fi

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

#allow icmp

AICMP="0 3 3/4 4 11 12 14 16 18"

for tyicmp in $AICMP

do

  iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT

done

#other service

iptables -A INPUT -p tcp -i $INIF -s 192.168.1.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i $EXTIF --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT #access wan dns server

iptables -A INPUT -p udp -i $EXTIF --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i $EXTIF --dport 8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -i $EXTIF --dport 8010 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -i $EXTIF --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP