iptables.rar iptables 防火墻腳本,主要根據鳥哥的腳本改寫,可作為範例修改使用。
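#!/bin/bash
# iptables firewall script, mainly rewritten from VBird's (鳥哥) example
# script; intended to be copied and adapted.
# write by Ethan xie 2011/05/04
# email: ethan225@163.com

# init settings
EXTIF="eth1"  # wan interface
INIF="eth0"   # lan interface
# Exported because the optional rule files run later (via sh) reference
# $EXTIF themselves.
export EXTIF INIF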
#kernel
settings
echo
"1" > /proc/sys/net/ipv4/tcp_syncookies
echo
"1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i
in /proc/sys/net/ipv4/conf/*/rp_filter;do
echo "1" > $i
done
for i
in /proc/sys/net/ipv4/conf/*/log_martians;do
echo "1" > $i
done
for i
in /proc/sys/net/ipv4/conf/*/accept_source_route;do
echo "0" > $i
done
for i
in /proc/sys/net/ipv4/conf/*/accept_redirects;do
echo "0" > $i
done
for i
in /proc/sys/net/ipv4/conf/*/send_redirects;do
echo "0" > $i
done
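# Iptables settings
PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# Start from an empty ruleset: flush rules, delete user chains, zero counters.
iptables -F
iptables -X
iptables -Z

# Default policies: unsolicited inbound traffic is dropped; outbound and
# forwarded traffic is left unrestricted by the INPUT rules below.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT

# deny 1-1023 port access: drop WAN TCP packets whose *source* port is a
# privileged port.
# NOTE(review): this rule is evaluated before the later
# "-m state --state ESTABLISHED -j ACCEPT" rule, so replies to this host's
# own outbound TCP connections to well-known ports on the WAN side (and the
# later "--sport 53" TCP rule) are dropped here first — confirm this is
# intended.
iptables -A INPUT -p tcp -i "$EXTIF" --sport 1:1023 -j DROP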
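# Other script to control other ip access this pc.
# Each file below is optional; when present it is executed as root, so it
# must be owned by root and not writable by anyone else (chmod 700).
#
# /usr/local/virus/iptables/iptables.deny, file like follow:
#   #!/bin/bash
#   iptables -A INPUT -i $EXTIF -s 140.116.43.0/24 -j DROP
#   (chmod 700 iptables.deny)
#
# /usr/local/virus/iptables/iptables.allow, file like follow:
#   #!/bin/bash
#   iptables -A INPUT -i $EXTIF -s 140.116.43.0/24 -j ACCEPT
#   (chmod 700 iptables.allow)
#
# /usr/local/virus/iptables/iptables.http: used to deny httpd-err ip.

#######################################
# Run one optional rule file with sh; skip quietly when it does not exist.
# Arguments: $1 - path of the rule file
# Returns:   status of sh, or 0 when the file is absent
#######################################
run_rule_file() {
  local rule_file=$1
  if [ -f "$rule_file" ]; then
    sh "$rule_file"
  fi
}

run_rule_file /usr/local/virus/iptables/iptables.deny
run_rule_file /usr/local/virus/iptables/iptables.allow
run_rule_file /usr/local/virus/iptables/iptables.http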
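iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# allow icmp: reply/error types only. echo-request (8) is deliberately
# absent, so the WAN side does not answer pings.
AICMP="0 3 3/4 4 11 12 14 16 18"
# $AICMP is left unquoted on purpose: the list is word-split into types.
for tyicmp in $AICMP; do
  iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done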
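# other service
# LAN: any TCP from 192.168.1.0/24 arriving on the LAN interface.
iptables -A INPUT -p tcp -i "$INIF" -s 192.168.1.0/24 \
  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# WAN: http
iptables -A INPUT -p tcp -i "$EXTIF" --dport 80 \
  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# access wan dns server: accept replies coming back from port 53.
# NOTE(review): the earlier "--sport 1:1023 -j DROP" rule on $EXTIF matches
# TCP replies from port 53 first, so the TCP rule here is only reached if that
# rule is changed; the UDP rule is unaffected.
iptables -A INPUT -p tcp -i "$EXTIF" --sport 53 \
  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i "$EXTIF" --sport 53 \
  -m state --state RELATED,ESTABLISHED -j ACCEPT

# WAN: additional TCP services on 8000 and 8010.
iptables -A INPUT -p tcp -i "$EXTIF" --dport 8000 \
  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i "$EXTIF" --dport 8010 \
  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT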
iptables
-A INPUT -p udp -i $EXTIF --dport 8080 -m state --state NEW,RELATED,ESTABLISHED
-j ACCEPT |