Asking for help: how do I use iptables to let only specified IP and MAC addresses access the internet?
I used the same method as 眼皮猪, but to improve processing efficiency the first rule in the FORWARD chain accepts all already-established connections, so only newly initiated requests go through the IP check; the statistics show that only a small number of packets pass through the CHKIP chain. Also for efficiency, I used a layered structure, that is, a separate CHKIP chain is defined and the IP is only looked up when needed.
```bash
#! /bin/bash
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -N RATELIMIT
/sbin/iptables -N CHKIP
# accept packets belonging to already-established connections first,
# so only new connections reach the IP check below
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ppp0 -j MASQUERADE
# Redirect to CHKIP
/sbin/iptables -A FORWARD -s 172.16.1.0/24 -i eth1 -o ppp0 -j CHKIP
/sbin/iptables -A FORWARD -p icmp -j ACCEPT
# CHKIP: allow authorised IPs, drop everything else
/sbin/iptables -A CHKIP -s 172.16.1.106/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.10/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.188/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.119/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.88/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.208/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.232/32 -j ACCEPT
/sbin/iptables -A CHKIP -s 172.16.1.64/32 -j ACCEPT
/sbin/iptables -A CHKIP -j DROP
# Denial-of-service protection (RATELIMIT chain; note that nothing in this script
# jumps to it from FORWARD, so these rules are not yet in the packet path)
# Syn-flood protection:
iptables -A RATELIMIT -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Furtive port scanner:
iptables -A RATELIMIT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death:
iptables -A RATELIMIT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Statistics
```
Chain FORWARD (policy DROP 56 packets, 22225 bytes)
 pkts bytes target prot opt in  out source        destination
7627K 3517M ACCEPT all  --  *   *   0.0.0.0/0     0.0.0.0/0   state RELATED,ESTABLISHED
 140K   11M CHKIP  all  --  eth1 *  172.16.1.0/24 0.0.0.0/0

Chain CHKIP (2 references)
 pkts bytes target prot opt in  out source        destination
   42  2057 ACCEPT all  --  *   *   172.16.1.106  0.0.0.0/0
    0     0 ACCEPT all  --  *   *   172.16.1.10   0.0.0.0/0
    0     0 ACCEPT all  --  *   *   172.16.1.188  0.0.0.0/0
59141 5951K ACCEPT all  --  *   *   172.16.1.119  0.0.0.0/0
15670  876K ACCEPT all  --  *   *   172.16.1.88   0.0.0.0/0
    0     0 ACCEPT all  --  *   *   172.16.1.208  0.0.0.0/0
    0     0 ACCEPT all  --  *   *   172.16.1.232  0.0.0.0/0
  338 22881 ACCEPT all  --  *   *   172.16.1.64   0.0.0.0/0
83700 6693K DROP   all  --  *   *   0.0.0.0/0     0.0.0.0/0
```
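The question asks for both IP and MAC checks, while the CHKIP chain above matches on source IP only. The following is an added example (not code from the post or from the forum user) that generates the CHKIP rules from a constructed (IP, MAC) allow-list using iptables' `-m mac --mac-source` match, so a host must present both its assigned IP and its registered MAC; it runs in dry-run mode (prints the rules) unless `IPT=/sbin/iptables` is set, and the allow-list, `dry_run` helper and function names are assumptions for illustration.

```bash
#!/bin/sh
# Added example: build the CHKIP chain from (IP, MAC) pairs. Dry-run by default:
# IPT=dry_run prints each rule; set IPT=/sbin/iptables (as root) to install them.
dry_run() { printf '%s\n' "$*"; }
IPT="${IPT:-dry_run}"

# Constructed sample allow-list (not from the original post): "ip mac" per line.
# The last entry has a malformed MAC and is expected to be skipped.
ALLOWLIST='172.16.1.106 00:11:22:33:44:55
172.16.1.119 00:11:22:33:44:66
172.16.1.88  00:11:22:33:44:77
172.16.1.64  not-a-mac'

# Return 0 if $1 looks like a MAC address (six colon-separated hex pairs).
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit one ACCEPT per (ip, mac) pair, then an unconditional DROP. The mac match is
# only available in PREROUTING, INPUT and FORWARD, which is where CHKIP is reached
# from, so a packet carrying an allowed IP from an unregistered NIC is still dropped.
build_chkip_rules() {
    printf '%s\n' "$ALLOWLIST" | while read -r ip mac; do
        [ -z "$ip" ] && continue
        if ! valid_mac "$mac"; then
            printf 'skipping %s: malformed MAC "%s"\n' "$ip" "$mac" >&2
            continue
        fi
        $IPT -A CHKIP -s "$ip/32" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A CHKIP -j DROP
}

# Sanity check: number of ACCEPT rules the allow-list would produce (always dry-run).
count_accepts() {
    ( IPT=dry_run; build_chkip_rules ) 2>/dev/null | grep -c -- '-j ACCEPT'
}

build_chkip_rules
```

Because the rule list is generated rather than typed, adding a host is one allow-list line, and the validation step keeps a typo from silently producing an unreachable rule.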