天天看點
傳回

iptables 腳本

#!/bin/sh

#

#############################################################################

# File: iptables.sh

# Purpose: To build a basic iptables policy with default log and drop rules.

# This script was written for the book "Linux Firewalls: Attack

# Detection and Response" published by No Starch Press.

# Copyright (C) 2006-2009 Michael Rash ([email protected])

# License (GNU Public License):

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

# USA

# $Id: index.html 2884 2010-08-23 01:52:49Z mbr $

IPTABLES=/sbin/iptables

IP6TABLES=/sbin/ip6tables

MODPROBE=/sbin/modprobe

INT_NET=192.168.10.0/24

### flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."

$IPTABLES -F

$IPTABLES -F -t nat

$IPTABLES -X

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP

### this policy does not handle IPv6 traffic except to drop it.

echo "[+] Disabling IPv6 traffic..."

$IP6TABLES -P INPUT DROP

$IP6TABLES -P OUTPUT DROP

$IP6TABLES -P FORWARD DROP

### load connection-tracking modules

$MODPROBE ip_conntrack

$MODPROBE iptable_nat

$MODPROBE ip_conntrack_ftp

$MODPROBE ip_nat_ftp

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### state tracking rules

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options

$IPTABLES -A INPUT -m state --state INVALID -j DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules

$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "

$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP

### ACCEPT rules

$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule

$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

### make sure that loopback traffic is accepted

$IPTABLES -A INPUT -i lo -j ACCEPT

###### OUTPUT chain ######

echo "[+] Setting up OUTPUT chain..."

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options

$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

$IPTABLES -A OUTPUT -o lo -j ACCEPT

###### FORWARD chain ######

echo "[+] Setting up FORWARD chain..."

$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options

$IPTABLES -A FORWARD -m state --state INVALID -j DROP

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "

$IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j DROP

$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule

$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### NAT rules ######

echo "[+] Setting up NAT rules..."

$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80

$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443

$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to 192.168.10.4:53

$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE

###### forwarding ######

echo "[+] Enabling IP forwarding..."

echo 1 > /proc/sys/net/ipv4/ip_forward

exit

### EOF ###

=========================================================================================

# 指令行放行某個端口

#/sbin/iptables -I INPUT -p tcp --dport 端口号 -j ACCEPT

#/etc/rc.d/init.d/iptables save

可是覺得指令行太複雜了怎麼辦?那就記住下面的腳本并讓它自動執行吧,詳細說明請看注釋

# iptables 防火牆腳本

#!/bin/bash  

sports="53 80 22 3306"  # 自己機器對外開放的端口  

dports="53 80 20 21 22 3306"  # internet的資料可以進入自己機器的端口

# 初始化

init(){

   iptables -F

   iptables -X

   iptables -t nat -F

   iptables -t nat -X

}

# 啟動

start(){

   echo " * Starting firewall and allowing everyone..."

   init

   iptables -A INPUT -i ! eth0 -j ACCEPT  

   # 開放端口

   for Port in $sports ; do  

       iptables -A INPUT -i eth0 -p tcp --sport $Port -j ACCEPT  

       iptables -A INPUT -i eth0 -p udp --sport $Port -j ACCEPT  

   done  

   for Port in $dports ; do  

       iptables -A INPUT -i eth0 -p tcp --dport $Port -j ACCEPT  

       iptables -A INPUT -i eth0 -p udp --dport $Port -j ACCEPT  

   iptables -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset  

   iptables -A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable

   echo "Done!"

# 停止

stop(){

   echo " * Stopping firewall and allowing everyone..."

   iptables -t mangle -F

   iptables -t mangle -X

   iptables -P INPUT ACCEPT

   iptables -P FORWARD ACCEPT

   iptables -P OUTPUT ACCEPT

# 重新開機

restart(){

   stop

   start

status(){

    iptables -L

case "$1" in

   start)

       start ;;

   stop)

       stop ;;

   restart)

       restart ;;

   status)

       status;;

   *)

       echo "Usage: iptables {start|stop|restart}"

       exit 1

esac

without default Michael Copyright published
上一篇: ant-design-vue中的a-directory-tree更換圖示
下一篇: element ui DatePicker 禁用目前日之前的時間

繼續閱讀