zoukankan      html  css  js  c++  java
  • Simple IPTables Firewall with Whitelist and Blacklist

    Sections: 

    IPTables FirewallThe following is a simple IPTables firewall script that can be used for general purposes.  It includes a port list and whitelist/blacklist.  The script was tested on CentOS v6 and Ubuntu v12.

    Create the whitelist & blacklist files

    These can remain empty until needed.

    mkdir /etc/myfirewall
    touch /etc/myfirewall/whitelist.txt
    touch /etc/myfirewall/blacklist.txt

    Enter one IP or domain per line as needed to permit or deny.  For example, to permit 1.1.1.1 and somedomain.com

    nano /etc/myfirewall/whitelist.txt
    1.1.1.1
    ​somedomain.com

    Note about DNS domains and iptables.

    If your whitelist specifies a domain, it is the resolved IP address that is added to the ipables rule.  So any change in the IP address of a domain in a whitelist or blacklist will require the firewall script to be re-run.

    Create the firewall script

    Located IPtables on your distribution and alter the IPTABLES= line in the script accordingly.

    which iptables
    which iptables-save

    For non standard SSH port and to allow or deny other ports alter ALLOWED= line accordingly

    nano /etc/myfirewall/firewall.sh
    #!/bin/bash
    #
    ## Simple IPTables Firewall with Whitelist & Blacklist
    #
    ## List Locations
    #
    
    WHITELIST=/etc/myfirewall/whitelist.txt
    BLACKLIST=/etc/myfirewall/blacklist.txt
    
    #
    ## Specify ports you wish to use.
    ## For port listing reference see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
    ## To add port range separate by ":" with no spaces.  Ie. "10000:20000"
    #
    
    ALLOWED="22 25 53 80 443 465 587 993"
    
    #
    ## Specify where IP Tables is located
    #
    
    IPTABLES=/sbin/iptables
    IPTABLES_SAVE=/sbin/iptables-save
    
    #
    ## Save current iptables running configuration in case we want to revert back
    ## To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
    #
    
    $IPTABLES_SAVE > /usr/local/etc/iptables.last
    
    #
    ## Clear current rules
    #
    ## If current INPUT policy is set to DROP we will be locked out once we flush the rules
    ## so we must first ensure it is set to ACCEPT.
    #
    $IPTABLES -P INPUT ACCEPT
    echo 'Setting default INPUT policy to ACCEPT'
    
    $IPTABLES -F
    echo 'Clearing tables'
    $IPTABLES -X
    echo 'Deleting user defined chains'
    $IPTABLES -Z
    echo 'Zero chain counters'
    
    #Always allow localhost.
    echo 'Allowing Localhost'
    $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
    
    #
    ##The following rule ensures that established connections are not checked.
    ##It also allows for things that may be related but not part of those connections such as ICMP.
    #
    
    $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    #
    ## Whitelist
    #
    
    for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
    echo "Permitting $x..."
    $IPTABLES -A INPUT -s $x -j ACCEPT
    done
    
    #
    ## Blacklist
    #
    
    for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
    echo "Denying $x..."
    $IPTABLES -A INPUT -s $x -j DROP
    done
    
    #
    ## Permitted Ports
    #
    
    for port in $ALLOWED; do
    echo "Accepting port TCP $port..."
    $IPTABLES -A INPUT -p tcp --dport $port -j ACCEPT
    done
    
    for port in $ALLOWED; do
    echo "Accepting port UDP $port..."
    $IPTABLES -A INPUT -p udp --dport $port -j ACCEPT
    done
    
    #
    ## NOTE: Test this script first to make sure it works as expected.
    ## Run "iptables -vnL" to ensure the rules are as expected and that your SSH port is correct.
    ##
    ## When you are sure this script works properly uncomment the following 2 lines to enforce the rules.
    #
    
    # $IPTABLES -A INPUT -p udp -j DROP
    # $IPTABLES -A INPUT -p tcp --syn -j DROP
    
    #
    ## Save the rules so they are persistent on reboot.
    #
    /etc/init.d/iptables save
    Make the script executable and run.
    chmod +x /etc/myfirewall/firewall.sh
    /etc/myfirewall/firewall.sh
    Check rules.
    ​iptables -vnL

    Once you are sure the script is working properly with the proper SSH port allowed you can uncommend the two lines at the bottom of the script and run again to fully enable it.

    Ubuntu iptables persistence

    If using Ubuntu, install the persistent package.

    apt-get install iptables-persistent 

    Change the last line in the firewall script to:

    $IPTABLES_SAVE > /etc/iptables/rules.v4

    Reference: Howto: Quick N' Dirty IPtables-based Firewall

    copyright

    https://www.powerpbx.org/content/simple-iptables-firewall-whitelist-blacklist-v1

  • 相关阅读:
    《测试工作量的时间评估》方案梳理
    GitHub 生成密钥
    Jenkins+Jmeter持续集成(五、Ant+GitLab持续构建)
    Linux下查看文件和文件夹大小
    Java Runtime.exec()的使用
    如何启动/停止/重启MySQL
    浅析Java语言慢的原因
    chattr命令锁定账户敏感文件
    SOAP协议初级指南 (三)
    SOAP协议初级指南 (二)
  • 原文地址:https://www.cnblogs.com/dong1/p/14040139.html
Copyright © 2011-2022 走看看