zoukankan      html  css  js  c++  java
  • 超级实用的 iptables 防火墙脚本

    本文档详细介绍生产环境中超级实用的iptables脚本
    创建 iptables.sh 脚本
    [root@Jaking ~]# vim iptables.sh 
    #!/bin/bash
    
    #清空 filter 表和 nat 表
    iptables -F
    iptables -t nat -F
    
    #关掉 firewalld
    systemctl stop firewalld &>/dev/null
    systemctl disable firewalld &>/dev/null
    
    #以下两行允许某些调用 localhost 的应用访问
    iptables -A INPUT -i lo -j ACCEPT #规则1
    iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #规则2
    
    #以下一行允许从其他地方 ping
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #规则3
    
    #以下一行允许从其他主机、网络设备发送 MTU 调整的报文
    #在一些情况下,例如通过 IPSec VPN 隧道时,主机的 MTU 需要动态减小
    iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT #规则4
    
    #以下两行分别允许所有来源访问 TCP 80,443 端口
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT #规则5
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT #规则6
    
    #以下一行允许所有来源访问 UDP 80,443 端口
    iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT #规则7
    
    #以下一行允许 192.168.1.63 来源的 IP 访问 TCP 22 端口(OpenSSH)
    iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT #规则8
    
    #以下一行允许 192.168.1.3(发起SSH连接的系统对应网卡的IP) 来源的 IP 访问 TCP 22 端口(OpenSSH)
    #如果是在远程终端跑本脚本,最好开启以下一行以防被踢掉
    #另一种更加简便的方式:iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT #规则9
    
    #以下一行允许 192.168.1.26 来源的 IP 访问 UDP 161 端口(SNMP)
    iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT #规则10
    
    #配置 NAT
    #启用内核路由转发功能
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
    sysctl -p &>/dev/null
    
    #配置源地址转换 SNAT 
    #将 192.168.2.0/24 转换成 192.168.1.63
    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63 #规则11
    
    #配置目的地址转换 DNAT
    #将 192.168.1.63 的 80 端口请求转发到 192.168.2.2 的 80 端口
    iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80 #规则12
    
    #以下一行禁止所有其他的进入流量
    iptables -A INPUT -j DROP #规则13
    
    #以下一行允许本机响应规则编号为 1-12 的数据包发出
    iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT #规则14
    
    #以下一行禁止本机主动发出外部连接
    iptables -A OUTPUT -j DROP #规则15
    
    #以下一行禁止本机转发数据包 
    iptables -A FORWARD -j DROP #规则16
    
    #固化 iptables
    iptables-save > /etc/sysconfig/iptables
    
    [root@Jaking ~]# chmod 755 iptables.sh
    
    测试
    [root@Jaking ~]# ./iptables.sh 
    [root@Jaking ~]# 
    [root@Jaking ~]# 
    [root@Jaking ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  localhost            localhost           
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
    ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
    ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
    DROP       all  --  anywhere             anywhere            
    [root@Jaking ~]# iptables -L --line-number
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  anywhere             anywhere            
    2    ACCEPT     all  --  localhost            localhost           
    3    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    4    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
    5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    7    ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
    8    ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
    9    ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
    10   ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
    11   DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination         
    1    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    1    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
    2    DROP       all  --  anywhere             anywhere            
    [root@Jaking ~]# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63
    [root@Jaking ~]# iptables -t nat -L --line-number
    Chain PREROUTING (policy ACCEPT)
    num  target     prot opt source               destination         
    1    DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80
    
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    num  target     prot opt source               destination         
    1    SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63
    
    iptables 的清空和恢复
    [root@Jaking ~]# iptables -F
    [root@Jaking ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    [root@Jaking ~]# iptables -t nat -F
    [root@Jaking ~]# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination 
    [root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables
    [root@Jaking ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  localhost            localhost           
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
    ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
    ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
    ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
    DROP       all  --  anywhere             anywhere            
    [root@Jaking ~]# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63
    
    总结

    以上就是生产环境中超级实用的iptables脚本,这个脚本可以直接拿去用,不过请谨慎操作!

    本文原创地址:https://www.linuxprobe.com/super-practical-iptables.html编辑:传棋,审核员:逄增宝

  • 相关阅读:
    poj 3261 Milk Patterns 后缀数组+二分
    poj 2774 Long Long Message(后缀数组入门题)
    hdu 5719 Arrange
    hdu 5720 Wool
    DROP TABLE 恢复
    MySQL数据库改名的三种方法
    MySQL 误操作后数据恢复(update,delete忘加where条件)
    MySQL常用SQL语句优化
    EXPLAIN 命令详解
    mysql sql语句大全
  • 原文地址:https://www.cnblogs.com/linuxprobe/p/12793566.html
Copyright © 2011-2022 走看看