  • 防火墙iptables的简单使用

    规则定义

    # service iptables start

    # chkconfig iptables on

    想让规则生效，则在 shell 命令行下执行

    sh /bin/iptables.sh即可

    [root@node3 ~]# cat /bin/iptables.sh

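    #!/bin/bash
    # Minimal host firewall: flush the filter table, then accept return traffic,
    # loopback, SSH, one application port (tcp/8555), a few ICMP types and the
    # inbound NTP service port, and finally drop everything else on INPUT and
    # FORWARD.
    #
    # Run as root. The page runs it as `sh /bin/iptables.sh`, so the body stays
    # POSIX sh compatible (no bashisms).
    #
    # `-F` only flushes the rules of the filter table; chain policies stay
    # ACCEPT, so the trailing `-j DROP` rules are what actually close the host.
    # If the script aborts half-way the host is therefore left open — that is
    # also why there is no `set -e` here: every rule is attempted so the final
    # DROP is reached. Re-running from the top is safe because of the flush.

    IPT=/sbin/iptables

    # Flush all filter-table rules (policies and other tables are untouched).
    $IPT -F

    # Loopback must be accepted unconditionally; without this, new connections
    # to 127.0.0.1 (e.g. a local app talking to a local database) hit the
    # final DROP.
    $IPT -A INPUT -i lo -j ACCEPT

    # Return traffic for connections this host opened (TCP, plus UDP/ICMP
    # tracked by conntrack). This also covers DNS and NTP replies, so no
    # source-port based accept rules are needed further down.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT

    # Application port tcp/8555
    $IPT -A INPUT -p tcp --dport 8555 -j ACCEPT

    # ICMP: ping in both directions plus path-MTU discovery. One accept per
    # type is enough (duplicated accepts only add rules to evaluate).
    for icmp_type in echo-reply echo-request fragmentation-needed; do
      $IPT -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done

    # DNS/NTP clients: accepting any packet whose *source* port is 53 or 123
    # would let a remote sender bypass the whole firewall simply by choosing
    # that source port, because the destination is not restricted. Replies to
    # this host's own queries are already accepted by the ESTABLISHED,RELATED
    # rule above, so no such rule is needed. Only the inbound NTP *service*
    # port is opened here; drop this line if the host is not an NTP server.
    $IPT -A INPUT -p udp --dport 123 -j ACCEPT

    # Default deny for everything not explicitly accepted above.
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -j DROP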
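    #!/bin/bash
    # Stateful host firewall for a machine with a public interface (eth0) and a
    # trusted private one (eth1).
    #
    # Layout:
    #   1. load the netfilter modules the rules need
    #   2. reset the filter/nat tables (policies back to ACCEPT, flush, delete
    #      user chains)
    #   3. default-deny INPUT and FORWARD
    #   4. helper chains: bad_tcp_packets (malformed TCP) and icmp_packets
    #   5. INPUT rules: loopback, eth1, state tracking, per-source connection
    #      limits, and the per-audience TCP port whitelists at the bottom
    #
    # Run as root. Re-running is safe because step 2 starts from clean tables.
    # Between step 2 and step 3 the host is briefly wide open (policies ACCEPT
    # with no rules); keep anything slow out of that window. There is no
    # `set -e` on purpose: once the INPUT policy is DROP, aborting on a single
    # failed rule would lock out SSH as well, so every rule is attempted.

    # One binary for every rule (mixing `iptables` from $PATH with
    # /sbin/iptables makes it unclear which build is being driven).
    IPT=/sbin/iptables

    ### Required modules
    # Legacy module names; on newer kernels several of these have been renamed
    # (e.g. ip_conntrack -> nf_conntrack) — check with `modinfo` if modprobe
    # complains. A failure here is not fatal.
    for mod in ip_tables ip_conntrack iptable_mangle iptable_nat ipt_LOG \
               ipt_limit ipt_state ip_conntrack_ftp ip_nat_ftp ipt_owner \
               ipt_REJECT; do
      /sbin/modprobe "$mod"
    done

    ### Clean rules
    # -F and -X do not touch chain policies, so policies are reset explicitly.
    # The mangle table is only reset in policy and not flushed; nothing below
    # adds mangle rules.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t mangle -P PREROUTING ACCEPT
    $IPT -t mangle -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -t nat -X

    ### Default deny (OUTPUT stays ACCEPT)
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    ### User chains
    $IPT -N bad_tcp_packets
    $IPT -N icmp_packets

    ### bad_tcp_packets chain: TCP packets that cannot belong to a valid session
    # A NEW connection whose first packet is not a SYN.
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    # Impossible or scan-signature flag combinations (--tcp-flags MASK COMP).
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL            -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE           -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN    -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST    -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags FIN,RST FIN,RST    -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ACK,FIN FIN        -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ACK,PSH PSH        -j DROP
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ACK,URG URG        -j DROP

    ### icmp_packets chain
    # Accept echo-request (8) and time-exceeded (11) only. Anything else
    # returns to INPUT, where ICMP errors for tracked connections pass as
    # RELATED and the rest falls through to the DROP policy.
    $IPT -A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
    $IPT -A icmp_packets -p icmp --icmp-type 11 -j ACCEPT

    ### Loopback and private interface
    $IPT -A INPUT -p ALL -i lo -j ACCEPT
    # eth1 is fully trusted: everything arriving on it is accepted, so nothing
    # untrusted may be reachable through that interface.
    $IPT -A INPUT -p ALL -i eth1 -j ACCEPT

    ## keepalived (VRRP) on the private interface — disabled by default
    #$IPT -A INPUT -i eth1 -p vrrp -s 192.168.254.122 -j ACCEPT

    ### INPUT chain
    $IPT -A INPUT -p tcp -j bad_tcp_packets
    $IPT -A INPUT -p icmp -j icmp_packets
    $IPT -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

    ### Per-source connection limit on the web ports (eth0)
    # A single IPv4 address (--connlimit-mask 32) holding more than 100
    # connections to one of these ports gets further SYNs rejected. Only 80 is
    # opened in Public_access below; 443/8080 are limited here in case they
    # are added later.
    for port in 80 443 8080; do
      $IPT -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport "$port" \
        --tcp-flags FIN,SYN,RST,ACK SYN \
        -m connlimit --connlimit-above 100 --connlimit-mask 32 \
        -j REJECT --reject-with icmp-port-unreachable
    done

    # Rate-limited logging of what is about to be dropped — disabled by default.
    #$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT PACKET DIED:"

    # L2TP (udp/1701). Appended like every other whitelist entry instead of
    # being inserted at the head of INPUT (-I); the result is identical because
    # none of the rules above can drop or reject UDP traffic.
    $IPT -A INPUT -p udp --dport 1701 -j ACCEPT

    ### Open ports (whitespace-separated lists, split by the loops below)
    readonly Public_access="80"          # anyone, on eth0
    readonly Server_access="873 1500"    # only from Servers_ip, on eth0
    readonly Company_access="22"         # only from Company_ip, on eth0

    ### Allowed sources
    readonly Servers_ip="192.168.254.0/24 10.11.0.0/16"
    # 1.1.1.1 is a placeholder: it is a public Internet address, so deploying
    # this unchanged opens tcp/22 to whoever holds that address, not to the
    # company. Replace it before use.
    readonly Company_ip="1.1.1.1"

    # open_tcp PORT [SOURCE]: accept TCP to PORT arriving on eth0, optionally
    # only from SOURCE (an address or CIDR).
    open_tcp() {
      if [ -n "${2-}" ]; then
        $IPT -A INPUT -p tcp --dport "$1" -s "$2" -i eth0 -j ACCEPT
      else
        $IPT -A INPUT -p tcp --dport "$1" -i eth0 -j ACCEPT
      fi
    }

    ### Public access rules
    for port in $Public_access; do
      open_tcp "$port"
    done

    ### Servers access rules
    for port in $Server_access; do
      for ip in $Servers_ip; do
        open_tcp "$port" "$ip"
      done
    done

    ### Company access rules
    for port in $Company_access; do
      for ip in $Company_ip; do
        open_tcp "$port" "$ip"
      done
    done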

    # Port-redirect examples for the nat table (PREROUTING). These are four
    # independent one-liners, not one script: the first two redirect in
    # opposite directions, and the host-specific rules (-d 1.1.1.1) would never
    # match if appended after the unconditional ones, because REDIRECT ends
    # chain traversal and PREROUTING rules are evaluated in order. Apply only
    # the one that fits the deployment; 1.1.1.1 is an example address.

    # Mail server: map port 25 onto port 2500
    # (as written, this redirects incoming tcp/2500 to local port 25)
    iptables -t nat -A PREROUTING -p tcp --dport 2500 -j REDIRECT --to-ports 25

     

    # Port 25 redirected to port 2500
    iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-ports 2500

    ##### 2500 to 25, only for traffic to the specified destination IP #####
    iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp -m tcp --dport 2500 -j REDIRECT --to-ports 25

    # Map port 25 of the specified destination IP onto port 2500
    iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2500

  • 原文地址:https://www.cnblogs.com/reblue520/p/8732757.html