超级实用的iptables防火墙脚本怎么用
这篇文章给大家分享的是有关超级实用的iptables防火墙脚本怎么用的内容。小编觉得挺实用的,因此分享给大家做个参考,一起跟随小编过来看看吧。
创新互联服务紧随时代发展步伐,进行技术革新和技术进步,经过十载的发展和积累,已经汇集了一批资深网站策划师、设计师、专业的网站实施团队以及高素质售后服务人员,并且完全形成了一套成熟的业务流程,能够完全依照客户要求对网站进行成都网站设计、成都网站制作、建设、维护、更新和改版,实现客户网站对外宣传展示的首要目的,并为客户企业品牌互联网化提供全面的解决方案。
创建 iptables.sh 脚本
[root@Jaking ~]# vim iptables.sh #!/bin/bash #清空 filter 表和 nat 表 iptables -F iptables -t nat -F #关掉 firewalld systemctl stop firewalld &>/dev/null systemctl disable firewalld &>/dev/null #以下两行允许某些调用 localhost 的应用访问 iptables -A INPUT -i lo -j ACCEPT #规则1 iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #规则2 #以下一行允许从其他地方 ping iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #规则3 #以下一行允许从其他主机、网络设备发送 MTU 调整的报文 #在一些情况下,例如通过 IPSec VPN 隧道时,主机的 MTU 需要动态减小 iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT #规则4 #以下两行分别允许所有来源访问 TCP 80,443 端口 iptables -A INPUT -p tcp --dport 80 -j ACCEPT #规则5 iptables -A INPUT -p tcp --dport 443 -j ACCEPT #规则6 #以下一行允许所有来源访问 UDP 80,443 端口 iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT #规则7 #以下一行允许 192.168.1.63 来源的 IP 访问 TCP 22 端口(OpenSSH) iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT #规则8 #以下一行允许 192.168.1.3(发起SSH连接的系统对应网卡的IP) 来源的 IP 访问 TCP 22 端口(OpenSSH) #如果是在远程终端跑本脚本,最好开启以下一行以防被踢掉 #另一种更加简便的方式:iptables -I INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT #规则9 #以下一行允许 192.168.1.26 来源的 IP 访问 UDP 161 端口(SNMP) iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT #规则10 #配置 NAT #启用内核路由转发功能 echo 1 > /proc/sys/net/ipv4/ip_forward echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf sysctl -p &>/dev/null #配置源地址转换 SNAT #将 192.168.2.0/24 转换成 192.168.1.63 iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63 #规则11 #配置目的地址转换 DNAT #将 192.168.1.63 的 80 端口请求转发到 192.168.2.2 的 80 端口 iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80 #规则12 #以下一行禁止所有其他的进入流量 iptables -A INPUT -j DROP #规则13 #以下一行允许本机响应规则编号为 1-12 的数据包发出 iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT #规则14 #以下一行禁止本机主动发出外部连接 iptables -A OUTPUT -j DROP #规则15 #以下一行禁止本机转发数据包 iptables -A FORWARD -j DROP #规则16 #固化 iptables iptables-save > /etc/sysconfig/iptables [root@Jaking ~]# chmod 755 iptables.sh
测试
[root@Jaking ~]# ./iptables.sh [root@Jaking ~]# [root@Jaking ~]# [root@Jaking ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- localhost localhost ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT udp -- anywhere anywhere multiport dports http,https ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state ESTABLISHED DROP all -- anywhere anywhere [root@Jaking ~]# iptables -L --line-number Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere 2 ACCEPT all -- localhost localhost 3 ACCEPT icmp -- anywhere anywhere icmp echo-request 4 ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed 5 ACCEPT tcp -- anywhere anywhere tcp dpt:http 6 ACCEPT tcp -- anywhere anywhere tcp dpt:https 7 ACCEPT udp -- anywhere anywhere multiport dports http,https 8 ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh 9 ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh 10 ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp 11 DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere state ESTABLISHED 2 DROP all -- anywhere anywhere [root@Jaking ~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63 [root@Jaking ~]# iptables -t nat -L --line-number Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80 Chain INPUT (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
iptables 的清空和恢复
[root@Jaking ~]# iptables -F [root@Jaking ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@Jaking ~]# iptables -t nat -F [root@Jaking ~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination [root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables [root@Jaking ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- localhost localhost ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT udp -- anywhere anywhere multiport dports http,https ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state ESTABLISHED DROP all -- anywhere anywhere [root@Jaking ~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
感谢各位的阅读!关于“超级实用的iptables防火墙脚本怎么用”这篇文章就分享到这里了,希望以上内容可以对大家有一定的帮助,让大家可以学到更多知识,如果觉得文章不错,可以把它分享出去让更多的人看到吧!
当前文章:超级实用的iptables防火墙脚本怎么用
标题网址:http://pwwzsj.com/article/gdipdo.html