#!/bin/bash
#write by Ethan xie 2011/05/04
#email: ethan225@163.com
#init settings
# Host firewall / gateway rule set: hardens a few IPv4 kernel knobs, then
# rebuilds the iptables filter table from scratch. Needs root privileges.
# Both interface names are exported so the hook scripts invoked later
# (iptables.deny / .allow / .http) can refer to them.
export EXTIF="eth1"   # wan interface
export INIF="eth0"    # lan interface
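#kernel settings
#######################################
# Write one value into each of the given /proc/sys files.
# Arguments: $1 - value to write
#            $2.. - target files; an unmatched glob (the literal pattern
#                   left in the list) is skipped instead of being "written"
# Outputs:   one diagnostic on stderr per file that could not be written
# Returns:   0 if every existing target was written, 1 otherwise
#######################################
set_proc() {
  local value=$1 target rv=0
  shift
  for target in "$@"; do
    # -e filters out the unexpanded glob pattern and missing knobs.
    [ -e "$target" ] || continue
    if ! { printf '%s\n' "$value" > "$target"; } 2>/dev/null; then
      printf 'warning: cannot set %s\n' "$target" >&2
      rv=1
    fi
  done
  return "$rv"
}
# SYN cookies: keep accepting connections while the SYN backlog is flooded.
set_proc 1 /proc/sys/net/ipv4/tcp_syncookies
# Do not answer pings sent to a broadcast address (amplification source).
set_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Reverse-path filtering on every interface (the glob also covers "all" and
# "default"): drop packets whose source is not routable back the way they came.
set_proc 1 /proc/sys/net/ipv4/conf/*/rp_filter
# Log packets with impossible source addresses.
set_proc 1 /proc/sys/net/ipv4/conf/*/log_martians
# Ignore source-routed packets and ICMP redirects, and never emit redirects:
# this host decides its own routes.
set_proc 0 /proc/sys/net/ipv4/conf/*/accept_source_route
set_proc 0 /proc/sys/net/ipv4/conf/*/accept_redirects
set_proc 0 /proc/sys/net/ipv4/conf/*/send_redirects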
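#Iptables settings
# System binary directories go first so that an entry inherited in PATH
# cannot shadow iptables/sh while this runs as root; the old PATH is kept after them.
PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH; export PATH
# Start from an empty filter table: flush rules, delete user chains, zero counters.
# NOTE: only the filter table is reset here; nat/mangle entries from an
# earlier run are left untouched.
iptables -F
iptables -X
iptables -Z
# Default-deny inbound. OUTPUT and FORWARD stay open: nothing in this script
# restricts forwarded traffic, so if this host routes between $INIF and $EXTIF
# the FORWARD chain needs its own rules.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Only RELATED here; ESTABLISHED is accepted further down, after the deny
# hooks, so hook DROP rules also apply to connections that are already open.
iptables -A INPUT -m state --state RELATED -j ACCEPT
# Drop *new* TCP connections arriving from a privileged source port on the WAN
# (deny 1-1023 port access). The NEW match matters: replies to connections this
# host opened towards a WAN service on e.g. port 80 also carry a low source
# port and were dropped here before the ESTABLISHED accept below was reached.
iptables -A INPUT -p tcp -i "$EXTIF" --sport 1:1023 -m state --state NEW -j DROP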
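#Other script to control other ip access this pc
# Optional hook scripts, run in this order if present in /usr/local/virus/iptables:
#   iptables.deny  - DROP rules for blacklisted addresses, e.g.
#                    iptables -A INPUT -i $EXTIF -s 140.116.43.0/24 -j DROP
#   iptables.allow - ACCEPT rules for whitelisted addresses, e.g.
#                    iptables -A INPUT -i $EXTIF -s 140.116.43.0/24 -j ACCEPT
#   iptables.http  - DROP rules for addresses that produced httpd errors
# Each file starts with #!/bin/bash and is chmod 700; $EXTIF/$INIF reach it
# through the environment. The hooks run before the ESTABLISHED accept below,
# so a deny rule also cuts off connections that are already open.
#######################################
# Run one optional hook script if it exists.
# The hooks are executable configuration run with this script's privileges,
# so a hook that another user could edit would let that user inject rules;
# files not owned by the caller or writable by group/others are skipped.
# Arguments: $1 - path of the hook script
# Outputs:   a diagnostic on stderr when a hook is skipped; the hook's own output
# Returns:   0 if the hook is absent or ran successfully, 1 if it was skipped
#            for ownership/permission reasons, otherwise the hook's exit status
#######################################
run_hook() {
  local hook=$1
  [ -f "$hook" ] || return 0
  if [ ! -O "$hook" ] \
    || [ -n "$(find "$hook" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
    printf 'skipping %s: must be owned by the caller and not group/world-writable\n' "$hook" >&2
    return 1
  fi
  # The documented hook header is #!/bin/bash, so run it with bash rather than sh.
  bash "$hook"
}
HOOK_DIR=/usr/local/virus/iptables
run_hook "$HOOK_DIR/iptables.deny"
run_hook "$HOOK_DIR/iptables.allow"
run_hook "$HOOK_DIR/iptables.http"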
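# Accept packets of connections this host already has open. Placed after the
# hook scripts so that their DROP rules are evaluated first.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
#allow icmp
# ICMP types accepted from the WAN: 0 echo-reply, 3 destination-unreachable
# (3/4 = fragmentation-needed, required for path-MTU discovery), 4 source-quench,
# 11 time-exceeded, 12 parameter-problem, 14 timestamp-reply, 16 info-reply,
# 18 address-mask-reply. Type 8 (echo-request) is not listed, so pings from the
# WAN fall through to the INPUT DROP policy unless an allow hook accepted them.
AICMP="0 3 3/4 4 11 12 14 16 18"
# shellcheck disable=SC2086 — AICMP is a deliberately space-separated list
for tyicmp in $AICMP; do
  iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done
#other service
# Every TCP service is reachable from the LAN subnet via the LAN interface.
LANNET="192.168.1.0/24"
iptables -A INPUT -p tcp -i "$INIF" -s "$LANNET" -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Services exposed on the WAN interface: HTTP, tcp 8000/8010 and udp 8080.
iptables -A INPUT -p tcp -i "$EXTIF" --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Replies from WAN DNS servers (access wan dns server). A reply is never NEW,
# so these two rules are already covered by the RELATED/ESTABLISHED accepts
# above; they are kept as documentation of the intended traffic.
iptables -A INPUT -p tcp -i "$EXTIF" --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i "$EXTIF" --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i "$EXTIF" --dport 8000 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i "$EXTIF" --dport 8010 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i "$EXTIF" --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT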