您好,登錄后才能下訂單哦!
這篇文章給大家分享的是有關(guān)超級(jí)實(shí)用的iptables防火墻腳本怎么用的內(nèi)容。小編覺(jué)得挺實(shí)用的,因此分享給大家做個(gè)參考,一起跟隨小編過(guò)來(lái)看看吧。
創(chuàng)建 iptables.sh 腳本
[root@Jaking ~]# vim iptables.sh #!/bin/bash #清空 filter 表和 nat 表 iptables -F iptables -t nat -F #關(guān)掉 firewalld systemctl stop firewalld &>/dev/null systemctl disable firewalld &>/dev/null #以下兩行允許某些調(diào)用 localhost 的應(yīng)用訪問(wèn) iptables -A INPUT -i lo -j ACCEPT #規(guī)則1 iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #規(guī)則2 #以下一行允許從其他地方 ping iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #規(guī)則3 #以下一行允許從其他主機(jī)、網(wǎng)絡(luò)設(shè)備發(fā)送 MTU 調(diào)整的報(bào)文 #在一些情況下,例如通過(guò) IPSec VPN 隧道時(shí),主機(jī)的 MTU 需要?jiǎng)討B(tài)減小 iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT #規(guī)則4 #以下兩行分別允許所有來(lái)源訪問(wèn) TCP 80,443 端口 iptables -A INPUT -p tcp --dport 80 -j ACCEPT #規(guī)則5 iptables -A INPUT -p tcp --dport 443 -j ACCEPT #規(guī)則6 #以下一行允許所有來(lái)源訪問(wèn) UDP 80,443 端口 iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT #規(guī)則7 #以下一行允許 192.168.1.63 來(lái)源的 IP 訪問(wèn) TCP 22 端口(OpenSSH) iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT #規(guī)則8 #以下一行允許 192.168.1.3(發(fā)起SSH連接的系統(tǒng)對(duì)應(yīng)網(wǎng)卡的IP) 來(lái)源的 IP 訪問(wèn) TCP 22 端口(OpenSSH) #如果是在遠(yuǎn)程終端跑本腳本,最好開啟以下一行以防被踢掉 #另一種更加簡(jiǎn)便的方式:iptables -I INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT #規(guī)則9 #以下一行允許 192.168.1.26 來(lái)源的 IP 訪問(wèn) UDP 161 端口(SNMP) iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT #規(guī)則10 #配置 NAT #啟用內(nèi)核路由轉(zhuǎn)發(fā)功能 echo 1 > /proc/sys/net/ipv4/ip_forward echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf sysctl -p &>/dev/null #配置源地址轉(zhuǎn)換 SNAT #將 192.168.2.0/24 轉(zhuǎn)換成 192.168.1.63 iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63 #規(guī)則11 #配置目的地址轉(zhuǎn)換 DNAT #將 192.168.1.63 的 80 端口請(qǐng)求轉(zhuǎn)發(fā)到 192.168.2.2 的 80 端口 iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80 #規(guī)則12 #以下一行禁止所有其他的進(jìn)入流量 iptables -A INPUT -j DROP #規(guī)則13 #以下一行允許本機(jī)響應(yīng)規(guī)則編號(hào)為 1-12 的數(shù)據(jù)包發(fā)出 iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT #規(guī)則14 #以下一行禁止本機(jī)主動(dòng)發(fā)出外部連接 iptables -A OUTPUT -j DROP #規(guī)則15 #以下一行禁止本機(jī)轉(zhuǎn)發(fā)數(shù)據(jù)包 iptables -A FORWARD -j DROP #規(guī)則16 #固化 iptables iptables-save > /etc/sysconfig/iptables [root@Jaking ~]# chmod 755 iptables.sh
測(cè)試
[root@Jaking ~]# ./iptables.sh [root@Jaking ~]# [root@Jaking ~]# [root@Jaking ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- localhost localhost ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT udp -- anywhere anywhere multiport dports http,https ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state ESTABLISHED DROP all -- anywhere anywhere [root@Jaking ~]# iptables -L --line-number Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere 2 ACCEPT all -- localhost localhost 3 ACCEPT icmp -- anywhere anywhere icmp echo-request 4 ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed 5 ACCEPT tcp -- anywhere anywhere tcp dpt:http 6 ACCEPT tcp -- anywhere anywhere tcp dpt:https 7 ACCEPT udp -- anywhere anywhere multiport dports http,https 8 ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh 9 ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh 10 ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp 11 DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere state ESTABLISHED 2 DROP all -- anywhere anywhere [root@Jaking ~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63 [root@Jaking ~]# iptables -t nat -L --line-number Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80 Chain INPUT (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
iptables 的清空和恢復(fù)
[root@Jaking ~]# iptables -F [root@Jaking ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@Jaking ~]# iptables -t nat -F [root@Jaking ~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination [root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables [root@Jaking ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- localhost localhost ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT udp -- anywhere anywhere multiport dports http,https ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state ESTABLISHED DROP all -- anywhere anywhere [root@Jaking ~]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
感謝各位的閱讀!關(guān)于“超級(jí)實(shí)用的iptables防火墻腳本怎么用”這篇文章就分享到這里了,希望以上內(nèi)容可以對(duì)大家有一定的幫助,讓大家可以學(xué)到更多知識(shí),如果覺(jué)得文章不錯(cuò),可以把它分享出去讓更多的人看到吧!
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。