A super-practical iptables firewall script
This article walks through a super-practical iptables script for production environments.
Creating iptables.sh
[root@Jaking ~]# vim iptables.sh
#!/bin/bash
# Flush the filter table and the nat table
iptables -F
iptables -t nat -F
# Stop firewalld so it does not fight with these rules
systemctl stop firewalld &>/dev/null
systemctl disable firewalld &>/dev/null
# The next two lines let applications that talk to localhost through (inbound side only;
# see the note at rule 15 for the outbound side)
iptables -A INPUT -i lo -j ACCEPT                                        # rule 1
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT                    # rule 2
# Allow ping from anywhere
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT             # rule 3
# Allow other hosts and network devices to send MTU adjustment (fragmentation-needed) messages.
# In some cases, e.g. across an IPsec VPN tunnel, the host's MTU has to shrink dynamically
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT     # rule 4
# The next two lines allow any source to reach TCP 80 and 443
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                            # rule 5
iptables -A INPUT -p tcp --dport 443 -j ACCEPT                           # rule 6
# Allow any source to reach UDP 80 and 443
iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT          # rule 7
# Allow source IP 192.168.1.63 to reach TCP 22 (OpenSSH)
iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT            # rule 8
# Allow source IP 192.168.1.3 (the IP of the NIC on the system that opens the SSH session) to reach TCP 22 (OpenSSH).
# If you run this script from a remote terminal, keep the next line enabled so you do not lock yourself out.
# A simpler alternative: iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT             # rule 9
# Allow source IP 192.168.1.26 to reach UDP 161 (SNMP)
iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT           # rule 10
# Configure NAT
# Enable kernel IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Persist it in a sysctl drop-in. The original line wrote with ">" to /etc/sysctl.conf,
# which silently discards every other setting in that file.
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ip_forward.conf
sysctl --system &>/dev/null
# Source NAT: translate 192.168.2.0/24 to 192.168.1.63
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63                        # rule 11
# Destination NAT: forward port 80 requests for 192.168.1.63 to 192.168.2.2:80.
# nat PREROUTING runs before the routing decision and before filter INPUT, so if 192.168.1.63 is this
# host's own address every port-80 packet for it is rewritten and goes to FORWARD; rule 5 never sees it.
iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80       # rule 12
# Drop all other inbound traffic
iptables -A INPUT -j DROP                                                # rule 13
# Let the host send the replies belonging to connections accepted by rules 1-12
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT                # rule 14
# Forbid the host from initiating outbound connections.
# This also drops the first (NEW) packet of a connection to localhost, so rules 1 and 2 alone do not
# make localhost connections work; add "iptables -A OUTPUT -o lo -j ACCEPT" above this line if needed.
iptables -A OUTPUT -j DROP                                               # rule 15
# Forbid the host from forwarding packets.
# Translated packets from rules 11 and 12 traverse FORWARD, so with this rule alone the NAT rules
# never pass any traffic; to use them, ACCEPT those flows in FORWARD before this DROP.
iptables -A FORWARD -j DROP                                              # rule 16
# Persist the rules (on CentOS 7 this file is loaded at boot by the iptables service from iptables-services)
iptables-save > /etc/sysconfig/iptables
[root@Jaking ~]# chmod 755 iptables.sh
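The script above appends rules one by one after a flush, so between `iptables -F` and rule 13 the host is wide open, and as noted in the comments the NAT rules (11 and 12) and outbound loopback traffic never get through. The following shell snippet is an added example and not code from the original post: it builds the same policy (same addresses and ports as the page) as an iptables-restore file so the whole ruleset is loaded atomically, with DROP default policies, conntrack matches, an OUTPUT rule for lo, and FORWARD rules that let the SNAT and DNAT flows pass. The variable names (ADMIN_HOSTS, SNMP_HOST, LAN, PUBLIC_IP, WEB_BACKEND, RULES_FILE) and the check_rules helper are assumptions of this example.

```bash
#!/bin/bash
# Added example: generate an iptables-restore ruleset equivalent to iptables.sh,
# check it without root, and load it atomically. Not part of the original post.
ADMIN_HOSTS="192.168.1.63 192.168.1.3"   # hosts allowed to SSH in (hypothetical variable name)
SNMP_HOST="192.168.1.26"                 # host allowed to poll SNMP
LAN="192.168.2.0/24"                     # network hidden behind SNAT
PUBLIC_IP="192.168.1.63"                 # SNAT source address / DNAT'ed address
WEB_BACKEND="192.168.2.2"                # DNAT target for port 80

# Print the ruleset in iptables-save format on stdout.
gen_rules() {
    local h
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT
EOF
    for h in $ADMIN_HOSTS; do
        echo "-A INPUT -p tcp -s $h --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p udp -s $SNMP_HOST --dport 161 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $WEB_BACKEND -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND:80
-A POSTROUTING -s $LAN -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Policy checks that need neither root nor iptables: both tables must be
# committed, and no INPUT rule may accept TCP 22 from an unrestricted source.
check_rules() {
    local rules="$1"
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -p tcp --dport 22 ' && return 1
    return 0
}

# Write the ruleset to RULES_FILE (default: the path iptables.sh persists to),
# parse it with --test, then load it in one atomic commit.
apply_rules() {
    local f="${RULES_FILE:-/etc/sysconfig/iptables}"
    local rules
    rules="$(gen_rules)"
    check_rules "$rules" || { echo "ruleset failed policy check" >&2; return 1; }
    printf '%s\n' "$rules" > "$f"
    iptables-restore --test < "$f" && iptables-restore < "$f"
}

# Usage: gen_rules | iptables-restore --test   (dry run, as root)
#        apply_rules                            (as root; replaces the live ruleset atomically)
```

Because iptables-restore applies each table in a single commit, there is no moment at which the chains are empty with an ACCEPT policy. The conntrack ESTABLISHED,RELATED rules replace the page's single ESTABLISHED rule on OUTPUT and also admit ICMP error messages tied to existing flows, which the original rule 14 silently drops.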
Testing
[root@Jaking ~]# ./iptables.sh
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost            localhost
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       all  --  anywhere             anywhere

[root@Jaking ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  localhost            localhost
3    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
4    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
7    ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
8    ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
9    ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
10   ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
11   DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
2    DROP       all  --  anywhere             anywhere

[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63

[root@Jaking ~]# iptables -t nat -L --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63
Flushing and restoring iptables
Flushing removes the rules but not the chain policies, and the script never changed those from ACCEPT, so between `iptables -F` and `iptables-restore` the host accepts everything. Do this only from a console or with the restore queued in the same command line.

[root@Jaking ~]# iptables -F
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@Jaking ~]# iptables -t nat -F
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

[root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost            localhost
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       all  --  anywhere             anywhere

[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63
Summary
That is the super-practical iptables script for production environments. It can be used as-is, but proceed with caution: run it from a console or with your own SSH source address allowed, and read the notes on rules 12, 15 and 16 before relying on the NAT or localhost behaviour.
Original address of this article: Editor: 傳棋, Reviewer: 逄增寶
From "ITPUB Blog", link: http://blog.itpub.net/31524109/viewspace-2688923/. If you reprint this, please credit the source; otherwise legal liability will be pursued.