
shell脚本简单配置iptables

时间:2016-06-04 21:56来源:linux.it.net.cn 作者:IT
要放假了,今天实在是闲得蛋疼,本来只想写个配置iptables的脚本的,没想到被自己搞得这么复杂了,还是分享出来给大家,有兴趣的可以自己再改改.
  PS: 本脚本只支持 CentOS 5 和 CentOS 6,不支持 CentOS 7,脚本内也做了版本限制。
脚本内容:
cat /root/soft_shell/setiptables.sh  
 
001 #!/bin/sh
002 # By rocdk890
003 # http://blog.slogra.com
# Fixed search path so the service tools below resolve predictably even
# when invoked from cron or a minimal environment.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
006  
007 #Begin
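#######################################
# Flush every table, then install a default-deny INPUT/FORWARD policy that
# still admits loopback, the detected sshd port(s), HTTP, ICMP echo requests
# and established/related traffic, and prepend DROP rules for the DShield
# block list.
# Globals:   sshport, chlsb, version, BADIPS (written)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exits 1 when not run as root, when the platform is not CentOS
#            5/6, or when the sshd port cannot be determined, so the DROP
#            policy is never installed without a matching ssh ACCEPT rule
#######################################
start(){
    # Require root to run this script.
    # [ ] rather than [[ ]]: the shebang is /bin/sh, not bash.
    echo "  check user......"
    if [ "$(id -u)" != 0 ];then
      echo "Please run this script as root !"
      exit 1
    fi
    echo "  check lsb_release....."
    chlsb=$(rpm -qa|grep -c redhat-lsb)
    if [ "$chlsb" -ge 1 ];then
      echo "  has installed redhat-lsb."
    else
      echo "  no found. install redhat-lsb......"
      yum -y install redhat-lsb
    fi
    #===============================================================================
    #this script is only for CentOS 5 and CentOS 6
    #check the OS
    #===============================================================================
    version=$(lsb_release -r |awk '{print substr($2,1,1)}')
    # The original test used "!= 5 || != 6", which is true for every value
    # and therefore never rejected a platform; accept only 5 or 6.
    if [ "$version" = 5 ] || [ "$version" = 6 ];then
      echo "the platform is ok !"
    else
      echo "this script is only for CentOS 5 or CentOS 6 !"
      exit 1
    fi

    # Determine the sshd listening port(s) BEFORE any rule is touched: once
    # the INPUT policy is DROP, an empty or malformed port means the current
    # session is the last one. Stripping up to the last ':' handles both the
    # 0.0.0.0:22 and the :::22 address forms.
    sshport=$(netstat -ntlp | awk '/sshd/ {sub(/.*:/,"",$4); print $4}' | sort -u)
    if [ -z "$sshport" ];then
      echo "cannot determine the sshd port, refusing to set a DROP policy !"
      exit 1
    fi
    for port in $sshport
    do
      case "$port" in
        *[!0-9]*)
          echo "unexpected sshd port '$port', refusing to set a DROP policy !"
          exit 1
          ;;
      esac
    done

    #iptables setting
    echo "Iptables Setting..."
    /sbin/iptables -P INPUT ACCEPT
    # flush all rules in filter, nat and mangle
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -F -t nat
    /sbin/iptables -X -t nat
    /sbin/iptables -Z -t nat
    /sbin/iptables -X -t mangle
    # allow loopback so local services stay reachable via 127.0.0.1
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    # DNS and NTP replies to our own queries are matched by the
    # ESTABLISHED,RELATED rule below. An unconditional "--sport 53/123 ACCEPT"
    # would admit any UDP packet that merely claims that source port, so the
    # two source-port rules of the original are deliberately not installed.
    # rate-limit inbound fragments and new connection attempts
    /sbin/iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
    #/sbin/iptables -A INPUT -p icmp -m limit --limit 12/min --limit-burst 5 -j DROP
    # rate-limit forwarded fragments and new connection attempts
    /sbin/iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
    # open the ssh port(s) detected above
    for port in $sshport
    do
      /sbin/iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # open the default web port 80
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # open the default https port 443
    #/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    # allow a given source ip on a given port (example)
    #/sbin/iptables -A INPUT -p tcp -s 100.240.143.33 --dport 8080 -j ACCEPT
    # allow ping
    /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # accept packets belonging to connections we already track
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -m state --state INVALID,NEW -j DROP
    # drop everything not matched above
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP

    # DShield block list. It is fetched over plain HTTP, so nothing here can
    # verify its integrity; -f keeps HTTP error pages out of the parser, and
    # the grep keeps only dotted-quad/prefix entries so that no other line of
    # the feed can ever become an iptables argument.
    BADIPS=$(curl -sf http://feeds.dshield.org/block.txt | awk '/^[1-9]/ {print $1 "/" $3}' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$')
    if [ "$BADIPS" ];then
        for ip in $BADIPS
        do
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        done
    fi
}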
085  
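#######################################
# Flush the filter table, return every chain policy to ACCEPT and stop the
# iptables service.
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
stop(){
    echo "Cleaning your Iptables:..."
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    # start() also sets FORWARD to DROP; reset it as well, otherwise "stop"
    # leaves forwarding blocked.
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    # Test the command status directly: [ "$?" == "0" ] is not POSIX and
    # errors out under /bin/sh implementations such as dash.
    if /etc/init.d/iptables stop;then
        echo "Done!"
    fi
}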
098  
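#######################################
# Persist the running rule set through the iptables init script and reload
# it.
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   1 when saving fails; the service is then NOT restarted, because
#            restart reloads the saved file and would discard the rules
#            start() just installed
#######################################
save(){
    echo "Save your Iptables:..."
    if /etc/init.d/iptables save;then
        /etc/init.d/iptables restart
    else
        echo "saving iptables failed, keeping the running rules !"
        return 1
    fi
}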
104  
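# Entry point: dispatch on the first argument. "restart" and "save" only
# proceed to the second step when the first succeeded; anything else prints
# usage and exits 1.
case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
restart)
    stop && start
    ;;
save)
    start && save
    ;;
*)
    # printf instead of echo $"...": the $"..." locale quoting is a bashism
    # that /bin/sh prints literally; usage is a diagnostic, so it goes to stderr.
    printf 'Usage: %s {start|stop|restart|save}\n' "$0" >&2
    exit 1
    ;;
esac
exit 0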
123 #End

