Linux下firewall简易设置
时间:2016-03-24 22:06 来源:linux.it.net.cn 作者:IT
iptables.rule为firewall总规则;
iptables.allow为充许进入的主机;
iptables.deny为不许放的主机;
iptables.allow代码如下:
#!/bin/bash
# This is an esay firewall.
# the inside interface. if you don't have this one
# and you must let this be black ex> INIF=""
INIF="eth0"
INNET="192.168.160.0/20"
# 2.0 load the right module
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
modprobe ip_tables > /dev/null 2>&1
modprobe iptable_nat > /dev/null 2>&1
modprobe ip_nat_ftp > /dev/null 2>&1
modprobe ip_nat_irc > /dev/null 2>&1
modprobe ip_conntrack > /dev/null 2>&1
modprobe ip_conntrack_ftp > /dev/null 2>&1
modprobe ip_conntrack_irc > /dev/null 2>&1
# 3.0 clear iptables rule
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# 4.0 start loading trusted and denied file.
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
sh /usr/local/virus/iptables/iptables.deny
fi
# 5.0 if the following file exist ,please executed
if [ -f /usr/local/virus/httpd-err/iptables.http ];then
sh /usr/local/virus/httpd-err/iptables.http
fi
# 6.0 allow icmp data packet and the establishd data
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
/sbin/iptables -A INPUT -i $EXTIF="eth0" -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 7.0 open the other service ports
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 25 -j ACCEPT # SMTP
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 53 -j ACCEPT # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 80 -j ACCEPT # WWW
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 110 -j ACCEPT # POP3
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 113 -j ACCEPT #AUTH
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 22222 -j ACCEPT #SSH
/sbin/iptables -A INPUT -p UDP -i $EXTIF="eth0" --dport 138 -j ACCEPT #138
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 139 -j ACCEPT #139
/sbin/iptables -A INPUT -p UDP -i $EXTIF="eth0" --dport 137 -j ACCEPT #137
/sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 445 -j ACCEPT #445
iptables.allow代码如下
#!/bin/bash
# this program is used to allow some IP or hosts to access your server
/sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.161.242 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.160.178 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.160.218 -j ACCEPT
iptables.deny代码如下
#! /bin/bash
# This script will deny some IPs that I don't want in IN
/sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.160.242 -j DROP
以上的三个文件都放在/usr/local/virus/iptables目录下,最在修改此文件/etc/rc.d/rc.local成如下代码
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
#1. Starting firewall settings
/usr/local/virus/iptables/iptables.rule
以上就是linux下firewall简易设置啦。
(责任编辑:IT)
| iptables.rule为firewall总规则; iptables.allow为充许进入的主机; iptables.deny为不许放的主机; iptables.allow代码如下: #!/bin/bash # This is an esay firewall. # the inside interface. if you don't have this one # and you must let this be black ex> INIF="" INIF="eth0" INNET="192.168.160.0/20" # 2.0 load the right module PATH=/sbin:/bin:/usr/sbin:/usr/bin export PATH EXTIF INIF INNET modprobe ip_tables > /dev/null 2>&1 modprobe iptable_nat > /dev/null 2>&1 modprobe ip_nat_ftp > /dev/null 2>&1 modprobe ip_nat_irc > /dev/null 2>&1 modprobe ip_conntrack > /dev/null 2>&1 modprobe ip_conntrack_ftp > /dev/null 2>&1 modprobe ip_conntrack_irc > /dev/null 2>&1 # 3.0 clear iptables rule /sbin/iptables -F /sbin/iptables -X /sbin/iptables -Z /sbin/iptables -F -t nat /sbin/iptables -X -t nat /sbin/iptables -Z -t nat /sbin/iptables -P INPUT DROP /sbin/iptables -P OUTPUT ACCEPT /sbin/iptables -P FORWARD ACCEPT /sbin/iptables -t nat -P PREROUTING ACCEPT /sbin/iptables -t nat -P POSTROUTING ACCEPT /sbin/iptables -t nat -P OUTPUT ACCEPT # 4.0 start loading trusted and denied file. if [ -f /usr/local/virus/iptables/iptables.allow ]; then sh /usr/local/virus/iptables/iptables.allow fi if [ -f /usr/local/virus/iptables/iptables.deny ]; then sh /usr/local/virus/iptables/iptables.deny fi # 5.0 if the following file exist ,please executed if [ -f /usr/local/virus/httpd-err/iptables.http ];then sh /usr/local/virus/httpd-err/iptables.http fi # 6.0 allow icmp data packet and the establishd data /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT AICMP="0 3 3/4 4 11 12 14 16 18" for tyicmp in $AICMP do /sbin/iptables -A INPUT -i $EXTIF="eth0" -p icmp --icmp-type $tyicmp -j ACCEPT done # 7.0 open the other service ports /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 25 -j ACCEPT # SMTP /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 53 -j ACCEPT # DNS /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 80 -j ACCEPT # WWW /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 110 -j ACCEPT # POP3 /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 113 -j ACCEPT #AUTH /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 22222 -j ACCEPT #SSH /sbin/iptables -A INPUT -p UDP -i $EXTIF="eth0" --dport 138 -j ACCEPT #138 /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 139 -j ACCEPT #139 /sbin/iptables -A INPUT -p UDP -i $EXTIF="eth0" --dport 137 -j ACCEPT #137 /sbin/iptables -A INPUT -p TCP -i $EXTIF="eth0" --dport 445 -j ACCEPT #445 iptables.allow代码如下 #!/bin/bash # this program is used to allow some IP or hosts to access your server /sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.161.242 -j ACCEPT /sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.160.178 -j ACCEPT /sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.160.218 -j ACCEPT iptables.deny代码如下 #! /bin/bash # This script will deny some IPs that I don't want in IN /sbin/iptables -A INPUT -i $EXTIF="eth0" -s 192.168.160.242 -j DROP 以上的三个文件都放在/usr/local/virus/iptables目录下,最在修改此文件/etc/rc.d/rc.local成如下代码 #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. touch /var/lock/subsys/local #1. Starting firewall settings /usr/local/virus/iptables/iptables.rule 以上就是linux下firewall简易设置啦。 (责任编辑:IT) |