日日操夜夜添-日日操影院-日日草夜夜操-日日干干-精品一区二区三区波多野结衣-精品一区二区三区高清免费不卡

公告:魔扣目錄網為廣大站長提供免費收錄網站服務,提交前請做好本站友鏈:【 網站目錄:http://www.ylptlb.cn 】, 免友鏈快審服務(50元/站),

點擊這里在線咨詢客服
新站提交
  • 網站:51998
  • 待審:31
  • 小程序:12
  • 文章:1030137
  • 會員:747

超級實用的 iptables 防火墻腳本

發布時間:2023-07-03 13:55:51 作者:網友整理

本文檔詳細介紹生產環境中超級實用的iptables腳本。

創建 iptables.sh 腳本

[root@Jaking ~]# vim iptables.sh 
#!/bin/bash

#清空 filter 表和 nat 表
iptables -F
iptables -t nat -F

#關掉 firewalld
systemctl stop firewalld &>/dev/null
systemctl disable firewalld &>/dev/null

#以下兩行允許某些調用 localhost 的應用訪問
iptables -A INPUT -i lo -j ACCEPT #規則1
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #規則2

#以下一行允許從其他地方 ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #規則3

#以下一行允許從其他主機、網絡設備發送 MTU 調整的報文
#在一些情況下,例如通過 IPSec VPN 隧道時,主機的 MTU 需要動態減小
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT #規則4

#以下兩行分別允許所有來源訪問 TCP 80,443 端口
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #規則5
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #規則6

#以下一行允許所有來源訪問 UDP 80,443 端口
iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT #規則7

#以下一行允許 192.168.1.63 來源的 IP 訪問 TCP 22 端口(OpenSSH)
iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT #規則8

#以下一行允許 192.168.1.3(發起SSH連接的系統對應網卡的IP) 來源的 IP 訪問 TCP 22 端口(OpenSSH)
#如果是在遠程終端跑本腳本,最好開啟以下一行以防被踢掉
#另一種更加簡便的方式:iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT #規則9

#以下一行允許 192.168.1.26 來源的 IP 訪問 UDP 161 端口(SNMP)
iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT #規則10

#配置 NAT
#啟用內核路由轉發功能
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
sysctl -p &>/dev/null

#配置源地址轉換 SNAT 
#將 192.168.2.0/24 轉換成 192.168.1.63
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63 #規則11

#配置目的地址轉換 DNAT
#將 192.168.1.63 的 80 端口請求轉發到 192.168.2.2 的 80 端口
iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80 #規則12

#以下一行禁止所有其他的進入流量
iptables -A INPUT -j DROP #規則13

#以下一行允許本機響應規則編號為 1-12 的數據包發出
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT #規則14

#以下一行禁止本機主動發出外部連接
iptables -A OUTPUT -j DROP #規則15

#以下一行禁止本機轉發數據包 
iptables -A FORWARD -j DROP #規則16

#固化 iptables
iptables-save > /etc/sysconfig/iptables

[root@Jaking ~]# chmod 755 iptables.sh

測試

[root@Jaking ~]# ./iptables.sh 
[root@Jaking ~]# 
[root@Jaking ~]# 
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  localhost            localhost           
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       all  --  anywhere             anywhere            
[root@Jaking ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            
2    ACCEPT     all  --  localhost            localhost           
3    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
4    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
7    ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
8    ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
9    ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
10   ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
11   DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
2    DROP       all  --  anywhere             anywhere            
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63
[root@Jaking ~]# iptables -t nat -L --line-number
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63

iptables 的清空和恢復

[root@Jaking ~]# iptables -F
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@Jaking ~]# iptables -t nat -F
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination 
[root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  localhost            localhost           
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       all  --  anywhere             anywhere            
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63

總結

以上就是生產環境中超級實用的iptables腳本,這個腳本可以直接拿去用,不過請謹慎操作!

本文原創地址:https://www.linuxprobe.com/super-practical-iptables.html編輯:傳棋,審核員:逄增寶

分享到:
標簽:防火墻 iptables
用戶無頭像

網友整理

注冊時間:

網站:5 個   小程序:0 個  文章:12 篇

  • 51998

    網站

  • 12

    小程序

  • 1030137

    文章

  • 747

    會員

趕快注冊賬號,推廣您的網站吧!
最新入駐小程序

數獨大挑戰2018-06-03

數獨一種數學游戲,玩家需要根據9

答題星2018-06-03

您可以通過答題星輕松地創建試卷

全階人生考試2018-06-03

各種考試題,題庫,初中,高中,大學四六

運動步數有氧達人2018-06-03

記錄運動步數,積累氧氣值。還可偷

每日養生app2018-06-03

每日養生,天天健康

體育訓練成績評定2018-06-03

通用課目體育訓練成績評定