超级实用的 iptables 防火墙脚本

作者: 老率的IT私房菜 | 来源:发表于2020-04-28 13:33 被阅读0次

超级实用的 iptables 防火墙脚本
《日子》.linux篇章－最实用常用linux操作
Linux防火墙iptables的策略
Linux常用命令-查看防火墙状态及开启关闭命令
linux防火墙查看状态firewall、iptable
linux防火墙
20171018 Linux防火墙
CentOS 笔记之LNMP的安装（4）
iptables
centos中iptables和firewall防火墙开启、关闭

本文档详细介绍生产环境中超级实用的iptables脚本。

创建 iptables.sh 脚本

[root@Jaking ~]# vim iptables.sh

#!/bin/bash

#清空 filter 表和 nat 表

iptables -F

iptables -t nat -F

#关掉 firewalld

systemctl stop firewalld &>/dev/null

systemctl disable firewalld &>/dev/null

#以下两行允许某些调用 localhost 的应用访问

iptables -A INPUT -i lo -j ACCEPT #规则1

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #规则2

#以下一行允许从其他地方 ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #规则3

#以下一行允许从其他主机、网络设备发送 MTU 调整的报文

#在一些情况下，例如通过 IPSec VPN 隧道时，主机的 MTU 需要动态减小

iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT #规则4

#以下两行分别允许所有来源访问 TCP 80,443 端口

iptables -A INPUT -p tcp --dport 80 -j ACCEPT #规则5

iptables -A INPUT -p tcp --dport 443 -j ACCEPT #规则6

#以下一行允许所有来源访问 UDP 80,443 端口

iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT #规则7

#以下一行允许 192.168.1.63 来源的 IP 访问 TCP 22 端口(OpenSSH)

iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT #规则8

#以下一行允许 192.168.1.3(发起SSH连接的系统对应网卡的IP) 来源的 IP 访问 TCP 22 端口(OpenSSH)

#如果是在远程终端跑本脚本，最好开启以下一行以防被踢掉

#另一种更加简便的方式：iptables -I INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT #规则9

#以下一行允许 192.168.1.26 来源的 IP 访问 UDP 161 端口(SNMP)

iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT #规则10

#配置 NAT

#启用内核路由转发功能

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf

sysctl -p &>/dev/null

#配置源地址转换 SNAT

#将 192.168.2.0/24 转换成 192.168.1.63

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63 #规则11

#配置目的地址转换 DNAT

#将 192.168.1.63 的 80 端口请求转发到 192.168.2.2 的 80 端口

iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80 #规则12

#以下一行禁止所有其他的进入流量

iptables -A INPUT -j DROP #规则13

#以下一行允许本机响应规则编号为 1-12 的数据包发出

iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT #规则14

#以下一行禁止本机主动发出外部连接

iptables -A OUTPUT -j DROP #规则15

#以下一行禁止本机转发数据包

iptables -A FORWARD -j DROP #规则16

#固化 iptables

iptables-save > /etc/sysconfig/iptables

[root@Jaking ~]# chmod 755 iptables.sh

测试

[root@Jaking ~]# ./iptables.sh

[root@Jaking ~]#

[root@Jaking ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT all -- localhost localhost

ACCEPT icmp -- anywhere anywhere icmp echo-request

ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT udp -- anywhere anywhere multiport dports http,https

ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh

ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh

ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp

DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere state ESTABLISHED

DROP all -- anywhere anywhere

[root@Jaking ~]# iptables -L --line-number

Chain INPUT (policy ACCEPT)

num target prot opt source destination

1 ACCEPT all -- anywhere anywhere

2 ACCEPT all -- localhost localhost

3 ACCEPT icmp -- anywhere anywhere icmp echo-request

4 ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed

5 ACCEPT tcp -- anywhere anywhere tcp dpt:http

6 ACCEPT tcp -- anywhere anywhere tcp dpt:https

7 ACCEPT udp -- anywhere anywhere multiport dports http,https

8 ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh

9 ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh

10 ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp

11 DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)

num target prot opt source destination

1 DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

num target prot opt source destination

1 ACCEPT all -- anywhere anywhere state ESTABLISHED

2 DROP all -- anywhere anywhere

[root@Jaking ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63

[root@Jaking ~]# iptables -t nat -L --line-number

Chain PREROUTING (policy ACCEPT)

num target prot opt source destination

1 DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)

num target prot opt source destination

Chain OUTPUT (policy ACCEPT)

num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

num target prot opt source destination

1 SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63

iptables 的清空和恢复

[root@Jaking ~]# iptables -F

[root@Jaking ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@Jaking ~]# iptables -t nat -F

[root@Jaking ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

[root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables

[root@Jaking ~]# iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere

ACCEPT all -- localhost localhost

ACCEPT icmp -- anywhere anywhere icmp echo-request

ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed

ACCEPT tcp -- anywhere anywhere tcp dpt:http

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT udp -- anywhere anywhere multiport dports http,https

ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh

ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh

ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp

DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)

target prot opt source destination

DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere state ESTABLISHED

DROP all -- anywhere anywhere

[root@Jaking ~]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63

总结

以上就是生产环境中超级实用的iptables脚本，这个脚本可以直接拿去用，不过请谨慎操作！

本文原创地址：https://www.linuxprobe.com/super-practical-iptables.html编辑：传棋，审核员：逄增宝

网友评论

本文标题：超级实用的 iptables 防火墙脚本

本文链接：https://www.haomeiwen.com/subject/ipyvwhtx.html

延伸阅读

深度阅读

您也可以注册成为美文阅读网的作者，发表您的原创作品、分享您的心情！

超级实用的 iptables 防火墙脚本

相关文章