设置Linux防火墙
设置 Linux 服务器防火墙的脚本：Web_iptables.sh
- 通过内网可访问服务器所有开放端口
- 给跳板机开放sshd端口连接服务器
- 信任 IP 开放所有端口
- 开放部分端口供外部访问
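#!/bin/bash
# Web_iptables.sh - host firewall for a web server.
#   * every port is reachable from the RFC 1918 network this host lives in
#   * jump hosts (TIAOBANJI) may reach sshd on TCP 16333
#   * trusted addresses (TRUST_IP) may reach every port
#   * a fixed set of TCP ports is reachable from any source
# Everything else inbound is dropped by the final INPUT policy; outbound is
# unrestricted, forwarding is dropped.
#
# Must run as root. Run it from the console or from an address that stays in
# TRUST_IP: the script ends with "-P INPUT DROP".

IPT=/sbin/iptables

# Print a message on stderr and abort. Used before the firewall is touched and
# when a rule fails to load, so a half-built rule set is never silently
# finished off with a DROP policy.
die() {
  printf 'Web_iptables.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# List every IPv4 address configured on this host, one per line.
# Handles both ifconfig output formats ("inet addr:10.0.0.1" from net-tools
# <2.0 and "inet 10.0.0.1" from >=2.0) and falls back to iproute2 when
# ifconfig is not installed.
# Outputs: dotted-quad addresses on stdout (nothing if neither tool exists)
#######################################
listIPv4Addrs() {
  if command -v ifconfig >/dev/null 2>&1; then
    ifconfig | awk '$1 == "inet" { ip = $2; sub(/^addr:/, "", ip); print ip }'
  elif command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show | awk '{ split($4, a, "/"); print a[1] }'
  fi
}

#######################################
# Print the RFC 1918 addresses of this host, one per line (10/8, 172.16/12
# and 192.168/16 only; loopback and public addresses are skipped).
# Outputs: private IPv4 addresses on stdout, in interface order
#######################################
getLocalInnerIP() {
  local theIP a b c d int_ip
  listIPv4Addrs | while IFS= read -r theIP; do
    IFS=. read -r a b c d <<<"$theIP"
    # Pack the four octets into one integer so the range checks are plain
    # numeric comparisons.
    int_ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    if (( int_ip >= 167772160 && int_ip <= 184549375 )); then
      # 10.0.0.0 (167772160) .. 10.255.255.255 (184549375)
      printf '%s\n' "$theIP"
    elif (( int_ip >= 2886729728 && int_ip <= 2887778303 )); then
      # 172.16.0.0 (2886729728) .. 172.31.255.255 (2887778303)
      printf '%s\n' "$theIP"
    elif (( int_ip >= 3232235520 && int_ip <= 3232301055 )); then
      # 192.168.0.0 (3232235520) .. 192.168.255.255 (3232301055)
      printf '%s\n' "$theIP"
    fi
  done
}

#######################################
# Map a private IPv4 address to the RFC 1918 block that contains it.
# The old "<first octet>.0.0.0/255.0.0.0" form trusted a whole /8, which for a
# 172.16.x.x or 192.168.x.x host also covers large public ranges.
# Arguments: $1 - an address already known to be RFC 1918
# Outputs:   10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 on stdout
# Returns:   1 (and prints nothing) for any other address
#######################################
rfc1918Block() {
  case "$1" in
    10.*) printf '%s\n' 10.0.0.0/8 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) printf '%s\n' 172.16.0.0/12 ;;
    192.168.*) printf '%s\n' 192.168.0.0/16 ;;
    *) return 1 ;;
  esac
}

# Apply one iptables rule, aborting on failure. Trusted sources are added
# first, so an abort still leaves them reachable, and the previous chain
# policy is untouched until the very end.
rule() {
  "$IPT" "$@" || die "iptables $* failed"
}

# Only the first private address is used to pick the LAN block (the original
# script took the first octet of the first address found).
innerIP=$(getLocalInnerIP | head -n 1)
[[ -n "$innerIP" ]] || die "no RFC 1918 address found on this host; firewall left unchanged"
LAN_IP=$(rfc1918Block "$innerIP") || die "cannot map $innerIP to a private block"

#tiaobanji - jump hosts allowed to reach sshd on 16333 (none enabled right now)
#TIAOBANJI=("218.17.152.189" "113.107.167.90" "58.253.68.90")
TIAOBANJI=()
#trust ip
ETL1=219.129.216.224
#guangzhou idc ip
yw1=43.230.88.130
#NAGIOS_IP=121.10.141.196
TRUST_IP=("$LAN_IP" "$ETL1" "$yw1" 121.10.141.196)

# Delete Any Existing Chains In Filter Table
rule -F -t filter
rule -X -t filter
rule -Z -t filter

### Allow TRUST IP: every port from LAN_IP, ETL1, yw1 and the nagios host
for TURST in "${TRUST_IP[@]}"; do
  rule -A INPUT -s "$TURST" -j ACCEPT
done

#tiaobanji - sshd only
for TBJ in "${TIAOBANJI[@]}"; do
  rule -A INPUT -s "$TBJ" -p tcp --dport 16333 -j ACCEPT
done

# localhost, replies to our own connections, and ICMP (all types, not only echo)
rule -A INPUT -p icmp -j ACCEPT
rule -A INPUT -i lo -j ACCEPT
rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### The ALL network for open ports
# NOTE(review): every port below is reachable from any source address;
# confirm that the 92xx/93xx/94xx/95xx and 900x services are meant to be
# public rather than LAN-only.
rule -A INPUT -p tcp -m multiport --dports 80,443,8080 -j ACCEPT
rule -A INPUT -p tcp -m multiport --dports 9202,9200,9300,9400,9500 -j ACCEPT
rule -A INPUT -p tcp -m multiport --dports 9001,9002,9003,9004,9005 -j ACCEPT

### The zabbix server
rule -A INPUT -s 113.107.166.246 -p tcp --dport 10050 -j ACCEPT

# Setting Default Policies, just accept output, drop any other
rule -P INPUT DROP
rule -P OUTPUT ACCEPT
rule -P FORWARD DROP

### save iptables
/etc/init.d/iptables save
exit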
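#!/bin/bash
# Host firewall: loopback, established/related traffic and ICMP are accepted,
# 120.25.153.31 may reach every port, TCP 36000 and 10050-10051 are reachable
# from any source, HTTP (80) is open to 183.14.0.0/16, and everything else
# inbound is dropped by the last rule. Outbound and forwarding are untouched.
# Must run as root. This script does not persist the rules; re-run it after a
# reboot or save them with the distribution's own mechanism.

IPT=/sbin/iptables

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Apply one rule, aborting on failure: the chain ends with an unconditional
# DROP, so a silently missing ACCEPT would lock the host out.
rule() {
  "$IPT" "$@" || die "iptables $* failed"
}

# Set the policy to ACCEPT before flushing. If the chain still carries a DROP
# policy from an earlier run, flushing first would cut every inbound packet
# (including the rest of an admin's session) until the rules below are back.
rule -P INPUT ACCEPT
rule -F

rule -A INPUT -i lo -j ACCEPT
rule -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
rule -A INPUT -p icmp -j ACCEPT          # all ICMP types, not only echo
# Management host: every port. This already covers its port-80 access, so no
# separate per-port rule for the same host is needed.
rule -A INPUT -s 120.25.153.31 -j ACCEPT
# Reachable from any source. NOTE(review): what listens on 36000 is not
# recorded here, and 10050-10051 look like zabbix ports — confirm both before
# relying on them.
rule -A INPUT -p tcp --dport 36000 -j ACCEPT
rule -A INPUT -p tcp --dport 10050:10051 -j ACCEPT
# HTTP from 183.14.0.0/16 (183.14.1.0/24 lies inside it; no separate rule).
rule -A INPUT -s 183.14.0.0/16 -p tcp --dport 80 -j ACCEPT
# Explicit block of one host, kept to document intent; the catch-all below
# would drop it anyway.
rule -A INPUT -s 120.25.153.32 -j DROP
# Catch-all. NOTE(review): with the policy left at ACCEPT the host is wide
# open if this chain is ever flushed; setting "-P INPUT DROP" after the rules
# would fail closed instead.
rule -A INPUT -j DROP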