iptables

# Install the userspace tool (yum-based systems) and list the live ruleset
# numerically, so no hostname lookups are made while printing it.
yum install iptables
iptables -nL

# Permit new outbound TCP connections from this host to one address on port
# 80 only; the reply packets still need a matching ESTABLISHED rule (or an
# ACCEPT policy) on the INPUT side.
iptables -A OUTPUT -p tcp -m state --state NEW -d 182.92.228.160 --dport 80 -j ACCEPT

# Show INPUT with rule indices, then delete by index. Indices shift after
# every deletion, so re-list before removing a second rule.
iptables --line-numbers -L INPUT
iptables -D INPUT 3

 1 /sbin/iptables -P INPUT ACCEPT
 2 /sbin/iptables -F
 3 /sbin/iptables -X
 4 /sbin/iptables -Z
 5 
 6 /sbin/iptables -A INPUT -i lo -j ACCEPT 
 7 /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 8 /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 9 /sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
10 /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
11 /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
12 /sbin/iptables -P INPUT DROP
13  service iptables save

 

 

Linux系统脚本

  1 #!/bin/bash
  2 #########################################
  3 #Function:    linux drop port
  4 #Usage:       bash linux_drop_port.sh
  5 #Author:      Customer Service Department
  6 #Company:     Alibaba Cloud Computing
  7 #Version:     2.0
  8 #########################################
  9 
#######################################
# _os_probe FLAG PATTERN FILE...
# Grep PATTERN out of /etc/issue into os_release and out of FILE... into
# os_release_2; succeed only when both are non-empty (the two-witness
# check the original chain used). FLAG is "-i" for a case-insensitive
# search and "--" otherwise; either is harmless to grep in that position.
# Globals:   os_release, os_release_2 (written)
# Returns:   0 when both greps matched, 1 otherwise
#######################################
_os_probe()
{
  local flag=$1 pattern=$2
  shift 2
  os_release=$(grep "$flag" "$pattern" /etc/issue 2>/dev/null)
  os_release_2=$(grep "$flag" "$pattern" "$@" 2>/dev/null)
  [ -n "$os_release" ] && [ -n "$os_release_2" ]
}

#######################################
# _os_tag TOKEN TAG [TOKEN TAG]...
# Print the TAG of the first TOKEN found (grep pattern) in the /etc/issue
# text held in os_release; print an empty line when none matches, which
# the caller reads as "distro recognised, version unsupported".
# Globals:   os_release (read, then overwritten with the tag or "")
# Outputs:   the tag, or an empty line, on stdout
#######################################
_os_tag()
{
  local issue_text=$os_release
  while [ $# -ge 2 ]
  do
    if grep -- "$1" >/dev/null 2>&1 <<<"$issue_text"
    then
      os_release=$2
      echo "$os_release"
      return
    fi
    shift 2
  done
  os_release=""
  echo "$os_release"
}

#######################################
# Identify the distro/version this host runs and print its tag (redhat5,
# centos6, ubuntu1204, ...). Prints an empty line when the distro matches
# but no supported version does, and nothing when no distro matches; the
# caller captures stdout and treats "" as "unknown OS". The first distro
# whose probe succeeds wins, in the order below.
# Globals:   os_release, os_release_2 (written by the helpers)
# Outputs:   distro tag on stdout
# Returns:   0
#######################################
check_os_release()
{
  if _os_probe -- "Red Hat Enterprise Linux Server release" /etc/redhat-release
  then
    _os_tag "release 5" redhat5 "release 6" redhat6
  elif _os_probe -- "Aliyun Linux release" /etc/aliyun-release
  then
    _os_tag "release 5" aliyun5 "release 6" aliyun6
  elif _os_probe -- "CentOS release" /etc/*release
  then
    _os_tag "release 5" centos5 "release 6" centos6
  elif _os_probe -i "ubuntu" /etc/lsb-release
  then
    _os_tag "Ubuntu 10" ubuntu10 "Ubuntu 12.04" ubuntu1204 "Ubuntu 12.10" ubuntu1210
  elif _os_probe -i "debian" /proc/version
  then
    _os_tag "Linux 6" debian6
  elif _os_probe -- "openSUSE" /etc/*release
  then
    _os_tag "13.1" opensuse131
  fi
}
121 
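#######################################
# Report a failed install step in red on stderr, remove the lock file and
# exit with status 1. Nothing in this script calls it at the moment; it is
# the shared failure path kept for install steps.
# Globals:   LOCKfile (read) - lock path created at script start
# Arguments: $1 - name of the thing whose install failed; passed as printf
#            data, never as the format string
# Returns:   does not return (exit 1)
#######################################
exit_script()
{
  printf '\033[1;40;31mInstall %s error,will exit.\n\033[0m\n' "$1" >&2
  # Quoted and guarded: the original unquoted $LOCKfile would be split and
  # globbed, and an empty value must not turn this into a bare "rm -f".
  rm -f -- "${LOCKfile:?LOCKfile is not set}"
  exit 1
}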
128 
#######################################
# Block outbound traffic from this host to two sets of TCP ports and to all
# UDP by inserting DROP rules at the head of OUTPUT, then print the chain.
# Things to know before running it:
#   - outbound DNS (53), NTP (123/udp), HTTP/HTTPS (80/443) and SSH (22)
#     from this host are blocked as well, so package updates, time sync and
#     name resolution from the box stop working;
#   - rules are inserted unconditionally, so every run adds another copy
#     (not idempotent), and nothing in this script saves them, so they are
#     gone after a reboot;
#   - only iptables (IPv4) is configured; ip6tables is left untouched.
# Globals:   none
# Outputs:   iptables -nvL listing on stdout
#######################################
config_iptables()
{
  local tcp_set_1=21,22,23,25,53,80,135,139,443,445
  local tcp_set_2=1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  local pos=1
  local ports
  for ports in "$tcp_set_1" "$tcp_set_2"
  do
    iptables -I OUTPUT "$pos" -p tcp -m multiport --dport "$ports" -j DROP
    pos=$((pos + 1))
  done
  iptables -I OUTPUT "$pos" -p udp -j DROP
  iptables -nvL
}
136 
#######################################
# ufw counterpart of config_iptables: deny the same two TCP port sets and
# all UDP outbound, then print ufw's status. The same operational caveat
# applies -- outbound DNS, NTP, HTTP(S) and SSH from this host are cut --
# and duplicate handling on re-runs is left to ufw itself.
# Globals:   none
# Outputs:   ufw status on stdout
#######################################
ubuntu_config_ufw()
{
  local ports
  for ports in 21,22,23,25,53,80,135,139,443,445 \
               1433,1314,1521,2222,3306,3433,3389,4899,8080,18186
  do
    ufw deny out proto tcp to any port "$ports"
  done
  ufw deny out proto udp to any
  ufw status
}
144 
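####################Start###################
# Lock file: only one copy of the script may run at a time. The path is
# fixed on purpose (a second copy has to find it), so the file is created
# with O_EXCL (noclobber) to refuse a pre-planted file or symlink under
# /tmp instead of touching through it, and it is removed by an EXIT trap so
# a crash or a kill cannot leave a stale lock that blocks every later run.
LOCKfile=/tmp/.$(basename -- "$0")
if [ -e "$LOCKfile" ]
then
  printf '\033[1;40;31mThe script is already exist,please next time to run this script.\n\033[0m\n'
  exit
fi
printf '\033[40;32mStep 1.No lock file,begin to create lock file and continue.\n\033[40;37m\n'
if ! ( set -o noclobber; : > "$LOCKfile" ) 2>/dev/null
then
  # Lost the race to another copy, or the path is not creatable.
  printf '\033[1;40;31mCannot create lock file %s.\n\033[0m\n' "$LOCKfile" >&2
  exit 1
fi
trap 'rm -f -- "$LOCKfile"' EXIT

#check user -- iptables/ufw need root; the trap removes the lock on exit.
if [ "$(id -u)" != "0" ]
then
  printf '\033[1;40;31mError: You must be root to run this script, please use root to execute this script.\n\033[0m\n'
  exit 1
fi

printf '\033[40;32mStep 2.Begen to check the OS issue.\n\033[40;37m\n'
os_release=$(check_os_release)
if [ -z "$os_release" ]
then
  # Kept as exit 0, as before: an unrecognised OS is "nothing to do" for
  # whoever checks the status, not a failure.
  printf '\033[1;40;31mThe OS does not identify,So this script is not executede.\n\033[0m\n'
  exit 0
fi
printf '\033[40;32mThis OS is %s.\n\033[40;37m\n' "$os_release"

printf '\033[40;32mStep 3.Begen to config firewall.\n\033[40;37m\n'
case "$os_release" in
  redhat5|centos5|redhat6|centos6|aliyun5|aliyun6)
    service iptables start
    config_iptables
    ;;
  debian6|opensuse131)
    config_iptables
    ;;
  ubuntu10|ubuntu1204|ubuntu1210)
    # ufw enable prompts for confirmation; the here-string feeds "y\n".
    ufw enable <<<"y"
    ubuntu_config_ufw
    ;;
  *)
    # check_os_release only produces the tags above; anything else is a bug.
    printf 'Unexpected OS tag: %s\n' "$os_release" >&2
    exit 1
    ;;
esac

printf '\033[40;32mConfig firewall success,this script now exit!\n\033[40;37m\n'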

 

 

[root@iZ942bg57piZ storage]#  netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:48                  0.0.0.0:*                   LISTEN
udp        0      0 120.24.152.12:123           0.0.0.0:*
udp        0      0 10.45.177.31:123            0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
[root@iZ942bg57piZ storage]#

 

 

[root@iZ942bg57piZ storage]# netstat  -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0     64 120.24.152.12:48            183.128.163.147:13553       ESTABLISHED 1317/sshd
tcp        0      0 120.24.152.12:48            183.128.163.147:13770       ESTABLISHED 1453/sshd

 
