iptables配置实例(请根据自己情况配置)
#!/bin/bash
#变量定义,请根据自己的情况定义变量的内容
EXTIF="eth0" #linux router对外IP,即public ip
INIF="eth1" #linux router对内IP,即private ip
INNET="192.168.2.0/24" #linux router所在LAN的IP段
export EXTIF INIF INNET
#针对本机的防火墙进行设置
#1.先设置好内核的网络功能
echo "1" > /proc/sys/net/ipv4/tcp_syncookies #避免SYN 阻断式攻击
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #取消ping broadcast的回应
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians};do #内核的一些简单设定:逆向路由过滤、记录不合法的IP来源>/var/log/messages
echo "1" > $i
done
#for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
# send_redirects};do
# echo "0" > $i
#done
#2.清除规则,设置默认策略及开放lo与相关设置值
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin;
export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#3.启动额外的防火墙script
if [ -f /usr/local/virus/iptables/iptables.deny ];then #自己创建/usr/local/virus/iptables/iptables.deny阻挡恶意IP
sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ];then #自己创建/usr/local/virus/iptables/iptables.allow设置允许访问的IP
sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/httpd-err/iptables.http ];then
sh /usr/local/virus/httpd-err/iptables.http
fi
#4.允许某些类型的ICMP数据包进入
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
#5.允许某些服务的进入,依照自己的环境开启
iptables -A INPUT -p TCP -i $EXTIF --dport 21 --sport 1024:65534 -j ACCEPT #FTP
iptables -A INPUT -p TCP -i $EXTIF --dport 22 --sport 1024:65534 -j ACCEPT #SSH
iptables -A INPUT -p TCP -i $EXTIF --dport 25 --sport 1024:65534 -j ACCEPT #SMTP
iptables -A INPUT -p TCP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT #DNS
iptables -A INPUT -p UDP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT #DNS
iptables -A INPUT -p TCP -i $EXTIF --dport 80 --sport 1024:65534 -j ACCEPT #WWW
iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT #HTTPS
iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT #POP3
iptables -A INPUT -p TCP -i $EXTIF --dport 445 --sport 1024:65534 -j ACCEPT #smbd
iptables -A INPUT -p TCP -i $EXTIF --dport 139 --sport 1024:65534 -j ACCEPT #smbd
#针对后端主机的防火墙设置
#1.先加载一些有用的模块
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules
do
testmod=` lsmod | grep "^${mod} " | awk '{print $1}'`
if [ "$testmod" == "" ];then
modprobe $mod
fi
done
#2.清除NAT table的规则
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#3.双网卡且开放成为路由器同时有IP分享的功能
if [ "$INIF" != "" ];then
iptables -A INPUT -i $INIF -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
if [ "$INIF" != "" ];then
for innet in $INNET
do
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
done
fi
fi
#4.NAT服务器后端LAN内对外服务器的访问
iptables -t nat -A PREROUTING -p tcp i $EXTIF --dport 80\
-j DNAT --to-destination 192.168.2.4:80
iptables-save