#!/bin/bash
# Site-specific settings: adjust these three values to the router's own
# interfaces and LAN before running the script.
export EXTIF="eth0"             # external interface of the Linux router (public IP)
export INIF="eth1"              # internal interface of the Linux router (private IP)
export INNET="192.168.2.0/24"   # address range of the LAN behind the router
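# --- Host firewall, part 1: kernel network settings -------------------------
# SYN cookies keep a SYN flood from exhausting the listen backlog.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Do not answer ICMP echo requests sent to a broadcast address.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Per-interface settings: reverse-path filtering (drop packets whose source
# address is not routable back through the receiving interface) and logging
# of such "martian" sources to the kernel log (/var/log/messages).
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
  echo "1" > "$i"
done
# Optional extra hardening the author left disabled: refuse source-routed
# packets and ICMP redirects, and do not send redirects.
# NOTE(review): in the original the `echo "0" > $i` of this block had lost its
# leading '#' and ran unconditionally; since $i still held the last file of the
# loop above, it silently wrote 0 back into one rp_filter/log_martians entry.
# The whole block is commented out here so enabling it is all-or-nothing.
#for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
#  echo "0" > "$i"
#done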
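# --- Host firewall, part 2: reset the filter table and set default policies --
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
export PATH
# Flush all rules, delete user-defined chains and zero the counters.
iptables -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
# NOTE(review): FORWARD policy ACCEPT means that once ip_forward is enabled
# later in this script, everything the router forwards between interfaces is
# permitted; the DNAT rule at the end relies on this, but nothing filters
# forwarded traffic.
iptables -P FORWARD ACCEPT
# Loopback is always allowed, as are packets belonging to connections this
# host already has (-m state is the older spelling of -m conntrack --ctstate).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The INPUT policy is switched to DROP only after the two rules above exist.
# The original set it right after the flush, so every inbound packet was
# dropped (e.g. an SSH session running this script stalled) until the
# ESTABLISHED rule was appended. The final ruleset is the same.
iptables -P INPUT DROP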
# --- Host firewall, part 3: run optional site-specific rule scripts ----------
# Each file is executed with sh if it exists, in this order. By the author's
# convention iptables.deny blocks hostile source addresses and iptables.allow
# permits trusted ones; iptables.http lives under httpd-err (its contents are
# not shown here). They run as root with no further checks, so they must be
# owned by root and writable by nobody else.
for extra in /usr/local/virus/iptables/iptables.deny \
             /usr/local/virus/iptables/iptables.allow \
             /usr/local/virus/httpd-err/iptables.http; do
  if [ -f "$extra" ]; then
    sh "$extra"
  fi
done
# --- Host firewall, part 4: ICMP types accepted on the external interface ----
# 0 echo-reply, 3 destination-unreachable (3/4 = fragmentation-needed, which
# path-MTU discovery depends on), 4 source-quench, 11 time-exceeded,
# 12 parameter-problem, 14 timestamp-reply, 16 info-reply, 18 address-mask-reply.
# Echo-request (8) is not in the list, so with the DROP policy set earlier the
# router does not answer pings from the outside.
AICMP="0 3 3/4 4 11 12 14 16 18"
icmp_types=($AICMP)   # word-splitting is intended here
for tyicmp in "${icmp_types[@]}"; do
  iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done
# --- Host firewall, part 5: services reachable from the outside --------------
# Open only what this host really offers. Every rule also requires the
# client's source port to lie in 1024:65534 (the author's choice; 65535 is a
# legal ephemeral port and is therefore refused).
# NOTE(review): 21 (FTP), 110 (POP3) and 139/445 (SMB) are opened on the
# public interface; confirm each is intended, SMB in particular is seldom
# meant to be reachable from the Internet.
allow_tcp() {
  iptables -A INPUT -p TCP -i "$EXTIF" --dport "$1" --sport 1024:65534 -j ACCEPT
}
allow_tcp 21    # FTP
allow_tcp 22    # SSH
allow_tcp 25    # SMTP
allow_tcp 53    # DNS over TCP
iptables -A INPUT -p UDP -i "$EXTIF" --dport 53 --sport 1024:65534 -j ACCEPT   # DNS over UDP
allow_tcp 80    # WWW
allow_tcp 443   # HTTPS
allow_tcp 110   # POP3
allow_tcp 445   # smbd
allow_tcp 139   # smbd
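# --- Router / NAT, part 1: load the modules NAT and connection tracking need --
# The _ftp and _irc pairs are the helpers that track the secondary connections
# those protocols open. These module names come from older kernels; on a
# current kernel they may not exist, in which case modprobe prints an error
# (hedged: depends on the running kernel).
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules; do
  # The original wrapped an awk call in backticks and typographic quotes
  # (‘{print $1}’), which bash cannot parse; a quiet grep on lsmod is enough.
  if ! lsmod | grep -q "^${mod} "; then
    modprobe "$mod"
  fi
done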
# --- Router / NAT, part 2: reset the nat table -------------------------------
# Flush rules, delete user chains, zero counters, then ACCEPT on every built-in
# nat chain.
for nat_op in -F -X -Z; do
  iptables -t nat "$nat_op"
done
for nat_chain in PREROUTING POSTROUTING OUTPUT; do
  iptables -t nat -P "$nat_chain" ACCEPT
done
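# --- Router / NAT, part 3: two NICs, route and masquerade the LAN -------------
if [ -n "$INIF" ]; then
  # Everything arriving on the LAN interface is trusted by the host firewall.
  iptables -A INPUT -i "$INIF" -j ACCEPT
  # NOTE(review): the FORWARD policy set earlier is ACCEPT, so from here on
  # traffic forwarded between INIF and EXTIF is not filtered at all.
  echo "1" > /proc/sys/net/ipv4/ip_forward
  # The original repeated the INIF test here; the loop walks INNET, so that is
  # the value worth checking (an empty INNET loops zero times either way).
  if [ -n "$INNET" ]; then
    for innet in $INNET; do
      iptables -t nat -A POSTROUTING -s "$innet" -o "$EXTIF" -j MASQUERADE
    done
  fi
fi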
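# --- Router / NAT, part 4: publish a LAN web server on the external address --
# The original read `-p tcp i $EXTIF`; without the '-' before 'i' iptables
# rejects the rule, so the DNAT was never installed.
iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" --dport 80 \
  -j DNAT --to-destination 192.168.2.4:80
# iptables-save only prints the ruleset to stdout; redirect it to the
# distribution's rules file if the rules must survive a reboot.
iptables-save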