linux幼儿园

  • 首页
  • 信息安全
    • 红队
    • 密码学
  • 软件
  • 硬件
  • 活动目录
  • 知识点
  • linux干货
  • linux命令集
    • 磁盘管理
    • 文档编辑
    • 设备管理
    • 网络通讯
    • 系统管理
    • 文件管理
    • 其他命令
  1. 首页
  2. linux干货
  3. 正文

超级实用的 iptables 脚本

2020年03月31日 72点热度 0人点赞 0条评论


创建 iptables.sh 脚本
[root@Jaking ~]# vim iptables.sh
#!/bin/bash

#清空 filter 表和 nat 表
iptables -F
iptables -t nat -F

#关掉 firewalld
systemctl stop firewalld &>/dev/null
systemctl disable firewalld &>/dev/null

#以下两行允许某些调用 localhost 的应用访问
iptables -A INPUT -i lo -j ACCEPT #规则1
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #规则2

#以下一行允许从其他地方 ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #规则3

#以下一行允许从其他主机、网络设备发送 MTU 调整的报文
#在一些情况下,例如通过 IPSec VPN 隧道时,主机的 MTU 需要动态减小
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT #规则4

#以下两行分别允许所有来源访问 TCP 80,443 端口
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #规则5
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #规则6

#以下一行允许所有来源访问 UDP 80,443 端口
iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT #规则7

#以下一行允许 192.168.1.63 来源的 IP 访问 TCP 22 端口(OpenSSH)
iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT #规则8

#以下一行允许 192.168.1.3(发起SSH连接的系统对应网卡的IP) 来源的 IP 访问 TCP 22 端口(OpenSSH)
#如果是在远程终端跑本脚本,最好开启以下一行以防被踢掉
#另一种更加简便的方式:iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT #规则9

#以下一行允许 192.168.1.26 来源的 IP 访问 UDP 161 端口(SNMP)
iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT #规则10

#配置 NAT
#启用内核路由转发功能
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.conf
sysctl -p &>/dev/null

#配置源地址转换 SNAT
#将 192.168.2.0/24 转换成 192.168.1.63
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63 #规则11

#配置目的地址转换 DNAT
#将 192.168.1.63 的 80 端口请求转发到 192.168.2.2 的 80 端口
iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80 #规则12

#以下一行禁止所有其他的进入流量
iptables -A INPUT -j DROP #规则13

#以下一行允许本机响应规则编号为 1-12 的数据包发出
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT #规则14

#以下一行禁止本机主动发出外部连接
iptables -A OUTPUT -j DROP #规则15

#以下一行禁止本机转发数据包
iptables -A FORWARD -j DROP #规则16

#固化 iptables
iptables-save > /etc/sysconfig/iptables

[root@Jaking ~]# chmod 755 iptables.sh
测试
[root@Jaking ~]# ./iptables.sh
[root@Jaking ~]#
[root@Jaking ~]#
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost localhost
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere multiport dports http,https
ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh
ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh
ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
DROP all -- anywhere anywhere
[root@Jaking ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT all -- localhost localhost
3 ACCEPT icmp -- anywhere anywhere icmp echo-request
4 ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
5 ACCEPT tcp -- anywhere anywhere tcp dpt:http
6 ACCEPT tcp -- anywhere anywhere tcp dpt:https
7 ACCEPT udp -- anywhere anywhere multiport dports http,https
8 ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh
9 ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh
10 ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp
11 DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state ESTABLISHED
2 DROP all -- anywhere anywhere
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
[root@Jaking ~]# iptables -t nat -L --line-number
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
iptables 的清空和恢复
[root@Jaking ~]# iptables -F
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@Jaking ~]# iptables -t nat -F
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
[root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost localhost
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere multiport dports http,https
ACCEPT tcp -- 192.168.1.63 anywhere tcp dpt:ssh
ACCEPT tcp -- 192.168.1.3 anywhere tcp dpt:ssh
ACCEPT udp -- 192.168.1.26 anywhere udp dpt:snmp
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
DROP all -- anywhere anywhere
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 192.168.1.63 tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.2.0/24 anywhere to:192.168.1.63
总结
以上就是生产环境中超级实用的iptables脚本,这个脚本可以直接拿去用,不过请谨慎操作!

本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可
标签: iptables
最后更新:2020年03月31日

jcghaier

from zero to hero

打赏 点赞
< 上一篇
下一篇 >

文章评论

取消回复
最新 热点 随机
最新 热点 随机
windows入侵检查流程 安全事件应急响应工具箱 利用腾讯轻量服务器搭建FRP服务 Windows局域网渗透(IPC$管道) 国内三大运营商宽带线路及分级介绍(联通篇) Windows Server 2012 R2 辅助域控制器搭建
windows入侵检查流程
mysqlshow命令 - 显示数据库、数据表和列信息 cdrdao命令 - 刻录影像到光盘 802.11ac和802.11n速率表 fgrep命令 - 为文件搜索文字字符串 gluster命令 - Gluster控制台管理工具 mkinitrd命令 - 建立ramdisk映像文件
标签聚合
防火墙 iptables nmap zabbix 勒索病毒 深信服 X.509 CentOS tcp Debian
书签
  • Linux就该这么学
  • pfschina.org
  • ruyo
  • 佐须之男
  • 大象笔记
  • 小陈博客
  • 我能过软考
  • 教父爱分享
  • 散尽浮华
  • 现代魔法学院

COPYRIGHT © 2020 linux幼儿园. ALL RIGHTS RESERVED.

THEME KRATOS MADE BY VTROIS

51la