Iptables bash script


I basically want to drop all packets but still allow ports 22, 80 and 52533. At the moment this firewall does not allow ping, and it does not let me run yum update either. How do I add that? Also, is there a simpler way to open port 80? The current rules seem a bit verbose.

#!/bin/sh
#
# Flush all current rules from iptables
#
iptables -F
iptables -t nat -F

#
# Allow SSH connections on tcp port 22
#
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

#
# Open port 80
#
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 209.177.156.154 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 209.177.156.154 --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT

#
# Accept connections on 1195 for vpn access from client
#
iptables -A INPUT -i eth0 -p udp --dport 1195 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1195 -m state --state ESTABLISHED -j ACCEPT

#
# Apply forwarding
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 209.177.156.154
iptables -A FORWARD -j REJECT

#
# Enable forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# PREROUTE ports
#
iptables -t nat -A PREROUTING -p udp -m multiport --dports 10001:65535 -j REDIRECT --to-ports 52533

#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#
# IPv6 configuration
#
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -F

echo -n "1" >/proc/sys/net/ipv6/conf/all/forwarding
echo -n "1" >/proc/sys/net/ipv6/conf/all/proxy_ndp
echo -n "0" >/proc/sys/net/ipv6/conf/all/autoconf
echo -n "0" >/proc/sys/net/ipv6/conf/all/accept_ra

ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m state --state NEW -i tun0 -o eth0 -s 2607:f740:101:f::/64 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

Answer 1

Allowing outbound HTTP connections:

First allow connections to be established to the remote port:

iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT

and accept the established sessions:

iptables -A INPUT -p tcp --source-port 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

Don't forget to allow DNS connections (i.e. 8.8.8.8):

iptables -A INPUT -p udp --source-port 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 8.8.8.8 -p udp --destination-port 53 -j ACCEPT

Accept all ICMP:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
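The question's script and the answer above both pair every inbound rule with a matching `--sport`/ESTABLISHED rule in the other chain, which is what makes the port 80 block so verbose. The added example below (it is not the original poster's script nor the answerer's code) shows the usual way to collapse that: a single stateful ESTABLISHED,RELATED rule per chain, after which each service needs exactly one line for its NEW packets. It covers the question's stated requirements (drop by default; accept TCP 22 and 80 and UDP 52533; allow ping; allow outbound DNS and HTTP/HTTPS so yum can resolve mirrors and fetch packages). The interface name `eth0` and the use of `-m conntrack` (the current replacement for `-m state`) are assumptions; the VPN, forwarding, NAT and IPv6 parts of the original script are deliberately left out. The rules are generated as text by `gen_rules` so they can be reviewed before `apply_rules` feeds them to the shell.

```shell
#!/bin/sh
# Added example: minimal stateful iptables ruleset for "drop everything except
# 22, 80, 52533, ping and outbound DNS/HTTP(S)". Not the poster's script.
IFACE="${IFACE:-eth0}"   # assumption: the public interface
ALLOW_TCP="22 80"        # inbound TCP services to accept
ALLOW_UDP="52533"        # inbound UDP service (the script's REDIRECT target)

# Print the rules instead of executing them, so they can be diffed/reviewed.
gen_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
# loopback must be open in both directions (yum, sshd and local resolvers use it)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# one stateful rule per chain replaces every --sport / ESTABLISHED pair
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP in and out: ping replies plus the errors path-MTU discovery relies on
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
EOF
  # inbound services: only the first (NEW) packet needs a rule now
  for p in $ALLOW_TCP; do
    echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  for p in $ALLOW_UDP; do
    echo "iptables -A INPUT -i $IFACE -p udp --dport $p -j ACCEPT"
  done
  cat <<EOF
# outbound: DNS (UDP and TCP for large answers) plus HTTP/HTTPS for yum mirrors
iptables -A OUTPUT -o $IFACE -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# default policies last, so an SSH session is not cut between flush and rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Execute the generated rules; -e aborts on the first iptables error so a
# typo does not leave the box half-configured with DROP policies.
apply_rules() {
  gen_rules | sh -e
}

# Usage: ./rules.sh           -> print the ruleset for review
#        sudo ./rules.sh --apply
case "${1:-}" in
  --apply) apply_rules ;;
  *) gen_rules ;;
esac
```

Run it without arguments first and read the output; it should be a short, linear list where each service appears once. Only the INPUT chain is per-service, because once the ESTABLISHED,RELATED rule is in OUTPUT, replies to accepted inbound connections leave without any `--sport` matching.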
