A simple, practical set of iptables rules for Linux CentOS servers

  We recently set up several CentOS servers at work, but kept running into cases where the network was unreachable. In the end the cause usually turned out to be that the most basic iptables rules had not been set up properly. Don't underestimate these simple firewall rules: get them wrong and you waste a lot of time and effort, and they are hard to maintain.


  Below is an all-purpose IPTABLES template. Friendly reminder: some parameters in this template must be changed to match your own company's environment.

  

  I like to keep the scripts under /usr/local/virus/iptables.

  

  Two scripts are needed: /usr/local/virus/iptables/iptables.rule and /usr/local/virus/iptables/iptables.allow.


!! The lines highlighted in red need extra attention !!

vim /usr/local/virus/iptables/iptables.rule

#!/bin/bash

# set up variable parameters
EXTIF="eth0"  # run ifconfig first and check which interface faces the outside on your machine: eth0, eth1 or some other port!
INIF=""       # internal interface (leave empty if this host does not route for a LAN)
INNET=""      # internal subnet(s) to masquerade, space separated (used only when INIF is set)
export EXTIF INIF INNET

# Part 1: the firewall configuration for this server itself

# 1. kernel network parameters
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
        echo "1" > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
send_redirects}; do
        echo "0" > $i
  done

# 2. clear existing rules, set the default policies and open lo
  PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
  iptables -F
  iptables -X
  iptables -Z
  iptables -P INPUT   DROP
  iptables -P OUTPUT  ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. run the extra rule scripts (deny rules first, then allow rules, so a deny entry wins)
  if [ -f /usr/local/virus/iptables/iptables.deny ]; then
        sh /usr/local/virus/iptables/iptables.deny
  fi
  if [ -f /usr/local/virus/iptables/iptables.allow ]; then
        sh /usr/local/virus/iptables/iptables.allow
  fi
  if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
        sh /usr/local/virus/httpd-err/iptables.http
  fi

# 4. allow specific ICMP types in
#    note: echo-request (type 8) is not in this list, so the host does not answer pings arriving on $EXTIF
  AICMP="0 3 3/4 4 11 12 14 16 18"
  for tyicmp in $AICMP
  do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
  done

# 5. allow incoming services according to actual needs
# Only the SSH port is opened here; uncomment more lines as your needs require.
# iptables -A INPUT -p TCP -i $EXTIF --dport  21 --sport 1024:65534 -j ACCEPT # FTP
  iptables -A INPUT -p TCP -i $EXTIF --dport  22 --sport 1024:65534 -j ACCEPT # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport  25 --sport 1024:65534 -j ACCEPT # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport  80 --sport 1024:65534 -j ACCEPT # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS

# Part 2: the firewall configuration for the hosts behind this server

# 1. load the kernel modules needed for NAT and connection tracking
#    (these are the 2.6-era module names; on kernels that use nf_conntrack the
#    equivalents are nf_conntrack, nf_conntrack_ftp, nf_nat_ftp and so on, and
#    modprobe only prints an error for a name it cannot find)
  modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
  for mod in $modules
  do
      testmod=$(lsmod | grep "^${mod} " | awk '{print $1}')
      if [ -z "$testmod" ]; then
            modprobe $mod
      fi
  done

# 2. clear the NAT table rules
  iptables -F -t nat
  iptables -X -t nat
  iptables -Z -t nat
  iptables -t nat -P PREROUTING  ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT      ACCEPT

# 3. if there are two network cards and this host routes for a LAN (IP sharing / NAT)
  if [ "$INIF" != "" ]; then
    iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    if [ "$INNET" != "" ]; then
        for innet in $INNET
        do
            iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
        done
    fi
  fi

# if MSN or some websites do not work properly for hosts behind this server, enable the rule below (it clamps the TCP MSS to the path MTU)
  # iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
  #          --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. forwarding from the outside to a server behind the NAT
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
#          -j DNAT --to-destination 192.168.1.210:80 # WWW

# 5. special cases, including Windows remote desktop rules; for instance the desktop's IP is 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4  --dport 6000 \
#          -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4  --sport 3389 \
#          -j DNAT --to-destination 192.168.100.20

# 6. save!!
  /etc/init.d/iptables save


vim /usr/local/virus/iptables/iptables.allow

#!/bin/bash
# EXTIF is inherited from iptables.rule, which exports it before calling this script
  iptables -A INPUT -i $EXTIF -s 10.0.1.0/24 -j ACCEPT
  iptables -A INPUT -i $EXTIF -s 10.0.4.0/24 -j ACCEPT
  iptables -A INPUT -i $EXTIF -s 10.0.0.0/24 -j ACCEPT

Tip: the three subnets above are our company's own three subnets; change them to match your company's actual subnets.
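Once the template has been applied, it is worth checking that the live rules really match what it was meant to produce. The audit script below is an added example and not part of the original post: it reads a dump in iptables-save format (the one embedded here is constructed for the example; on a real server pipe in the output of iptables-save instead), confirms that the INPUT policy is DROP, that loopback and RELATED,ESTABLISHED traffic are accepted, and that no TCP port is open on INPUT other than the ones you expect.

```shell
#!/bin/sh
# Audit an iptables-save dump against the baseline the iptables.rule template
# should produce. The dump below is constructed for this example, not captured
# from a real host; it mirrors the template with SSH and WWW opened and one
# subnet allowed by iptables.allow.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.1.0/24 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65534 --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65534 --dport 80 -j ACCEPT
COMMIT'

# Print the TCP destination ports accepted on INPUT, one per line, sorted.
# Subnet-wide ACCEPT rules (no -p tcp/--dport) are not counted here.
open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n | uniq
}

# check_baseline DUMP "22 80": exit 0 if the dump meets the baseline and only
# the listed TCP ports are open; otherwise print each finding and exit 1.
check_baseline() {
    dump=$1; expected=$2; rc=0
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP" >&2; rc=1; }
    printf '%s\n' "$dump" | grep -q -- '-A INPUT -i lo -j ACCEPT' \
        || { echo "loopback is not accepted" >&2; rc=1; }
    printf '%s\n' "$dump" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' \
        || { echo "no RELATED,ESTABLISHED rule" >&2; rc=1; }
    for p in $(open_tcp_ports "$dump"); do
        case " $expected " in
            *" $p "*) ;;
            *) echo "unexpected open TCP port $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

On a live system run `iptables-save | { d=$(cat); check_baseline "$d" "22"; }` with the port list you actually intend to expose.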

