公司近期搭建了幾臺CentOS的服務器,但是經常會出現網絡不通的情況,檢查到最後發現往往是最基礎的iptables rule沒有設置好。別小看簡簡單單的這個防火牆規則,弄不好費時費力,還不容易維護。
下面是萬能的IPTABLES模板。友情提示:這個模板某些參數需要根據自己公司的實際情況來做相應的改變。
我喜歡把腳本放在/usr/local/virus/iptables底下。
需要兩個腳本,一個是/usr/local/virus/iptables/iptables.rule,另一個是/usr/local/virus/iptables/iptables.rule
!!紅色字體需要加倍注意!!
vim /usr/local/virus/iptables/iptables.rule
#!/bin/bash
#set up variable parameter
EXTIF="eth0" #需要提前ifconfig下,查看你自己機器的端口,是eth0還是eth1或者還是其他的網口!
INIF=""
INNET=""
export EXTIF INIF INNET
#Part 1:the firewall configuration to this server machine
#1. the core function of network
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
send_redirects}; do
echo "0" > $i
done
#2.clean up rules, set up default policy and open lo
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#3. make the extra firewall script modules
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
sh /usr/local/virus/httpd-err/iptables.http
fi
#4. allow the specific ICMP packet input
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
#5. allow the services income according to the real use
#我這裏只開放了ssh端口,根據你的實際需要選擇開放更多端口。
# iptables -A INPUT -p TCP -i $EXTIF --dport 21 --sport 1024:65534 -j ACCEPT # FTP
iptables -A INPUT -p TCP -i $EXTIF --dport 22 --sport 1024:65534 -j ACCEPT # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport 25 --sport 1024:65534 -j ACCEPT # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 80 --sport 1024:65534 -j ACCEPT # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS
#Part 2: the firewall configuration of this server backend
#1. make the extra firewall script modules
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules
do
testmod=`lsmod | grep "^${mod} " | awk '{print $1}'`
if [ "$testmod" == "" ]; then
modprobe $mod
fi
done
#2. clean up the NAT table rules
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# 3. if there were 2 network cards to be route then IP share case
if [ "$INIF" != "" ]; then
iptables -A INPUT -i $INIF -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
if [ "$INNET" != "" ]; then
for innet in $INNET
do
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
done
fi
fi
# if you can not use MSN or some website can not work well for you, please enable these 2 rule below
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
# --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
# 4. the configuration of NAT server backend to the outside
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
# -j DNAT --to-destination 192.168.1.210:80 # WWW
# 5. special functions, including the windows remote desktop rules, for instance the desktop IP is 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 \
# -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 \
# -j DNAT --to-destination 192.168.100.20
# 6. save!!
/etc/init.d/iptables save
vim /usr/local/virus/iptables/iptables.allow
#!/bin/bash
iptables -A INPUT -i $EXTIF -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -i $EXTIF -s 10.0.4.0/24 -j ACCEPT
iptables -A INPUT -i $EXTIF -s 10.0.0.0/24 -j ACCEPT
Tip:上面三個網段是自己公司的三個子網,需要根據貴公司的實際子網來配置。