Jeffrey’s Blog

Example IPTABLES Firewall Script

Filed under: System Administration — Jeffrey @ Thursday, December 20th, 2007 3:57 pm

#!/bin/bash
# zhangjianfeng.com
# eth0 faces the Internet -- ppp0
# eth1 faces the LAN -- 192.168.0.0/24
################################################################

modprobe ipt_MASQUERADE     # NAT masquerading target
modprobe ip_conntrack_ftp   # FTP connection-tracking helper
modprobe ip_nat_ftp         # FTP NAT helper
iptables -F                 # flush all rules in the filter table
iptables -t nat -F          # flush all rules in the nat table
iptables -X                 # delete all user-defined chains in the filter table
iptables -t nat -X          # delete all user-defined chains in the nat table

########################INPUT chain###########################
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT   # LAN range, as defined in the header

iptables -A INPUT -i eth1 -p tcp -m multiport --dports 443,139,80,21,110,25 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT

#iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
#iptables -A INPUT -p gre -j ACCEPT
# allow PPTP VPN connections from the Internet (TCP 1723 + GRE)

iptables -A INPUT -i ppp0 -p tcp -m multiport --dports 110,80,25 -j ACCEPT
# allow SMTP, HTTP and POP3 from the Internet
#iptables -A INPUT -p icmp -j DROP   # drop ICMP: the host will not answer ping
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE   # NAT for the LAN

#######################FORWARD chain###########################
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,21,25,1723 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.50 --dport 22 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT   # let VPN clients reach the Internet over PPTP/GRE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note: iptables stops at the first matching rule, so the content-filtering DROP rules below
# never see LAN traffic that the ACCEPT rules above already matched (TCP 80/110/21/25/1723,
# UDP 53, and anything ESTABLISHED). To make them effective, insert them before the ACCEPTs.
# The string match needs --algo on current iptables; the time match uses --weekdays instead
# of the older --days.
iptables -A FORWARD -p udp --dport 53 -m string --algo bm --string "tencent" -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP   # block QQ (Tencent) DNS lookups 9:00-18:00, Monday to Saturday
iptables -A FORWARD -s 192.168.0.0/24 -m string --algo bm --string "qq.com" -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP   # block access to qq.com 9:00-18:00, Monday to Saturday
iptables -A FORWARD -s 192.168.0.0/24 -m string --algo bm --string "sexy" -j DROP   # drop packets whose payload contains "sexy" (e.g. in a URL)
# The following require the third-party ipp2p match module
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# block BitTorrent and other P2P protocols

#######################################################################
sysctl -w net.ipv4.ip_forward=1 &>/dev/null   # enable IP forwarding
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600 &>/dev/null   # established TCP conntrack timeout 3600 s (greatly reduces the number of tracked connections)
sysctl -w net.ipv4.ip_conntrack_max=500000 &>/dev/null   # up to 500,000 tracked connections (each entry needs 300+ bytes)
# On kernels with nf_conntrack the corresponding keys are
# net.netfilter.nf_conntrack_tcp_timeout_established and net.netfilter.nf_conntrack_max
#######################################################################
# -I inserts at the head of the chain: the administrator's machine (192.168.0.50) bypasses every restriction
iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
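The script above applies its rules one `iptables` call at a time, so between the flush and the later ACCEPT rules the box briefly runs with an empty table, and a typo halfway through leaves a half-loaded policy. The following is an added example, not part of the original post, that expresses the same policy as an `iptables-restore` file, which is validated with `--test` and then loaded atomically. It also places the content-filtering DROPs before the ACCEPTs so they actually match. Interface names, the LAN range and the administrator's address are taken from the script's header; the variable names and the `apply` argument are this example's own.

```shell
#!/bin/bash
# Added example: the post's policy rewritten as an atomic iptables-restore ruleset.
# Assumed from the post: ppp0 is the Internet side, eth1 is 192.168.0.0/24,
# and 192.168.0.50 is the administrator's machine.
WAN_IF=ppp0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
ADMIN_IP=192.168.0.50

# Print the complete ruleset in iptables-save format (both tables, each ended by COMMIT).
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $ADMIN_IP -j ACCEPT
-A FORWARD -s $ADMIN_IP -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp -m multiport --dports 443,139,80,21,110,25 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 110,80,25 -j ACCEPT
-A FORWARD -p udp --dport 53 -m string --algo bm --string "tencent" -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
-A FORWARD -s $LAN_NET -m string --algo bm --string "qq.com" -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat -j DROP
-A FORWARD -s $LAN_NET -m string --algo bm --string "sexy" -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -s $LAN_NET -m multiport --dports 80,110,21,25,1723 -j ACCEPT
-A FORWARD -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
-A FORWARD -p udp -s $LAN_NET --dport 53 -j ACCEPT
-A FORWARD -p gre -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Line number (1-based) of the first rule containing the given fixed string;
# used to check that a DROP precedes the ACCEPT that would otherwise shadow it.
rule_index() {
  gen_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Number of tables that are properly terminated by COMMIT.
commit_count() {
  gen_ruleset | grep -c '^COMMIT$'
}

# Parse-check the ruleset first; only swap it in if the whole file is accepted.
load_ruleset() {
  gen_ruleset | iptables-restore --test || return 1
  gen_ruleset | iptables-restore
}

# Usage: ./firewall.sh apply   (run as root; without "apply" it only prints the ruleset)
if [ "${1:-}" = "apply" ]; then
  load_ruleset
else
  gen_ruleset
fi
```

Because the file is loaded in one transaction, there is no window with an empty FORWARD chain while the LAN is being NATed, and a malformed line aborts the whole load instead of leaving a partial policy. The ipp2p rules are omitted because that match is not part of stock iptables.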
