#!/bin/bash
# Define variables to reduce typing.
WAN_INT="eth0"                    # interface used by the -i/-o tests in start()
WAN_INT_IP="172.16.100.100"       # address the DNAT rule in start() matches on (-d)
# NOTE(review): LAN_INT is the same NIC as WAN_INT, so "-i $WAN_INT" / "-o $WAN_INT"
# cannot tell LAN traffic from WAN traffic — confirm the single-NIC layout is intended.
LAN_INT="eth0"                    # not referenced anywhere else in this script
LAN_INT_IP="10.15.15.15"          # not referenced anywhere else in this script
LAN_IP_RANGE="10.15.0.0/16"       # LAN prefix that gets a blanket FORWARD ACCEPT in start()
# Space-separated list of LAN hosts allowed out on the ports in PORT; word-split in start().
ACCEPT_ACCESS_CLIENT="10.15.100.11 10.15.100.12 10.15.100.13 10.15.100.14 10.15.100.15 10.15.101.11 10.15.101.12 10.15.101.13 10.15.101.14 10.15.101.15 10.15.100.86"
ACCEPT_QQ_CLIENT="10.15.100.86"   # the one source named in both the ACCEPT and the DROP rules built from /SqLogs/qq-ip
WAN_WIN2003_SRV="172.16.100.101"  # not referenced anywhere else in this script
PORT="20,21,25,53,80,110,143,554,1755,7070"   # comma list for -m multiport --dport/--sport
PORT_QQ="4000:4020,8000:8020"     # port ranges for the QQ multiport rules
IPT="/sbin/iptables"              # two rules in start() still spell out this path directly
MODP="/sbin/modprobe"
###################################################################################
# Load the netfilter modules the rules below rely on. A failed modprobe is
# reported by modprobe itself on stderr and does not stop the script.
for _mod in ip_tables ip_conntrack iptable_filter iptable_nat ipt_LOG ipt_limit ipt_state; do
  "$MODP" "$_mod"
done
unset -v _mod
###################################################################################
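#######################################
# Print the whitespace-separated entries of a list file, one per line.
# Mirrors the old `cat file | grep -v "#"`: any line that contains a '#'
# anywhere is skipped entirely. Unlike the old unquoted word-split, the
# entries are not subjected to pathname expansion.
# Arguments: $1 - list file
# Outputs:   one entry per line on stdout; a warning on stderr when the
#            file cannot be read (then no entries are produced)
# Returns:   0
#######################################
_read_list(){
  local file=$1 line
  local -a entries
  if [[ ! -r "$file" ]]; then
    printf 'warning: %s is not readable, no entries loaded from it\n' "$file" >&2
    return 0
  fi
  # `|| [[ -n "$line" ]]` keeps a last line that lacks a trailing newline
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ "$line" == *'#'* ]] && continue
    read -r -a entries <<<"$line"
    if (( ${#entries[@]} > 0 )); then
      printf '%s\n' "${entries[@]}"
    fi
  done < "$file"
  return 0
}

#######################################
# Build the full ruleset: flush, policies, NAT, then the FORWARD rules
# taken from ACCEPT_ACCESS_CLIENT, /SqLogs/allowinternet and /SqLogs/qq-ip.
# Globals:   IPT WAN_INT WAN_INT_IP LAN_IP_RANGE ACCEPT_ACCESS_CLIENT
#            ACCEPT_QQ_CLIENT PORT PORT_QQ (all read)
# Outputs:   progress lines on stdout
# Returns:   status of the last command run (an iptables call or echo)
# Note: the filter flush below also removes the FORWARD DROP rules that the
# top-level "KILL QQ" section of this script inserts before start runs.
#######################################
start(){
  local entry lan host
  local -a clients
  echo ""
  printf '\033[1;032m flush all chains...... [ok] \033[m\n'
  # flush the three tables this script may have touched
  "$IPT" -t filter -F
  "$IPT" -t nat -F
  "$IPT" -t mangle -F
  # Only FORWARD defaults to DROP; INPUT and OUTPUT stay ACCEPT, so the two
  # ssh rules after this are redundant with the policy (kept unchanged).
  "$IPT" -t filter -P INPUT ACCEPT
  "$IPT" -t filter -P OUTPUT ACCEPT
  "$IPT" -t filter -P FORWARD DROP
  # open ssh service
  "$IPT" -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPT" -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT
  # SNAT: the explicit SNAT rule stays disabled; MASQUERADE below is used instead
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # "$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$WAN_INT" -j SNAT --to-source "$WAN_INT_IP"
  # DNAT: every protocol and port arriving at WAN_INT_IP is sent to 10.15.0.103
  "$IPT" -t nat -A PREROUTING -d "$WAN_INT_IP" -i "$WAN_INT" -j DNAT --to-destination 10.15.0.103
  # PPPOE
  # This blanket ACCEPT is the first FORWARD rule, so for any source inside
  # LAN_IP_RANGE none of the per-client FORWARD rules below is ever reached;
  # they only matter for sources outside that range. NOTE(review): confirm intended.
  "$IPT" -A FORWARD -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -o "$WAN_INT" -j MASQUERADE
  # NOTE(review): there is no ESTABLISHED,RELATED rule; with the FORWARD DROP
  # policy, replies arriving on WAN_INT are only accepted by the --sport rules
  # in the erp section — confirm that covers the traffic expected here.
  ##############allow someone to access internet##############################################################
  while IFS= read -r entry; do
    "$IPT" -A FORWARD -s "$entry" -j ACCEPT
    # port-80 traffic from this client is redirected to local port 3128 (presumably a Squid proxy)
    "$IPT" -t nat -A PREROUTING -s "$entry" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
  done < <(_read_list /SqLogs/allowinternet)
  ##############Kill QQ##############################################################
  "$IPT" -A FORWARD -p tcp -m multiport --dport "$PORT_QQ" -j ACCEPT
  "$IPT" -A FORWARD -p udp -m multiport --dport "$PORT_QQ" -j ACCEPT
  # iptables resolves these names when the rule is added; a failed lookup
  # means that rule is silently absent (the script does not stop on errors)
  for host in tcpconn tcpconn2 tcpconn3 tcpconn4 tcpconn5 tcpconn6 http2 http; do
    "$IPT" -A FORWARD -d "${host}.tencent.com" -j ACCEPT
  done
  while IFS= read -r entry; do
    "$IPT" -A FORWARD -s "$ACCEPT_QQ_CLIENT" -d "$entry" -j ACCEPT
  done < <(_read_list /SqLogs/qq-ip)
  ###############accept erp access####################################################
  if [[ -n "$ACCEPT_ACCESS_CLIENT" ]]; then
    # ACCEPT_ACCESS_CLIENT is a space-separated list; read -a splits it
    # without pathname expansion
    read -r -a clients <<<"$ACCEPT_ACCESS_CLIENT"
    for lan in "${clients[@]}"; do
      "$IPT" -t filter -A FORWARD -p tcp -m multiport -s "$lan" -o "$WAN_INT" --dport "$PORT" -j ACCEPT
      "$IPT" -t filter -A FORWARD -p udp -m multiport -s "$lan" -o "$WAN_INT" --dport "$PORT" -j ACCEPT
      echo ""
      printf '%s Access to External.....ACCEPT access Win2003 server [ok]\n' "$lan"
    done
    # The inbound --sport rules do not depend on the client, so they are added
    # once instead of once per client (the old loop duplicated them N times;
    # all of these rules are ACCEPT, so the outcome is unchanged).
    "$IPT" -t filter -A FORWARD -p tcp -m multiport -i "$WAN_INT" --sport "$PORT" -j ACCEPT
    "$IPT" -t filter -A FORWARD -p udp -m multiport -i "$WAN_INT" --sport "$PORT" -j ACCEPT
  fi
}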
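###############KILL QQ###########################################################
# NOTE: this section runs at top level on every invocation, before the action
# in $1 is dispatched. start() flushes the filter table ("-t filter -F") and
# stop() does too ("-F"), so for start, stop and restart the DROP rules below
# are removed again immediately; they only survive on the usage-error path.
# If they are meant to apply, they belong inside start() after its flush.
"$IPT" -t filter -I FORWARD -p tcp --dport 8000 -j DROP
"$IPT" -t filter -I FORWARD -p udp --dport 8000 -j DROP
# -I puts each rule at the head of the chain, so they end up in reverse order.
# iptables resolves these names at insertion time; a failed lookup leaves that
# rule out (the script does not stop on errors).
for _host in tcpconn tcpconn2 tcpconn3 tcpconn4 tcpconn5 tcpconn6 http2 http; do
  "$IPT" -t filter -I FORWARD -d "${_host}.tencent.com" -j DROP
done
unset -v _host
# Same list format as in start(): any line containing '#' is skipped, the
# remaining lines are split on whitespace, entries are not glob-expanded.
if [[ -r /SqLogs/qq-ip ]]; then
  while IFS= read -r killqq_line || [[ -n "$killqq_line" ]]; do
    [[ "$killqq_line" == *'#'* ]] && continue
    read -r -a killqq_ips <<<"$killqq_line"
    for killqq_ip in "${killqq_ips[@]}"; do
      "$IPT" -A FORWARD -s "$ACCEPT_QQ_CLIENT" -d "$killqq_ip" -j DROP
    done
  done < /SqLogs/qq-ip
  unset -v killqq_line killqq_ips killqq_ip
else
  printf 'warning: /SqLogs/qq-ip is not readable, no QQ DROP rules loaded\n' >&2
fi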
###################################################################################
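#######################################
# Tear the ruleset down: flush, delete user chains and zero counters in the
# filter and nat tables, then reset every policy to ACCEPT. The mangle table
# is left alone (start() flushes it but never adds rules there) and the nat
# OUTPUT policy is not reset, as before.
# Globals:   IPT (read)
# Outputs:   a completion banner on stdout — printed unconditionally, even
#            when the iptables calls failed (their errors go to stderr)
# Returns:   status of the last echo (0)
#######################################
stop(){
  local table
  for table in filter nat; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
  done
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  # the old second "-t nat -F" was redundant (nat was flushed above) and is gone
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT
  echo "#############################################################################"
  echo "# #"
  echo "# Stop firewall server Access rule successful ! #"
  echo "# #"
  echo "#############################################################################"
}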
###################################################################################
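#######################################
# Refuse to run the iptables actions without root, so a non-root run fails
# once with a clear message instead of a string of iptables errors followed
# by the "successful" banner from stop().
# Globals:   EUID (read)
# Outputs:   error line on stderr when not root
# Returns:   0 when running as root, 1 otherwise
#######################################
_require_root(){
  if (( EUID != 0 )); then
    printf '%s: iptables needs root privileges, re-run as root\n' "$0" >&2
    return 1
  fi
  return 0
}

#######################################
# Dispatch on the action given as $1.
# Arguments: $1 - start | stop | restart
# Outputs:   usage line on stderr for anything else
# Returns:   status of the chosen action; 1 on bad usage or when not root
#######################################
main(){
  case "${1:-}" in
    start)
      _require_root && start
      ;;
    stop)
      _require_root && stop
      ;;
    restart)
      # start runs even if stop reported an error, as before
      _require_root && { stop; start; }
      ;;
    *)
      # the old usage text had a stray trailing "|" inside the braces
      printf 'Usage:%s {start|stop|restart}\n' "$0" >&2
      return 1
      ;;
  esac
}
main "$@"
exit "$?"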