A single-host firewall only has to consider the one NIC that faces the outside, so the whole job is to restrict inbound traffic by source IP and by port: default-deny on INPUT, then whitelist the few services that the trusted network is allowed to reach.
Sample
```bash
#!/usr/bin/env bash
# Single-host firewall: anything not listed below is dropped on INPUT.
if [ "$(id -u)" != "0" ]; then
    echo "This script is designed to run as root" 1>&2
    exit 1
fi

# Load the netfilter modules this rule set needs. ip_conntrack is the
# pre-2.6.20 module name; on current kernels it is nf_conntrack.
modprobe ip_tables
modprobe iptable_filter
modprobe ipt_REJECT
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack

# Set INPUT to ACCEPT before flushing, so an SSH session is not cut off
# while the chain is empty.
iptables -P INPUT ACCEPT
iptables -F

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services reachable from the internal network only
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT    # SSH
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 80 -j ACCEPT    # HTTP
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 5666 -j ACCEPT  # NRPE (Nagios agent)
iptables -A INPUT -p udp -s 10.0.0.0/8 --dport 123 -j ACCEPT   # NTP
iptables -A INPUT -p udp -s 10.0.0.0/8 --dport 161 -j ACCEPT   # SNMP

# Answer ping, but at most one echo request per second
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# Outbound hygiene: no multicast (224.0.0.0/4 is the whole class-D range),
# no limited broadcast, nothing that conntrack cannot classify
iptables -A OUTPUT -s 224.0.0.0/4 -j DROP
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Now switch to deny-by-default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Persist the rules (RHEL/CentOS 6: writes /etc/sysconfig/iptables) and show the result
service iptables save
iptables -L -v -n
```
This opens the service ports to the internal network only, and answers ping at one echo request per second; change both to suit the host. Note that the script programs IPv4 only: if the host has IPv6 enabled, ip6tables needs an equivalent rule set, otherwise the same ports remain reachable over v6.
A dual-NIC host acting as a gateway (SNAT) has to protect both itself (INPUT chain) and the machines on the internal network behind it (FORWARD chain), and masquerade the LAN's traffic out of the WAN interface.
Sample
```bash
#!/usr/bin/env bash
# Dual-NIC gateway: INPUT protects the box, FORWARD protects the LAN,
# POSTROUTING masquerades LAN traffic leaving through the WAN interface.
if [ "$(id -u)" != "0" ]; then
    echo "This script is designed to run as root" 1>&2
    exit 1
fi
PATH=/usr/sbin:/sbin:/bin:/usr/bin
wan=eth0
lan=eth1
# Placeholder for the one public host allowed to SSH in from the WAN side
# (203.0.113.0/24 is an RFC 5737 documentation range; replace with your own address)
admin=203.0.113.10

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z

# Set the INPUT policy to ALLOW for the moment
iptables -P INPUT ACCEPT
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Limit ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# Open some ports to the public
iptables -A INPUT -i $wan -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $admin -p tcp --dport 22 -j ACCEPT

# Open some ports to the local network.
# SSH from the LAN is rate-limited per source address: each new connection
# attempt is recorded in the "ssh" list and accepted only while the source has
# made fewer than 10 attempts in the last 60 seconds; anything beyond that
# falls through to the DROP policy.
iptables -A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 10 --name ssh --rsource -j ACCEPT
iptables -A INPUT -i $lan -p udp --dport 123 -j ACCEPT     # NTP
iptables -A INPUT -i $lan -p udp --dport 161 -j ACCEPT     # SNMP
iptables -A INPUT -i $lan -p tcp --dport 5666 -j ACCEPT    # NRPE (Nagios agent)
iptables -A INPUT -i $lan -p tcp --dport 9102 -j ACCEPT    # Bacula file daemon
iptables -A INPUT -i $lan -p tcp --dport 10000 -j ACCEPT   # Webmin
iptables -A INPUT -i $lan -p tcp --dport 10050 -j ACCEPT   # Zabbix agent

# Apply the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow outgoing connections from the LAN side; WAN -> LAN only for replies
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound hygiene (224.0.0.0/4 is the whole multicast range)
iptables -A OUTPUT -s 224.0.0.0/4 -j DROP
iptables -A OUTPUT -d 224.0.0.0/4 -j DROP
iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Masquerade.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE

# Enable routing. This is not persistent: also set net.ipv4.ip_forward = 1
# in /etc/sysctl.conf or the gateway stops forwarding after a reboot.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Save and restart iptables
service iptables save
service iptables restart
# Show the final rules
iptables -n -v -L
iptables -n -v -L -t nat
```
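Both scripts above build the rule set one `iptables -A` call at a time, so for a moment the chain is half-built, and a typo halfway through leaves the host in an undefined state (and, when you are working over SSH, possibly unreachable). The following is an added example, not code from the original post: it emits the same two rule sets (host mode for the single-machine script, gateway mode for the SNAT script) as one iptables-restore file, so the kernel swaps them in atomically, syntax-checks the file before loading, and arms a rollback timer that restores the previous rules unless you confirm from a fresh login. The interface names, the trusted network 10.0.0.0/8 and the admin address 203.0.113.10 (an RFC 5737 documentation address standing in for a real one) are assumptions; it uses `-m conntrack --ctstate`, the current spelling of `-m state`, and the LAN SSH limiter uses the conventional `--set` / `--update ... -j DROP` pair rather than the negated `--rcheck` form.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): emit the firewall as one
# iptables-restore file, load it atomically, and auto-rollback unless confirmed.
# Assumed placeholders: LAN_NET (trusted network), ADMIN_IP (203.0.113.10 is an
# RFC 5737 documentation address), WAN/LAN interface names.
set -eu
LAN_NET=${LAN_NET:-10.0.0.0/8}
ADMIN_IP=${ADMIN_IP:-203.0.113.10}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# gen_rules host|gateway  -> prints an iptables-restore rule set on stdout.
# INPUT and FORWARD default to DROP; only the listed services get through.
gen_rules() {
  local mode=$1 p
  case $mode in host|gateway) ;; *) echo "unknown mode: $mode" >&2; return 2 ;; esac
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec -j ACCEPT'
  if [ "$mode" = host ]; then
    # single host: management services from the trusted network only
    for p in 22 80 5666; do
      echo "-A INPUT -s $LAN_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in 123 161; do
      echo "-A INPUT -s $LAN_NET -p udp --dport $p -j ACCEPT"
    done
  else
    # gateway: HTTP to the world, SSH from one admin host on the WAN side
    echo "-A INPUT -i $WAN -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -i $WAN -s $ADMIN_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # SSH from the LAN, rate-limited: a source that opens 10 or more new
    # connections within 60 s is dropped until it backs off
    echo "-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh --rsource"
    echo "-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name ssh --rsource -j DROP"
    echo "-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    for p in 5666 9102 10000 10050; do
      echo "-A INPUT -i $LAN -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in 123 161; do
      echo "-A INPUT -i $LAN -p udp --dport $p -j ACCEPT"
    done
    # LAN may go out; WAN may only send replies back in
    echo "-A FORWARD -i $LAN -o $WAN -j ACCEPT"
    echo "-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  fi
  echo 'COMMIT'
  if [ "$mode" = gateway ]; then
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo "-A POSTROUTING -o $WAN -j MASQUERADE"
    echo 'COMMIT'
  fi
}

# apply_rules host|gateway [grace-seconds]: syntax-check, back up the live rules,
# load the new set in one commit, and arm a timer that restores the backup.
# Log in again and run "confirm" before the timer fires.
apply_rules() {
  local mode=$1 grace=${2:-90} new
  [ "$(id -u)" = 0 ] || { echo "must run as root" >&2; return 1; }
  new=$(mktemp)
  gen_rules "$mode" > "$new"
  iptables-restore --test < "$new"        # parse only, nothing is committed
  iptables-save > /root/iptables.rollback
  iptables-restore < "$new"
  ( sleep "$grace" && iptables-restore < /root/iptables.rollback ) &
  echo $! > /var/run/iptables-rollback.pid
  echo "loaded $mode rules; run '$0 confirm' within ${grace}s or they roll back"
}

# confirm_rules: cancel the pending rollback and persist the verified rules
confirm_rules() {
  kill "$(cat /var/run/iptables-rollback.pid)" && rm -f /var/run/iptables-rollback.pid
  iptables-save > /etc/sysconfig/iptables   # the file "service iptables save" writes on RHEL/CentOS
}

case ${1:-print} in
  host|gateway) apply_rules "$1" "${2:-90}" ;;
  confirm)      confirm_rules ;;
  *)            gen_rules "${2:-host}" ;;    # "print [mode]": only show the rule set
esac
```

Run it as `./fw.sh print gateway` to inspect the generated file, `./fw.sh gateway 120` to load it with a two-minute rollback window, then `./fw.sh confirm` from a new SSH session. The rollback is what makes a default-DROP policy safe to push remotely: if the new rules cut off your session, the old ones return on their own.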
Reposted from the 51CTO blog of 紫色葡萄; original link: http://blog.51cto.com/purplegrape/1051478. Contact the original author for permission to reproduce.