#!/bin/bash
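# ---- Configuration ---------------------------------------------------------
# Ports accepted from ANY source IP. NOTE(review): with this default 3306
# (MySQL's default port) and 3690 (svnserve's) are reachable from everywhere;
# unless they really must be public they belong in the source-restricted
# S_TCP_* lists below.
TCP_DPORT="80 443 3306 3690"
UDP_DPORT=""
# Ports accepted only from the listed source IPs / MAC addresses.
# MAC matching only sees hosts on the same L2 segment and a MAC address is
# trivially spoofed, so treat it as a convenience filter, not authentication.
S_TCP_IP=""
S_TCP_MAC=""
S_TCP_DPORT=""
S_UDP_IP=""
S_UDP_MAC=""
S_UDP_DPORT=""
# Blacklisted source IPs. The DROP rule is inserted at the top of INPUT, ahead
# of the ESTABLISHED rule, so existing connections from these IPs die as well.
DROP_IP=""
# OS major version: 6 (CentOS 6) or 7 (CentOS 7). Leave empty to be prompted.
sysver=

# Everything below (iptables, /var/spool/cron/root) needs root. Fail early
# rather than half-way through with the INPUT policy already set to DROP.
if [[ $EUID -ne 0 ]]; then
  echo -e "[\033[31mERR\033[0m] [请以root身份运行此脚本]" >&2
  exit 1
fi

if [[ -z "$sysver" ]]; then
  while true; do
    # Abort on EOF (non-interactive run). Without this, a closed stdin makes
    # read fail, the "*)" arm fires and the loop spins forever.
    read -r -p "请选择系统版本[1.Centos6 2.Centos7]: " version || exit 1
    case "$version" in
      1) sysver=6; break ;;
      2) sysver=7; break ;;
      *) echo "----请输入1或者2----" ;;
    esac
  done
fi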
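#######################################
# Print the TCP port(s) sshd listens on, one per line.
# Parses "Port N" directives case-insensitively (as sshd does) after stripping
# "#" comments, so a trailing comment or several Port lines cannot make the
# SSH rule vanish and lock the operator out once INPUT defaults to DROP.
# Arguments: $1 - path to sshd_config (default /etc/ssh/sshd_config)
# Outputs:   port numbers on stdout, duplicates removed; "22" when the file
#            is unreadable or configures no Port
#######################################
ssh_ports_from_config() {
  local cfg=${1:-/etc/ssh/sshd_config}
  local ports=""
  if [[ -r "$cfg" ]]; then
    # sub() on $0 re-splits the record, so $1/$2 are comment-free afterwards.
    ports=$(awk '{ sub(/#.*/, "") }
                 tolower($1) == "port" && $2 ~ /^[0-9]+$/ && !seen[$2]++ { print $2 }' "$cfg")
  fi
  if [[ -z "$ports" ]]; then
    ports=22
  fi
  printf '%s\n' "$ports"
}

#######################################
# Rebuild the filter table from the variables at the top of the script.
# Globals (read): TCP_DPORT UDP_DPORT S_TCP_IP S_TCP_MAC S_TCP_DPORT
#                 S_UDP_IP S_UDP_MAC S_UDP_DPORT DROP_IP
# Side effects: flushes all rules and user chains, sets INPUT/FORWARD to DROP
#               and OUTPUT to ACCEPT, then appends the allow rules. Needs
#               root. Nothing is written to disk here (see main).
#######################################
config_iptables() {
  local port ip mac

  iptables -F
  iptables -X
  iptables -Z
  # Default-deny inbound and forwarded traffic. Between this line and the
  # ESTABLISHED rule below, in-flight packets of the operator's own SSH
  # session are dropped; TCP retransmission covers that gap.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT   # every ICMP type, no rate limit
  iptables -A INPUT -i lo -j ACCEPT

  # SSH: one rule per configured port. The old single-variable form broke
  # (and silently skipped the rule) when sshd_config had more than one Port.
  while IFS= read -r port; do
    iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
  done < <(ssh_ports_from_config)

  # Publicly reachable ports (empty lists simply add nothing).
  for port in ${TCP_DPORT}; do
    iptables -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
  done
  for port in ${UDP_DPORT}; do
    iptables -A INPUT -p udp --dport "$port" -j ACCEPT
  done

  # Source-restricted ports: one rule per (source, port) pair.
  # MAC matching only works for hosts on the local L2 segment and the address
  # is trivially spoofed: a convenience filter, not an authentication control.
  if [[ -n "${S_TCP_DPORT}" ]]; then
    for ip in ${S_TCP_IP}; do
      for port in ${S_TCP_DPORT}; do
        iptables -A INPUT -p tcp -m tcp -s "$ip" --dport "$port" -j ACCEPT
      done
    done
    for mac in ${S_TCP_MAC}; do
      for port in ${S_TCP_DPORT}; do
        iptables -A INPUT -p tcp -m mac --mac-source "$mac" --dport "$port" -j ACCEPT
      done
    done
  fi
  if [[ -n "${S_UDP_DPORT}" ]]; then
    for ip in ${S_UDP_IP}; do
      for port in ${S_UDP_DPORT}; do
        iptables -A INPUT -p udp -s "$ip" --dport "$port" -j ACCEPT
      done
    done
    for mac in ${S_UDP_MAC}; do
      for port in ${S_UDP_DPORT}; do
        iptables -A INPUT -p udp -m mac --mac-source "$mac" --dport "$port" -j ACCEPT
      done
    done
  fi

  # Blacklist is inserted at position 1, ahead of the ESTABLISHED rule, so
  # already-open sessions from a dropped IP are cut too.
  for ip in ${DROP_IP}; do
    iptables -I INPUT 1 -s "$ip" -j DROP
  done

  # Explicit REJECT so legitimate clients fail fast instead of timing out;
  # anything that somehow slips past still meets the DROP policy.
  iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}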
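#######################################
# Apply the firewall policy for the selected OS version with a lock-out
# safety net.
# Globals (read): sysver
# Side effects: adds a cron line to /var/spool/cron/root that stops the
#   firewall every 5 minutes until the operator removes it; on CentOS 6 the
#   rules are saved with "/etc/init.d/iptables save", on CentOS 7 nothing
#   here persists them.
# Exits: 1 on an unsupported version (was 0, which hid the failure).
#######################################
main() {
  local cron_file=/var/spool/cron/root
  local safety_job

  case "$sysver" in
    6) safety_job="*/5 * * * * /etc/init.d/iptables stop" ;;
    7) safety_job="*/5 * * * * /bin/systemctl stop firewalld" ;;
    *)
      echo "不正确的版本号,请检查脚本" >&2
      exit 1
      ;;
  esac

  # Safety net: a bad policy is undone within 5 minutes. Add the line only
  # once so re-running the script does not pile up duplicates that are easy
  # to miss when the operator cleans up afterwards.
  if ! grep -qF -- "$safety_job" "$cron_file" 2>/dev/null; then
    echo "$safety_job" >> "$cron_file"
  fi
  echo -e "[\033[35mINFO\033[0m] [开始配置防火墙策略,并加入每5分钟关闭防火墙服务的定时任务,如稍后无法连接服务器,请静等五分钟再尝试连接]"

  if [[ "$sysver" == 6 ]]; then
    /etc/init.d/iptables restart
    sleep 3
    config_iptables
    /etc/init.d/iptables save
  else
    # NOTE(review): on CentOS 7 the rules are written with iptables directly
    # while firewalld is running and are never saved to disk; firewalld
    # presumably discards them on its next reload/restart — confirm before
    # relying on this path.
    systemctl restart firewalld
    sleep 3
    config_iptables
  fi
  echo -e "[\033[32mOK\033[0m] [防火墙策略已生效,测试无问题后请在5分钟内删除关闭防火墙服务的定时任务]"
}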
# Entry point: main takes no arguments, so "$@" is passed only for convention.
main "$@"
简单的iptables脚本