iptables 脚本工具
分享一个一键设置 CentOS 系统防火墙（iptables）的脚本，需要以 root 身份运行：
#!/bin/bash
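# Ports open to any source.  "a:b" is a port range (iptables --dport syntax).
TCP_DPORT="80 443 22 21 2299 8888 9922 39000:40000"
UDP_DPORT=""
# Ports open only to the listed sources -- replace 192.168.0.x with the real
# internal addresses.  Source-IP matching is only as trustworthy as the
# network's anti-spoofing; MAC matching (-m mac) only sees the real sender
# MAC from the same L2 segment.
S_TCP_IP="192.168.0.1 192.168.0.2 192.168.0.3"
S_TCP_MAC=""
S_TCP_DPORT="3306 6379"
S_UDP_IP=""
S_UDP_MAC=""
S_UDP_DPORT=""
# Blacklisted source IPs, denied outright.
DROP_IP=""
# CentOS major version: 6 or 7.  Leave empty to be prompted, or pass it as
# the first argument (e.g. ./fw.sh 7) for non-interactive use; a value
# hard-coded here still takes precedence.
sysver=
sysver="${sysver:-${1:-}}"
if [[ -z "$sysver" ]]; then
  while true; do
    # read returns non-zero on EOF (closed or empty stdin); the original
    # loop then printed the hint forever.  Exit instead.
    if ! read -r -p "请选择系统版本: " version; then
      echo "未读取到输入,退出" >&2
      exit 1
    fi
    case "$version" in
      1|6)
        sysver=6
        break
        ;;
      2|7)
        sysver=7
        break
        ;;
      *)
        echo "----请输入1或者2----"
        ;;
    esac
  done
fi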
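function config_iptables() {
  # Rebuild the filter table from the globals set at the top of the script:
  #   TCP_DPORT / UDP_DPORT                       ports open to everyone
  #   S_TCP_IP, S_TCP_MAC + S_TCP_DPORT           TCP ports open to listed sources
  #   S_UDP_IP, S_UDP_MAC + S_UDP_DPORT           UDP ports open to listed sources
  #   DROP_IP                                     sources dropped outright
  # Requires root.  Only the filter table is touched: -F/-X/-Z do not reach
  # nat or mangle.
  #
  # Rule order is the security-relevant part.  INPUT is evaluated top-down
  # and the first match wins, so the DROP_IP rules are installed before every
  # ACCEPT rule.  The original script appended them *after* the ACCEPT rules,
  # which meant a blacklisted host could still reach every port opened here
  # (including ssh) -- the blacklist never matched anything that mattered.
  local sshports port ip mac valid

  # sshd listening port(s): every uncommented "Port N" line.  Lines that
  # contain '#' anywhere are skipped (so "Port 2222  # note" is missed); a
  # missing sshd_config or no Port line falls back to 22.  Non-numeric
  # values are skipped with a warning instead of being handed to iptables.
  sshports=$(egrep -wi "Port" /etc/ssh/sshd_config 2>/dev/null | grep -v \# | awk '{print $2}')
  valid=""
  for port in ${sshports}; do
    if [[ "$port" =~ ^[0-9]+$ ]]; then
      valid="${valid} ${port}"
    else
      echo "忽略 sshd_config 中无效的 Port 值: ${port}" >&2
    fi
  done
  sshports=${valid:-22}

  iptables -F
  iptables -X
  iptables -Z
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  # Blacklist first: placed ahead of the ESTABLISHED rule so it also cuts
  # sessions a blacklisted host already has open.
  for ip in ${DROP_IP}; do
    iptables -A INPUT -s "${ip}" -j DROP
  done
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  # ssh before the user-supplied lists so a typo there cannot lock us out.
  for port in ${sshports}; do
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport "${port}" -j ACCEPT
  done
  # Publicly reachable ports.
  for port in ${TCP_DPORT}; do
    iptables -A INPUT -p tcp -m tcp --dport "${port}" -j ACCEPT
  done
  for port in ${UDP_DPORT}; do
    iptables -A INPUT -p udp --dport "${port}" -j ACCEPT
  done
  # Source-restricted ports.  -s relies on the upstream network rejecting
  # spoofed source addresses.  -m mac only sees the sender's own MAC when it
  # is on the same L2 segment; behind a router the MAC seen is the router's,
  # so the restriction then effectively means "anything behind that router".
  for ip in ${S_TCP_IP}; do
    for port in ${S_TCP_DPORT}; do
      iptables -A INPUT -p tcp -m tcp -s "${ip}" --dport "${port}" -j ACCEPT
    done
  done
  for mac in ${S_TCP_MAC}; do
    for port in ${S_TCP_DPORT}; do
      iptables -A INPUT -p tcp -m mac --mac-source "${mac}" --dport "${port}" -j ACCEPT
    done
  done
  for ip in ${S_UDP_IP}; do
    for port in ${S_UDP_DPORT}; do
      iptables -A INPUT -p udp -s "${ip}" --dport "${port}" -j ACCEPT
    done
  done
  for mac in ${S_UDP_MAC}; do
    for port in ${S_UDP_DPORT}; do
      iptables -A INPUT -p udp -m mac --mac-source "${mac}" --dport "${port}" -j ACCEPT
    done
  done
  # Explicit reject so clients get an error instead of a timeout; the DROP
  # policy set above is only a backstop for packets that somehow fall
  # through.
  iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}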
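function main() {
  # Entry point.  Installs the rules for the selected CentOS major version
  # and, as a lock-out safety net, registers a root cron job that turns the
  # firewall service off every 5 minutes.  That job is NOT removed by this
  # script: once connectivity is confirmed the operator must delete it from
  # root's crontab, otherwise the firewall keeps being disabled every 5
  # minutes for good.
  local cron_file=/var/spool/cron/root
  local cron_line

  # iptables and root's crontab both need root; fail early with a clear
  # message instead of a cascade of permission errors.
  if (( EUID != 0 )); then
    echo "请以 root 身份运行此脚本" >&2
    exit 1
  fi

  case "$sysver" in
    6)
      # The messages promise a 5-minute window, so the job runs every 5
      # minutes (the original line ran it every 3 while the text said 5).
      cron_line="*/5 * * * * /etc/init.d/iptables stop"
      # Skip the append when the entry is already there (re-run safety).
      grep -qF -- "$cron_line" "$cron_file" 2>/dev/null || echo "$cron_line" >> "$cron_file"
      echo "[开始配置防火墙策略,并加入每5分钟关闭防火墙服务的定时任务,如稍后无法连接服务器,请静等五分钟再尝试连接]"
      /etc/init.d/iptables restart
      sleep 3
      config_iptables
      # Persist the rules (/etc/sysconfig/iptables) so they survive a reboot.
      /etc/init.d/iptables save
      echo "[防火墙策略已生效,测试无问题后请在5分钟内删除关闭防火墙服务的定时任务]"
      ;;
    7)
      # NOTE(review): on CentOS 7 the rules are written with raw iptables
      # while firewalld keeps running, and nothing here saves them -- they
      # are lost on reboot or on the next firewalld reload.  The safety job
      # assumes that stopping firewalld flushes the tables (its
      # cleanup-on-exit behaviour); confirm that on the target host before
      # relying on it as the lock-out escape hatch.
      cron_line="*/5 * * * * /bin/systemctl stop firewalld"
      grep -qF -- "$cron_line" "$cron_file" 2>/dev/null || echo "$cron_line" >> "$cron_file"
      echo "[开始配置防火墙策略,并加入每5分钟关闭防火墙服务的定时任务,如稍后无法连接服务器,请静等五分钟再尝试连接]"
      systemctl restart firewalld
      sleep 3
      config_iptables
      echo "[防火墙策略已生效,测试无问题后请在5分钟内删除关闭防火墙服务的定时任务]"
      ;;
    *)
      # Non-zero exit so callers/automation notice (the original exited 0).
      echo "不正确的版本号,请检查脚本" >&2
      exit 1
      ;;
  esac
}
main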