Linux命令 Iptables


原文链接: Linux命令 Iptables
#!/bin/sh
### BEGIN INIT INFO
# Provides:  iptables
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs $network
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: Firewall Rules for iptables
# Description: EDIT THIS FILE TO YOUR NEEDS BEFORE EXECUTING
### END INIT INFO
#!/bin/sh
# aptitude install iptables iptables-persistent fail2ban
# service fail2ban stop
# Start from an empty ruleset: flush every rule and delete the user chains.
# -F does not touch the chain policy, so if a previous run already left INPUT
# at DROP (see the -P line at the end), inbound traffic is cut until the rules
# below have been re-added.
iptables -F
iptables -X
#DENY
# Catch-all chain; INPUT jumps here as its last rule, so anything arriving in
# DENY was not accepted by any earlier rule.
iptables -N DENY
# Up to 30 pkt/s (burst 100) of the rejected traffic gets an explicit answer
# (TCP reset / ICMP proto-unreachable); above that rate the packets fall
# through to the silent DROPs further down.
iptables -A DENY -p tcp -m tcp -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with tcp-reset
iptables -A DENY -m limit --limit 30/sec --limit-burst 100 -m comment --comment "Anti-DoS" -j REJECT --reject-with icmp-proto-unreachable
# New TCP connections that do not begin with a SYN.
iptables -A DENY -p tcp ! --syn -m state --state NEW -j DROP
# Fragmented packets.
iptables -A DENY -f -j DROP
# XMAS (every flag set) and NULL (no flag set) packets.
iptables -A DENY -p tcp --tcp-flags ALL ALL -j DROP
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
# Never reached for echo-requests: the INPUT chain below accepts all ICMP
# ("Allow: ICMP") before jumping to DENY, so this limit is not applied.
iptables -A DENY -p icmp --icmp-type echo-request -m limit --limit 1/s -m comment --comment "Limit Ping Flood" -j ACCEPT
#iptables -A DENY -j LOG --log-prefix "PORT DENIED: " --log-level 5 --log-ip-options --log-tcp-options --log-tcp-sequence
# Dead rules: ALL/NONE and ALL/ALL packets were already dropped two rules up,
# so these rate-limited ACCEPTs never match.
iptables -A DENY -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -m comment --comment "Anti-Portscan" -j ACCEPT
iptables -A DENY -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -m comment --comment "Anti-Portscan2" -j ACCEPT
#Drop unusual flags
iptables -A DENY -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A DENY -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Duplicate of the ALL/NONE DROP above; never matches.
iptables -A DENY -p tcp --tcp-flags ALL NONE -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A DENY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Whatever is left is dropped silently; the INPUT policy below is rarely reached.
iptables -A DENY -m comment --comment "Ignore everything else" -j DROP
#BLOCKED
# Blacklist chain. Empty here; the helper script further down the page fills
# it with "-I BLOCKED -s <addr> -j DROP" entries.
iptables -N BLOCKED
#ALLOWED
# Whitelist chain. Empty here; the helper script fills it with
# "-I ALLOWED -s <addr> -j ACCEPT" entries.
iptables -N ALLOWED
#iptables -A ALLOWED -s <YOUR IP HERE> -j ACCEPT ###EDIT AND UNCOMMENT THIS LINE!
#SERVICES
# Publicly reachable services. The chain ends with RETURN so unmatched
# traffic continues down INPUT.
iptables -N SERVICES
iptables -A SERVICES -p tcp -m tcp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p udp -m udp --dport 53 -m comment --comment "Allow: DNS" -j ACCEPT
iptables -A SERVICES -p tcp -m tcp --dport 22 -m comment --comment "Allow: SSH-Access" -j ACCEPT
iptables -A SERVICES -p tcp -m multiport --dports 80,8080,443 -m comment --comment "Allow: Webserver" -j ACCEPT
iptables -A SERVICES -j RETURN
#TEAMSPEAK
iptables -N TEAMSPEAK
#iptables -A TEAMSPEAK -p tcp -m tcp --dport 2008 -m comment --comment "Allow: TeamSpeak Accounting" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 10011 -m comment --comment "Allow: TeamSpeak ServerQuery" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m multiport --dports 30033 -m comment --comment "Allow: TeamSpeak FileTransfer" -j ACCEPT
iptables -A TEAMSPEAK -p tcp -m tcp --dport 41144 -m comment --comment "Allow: TeamSpeak TSDNS" -j ACCEPT
# --dport 1:65535 matches every UDP destination port, so this opens all
# inbound UDP to the host, not only the TeamSpeak voice ports.
iptables -A TEAMSPEAK -p udp -m udp --dport 1:65535 -m comment --comment "Allow: TeamSpeak Voiceports" -j ACCEPT
iptables -A TEAMSPEAK -j RETURN
#INPUT
# Evaluation order for inbound packets: whitelist, blacklist, loopback,
# replies to existing connections, the two service chains, all ICMP, and
# finally the DENY chain for everything else.
iptables -A INPUT -m comment --comment "Allow Whitelisted IP's" -j ALLOWED
iptables -A INPUT -m comment --comment "Block Blacklisted IP's" -j BLOCKED
iptables -A INPUT -i lo -m comment --comment "Allow: Loopback" -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow: Related and Established Connections" -j ACCEPT
iptables -A INPUT -m comment --comment "Allow Default Services" -j SERVICES
iptables -A INPUT -m comment --comment "Allow TeamSpeak Services" -j TEAMSPEAK
# Accepts every ICMP type unconditionally (see the note on the DENY ping limit).
iptables -A INPUT -p icmp -m comment --comment "Allow: ICMP" -j ACCEPT
iptables -A INPUT -m comment --comment "Ignore everything else" -j DENY
# Default policy is set last, after the accept rules are in place.
iptables -P INPUT DROP
# Persist the ruleset so it is reloaded at boot (iptables-persistent).
/etc/init.d/iptables-persistent save
service fail2ban start
# Assumes an attached terminal; when run by init there may be none.
clear
iptables -L
If you want to easily add or remove entries from the ALLOWED/BLOCKED chains, you can use the following script, created by @Supervisor:
sudo nano firewall;sudo chmod +x firewall
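#!/bin/sh
# Add or remove one source address in the ALLOWED/BLOCKED chains created by
# the firewall script above.
#   ./firewall block|unblock|allow|disallow IP
# "block"/"allow" insert a rule, "unblock"/"disallow" delete the matching one.
# The script exits with the status of the iptables call, so a failed rule
# change is visible to the caller.

usage() {
  printf "Usage: ./firewall 'block|unblock|allow|disallow' IP\n" >&2
  exit 1
}

# Both arguments are required: with an empty address iptables would read the
# following "-j" as the -s operand and the rule would not be what was asked for.
[ $# -eq 2 ] || usage

action=$1
addr=$2

case "$action" in
  block*)    iptables -I BLOCKED -s "$addr" -j DROP ;;
  unblock*)  iptables -D BLOCKED -s "$addr" -j DROP ;;
  allow*)    iptables -I ALLOWED -s "$addr" -j ACCEPT ;;
  disallow*) iptables -D ALLOWED -s "$addr" -j ACCEPT ;;
  *) usage ;;
esac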
#!/bin/sh
#
# Copyright (C) 2015 Red Hat, Inc.
# Copyright (C) 2016 Lance LeFlore
#
# This file is part of ocserv.
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

# Input is from environment:
#
# OCSERV_RESTRICT_TO_ROUTES: If set to '1' the user should be restricted
#                    to accessing the OCSERV_ROUTES and prevented from accessing
#                    OCSERV_NO_ROUTES.
#
# OCSERV_ROUTES:     A space separated list of IPv4 and IPv6 routes to
#                    which the user has access. If empty or not set the
#                    user has default route.
#
# OCSERV_ROUTES4:    A version of OCSERV_ROUTES with IPv4 addresses only.
# OCSERV_ROUTES6:    A version of OCSERV_ROUTES with IPv6 addresses only.
#
# OCSERV_NO_ROUTES:  A space separated list of IPv4 and IPv6 routes to
#                    which the user has NO access.
#
# OCSERV_NO_ROUTES4: A version of OCSERV_NO_ROUTES with IPv4 addresses only.
# OCSERV_NO_ROUTES6: A version of OCSERV_NO_ROUTES with IPv6 addresses only.
#
# OCSERV_DNS:        A space-separated list of DNS servers the user has access to.
# OCSERV_DNS4:       A version of OCSERV_DNS with IPv4 addresses only.
# OCSERV_DNS6:       A version of OCSERV_DNS with IPv6 addresses only.
#
# OCSERV_DENY_PORTS: A space-separated list of port types and ports that the user
#                    should be denied access to. An example of the format is:
#                    "tcp 443 udp 312 sctp 999 icmp all esp all icmpv6 all"
#
# OCSERV_ALLOW_PORTS: A space-separated list of port types and ports that the user
#                     should be granted access to. If set the user must be denied access
#                     to any other ports. An example of the format is:
#                     "tcp 443 udp 312 sctp 999 icmp all esp all icmpv6 all"

# Make sure iptables/ip6tables/logger resolve even when the caller's PATH
# lacks the sbin directories.
PATH=/sbin:/usr/sbin:${PATH}

# Tag attached to every rule this script installs; --removeall and
# clean_all_rules select rules by it.
COMMENT=ocserv-fw

# Chain that rules are appended to. Starts as the real FORWARD chain and is
# re-pointed at the per-device chain further down.
FORWARD_CHAIN=FORWARD

# Per-device chain that holds this session's route/port restrictions.
# DEVICE is not among the documented inputs above; presumably set in the
# environment by ocserv — confirm against the ocserv documentation.
SEC_FORWARD_CHAIN=FORWARD-${COMMENT}-${DEVICE}

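if test "$1" = "--removeall";then
	# Tear down every rule this script ever installed, for all devices.
	# iptables -S prints rules as "-A CHAIN ..." lines; rewriting the leading
	# "-A" to "-D" yields the matching delete command. The substitution is
	# anchored to the start of the line so a chain name or comment that
	# happens to contain "-A" is not altered. Only rules tagged with our
	# comment are selected; the text being eval'ed is produced by iptables
	# from the admin-configured ruleset, not from user input.
	eval "$(iptables -S | grep "comment ${COMMENT}" | sed -e 's/^-A /-D /' -e 's/^-/iptables -/')"
	eval "$(ip6tables -S | grep "comment ${COMMENT}" | sed -e 's/^-A /-D /' -e 's/^-/ip6tables -/')"

	# Delete the now-empty per-device chains. They are named
	# "FORWARD-${COMMENT}-<device>" (see SEC_FORWARD_CHAIN above); the old
	# "INPUT-${COMMENT}" pattern matched nothing, so the chains were left behind.
	eval "$(iptables -S | grep "^-N FORWARD-${COMMENT}-" | sed -e 's/^-N /-X /' -e 's/^-/iptables -/')"
	eval "$(ip6tables -S | grep "^-N FORWARD-${COMMENT}-" | sed -e 's/^-N /-X /' -e 's/^-/ip6tables -/')"
	exit 0
fi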

execute_next_script() {
	# Hand over to the script that ocserv chained after this one, if any.
	# OCSERV_NEXT_SCRIPT is cleared before the call so the child runs with it
	# unset. Returns the child's exit status, or 0 when there is no child.
	case "${OCSERV_NEXT_SCRIPT}" in
		"") return 0 ;;
	esac
	next_script="${OCSERV_NEXT_SCRIPT}"
	unset OCSERV_NEXT_SCRIPT
	/bin/sh "${next_script}"
}

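clean_all_rules() {
	# Remove every rule tagged with ${COMMENT} that names ${DEVICE} as its
	# in/out interface, then delete the per-device chain. Errors are silenced
	# on purpose: this is best-effort cleanup that must also work when nothing
	# is installed yet.
	if test -z "${DEVICE}";then
		# With an empty DEVICE the interface pattern below would match every
		# ocserv rule on the host, not just this session's — refuse instead.
		logger -t ocserv-fw "clean_all_rules: DEVICE is not set, nothing removed"
		return 1
	fi
	# "-A CHAIN ..." lines from iptables -S become "-D CHAIN ..." delete
	# commands; the substitution is anchored so "-A" inside a name or comment
	# is left alone. The interface match is anchored too, so "-i vpns1" does
	# not also select "-i vpns10".
	eval "$(iptables -S | grep "comment ${COMMENT}" | grep -E -e "-[io] ${DEVICE}( |$)" | sed -e 's/^-A /-D /' -e 's/^-/iptables -/')" 2>/dev/null
	eval "$(ip6tables -S | grep "comment ${COMMENT}" | grep -E -e "-[io] ${DEVICE}( |$)" | sed -e 's/^-A /-D /' -e 's/^-/ip6tables -/')" 2>/dev/null
	iptables -X "${SEC_FORWARD_CHAIN}" 2>/dev/null
	ip6tables -X "${SEC_FORWARD_CHAIN}" 2>/dev/null
}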

# REASON tells us which side of the session we are on; anything other than
# connect/disconnect is logged and rejected.
case "${REASON}" in
	connect)
		# Drop whatever a previous session on this device left behind.
		clean_all_rules
		# The FORWARD policy is assumed to be REJECT, so reply traffic towards
		# the client has to be let through explicitly. Kernel forwarding may
		# also need to be enabled separately.
		iptables -I "${FORWARD_CHAIN}" \
			-o "${DEVICE}" \
			-m conntrack --ctstate RELATED,ESTABLISHED \
			-j ACCEPT -m comment --comment "${COMMENT}"
		;;
	disconnect)
		clean_all_rules
		set -e
		execute_next_script
		exit 0
		;;
	*)
		logger -t ocserv-fw "unknown reason ${REASON}"
		exit 1
		;;
esac

# From here on (connect path) any failing command aborts the script.
set -e

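allow_dns() {
	# Let the client on ${DEVICE} reach DNS server $2 on port 53, via the
	# tool named in $1 (iptables or ip6tables). Rules are appended to
	# ${FORWARD_CHAIN}, which is still the real FORWARD chain when the DNS
	# loops below run (it is re-pointed at the per-device chain afterwards).
	"$1" -A "${FORWARD_CHAIN}" -i "${DEVICE}" -p udp -d "$2" --dport 53 -j ACCEPT --match comment --comment "${COMMENT}"

	# conntrack is the current name of the state match; it is what the
	# connect-time RELATED,ESTABLISHED rule above already uses.
	"$1" -A "${FORWARD_CHAIN}" -i "${DEVICE}" -p tcp -d "$2" --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --match comment --comment "${COMMENT}"
}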

allow_dns4() {
	# IPv4 wrapper around allow_dns; $1 is the DNS server address.
	allow_dns iptables "${1}"
}

allow_dns6() {
	# IPv6 wrapper around allow_dns; $1 is the DNS server address.
	allow_dns ip6tables "${1}"
}

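allow_route() {
	# Permit client traffic on ${DEVICE} towards destination $2 (address or
	# prefix) in the per-device chain, using the tool named in $1
	# (iptables or ip6tables).
	"$1" -A "${SEC_FORWARD_CHAIN}" -i "${DEVICE}" -d "$2" -j ACCEPT --match comment --comment "${COMMENT}"
}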

allow_route4() {
	# IPv4 wrapper around allow_route; $1 is the destination route.
	allow_route iptables "${1}"
}

allow_route6() {
	# IPv6 wrapper around allow_route; $1 is the destination route.
	allow_route ip6tables "${1}"
}

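disallow_route() {
	# Reject client traffic on ${DEVICE} towards destination $2 (address or
	# prefix) in the per-device chain, using the tool named in $1
	# (iptables or ip6tables). Appended before the allow_route rules, so it
	# wins over a broader allowed prefix.
	"$1" -A "${SEC_FORWARD_CHAIN}" -i "${DEVICE}" -d "$2" -j REJECT --match comment --comment "${COMMENT}"
}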

disallow_route4() {
	# IPv4 wrapper around disallow_route; $1 is the destination route.
	disallow_route iptables "${1}"
}

disallow_route6() {
	# IPv6 wrapper around disallow_route; $1 is the destination route.
	disallow_route ip6tables "${1}"
}

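disallow_all() {
	# Reject everything from ${DEVICE} not matched earlier in ${FORWARD_CHAIN},
	# for both IPv4 and IPv6. Used when the user has no default route: only the
	# explicitly allowed routes appended before this rule pass.
	iptables -A "${FORWARD_CHAIN}" -i "${DEVICE}" -j REJECT --match comment --comment "${COMMENT}"
	ip6tables -A "${FORWARD_CHAIN}" -i "${DEVICE}" -j REJECT --match comment --comment "${COMMENT}"
}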

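allow_all() {
	# Accept everything from ${DEVICE} not matched earlier in ${FORWARD_CHAIN},
	# for both IPv4 and IPv6. Used when the user keeps the default route and
	# only the NO_ROUTES rejections appended before this rule are carved out.
	iptables -A "${FORWARD_CHAIN}" -i "${DEVICE}" -j ACCEPT --match comment --comment "${COMMENT}"
	ip6tables -A "${FORWARD_CHAIN}" -i "${DEVICE}" -j ACCEPT --match comment --comment "${COMMENT}"
}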

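allow_port() {
	# Whitelist one "<proto> <port>" pair from OCSERV_ALLOW_PORTS: matching
	# traffic from ${DEVICE} is sent from the real FORWARD chain (the literal
	# name is deliberate — FORWARD_CHAIN already points at the per-device
	# chain when this runs) into ${SEC_FORWARD_CHAIN}, where the route rules
	# decide. icmp is IPv4-only and icmpv6 IPv6-only; every other protocol
	# gets a rule in both tables. A port of "all" (e.g. "esp all" in the
	# header's example) means no --dport, which protocols without ports need.
	proto=$1
	port=$2

	# Build the protocol/port part of the rule in the positional parameters
	# (POSIX sh has no arrays); inside a function these are local to it.
	set -- -p "$proto"
	if test "$port" != "all";then
		set -- "$@" --dport "$port"
	fi

	case "$proto" in
		icmp)
			iptables -A FORWARD -i "${DEVICE}" -p "$proto" -j "${SEC_FORWARD_CHAIN}" --match comment --comment "${COMMENT}"
			;;
		icmpv6)
			ip6tables -A FORWARD -i "${DEVICE}" -p "$proto" -j "${SEC_FORWARD_CHAIN}" --match comment --comment "${COMMENT}"
			;;
		*)
			iptables -A FORWARD -i "${DEVICE}" "$@" -j "${SEC_FORWARD_CHAIN}" --match comment --comment "${COMMENT}"
			ip6tables -A FORWARD -i "${DEVICE}" "$@" -j "${SEC_FORWARD_CHAIN}" --match comment --comment "${COMMENT}"
			;;
	esac
}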

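deny_port() {
	# Reject one "<proto> <port>" pair from OCSERV_DENY_PORTS for traffic
	# from ${DEVICE}. Rules go to ${FORWARD_CHAIN}; by the time the deny loop
	# runs that variable already names the per-device chain. icmp is
	# IPv4-only and icmpv6 IPv6-only; every other protocol is rejected in
	# both tables. A port of "all" (e.g. "esp all" in the header's example)
	# means no --dport, which protocols without ports need.
	proto=$1
	port=$2

	# Build the protocol/port part of the rule in the positional parameters
	# (POSIX sh has no arrays); inside a function these are local to it.
	set -- -p "$proto"
	if test "$port" != "all";then
		set -- "$@" --dport "$port"
	fi

	case "$proto" in
		icmp)
			iptables -A "${FORWARD_CHAIN}" -i "${DEVICE}" -p "$proto" -j REJECT --match comment --comment "${COMMENT}"
			;;
		icmpv6)
			ip6tables -A "${FORWARD_CHAIN}" -i "${DEVICE}" -p "$proto" -j REJECT --match comment --comment "${COMMENT}"
			;;
		*)
			iptables -A "${FORWARD_CHAIN}" -i "${DEVICE}" "$@" -j REJECT --match comment --comment "${COMMENT}"
			ip6tables -A "${FORWARD_CHAIN}" -i "${DEVICE}" "$@" -j REJECT --match comment --comment "${COMMENT}"
			;;
	esac
}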

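disallow_all_ports() {
	# Whitelist mode backstop: reject everything from ${DEVICE} in the real
	# FORWARD chain that the allow_port jumps appended before it did not catch.
	iptables -A FORWARD -i "${DEVICE}" -j REJECT --match comment --comment "${COMMENT}"
	ip6tables -A FORWARD -i "${DEVICE}" -j REJECT --match comment --comment "${COMMENT}"
}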

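# Allow DNS lookups towards the configured servers. FORWARD_CHAIN still
# names the real FORWARD chain at this point. The lists are split on
# whitespace on purpose (one address per word).
for i in $OCSERV_DNS4;do
	allow_dns4 "$i"
done

for i in $OCSERV_DNS6;do
	allow_dns6 "$i"
done

# Create the per-device chain and make it the target of everything appended
# from here on.
FORWARD_CHAIN="${SEC_FORWARD_CHAIN}"
iptables -N "${FORWARD_CHAIN}"
ip6tables -N "${FORWARD_CHAIN}"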

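# Port filtering. Only one of the two lists is honoured, deny first. Each
# list is "<proto> <port> <proto> <port> ..." (see the header); "set --"
# splits it into positional pairs. The "--" keeps a list whose first word
# starts with "-" from being read as options to set, and stops an
# all-whitespace list from turning into a bare "set" that dumps every shell
# variable. A trailing unpaired word is ignored, as before.
if test -n "${OCSERV_DENY_PORTS}";then
	set -- ${OCSERV_DENY_PORTS}
	while test $# -gt 1; do
		deny_port "$1" "$2"
		shift 2
	done
elif test -n "${OCSERV_ALLOW_PORTS}";then
	set -- ${OCSERV_ALLOW_PORTS}
	while test $# -gt 1; do
		allow_port "$1" "$2"
		shift 2
	done
	# Whitelist mode: anything not jumped into the per-device chain above is
	# rejected here in FORWARD.
	disallow_all_ports
fi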

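if test "${OCSERV_RESTRICT_TO_ROUTES}" = "1";then
	# Denied routes go first so they win over a broader allowed prefix
	# appended after them.
	for i in $OCSERV_NO_ROUTES4;do
		disallow_route4 "$i"
	done

	for i in $OCSERV_NO_ROUTES6;do
		disallow_route6 "$i"
	done

	if test -n "$OCSERV_ROUTES";then
		for i in $OCSERV_ROUTES4;do
			allow_route4 "$i"
		done

		for i in $OCSERV_ROUTES6;do
			allow_route6 "$i"
		done

		# No default route: anything not listed above is rejected.
		disallow_all
	else
		# Default route, with only the NO_ROUTES carved out.
		allow_all
	fi
else
	# Not restricted: pass everything from the device.
	# NOTE(review): only the IPv4 per-device chain gets this ACCEPT; the IPv6
	# chain is left empty here, unlike allow_all above, so v6 traffic falls
	# back to the FORWARD policy — confirm whether that asymmetry is intended.
	iptables -A "${SEC_FORWARD_CHAIN}" -i "${DEVICE}" -j ACCEPT -m comment --comment "${COMMENT}"
fi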

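# Hook the per-device chain into FORWARD for traffic arriving from the client.
# In whitelist-port mode disallow_all_ports already appended a REJECT for this
# device to FORWARD, so these jumps sit behind it and are not reached; the
# allow_port jumps added earlier carry the traffic in that case.
iptables  -A FORWARD -i "${DEVICE}" -j "${SEC_FORWARD_CHAIN}" --match comment --comment "${COMMENT}"
ip6tables -A FORWARD -i "${DEVICE}" -j "${SEC_FORWARD_CHAIN}" --match comment --comment "${COMMENT}"

execute_next_script

exit 0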