防火墙样本

 

 单机防火墙需要考虑的只是本机对外的一块网卡，因此入站要限IP，限端口

 

样本

 

#!/usr/bin/env bash

if [ "$(id -u)" != "0" ]; then
   echo "This script is designed to run as root" 1>&2
   exit 1
fi

modprobe ip_tables
modprobe iptable_filter
modprobe ipt_REJECT
modprobe ip_conntrack

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 5666 -j ACCEPT

iptables -A INPUT -p udp -s 10.0.0.0/8 --dport 123 -j ACCEPT
iptables -A INPUT -p udp -s 10.0.0.0/8 --dport 161 -j ACCEPT


iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

iptables -A OUTPUT -s 224.0.0.0/8 -j DROP
iptables -A OUTPUT -d 224.0.0.0/8 -j DROP
iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
service iptables save
iptables -L -v -n

 开放了内网的端口，ping包每秒一个，可以根据需要修改。

 

双网卡做网关(SNAT)，既要保护自己，又要保护内网机器

 

样本 

 

#!/usr/bin/env bash

if [ "$(id -u)" != "0" ]; then
   echo "This script is designed to run as root" 1>&2
   exit 1
fi

PATH=/usr/sbin:/sbin:/bin:/usr/bin

wan=eth0
lan=eth1
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z

# Set the INPUT policy to ALLOW for the moment
iptables -P INPUT ACCEPT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Limit ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# Open some ports to the public
iptables -A INPUT -i $wan -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -s 123.234.345.456 -p tcp --dport 22 -j ACCEPT

# Open some ports to local netwrk
iptables -A INPUT -i $lan -p tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -i $lan -p tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 10 --name ssh --rsource -j ACCEPT

iptables -A INPUT -i $lan -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i $lan -p udp --dport 161 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 5666 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 9102 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 10050 -j ACCEPT

# Apply the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $lan -o $wan -j ACCEPT

iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -s 224.0.0.0/8 -j DROP
iptables -A OUTPUT -d 224.0.0.0/8 -j DROP
iptables -A OUTPUT -s 255.255.255.255/32 -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Masquerade.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Save and restart iptables
service iptables save
service iptables restart

# Show the final rules
iptables -n -v -L
iptables -n -v -L -t nat