设置 Linux 服务器防火墙脚本,Web_iptables.sh
- 通过内网可访问服务器所有开放端口
- 给跳板机开放 sshd 端口（TCP/16333）连接服务器；脚本中 TIAOBANJI 列表为空时此规则不生效
- 信任 IP（含本机所在的整个内网网段）所有端口均开放
- 开放部分端口供外部访问
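#!/bin/bash
#
# Web_iptables.sh - host firewall for a web server (filter table, INPUT chain).
#
# Policy loaded here:
#   - every address in TRUST_IP (the RFC 1918 block this host lives in plus a
#     few fixed public addresses) may reach any port;
#   - each jump host in TIAOBANJI may reach sshd on TCP/16333;
#   - the listed web / service ports are reachable from anywhere;
#   - the zabbix server may reach the agent on TCP/10050;
#   - loopback, ICMP and replies to established connections are accepted;
#   - everything else on INPUT is dropped; OUTPUT is open; FORWARD is dropped.
#
# Must run as root. The trusted-network rule is derived from the host's own
# address; if no private address is found the script aborts before touching
# any rule, so a mistyped trust rule cannot lock an administrator out.

IPT=/sbin/iptables

#######################################
# Print the host's RFC 1918 addresses together with the private block each
# belongs to, one "<ip> <cidr>" pair per line (e.g. "10.1.2.3 10.0.0.0/8").
# Reads addresses from `ip -4 -o addr` when available, otherwise from
# ifconfig (both the "inet addr:x.x.x.x" and the "inet x.x.x.x" formats).
# Arguments: none
# Outputs:   "<ip> <cidr>" lines on stdout; nothing if no private address.
#######################################
getLocalInnerIP() {
  local addrs addr
  if command -v ip >/dev/null 2>&1; then
    addrs=$(ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
  else
    addrs=$(ifconfig 2>/dev/null \
      | grep -oE 'inet (addr:)?[0-9]+(\.[0-9]+){3}' \
      | grep -oE '[0-9]+(\.[0-9]+){3}')
  fi
  for addr in $addrs; do
    case "$addr" in
      10.*)
        printf '%s 10.0.0.0/8\n' "$addr" ;;
      172.1[6-9].*|172.2[0-9].*|172.3[01].*)
        printf '%s 172.16.0.0/12\n' "$addr" ;;
      192.168.*)
        printf '%s 192.168.0.0/16\n' "$addr" ;;
    esac
  done
}

# The first private address wins; LAN_IP is the RFC 1918 block it belongs to.
# (The previous version kept only the first octet and built a /8 from it, so a
# 172.16/12 or 192.168/16 host also trusted large public ranges.)
innerIP=$(getLocalInnerIP | head -n 1)
if [ -z "$innerIP" ]; then
  echo "$0: no RFC 1918 address found on this host; refusing to load rules" >&2
  exit 1
fi
LAN_IP=${innerIP#* }

# Jump hosts allowed to reach sshd on TCP/16333 (space separated; may be empty,
# in which case sshd is reachable only from TRUST_IP).
#TIAOBANJI="218.17.152.189 113.107.167.90 58.253.68.90"
TIAOBANJI=""

# Trusted sources: every port open.
ETL1=219.129.216.224
# Guangzhou IDC address.
yw1=43.230.88.130
#NAGIOS_IP=121.10.141.196
TRUST_IP="$LAN_IP $ETL1 $yw1 121.10.141.196"

# Open the INPUT policy before flushing so a remote session is not cut off
# between the flush and the rule that re-admits it; DROP is set at the end.
$IPT -P INPUT ACCEPT
$IPT -F -t filter
$IPT -X -t filter
$IPT -Z -t filter

# Loopback, ICMP, and replies to connections already accepted. Placed first so
# the bulk of traffic matches early.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Trusted sources: all ports.
for trusted in $TRUST_IP; do
  $IPT -A INPUT -s "$trusted" -j ACCEPT
done

# Jump hosts: sshd only.
for jump in $TIAOBANJI; do
  $IPT -A INPUT -s "$jump" -p tcp --dport 16333 -j ACCEPT
done

# Ports reachable from any source (web front ends and the 9xxx service ports).
$IPT -A INPUT -p tcp -m multiport --dports 80,443,8080 -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dports 9202,9200,9300,9400,9500 -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dports 9001,9002,9003,9004,9005 -j ACCEPT

# zabbix server -> agent.
$IPT -A INPUT -s 113.107.166.246 -p tcp --dport 10050 -j ACCEPT

# Default policies: drop anything on INPUT not accepted above, let OUTPUT
# through, never forward.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# Persist the rule set across reboots (RHEL/CentOS init script); warn instead
# of failing silently where it is absent.
if [ -x /etc/init.d/iptables ]; then
  /etc/init.d/iptables save
else
  echo "$0: /etc/init.d/iptables not found; rules loaded but not saved" >&2
fi
exit 0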
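#!/bin/bash
#
# Minimal host firewall: INPUT is deny-by-default through a trailing catch-all
# DROP rule, with a handful of source/port exceptions. OUTPUT and FORWARD
# policies are left as they are (this script never changes them).
#
# Must run as root. The INPUT policy is set to ACCEPT before the flush so an
# administrator's existing session survives the reload; the final DROP rule is
# what actually closes the host.

IPT=/sbin/iptables

$IPT -F
$IPT -P INPUT ACCEPT

# Loopback, replies to established connections, ICMP.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT

# Fully trusted source: all ports. This already covers its port-80 access, so
# the separate "-s 120.25.153.31 --dport 80" rule was dead and is gone.
$IPT -A INPUT -s 120.25.153.31 -j ACCEPT

# Reachable from any source. NOTE(review): TCP/36000 and 10050:10051 (the
# latter look like zabbix agent/server ports - confirm) are open to the whole
# internet; narrow them with "-s <peer>" once the peers are known.
$IPT -A INPUT -p tcp --dport 36000 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10050:10051 -j ACCEPT

# HTTP from 183.14.0.0/16 (this block already contains 183.14.1.0/24, so the
# former /24 rule was redundant and is gone).
$IPT -A INPUT -s 183.14.0.0/16 -p tcp --dport 80 -j ACCEPT

# Explicitly blocked host. The catch-all below would drop it anyway; the rule
# is kept so the intent is visible in `iptables -L -n`.
$IPT -A INPUT -s 120.25.153.32 -j DROP

# Everything else.
$IPT -A INPUT -j DROP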