
How to use the super practical iptables firewall script

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how to use a practical iptables firewall script: writing it, running it, checking the rules it installs, and flushing and restoring them. The editor finds it very useful and shares it here for reference; follow along to have a look.

Create an iptables.sh script

[root@Jaking ~]# vim iptables.sh

#!/bin/bash
# Clear the filter table and the nat table
iptables -F
iptables -t nat -F
# Turn off firewalld so it does not interfere with these rules
systemctl stop firewalld &> /dev/null
systemctl disable firewalld &> /dev/null
# The following two lines allow applications that talk to localhost to get through
iptables -A INPUT -i lo -j ACCEPT                                     # Rule 1
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT                 # Rule 2
# The following line allows other hosts to ping this machine
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT          # Rule 3
# The following line allows other hosts and network devices to send MTU-adjustment messages;
# in some cases, for example across an IPSec VPN tunnel, the host MTU must be reduced dynamically
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT  # Rule 4
# The following two lines allow all sources to reach TCP ports 80 and 443
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                         # Rule 5
iptables -A INPUT -p tcp --dport 443 -j ACCEPT                        # Rule 6
# The following line allows all sources to reach UDP ports 80 and 443
iptables -A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT       # Rule 7
# The following line allows source IP 192.168.1.63 to reach TCP port 22 (OpenSSH)
iptables -A INPUT -p tcp -s 192.168.1.63 --dport 22 -j ACCEPT         # Rule 8
# The following line allows 192.168.1.3 (the IP of the network card on the system that
# initiates the SSH connection) to reach TCP port 22 (OpenSSH).
# If you run this script over a remote terminal, keep the following line so you do not get kicked out.
# A simpler alternative: iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT          # Rule 9
# The following line allows source IP 192.168.1.26 to reach UDP port 161 (SNMP)
iptables -A INPUT -p udp -s 192.168.1.26 --dport 161 -j ACCEPT        # Rule 10
# Configure NAT
# Enable kernel route forwarding (appended to sysctl.conf so the other settings in it are kept)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p &> /dev/null
# Configure source address translation (SNAT): translate 192.168.2.0/24 to 192.168.1.63
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 192.168.1.63                    # Rule 11
# Configure destination address translation (DNAT): forward requests for port 80 of
# 192.168.1.63 to port 80 of 192.168.2.2
iptables -t nat -A PREROUTING -d 192.168.1.63 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80   # Rule 12
# The following line forbids all other inbound traffic
iptables -A INPUT -j DROP                                             # Rule 13
# Allow the local machine to send out the reply packets for rules 1-12
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT             # Rule 14
# The following line forbids the local machine from actively initiating outbound connections
iptables -A OUTPUT -j DROP                                            # Rule 15
# The following line forbids the local machine from forwarding packets
iptables -A FORWARD -j DROP                                           # Rule 16
# Persist the rules
iptables-save > /etc/sysconfig/iptables

[root@Jaking ~]# chmod 755 iptables.sh
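Two properties of the script above deserve attention before it is used on a remote host. It appends rules one at a time while the chain policies stay ACCEPT, so between the initial iptables -F and rule 13 the host accepts everything, and a typo half-way through leaves it that way; and it relies on the operator remembering rule 9 to keep SSH access. The block below is an added example, not the article's script: the same policy (same addresses and ports) rewritten as an iptables-restore ruleset with DROP default policies and connection tracking, a lockout check that runs on the ruleset text before anything is loaded, and an apply step that restores the previous rules unless the operator confirms the session survived. It goes beyond the article in one place: the article's FORWARD chain drops everything, so its DNAT and SNAT rules can never deliver a packet; the example adds the FORWARD rules the NAT needs. The paths /tmp/fw.rules and /run/iptables-rollback.pid are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the article's script. Addresses are the article's:
# this host 192.168.1.63, admin workstation 192.168.1.3, SNMP poller
# 192.168.1.26, inside LAN 192.168.2.0/24, web backend 192.168.2.2.
HOST_IP=192.168.1.63
ADMIN_IP=192.168.1.3
SNMP_IP=192.168.1.26
LAN=192.168.2.0/24
WEB_BACKEND=192.168.2.2

# Print the policy in iptables-save format. iptables-restore commits each
# table atomically, so there is no window with flushed chains, and a syntax
# error leaves the previous rules untouched. Default policies are DROP
# instead of a trailing "-j DROP" rule at the end of each chain.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -s $HOST_IP --dport 22 -j ACCEPT
-A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
-A INPUT -p udp -s $SNMP_IP --dport 161 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $WEB_BACKEND -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $HOST_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND:80
-A POSTROUTING -s $LAN -j SNAT --to-source $HOST_IP
COMMIT
EOF
}

# Lockout check on the ruleset text (stdin): exit 0 if the filter INPUT chain
# accepts TCP/22 from $1 before any source-unrestricted DROP/REJECT rule, and
# otherwise fall back to the chain policy. Conservative on purpose: a catch-all
# drop of any protocol counts as blocking.
ssh_reachable_from() {
    awk -v src="$1" '
        /^\*/             { table = substr($0, 2); next }
        table != "filter" { next }
        /^:INPUT /        { policy = $2; next }
        /^-A INPUT / {
            if (index($0, "-s " src " ") && $0 ~ /--dport 22 / && $0 ~ /-j ACCEPT/) { verdict = "ACCEPT"; exit }
            if ($0 !~ /-s / && $0 ~ /-j (DROP|REJECT)/) { verdict = "DROP"; exit }
        }
        END { if (verdict == "") verdict = policy; exit (verdict == "ACCEPT") ? 0 : 1 }
    '
}

# Load a ruleset file, then restore the previous rules after $2 seconds unless
# the operator kills the timer (which proves the SSH session survived). Needs
# root and iptables-restore; the guard keeps this file usable without them.
apply_with_rollback() {
    rules=$1; grace=${2:-60}
    if [ "$(id -u)" != 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "apply_with_rollback: needs root and iptables-restore" >&2; return 2
    fi
    backup=$(mktemp)
    iptables-save > "$backup"
    iptables-restore < "$rules" || { rm -f "$backup"; return 1; }
    ( sleep "$grace" && iptables-restore < "$backup" ) &
    echo $! > /run/iptables-rollback.pid          # assumed path for the timer's pid
    echo "applied; run: kill \$(cat /run/iptables-rollback.pid) within ${grace}s to keep the new rules"
}

# "sh fw.sh apply": refuse to load anything that would cut off the admin host.
if [ "${1:-}" = "apply" ]; then
    build_ruleset | ssh_reachable_from "$ADMIN_IP" || { echo "refusing: $ADMIN_IP would lose SSH" >&2; exit 1; }
    build_ruleset > /tmp/fw.rules
    apply_with_rollback /tmp/fw.rules 60
fi
```

With OUTPUT defaulting to DROP and only ESTABLISHED,RELATED accepted, the host itself cannot open new connections (DNS, package updates, NTP), exactly as in the article's rules 14 and 15; each such service needs its own OUTPUT rule. The grace-period rollback is the standard remedy for the "kicked out" problem the article warns about: if the new rules break the session, nothing has to be done, the old rules come back by themselves.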

Test

[root@Jaking ~]# ./iptables.sh
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost            localhost
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       all  --  anywhere             anywhere

[root@Jaking ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  localhost            localhost
3    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
4    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
7    ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
8    ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
9    ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
10   ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
11   DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
2    DROP       all  --  anywhere             anywhere

[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63

[root@Jaking ~]# iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63

Flushing and restoring iptables

[root@Jaking ~]# iptables -F
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@Jaking ~]# iptables -t nat -F
[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

[root@Jaking ~]# iptables-restore < /etc/sysconfig/iptables
[root@Jaking ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost            localhost
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     tcp  --  192.168.1.63         anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.1.3          anywhere             tcp dpt:ssh
ACCEPT     udp  --  192.168.1.26         anywhere             udp dpt:snmp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
DROP       all  --  anywhere             anywhere

[root@Jaking ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.1.63         tcp dpt:http to:192.168.2.2:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.2.0/24       anywhere             to:192.168.1.63

Thank you for reading!
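The flush shown above is exactly what an operator (or a stray script) can do by accident, and nothing tells you the running rules no longer match /etc/sysconfig/iptables until something breaks. The following is an added example, not from the article: a small drift check that normalises two iptables-save dumps (comments carry timestamps and policy lines carry packet counters, neither of which is policy) and reports rules present in the persisted file but missing from the running tables, or vice versa. The two dumps are constructed samples in iptables-save format; the "saved" one mirrors the article's rules as iptables-save writes them, the "running" one is the filter table after iptables -F. The check_live function assumes the article's persistence path and needs root.

```shell
#!/bin/sh
# Added example, not from the article: detect drift between the persisted
# ruleset and the running rules. Both dumps below are constructed samples.
SAVED_SAMPLE=$(mktemp)
RUNNING_SAMPLE=$(mktemp)

# Persisted rules: the article's policy as iptables-save writes it.
cat > "$SAVED_SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [12:720]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [3:180]
-A PREROUTING -d 192.168.1.63/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
-A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.1.63
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 192.168.1.63/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.26/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed (constructed sample)
EOF

# Running rules after "iptables -F": nat and policies intact, every filter
# rule gone. The counters differ too, and that must not count as drift.
cat > "$RUNNING_SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [40:2400]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [9:540]
-A PREROUTING -d 192.168.1.63/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
-A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 192.168.1.63
COMMIT
*filter
:INPUT ACCEPT [7:420]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:300]
COMMIT
# Completed (constructed sample)
EOF

# Drop comment lines (timestamps) and the [packets:bytes] counters so that
# only tables, policies and rules are compared.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' -e 's/[[:space:]]*$//' "$1"
}

# Print "- saved only:" for each persisted rule that is not running and
# "+ running only:" for each running rule that was never persisted. Order is
# significant in iptables, so this is a positional diff, not a set compare.
# Returns 0 when the two agree, 1 on drift.
rules_drift() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    drift=$(diff "$a" "$b" | sed -n -e 's/^< /- saved only:   /p' -e 's/^> /+ running only: /p')
    rm -f "$a" "$b"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Live check (root only): compare the article's persistence path with the
# kernel's current tables.
check_live() {
    live=$(mktemp)
    iptables-save > "$live" || { rm -f "$live"; return 2; }
    rules_drift /etc/sysconfig/iptables "$live"; rc=$?
    rm -f "$live"
    return $rc
}

rules_drift "$SAVED_SAMPLE" "$RUNNING_SAMPLE" || echo "drift detected (exit $?)"
```

Run from cron or a monitoring agent, a non-zero exit from check_live is the alert and the printed lines are the evidence; the flush in this section shows up as fourteen "saved only" lines, one per filter rule, while the nat rules and the changed counters produce nothing.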
That covers how to use this practical iptables firewall script. I hope the content above helps you learn something new; if you found the article useful, share it so that more people can see it.
