Using iptables: build your own firewall rules. An iptables script is provided below for your reference.
```bash
#!/bin/bash
#
#=============================================================================
# Script description:
#   Welcome to the iptables.rule script, which builds your firewall.
#   You must adjust this script to your own environment before it will work.
#   The basic rule is defined as: [deny all, open specific]
#
# Strongly recommended:
#   This script is meant for friends who do not yet know the Linux firewall
#   mechanism (iptables) and may not understand the meaning of each command.
#   Refer to the following web pages:
#     http://www.study-area.org/linux/servers/linux_nat.htm
#     http://linux.vbird.org/linux_server/0240network-secure-1.php
#     http://linux.vbird.org/linux_server/0250simple_firewall.php
#
# Instructions:
#   Change the script permission to executable:
#     chmod 755 iptables.rule
#   Place the script under /usr/local/firewall:
#     mkdir -p /usr/local/firewall
#     mv /your/complete/path/iptables.rule /usr/local/firewall
#   Run the test:
#     /usr/local/firewall/iptables.rule
#     iptables -L -n        (this action checks the firewall rules)
#   Add the following line to /etc/rc.d/rc.local:
#     /usr/local/firewall/iptables.rule
#   Cancel the firewall:
#     iptables -F
#     iptables -X
#     iptables -t nat -F
#     iptables -t nat -X
#=============================================================================
# Copyright notice:
#   This script is licensed under the GPL and can be used by anyone.
#   If any issues arise when this script is used, I shall not assume any
#   responsibility.
#   VBird
#=============================================================================
# Historical records:
#   First version           VBird
#   2003/04/26  VBird: related execution files of the Server Load balancer software
#   2003/08/25  modify the INPUT policy to DROP
#=============================================================================

# 0.0 Please key in your parameters
#   EXTIF is the external NIC (WAN), the interface that connects to the Internet.
#   In general, if it is ADSL/FTTH it is "ppp0"; if it is a fixed IP address it is "eth0".
EXTIF="ppp0"
#   INIF is the internal NIC (LAN). Leave it blank if your Linux does not have
#   an internal NIC, e.g. INIF=""
INIF="eth1"
INNET="192.168.1.0/24"      # This is the network behind NAT

# 1.0 Test your Linux kernel version and firewall module (disabled by default)
# kver=$(uname -r | cut -c 1-3)
# if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then
#     echo "Your Linux kernel version may not be supported by this script!"
#     echo "This script will not be run"
#     exit
# fi
# ipchains=$(lsmod | grep ipchains)
# if [ "$ipchains" != "" ]; then
#     echo "unloading ipchains from your system"
#     rmmod ipchains 2> /dev/null
# fi

# 2.0 Load modules
#   These are the 2.4-era module names; on current kernels the conntrack and
#   NAT helpers are named nf_conntrack* / nf_nat*, and failures are silenced here.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
modprobe ip_tables            > /dev/null 2>&1
modprobe iptable_nat          > /dev/null 2>&1
modprobe ip_nat_ftp           > /dev/null 2>&1
modprobe ip_nat_irc           > /dev/null 2>&1
modprobe ip_conntrack         > /dev/null 2>&1
modprobe ip_conntrack_ftp     > /dev/null 2>&1
modprobe ip_conntrack_irc     > /dev/null 2>&1

# 3.0 Clear all firewall rules and set the default policies
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT   DROP
/sbin/iptables -P OUTPUT  ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING  ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT      ACCEPT

# 4.0 Allow any traffic on the lo interface and on the specified internal
#     interface (LAN). The focus here is to make your Linux work as a NAT server.
/sbin/iptables -A INPUT -i lo -j ACCEPT
if [ "$INIF" != "" ]; then
    /sbin/iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
fi

# 5.0 Load the files holding the networks to be rejected or allowed.
#     The following two files can be created by yourself.
if [ -f /usr/local/firewall/iptables.deny ]; then
    sh /usr/local/firewall/iptables.deny
fi
if [ -f /usr/local/firewall/iptables.allow ]; then
    sh /usr/local/firewall/iptables.allow
fi

# 6.0 If the file below exists, execute it!
#     Note: this file is related to software that prevents site hacking.
if [ -f /usr/local/firewall/httpd-err/iptables.http ]; then
    sh /usr/local/firewall/httpd-err/iptables.http
fi

# 7.0 Allow established connections and selected ICMP types to pass
#     (-m state is the legacy match; newer iptables also accept -m conntrack --ctstate)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    /sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

# 8.0 Allow services: uncomment the "#" lines you need
# /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT    # SSH
# /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 25 -j ACCEPT    # SMTP
/sbin/iptables -A INPUT -p UDP -i $EXTIF --dport 53 -j ACCEPT      # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 53 -j ACCEPT      # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT      # WWW
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT      # FTP
# /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:30000 -j ACCEPT   # PASV ports used by FTP
# /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT   # POP3
# /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 113 -j ACCEPT   # auth
# /sbin/iptables -A INPUT -p tcp -i eth1 -s 192.168.1.0/24 --dport 137:139 -j ACCEPT   # NetBIOS from the LAN only
```
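As an added example (not part of VBird's script), the following POSIX shell audit checks a ruleset dumped with `iptables -S INPUT` against the script's deny-all, open-specific intent: INPUT policy DROP, no blanket accept on the WAN interface, and only allow-listed ports open on it. The interface name, the port allow-list and the two sample rulesets are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of VBird's script: audit a ruleset dumped with
# `iptables -S INPUT` against the "deny all, open specific" intent of the script.
# Assumed values: the WAN interface is ppp0 and only ports 21, 53 and 80 are
# meant to be reachable from the Internet (matching section 8.0 above).
EXTIF="ppp0"
ALLOWED_PORTS="21 53 80"

# check_ruleset RULES: returns 0 when the INPUT policy is DROP, nothing is
# accepted wholesale on EXTIF, and every --dport opened on EXTIF is allowed.
# Prints one line per violation and returns 1 otherwise.
check_ruleset() {
    rules="$1"
    rc=0
    if ! printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$'; then
        echo "violation: INPUT policy is not DROP"
        rc=1
    fi
    if printf '%s\n' "$rules" | grep -q "^-A INPUT -i $EXTIF -j ACCEPT$"; then
        echo "violation: all traffic accepted on $EXTIF"
        rc=1
    fi
    for port in $(printf '%s\n' "$rules" | grep "^-A INPUT -i $EXTIF " \
            | grep -- '-j ACCEPT$' | sed -n 's/.*--dport \([0-9:]*\).*/\1/p'); do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "violation: port $port is open on $EXTIF"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `iptables -S INPUT` output as the script above produces it.
GOOD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT'
# Constructed sample after the policy was reset and a database port was opened to the WAN.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 3306 -j ACCEPT'

if check_ruleset "$GOOD_RULES"; then echo "sample ruleset: OK"; fi
check_ruleset "$BAD_RULES" || echo "drifted ruleset: NOT OK"
# Against a live box (as root): check_ruleset "$(iptables -S INPUT)"
```

Run it from cron or after each boot to catch rules that were added by hand and never made it back into iptables.rule.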
By working through this iptables script you should now have a practical understanding of iptables. I hope it helps you!