Practical firewall (Iptables) script analysis

Source: Internet
Author: User
The iptables firewall comes pre-installed in common Linux distributions such as Red Hat, CentOS, and Ubuntu. Most beginners find it hard to set up because they are unfamiliar with the software. The script below can easily be transplanted to your own network by changing the variable values, and each section is explained here. First, create a script named firewall under /usr/bin and give it executable permission:

# chmod +x /usr/bin/firewall

The following describes the key parts of my script:

-- First, if you want to block an IP address (for example, 10.10.10.20), you only need to enter it in the BADIPS variable. You can list several IP addresses or network blocks, separated by spaces.

BADIPS="10.10.10.20 10.1.14.0/24"

-- Next, set the IMPOSSIBLE_IPS variable, for example to the three private address blocks. This assumes that your host's own IP address does not fall within those three blocks; if it does, remove that block from the variable.

IMPOSSIBLE_IPS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

If your system is used only at home as a stand-alone machine, you do not need to set the following six lines:

1). IN_TCP_PORTALLOWED=""

2). IN_ICMP_ALLOWED=""

3). EGRESS="0"

4). OUT_TCP_PORTALLOWED=""

5). OUT_UDP_PORTALLOWED=""

6). OUT_ICMP_ALLOWED=""


-- If you run a server, you need the following settings. Note that IN_TCP_PORTALLOWED and IN_UDP_PORTALLOWED are variables whose values list the port numbers (or service names) of the network services you offer. To open a continuous range of ports, separate the two ends with ":"; for example, to open every port in a range, you only need a setting like this:

IN_TCP_PORTALLOWED="38000:38090"

The following are more complex examples.

Example 1:

-- Assume the SSH service only allows access from 200.100.10.10, the FTP service is open to the 192.168.20.0/24 block, and SMTP allows access from every IP address except 10.10.10.20:

IN_TCP_PORTALLOWED="ssh,200.100.10.10 ftp,192.168.20.0/24 smtp,!10.10.10.20"

Example 2:

-- Open SMTP and the domain (DNS) service to all IP addresses, but allow only 200.100.10.10 and 192.168.20.0/24 to log on to the server with SSH:

IN_TCP_PORTALLOWED="ssh,200.100.10.10 ssh,192.168.20.0/24 smtp domain"

Case 3: An incorrect case

-- Someone wants to allow 192.168.150.30 to reach the intranet SSH server while all other addresses are blocked, but also to let every IP address except 192.168.255.10 reach port 22. He wrote:

IN_TCP_PORTALLOWED="ssh,192.168.150.30 ssh,!192.168.20.10"

-- Although rule 1 allows only 192.168.150.30 to reach the SSH server, rule 2 then opens it to everyone else, so the first rule adds nothing: the result is the same as setting rule 2 alone.
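As an added example (not code from the original script), the following POSIX shell function expands the "service[,source]" tokens described above into iptables rules, honouring the "!" negation and "port:port" ranges. The function name gen_tcp_rules and the IPT variable are assumptions; by default the rules are printed rather than applied, which also makes the rule order of Case 3 visible.

```shell
#!/bin/sh
# Added example, not part of the original firewall script.
# Token syntax (from the article): service[,source], tokens separated by spaces.
#   ssh,200.100.10.10   -> only that address may reach ssh
#   smtp,!10.10.10.20   -> every address except that one may reach smtp
#   38000:38090         -> a port range, open to everyone
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply rules.
IPT="${IPT:-echo iptables}"

gen_tcp_rules() {
    spec="$1"
    for token in $spec; do
        port="${token%%,*}"            # text before the first comma
        src="${token#*,}"              # text after the first comma
        [ "$src" = "$token" ] && src=""   # no comma: no source restriction
        case "$src" in
            "")  $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT ;;
            !*)  $IPT -A INPUT -p tcp ! -s "${src#!}" --dport "$port" -j ACCEPT ;;
            *)   $IPT -A INPUT -p tcp -s "$src" --dport "$port" -j ACCEPT ;;
        esac
    done
}

# Example 1 from the article, printed as a dry run.
gen_tcp_rules "ssh,200.100.10.10 ftp,192.168.20.0/24 smtp,!10.10.10.20"
```

Running it with the Case 3 value prints the two ssh rules in order, which shows directly that the second rule matches every source the first one did.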

# Add a new chain to hold the blocked IP addresses
iptables -N BADIP

# If the DROPLOG variable is 1, log every packet that enters the BADIP chain
if [ "$DROPLOG" = "1" ]; then
    iptables -A BADIP -j LOG --log-prefix "** Firewall BADIP **"
fi

# Drop every packet that enters the BADIP chain
iptables -A BADIP -j DROP
