It is a holiday and I had some spare time, so I originally just wanted to write an iptables configuration script; it turned out to be more complicated than I expected, so I am sharing it with everyone — anyone interested can adapt it for their own use.
PS: This script only supports CentOS 5 and CentOS 6; it does not support CentOS 7, and the script itself also enforces that limit.
Script content:
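#!/bin/bash
# by rocdk890
#
# The script uses bash-only constructs ([[ ]], $"..." and local), so it is
# declared as a bash script instead of relying on /bin/sh being bash.
#
# Fixed PATH so the init-style calls below do not depend on the caller's
# environment.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
#Begin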
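#######################################
# Build the firewall: flush everything, allow loopback, DNS/NTP replies,
# SSH (detected port), HTTP, ping and established traffic, then default-deny
# INPUT and FORWARD and prepend the DShield block list.
# Globals:   none written; reads nothing but the live system
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   exits 1 when not root, on an unsupported OS, or when the sshd
#            port cannot be determined (to avoid locking the operator out)
#######################################
start() {
  local sshport version badips ip

  # Require root to run this script (iptables, yum and netstat -p need it).
  echo "Check user ..."
  if [ "$(id -u)" -ne 0 ]; then
    echo "Please run this script as root!"
    exit 1
  fi

  echo "Check lsb_release ..."
  if rpm -qa | grep -q redhat-lsb; then
    echo "has installed redhat-lsb."
  else
    echo "no found. Install redhat-lsb ..."
    yum -y install redhat-lsb
  fi

  #=============================================================================
  # this script is only for CentOS 5 and CentOS 6
  # check the OS
  #=============================================================================
  version=$(lsb_release -r 2>/dev/null | awk '{print substr($2, 1, 1)}')
  # The original test `!= 5 || != 6` was always true, so the check never
  # rejected anything; accept exactly the two supported major versions.
  case "$version" in
    5|6) echo "The platform is OK!" ;;
    *)
      echo "This script are only for CentOS 5 or CentOS 6!"
      exit 1
      ;;
  esac

  # Detect the port sshd listens on BEFORE any rule is changed. Both the IPv4
  # and IPv6 sockets may be listed, so keep a single unique port. Refuse to
  # continue if nothing was found: an empty --dport followed by the DROP
  # policy below would cut off the operator's own session.
  sshport=$(netstat -ntlp 2>/dev/null \
    | awk '$NF ~ /\/sshd/ {n = split($4, a, ":"); print a[n]}' \
    | sort -u | head -n 1)
  case "$sshport" in
    ''|*[!0-9]*)
      echo "Cannot determine the sshd listening port; not touching iptables." >&2
      exit 1
      ;;
  esac

  # iptables setting
  echo "Iptables Setting ..."
  # Open the INPUT policy first so a failure while flushing cannot lock us out.
  /sbin/iptables -P INPUT ACCEPT
  # Clear all rules, user chains and counters (filter, nat and mangle tables).
  /sbin/iptables -F
  /sbin/iptables -X
  /sbin/iptables -Z
  /sbin/iptables -F -t nat
  /sbin/iptables -X -t nat
  /sbin/iptables -Z -t nat
  /sbin/iptables -X -t mangle

  # Allow packets from the lo interface: local services via 127.0.0.1.
  /sbin/iptables -A INPUT -i lo -j ACCEPT

  # Allow DNS and NTP replies. They are matched on connection state as well as
  # source port: a bare --sport match would accept any datagram that merely
  # claims to come from port 53 or 123.
  /sbin/iptables -A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  /sbin/iptables -A INPUT -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

  # Rate-limit non-first fragments (kept from the original). NOTE(review): with
  # connection tracking loaded, IPv4 fragments are normally reassembled before
  # this chain sees them, so this rule is expected to match rarely.
  /sbin/iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT

  # SYN-flood throttle. The original ACCEPTed SYNs under the limit directly in
  # INPUT, which let a SYN reach any TCP port before the per-port rules below
  # were consulted. Route SYNs through a dedicated chain instead: the excess is
  # dropped and everything under the limit RETURNs to normal port filtering.
  /sbin/iptables -N syn_flood
  /sbin/iptables -A syn_flood -m limit --limit 20/sec --limit-burst 200 -j RETURN
  /sbin/iptables -A syn_flood -j DROP
  /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn_flood
  #/sbin/iptables -A INPUT -p icmp -m limit --limit 12/min --limit-burst 5 -j DROP

  # Rate-limit forwarded connections (kept from the original; FORWARD's policy
  # is set to DROP below and no other FORWARD rule exists, so forwarding is
  # effectively disabled by this script).
  /sbin/iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
  /sbin/iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT

  # Open the ssh port detected above.
  /sbin/iptables -A INPUT -p tcp -m tcp --dport "$sshport" -j ACCEPT
  # Open the default web port 80.
  /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  # Open the default https port 443 (disabled by default).
  #/sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  # Open a specified port to a specified source IP (example, disabled).
  #/sbin/iptables -A INPUT -p tcp -s 100.240.143.33 --dport 8080 -j ACCEPT

  # Allow ping (ICMP echo request).
  /sbin/iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

  # Accept the rest of connections that completed a handshake; drop NEW and
  # INVALID packets that did not match an explicit rule above.
  /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A INPUT -m state --state INVALID,NEW -j DROP

  # Default-deny everything outside the rules.
  /sbin/iptables -P INPUT DROP
  /sbin/iptables -P FORWARD DROP

  # DShield block list. It is fetched over plain HTTP, so nothing from it is
  # handed to iptables verbatim: keep only well-formed "a.b.c.d/nn" entries with
  # a prefix of /8 or narrower, so a garbled or tampered feed cannot inject
  # arbitrary arguments or a rule that drops the whole address space.
  badips=$(curl -s --max-time 30 http://feeds.dshield.org/block.txt \
    | awk '/^[1-9]/ {print $1 "/" $3}' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([89]|[12][0-9]|3[0-2])$')
  # Word-splitting is intentional: every entry was validated above to contain
  # no whitespace or glob characters.
  # shellcheck disable=SC2086
  for ip in $badips; do
    /sbin/iptables -I INPUT -s "$ip" -j DROP
  done
}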
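#######################################
# Open the firewall: reset policies to ACCEPT, flush all rules and stop the
# iptables service.
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   status of the last command (the service stop)
#######################################
stop() {
  echo "Cleaning your Iptables: ..."
  # Set the policies to ACCEPT *before* flushing: with DROP policies still in
  # place, an empty chain would cut every connection, including the operator's
  # ssh session, if the script stopped between the flush and the policy reset.
  # FORWARD is reset too, since start() sets it to DROP.
  /sbin/iptables -P INPUT ACCEPT
  /sbin/iptables -P FORWARD ACCEPT
  /sbin/iptables -P OUTPUT ACCEPT
  /sbin/iptables -F
  /sbin/iptables -X
  /sbin/iptables -Z
  if /etc/init.d/iptables stop; then
    echo "done!"
  fi
}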
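#######################################
# Persist the running rule set through the iptables init script and reload it.
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   1 if saving failed (the restart is skipped so the previously saved
#            rules are not silently reloaded over the fresh ones), otherwise the
#            status of the restart
#######################################
save() {
  echo "Save your Iptables: ..."
  /etc/init.d/iptables save || return 1
  /etc/init.d/iptables restart
}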
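# Entry point: dispatch on the single init-style argument.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop && start
    ;;
  save)
    start && save
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|save}" >&2
    exit 1
    ;;
esac
# Propagate the status of the selected action instead of always reporting
# success, so callers (init, cron) can detect a failed save or restart.
exit $?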
#End