iptables防火牆腳本實例1(2011-07-07)

#PPTP服務器上的iptables防火牆實例
#因大部分公司的 PPTP 服務器需要進行權限控制，如果採用 Linux 作為 PPTP 服務器平臺，則可用 iptables 進行訪問控制。我特地編寫了一個樣例。（這是我給一個客戶做的 PPTP 服務器配置，當然實際 IP 地址信息已經被替換。注意：PPTP 所用的 MS-CHAPv2/MPPE 已被公認不安全，本腳本只解決訪問控制，並不能保證隧道本身的機密性。）
#PPTP 服務器為 FC4，兩個網卡：eth0 和 eth1；eth0:202.85.33.44，eth1:10.15.0.254。內部網絡劃分了 6 個 VLAN，其中 PPTP 用戶所屬的 VLAN5 為 10.15.0.0/24，內部服務器網段地址為 10.15.55.0/24。

#在 PPTP 服務器上需要增加一條路由：route add -net 10.15.55.0/24 gw 10.15.0.1（注：10.15.0.1 為 VLAN5 的 IP 地址）
#下面是 firewall.sh 腳本文件（vi firewall.sh 後把下面的內容複製到此文件中，保存退出後 chmod 700 firewall.sh，即可執行 ./firewall.sh restart）

常用命令：

iptables -t filter -F FORWARD    # 清空 FORWARD 鏈。注意：本腳本把 FORWARD 默認策略設為 DROP，執行後所有 VPN 轉發流量會被立即切斷，直到重新執行 ./firewall.sh start

iptables -t nat -F    # 清空 nat 表（會同時清掉客戶端上網用的 SNAT 規則）

iptables -t filter -L -n    # 以數字形式列出 filter 表規則（-n 不做 DNS 反查）

iptables -t nat -L -n    # 列出 nat 表規則

#############################################################

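#!/bin/bash
#
# firewall.sh — iptables policy for a Linux (FC4) PPTP server sitting between
# the Internet and an internal network.
#   eth0 / INET_IFACE  202.85.33.44   Internet side
#   eth1 / LAN_IFACE   10.15.0.254    internal side
# PPTP clients get addresses from 10.15.0.0/24; the internal servers they may
# reach live in 10.15.55.0/24.  The ACCEPT_*_HOSTS strings below are the
# access-control lists: each is a space-separated set of client addresses (or
# nets) that start() later turns into FORWARD ACCEPT rules towards one specific
# destination server.  They stay plain strings, not arrays, because start()
# consumes them with unquoted word-splitting.
#
# Usage: ./firewall.sh {start|stop|restart}
#
echo "Starting................."
# Field numbers assume the C-locale layout of `date` (Day Mon DD HH:MM:SS TZ YYYY).
echo "RunTime = $(date | awk '{print $6" "$2" "$3" "$4}')"
echo -e "\t\t\n\n"
echo -e "\033[1;031m \n"
echo "######################################################################"
echo "#                 pptp server iptables  rule 1.0                     #"
echo "#                    E-mail:jdaoyou@sohu.com                         #"
echo "######################################################################"
echo -e "\033[m \n"
echo ""
echo ""
#
echo -e "\033[1;034m \n"
echo "######################################################################"
echo "#  Network Internet Address eth0:               202.85.33.44         #"
echo "#                                                                    #"
echo "#  Internal Network Address eth1:               10.15.0.254        #"
echo "#                                                                    #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
LAN_IFACE="eth1"
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"
# Clients allowed to reach the OA and ERP servers (10.15.55.17 and 10.15.55.91).
# Fixed: the original list carried the malformed entry "10.15.51" (three
# octets) at the position where the mail list below has 10.15.0.51; it is
# 10.15.0.51 here.  The original also listed 10.15.0.65 twice, which only
# produced a duplicate rule; the second copy is dropped.
ACCEPT_ERP_OA_HOSTS="10.15.0.91 10.15.0.90 10.15.0.85 10.15.0.67 10.15.0.65 10.15.0.71
 10.15.0.3 10.15.0.4 10.15.0.5 10.15.0.6 10.15.0.7 10.15.0.8 10.15.0.9
 10.15.0.10 10.15.0.11 10.15.0.12 10.15.0.13 10.15.0.14 10.15.0.15 10.15.0.16
 10.15.0.17 10.15.0.18 10.15.0.19 10.15.0.20 10.15.0.21 10.15.0.22 10.15.0.23
 10.15.0.24 10.15.0.25 10.15.0.26 10.15.0.27 10.15.0.28 10.15.0.29 10.15.0.30
 10.15.0.31 10.15.0.32 10.15.0.33 10.15.0.34 10.15.0.40 10.15.0.41 10.15.0.42
 10.15.0.43 10.15.0.44 10.15.0.45 10.15.0.46 10.15.0.47 10.15.0.48 10.15.0.49
 10.15.0.50 10.15.0.51 10.15.0.52 10.15.0.55 10.15.0.58 10.15.0.60 10.15.0.61
 10.15.0.63 10.15.0.64 10.15.0.68 10.15.0.69 10.15.0.70 10.15.0.72 10.15.0.73
 10.15.0.74 10.15.0.75 10.15.0.80 10.15.0.82 10.15.0.89 10.15.0.87"
# Clients allowed to reach only the internal mail server (10.15.55.8).
# (10.15.0.65 was duplicated here as well; one copy kept.)
ACCEPT_inMAIL_HOSTS="10.15.0.91 10.15.0.67 10.15.0.65 10.15.0.71
 10.15.0.3 10.15.0.4 10.15.0.5 10.15.0.6 10.15.0.7 10.15.0.8 10.15.0.9
 10.15.0.10 10.15.0.11 10.15.0.12 10.15.0.13 10.15.0.14 10.15.0.15 10.15.0.16
 10.15.0.17 10.15.0.18 10.15.0.19 10.15.0.20 10.15.0.21 10.15.0.22 10.15.0.23
 10.15.0.24 10.15.0.25 10.15.0.26 10.15.0.27 10.15.0.28 10.15.0.29 10.15.0.30
 10.15.0.31 10.15.0.32 10.15.0.33 10.15.0.34 10.15.0.40 10.15.0.41 10.15.0.42
 10.15.0.43 10.15.0.44 10.15.0.45 10.15.0.46 10.15.0.47 10.15.0.48 10.15.0.49
 10.15.0.50 10.15.0.51 10.15.0.52 10.15.0.55 10.15.0.58 10.15.0.60 10.15.0.61
 10.15.0.63 10.15.0.64 10.15.0.68 10.15.0.69 10.15.0.70 10.15.0.72 10.15.0.73
 10.15.0.74 10.15.0.75 10.15.0.80 10.15.0.82 10.15.0.87"
# ERP-only and internal-web-only lists: currently empty, so their rule loops
# in start() add nothing.
ACCEPT_ERP_HOSTS=""
ACCEPT_inWEB_HOSTS=""
# Clients allowed to reach the test application server (10.15.55.30).
ACCEPT_TEST_HOSTS="10.15.0.76 10.15.0.77 10.15.0.78 10.15.0.92"
# NOTE(review): 10.15.35.0/24 lies outside the 10.15.0.0/24 client pool, and
# the CRM rule it feeds only matches packets arriving on ppp+; it has an
# effect only if clients are really assigned 10.15.35.x addresses — confirm.
ACCEPT_CRM_HOSTS="10.15.35.0/24"
# Unrestricted sources: start() forwards anything from them, to the internal
# network and (via the SNAT rule) to the Internet, with NO interface check —
# which is why this list can mix PPTP clients with 10.15.55.x LAN hosts, and
# also why the trust is purely by source address.
# NOTE(review): 19.168.34.42 is not an RFC 1918 address and matches nothing
# else in this file — it looks like a typo for an internal host
# (192.168.34.42?).  Left as found; confirm before relying on it.
ACCEPT_all_HOSTS="10.15.0.90 10.15.0.81 10.15.0.21 10.15.0.22 10.15.0.31 10.15.0.32 10.15.0.33 10.15.0.35 10.15.0.36
 10.15.55.94 10.15.55.24 10.15.55.38 10.15.0.41 19.168.34.42 10.15.0.43 10.15.0.44 10.15.0.53 10.15.0.54
 10.15.0.56 10.15.0.57 10.15.0.59 10.15.0.62 10.15.0.66 10.15.0.79 10.15.0.83 10.15.0.88"
# Client allowed to reach the APS system (10.15.55.23).
ACCEPT_APS_HOSTS="10.15.0.39"
#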
########################## Main Options  #####################

# ===============================================
# --------Actual NetFilter Stuff Follows---------
# ===============================================
##############  Load modules
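##############  Load modules
# Connection-tracking / NAT modules.  Only ip_tables, ip_conntrack and
# iptable_nat are needed by the rules in this script; the protocol helpers
# (ftp, irc, h323, mms, quake3) are presumably there so that the SNAT'ed
# clients can use those protocols — each helper parses untrusted payload
# inside the kernel, so remove the ones that are not actually needed.
# The PPTP/GRE helpers stay commented out: this host terminates PPTP itself
# (TCP/1723 and GRE are accepted directly in INPUT by start()), it does not
# NAT PPTP sessions through.
# Errors are silenced on purpose: where a module is built in or renamed,
# modprobe fails harmlessly.  (The original loaded ip_conntrack_irc twice.)
for mod in ip_tables ip_conntrack iptable_nat \
           ip_conntrack_ftp ip_conntrack_irc \
           ip_conntrack_h323 ip_nat_h323 \
           ip_conntrack_mms ip_nat_mms \
           ip_conntrack_quake3 ip_nat_quake3; do
  modprobe "$mod" > /dev/null 2>&1
done
#modprobe ip_nat_ftp            > /dev/null 2>&1
#modprobe ip_nat_irc            > /dev/null 2>&1
#modprobe ip_conntrack_pptp     > /dev/null 2>&1
#modprobe ip_nat_pptp           > /dev/null 2>&1
#modprobe ip_conntrack_proto_gre > /dev/null 2>&1
#modprobe ip_nat_proto_gre      > /dev/null 2>&1
##############################################

##############################################
# Routing between eth0, eth1 and the ppp+ tunnels is enabled here, at load
# time — i.e. for `stop` just as much as for `start`.  Together with the
# ACCEPT policies stop() sets, that makes `stop` a fail-OPEN state: the box
# keeps forwarding with no filtering and no SNAT.
echo 1 >/proc/sys/net/ipv4/ip_forward
# Reverse-path filtering would close the spoofed-source cases that the
# address-only trust rules in INPUT/FORWARD leave open, but it can also drop
# legitimate traffic when routing is asymmetric (the 10.15.55.0/24 route
# goes via 10.15.0.1 on eth1 while clients sit on ppp+).  Verify the routing
# before enabling it.
#echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter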

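#######################################
# flush_tables — empty and delete every user chain in the filter and nat
# tables and zero their counters.  Chain policies are left alone; the caller
# sets them.  (The mangle table is not touched: the only mangle rules in this
# script, the TOS lines at the end of start(), are commented out.)
# Globals: IPTABLES
#######################################
flush_tables() {
  local table
  for table in filter nat; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
    "$IPTABLES" -t "$table" -Z
  done
}

#######################################
# separator — the coloured divider printed between rule groups.
# Arguments: $1 - ANSI colour number to switch to afterwards (default 32)
#######################################
separator() {
  echo -e "\033[1;034m \n"
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
  echo ""
  echo -e "\033[1;0${1:-32}m \n"
}

#######################################
# allow_forward — one per-client access list.
# For every source address in LIST, append one FORWARD ACCEPT rule per DEST,
# restricted to packets that arrive on a PPTP tunnel (ppp+) and leave on the
# LAN interface.  Does nothing when LIST is empty.
# Arguments: $1 - space-separated source hosts/nets
#            $2 - label for the progress line
#            $3.. - destination addresses
# Globals: IPTABLES, LAN_IFACE
#######################################
allow_forward() {
  local hosts=$1 label=$2 src dest
  shift 2
  [ -n "$hosts" ] || return 0
  # shellcheck disable=SC2086 — word-splitting of the list is intended
  for src in $hosts; do
    for dest in "$@"; do
      "$IPTABLES" -A FORWARD -i ppp+ -o "$LAN_IFACE" -s "$src" -d "$dest" -j ACCEPT
    done
    echo ""
    echo "$src Access to Externel.....ACCEPT $label [OK]"
  done
}

#######################################
# log_rules — audit logging, rate-limited.
# LOG is a non-terminating target.  The two rules inserted (-I) at the head
# of INPUT/FORWARD therefore record every matching TCP/UDP packet whatever
# the final verdict is; the "ACCEPT" in their prefixes is a historical label,
# not the outcome (the prefixes are kept byte-for-byte for any log parsing
# that keys on them).  The rules appended (-A) at the tail record NEW TCP
# flows that did not start with SYN and fell through every ACCEPT — i.e.
# what the DROP policy is about to discard.
# Fixed: the original logged without any limit, so any client could flood
# syslog (and fill the disk) simply by sending packets.
# Globals: IPTABLES
#######################################
log_rules() {
  local -a limit=(-m limit --limit 10/s --limit-burst 50)
  "$IPTABLES" -I INPUT -p tcp ! -s 10.15.55.180 "${limit[@]}" -j LOG --log-prefix 'IPTABLES INPUT TCP ACCEPT:'
  #"$IPTABLES" -I INPUT -p udp ! -s 10.15.55.180 "${limit[@]}" -j LOG --log-prefix 'IPTABLES INPUT UDP ACCEPT:'
  "$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW "${limit[@]}" -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES INPUT DROP:'
  "$IPTABLES" -I FORWARD -p tcp -s 10.15.0.0/24 "${limit[@]}" -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
  "$IPTABLES" -I FORWARD -p udp -s 10.15.0.0/24 "${limit[@]}" -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
  "$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW "${limit[@]}" -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES FORWARD DROP:'
}

#######################################
# start — build the PPTP access-control policy from scratch.
# Sets INPUT/FORWARD to DROP, flushes filter and nat, then adds: the host's
# own services (INPUT), SNAT for the client pool, the shared FORWARD rules,
# the per-client ACCEPT_*_HOSTS lists, and finally the audit LOG rules.
# Globals (read): IPTABLES, LAN_IFACE, INET_IFACE, ACCEPT_*_HOSTS
#
# Ordering note: the original mixed -I and -A for its FORWARD rules.  Every
# one of them is an ACCEPT, so the verdict does not depend on their relative
# order and they are simply appended here; only the LOG rules care about
# position and keep their -I/-A placement (see log_rules).
#######################################
start() {
  echo ""
  echo -e "\033[1;032m Flush all chains......                           [OK] \033[m"
  # Policies first, then flush: with DROP already in place the chains are
  # never empty-and-ACCEPT, not even for the instant between the flush and
  # the first rule.  (The original flushed first and set the policy after.)
  "$IPTABLES" -P INPUT   DROP
  "$IPTABLES" -P OUTPUT  ACCEPT
  "$IPTABLES" -P FORWARD DROP
  flush_tables

  ############################## INPUT ##############################
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Rate-limited ICMP; replies to this host's own probes are already
  # ESTABLISHED and do not depend on this rule.
  "$IPTABLES" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  # Loopback: match on the interface, not on the 127/8 address.
  # Fixed: the original accepted any packet with a 127.0.0.0/8 source or
  # destination on ANY interface, so a packet from eth0 with a spoofed 127.x
  # source bypassed the DROP policy (rp_filter is not enabled by this script).
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # Whole-host trust of two public addresses by source IP only.  This is
  # spoofable and, for replies to queries this host sends out, redundant with
  # the ESTABLISHED,RELATED rule above.  Presumably upstream resolvers —
  # verify what they are and narrow to the needed protocol/port, or remove.
  "$IPTABLES" -A INPUT -s 202.102.224.68 -j ACCEPT
  "$IPTABLES" -A INPUT -s 202.96.134.133 -j ACCEPT
  # PPTP: GRE (protocol 47) carries the tunnel, TCP/1723 the control channel.
  # NOTE(review): PPTP's MS-CHAPv2/MPPE is considered broken; these rules
  # provide access control, not confidentiality of the tunnel.
  "$IPTABLES" -A INPUT -p 47 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 1723 -j ACCEPT
  # SSH is reachable on every interface, the Internet side included.
  # Consider restricting it with -i "$LAN_IFACE" or a management allow-list.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 113 -j ACCEPT   # ident
  "$IPTABLES" -A INPUT -p udp --dport 1194 -j ACCEPT  # OpenVPN
  # One LAN host trusted for everything, by source address only.
  "$IPTABLES" -A INPUT -s 10.15.55.19 -j ACCEPT
#  "$IPTABLES" -A INPUT -j ACCEPT

  ############################## NAT ##############################
  # Only the PPTP client pool is masqueraded behind the public address when
  # it leaves through the Internet interface.
  "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -s 10.15.0.0/24 -j SNAT --to 202.85.33.44

  ############################## FORWARD ##############################
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Anything addressed to the PPTP client pool is forwarded whatever
  # interface it arrives on, so every internal VLAN can initiate connections
  # to every VPN client.
  "$IPTABLES" -A FORWARD -d 10.15.0.0/24 -j ACCEPT
  # One client with unrestricted forwarding (same effect as an entry in
  # ACCEPT_all_HOSTS).
  "$IPTABLES" -A FORWARD -s 10.15.0.22 -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp -j ACCEPT
  # ident from anywhere.  (The original also carried a ppp+-only copy of
  # this rule, which this superset made redundant.)
  "$IPTABLES" -A FORWARD -p tcp --dport 113 -j ACCEPT
  ######################## comm rule  ###################
  # 10.15.55.229 is exempt from the ACL in both directions, from any
  # interface; 10.15.55.219 is reachable from anywhere.
  "$IPTABLES" -A FORWARD -d 10.15.55.229 -j ACCEPT
  "$IPTABLES" -A FORWARD -s 10.15.55.229 -j ACCEPT
  "$IPTABLES" -A FORWARD -d 10.15.55.219 -j ACCEPT
  # Servers the whole client pool may reach (source-net match only, no
  # interface restriction).
  local dest
  for dest in 10.15.55.15 10.15.55.14 10.15.55.16 10.15.55.13 210.75.1.165; do
    "$IPTABLES" -A FORWARD -s 10.15.0.0/24 -d "$dest" -j ACCEPT
  done
  # DNS and port 449 are forwarded from anywhere to anywhere (no source, no
  # interface).  With the SNAT rule above this is what lets clients use
  # external resolvers; the purpose of 449 is not documented here.
  "$IPTABLES" -A FORWARD -p udp -m multiport --dport 53,449 -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp -m multiport --dport 53,449 -j ACCEPT

  ###################################### per-client lists ######################
  separator
  ###################################### accept erp access   #######################
  allow_forward "$ACCEPT_ERP_OA_HOSTS" "erp and oa access" 10.15.55.17 10.15.55.91
  separator
  # Fixed: the original ERP-only rule read `-d 10.15.55.17-j ACCEPT` (missing
  # space), which iptables rejects; it went unnoticed only because
  # ACCEPT_ERP_HOSTS is empty.
  allow_forward "$ACCEPT_ERP_HOSTS" "only erp access" 10.15.55.17
  separator
  ###################################### accept crm access   #######################
  allow_forward "$ACCEPT_CRM_HOSTS" "CRM access" 10.15.55.9
  separator
  ###################################### accept test access   #######################
  allow_forward "$ACCEPT_TEST_HOSTS" "testapp access" 10.15.55.30
  separator
  ###################################### accept inMAIL access   #######################
  allow_forward "$ACCEPT_inMAIL_HOSTS" "inmail access" 10.15.55.8
  separator
  ###################################### accept inWEB access   #######################
  # NOTE(review): inWEB points at the same server (10.15.55.8) as inMAIL —
  # looks like a copy/paste leftover; confirm the intended web host.
  allow_forward "$ACCEPT_inWEB_HOSTS" "inweb access" 10.15.55.8
  separator
  ###################################### accept aps access   #######################
  allow_forward "$ACCEPT_APS_HOSTS" "aps access" 10.15.55.23
  separator

  ###################################### accept all access   #######################
  # "all access": forward anything from these sources, on whatever interface
  # they arrive.  No -i ppp+ here on purpose — the list mixes PPTP clients
  # with 10.15.55.x LAN hosts that come in on eth1.  The flip side is that
  # the trust is source-address-only and spoofable from any interface.
  if [ -n "$ACCEPT_all_HOSTS" ]; then
    local src
    for src in $ACCEPT_all_HOSTS; do
      "$IPTABLES" -A FORWARD -s "$src" -j ACCEPT
#     "$IPTABLES" -A FORWARD -i ppp+ -o eth1 -s "$src" -d 0/0  -j ACCEPT
      echo ""
      echo "$src Access to Externel.....ACCEPT all access [OK]"
    done
  fi
  separator
  #######################################################################################
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
  echo ""
  echo -e "\033[1;031m \n"

  ########################### logrule #########################
  #LOGACCESS="no"
  LOGACCESS="yes"
  if [ "$LOGACCESS" = "yes" ]; then
    log_rules
    echo "LOG illegal access ............................... [OK]"
  fi
  separator 31

  echo ""
  echo "######################################################################"
  echo "#                                                                    #"
  echo "#            Load PPTP server  Access rule Successfull !             #"
  echo "#                                                                    #"
  echo "######################################################################"
  echo ""
  echo -e "\033[m \n"
  echo ""
  ############################# Type of Service mangle optimizations
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
}

#######################################
# stop — remove every rule and open all three policies to ACCEPT.
# WARNING: this fails OPEN.  ip_forward is switched on when the script is
# loaded (not inside start), so after `stop` the box keeps routing between
# eth0, eth1 and the PPTP tunnels with no filtering and — the nat table is
# flushed too — no SNAT.  Use it for maintenance only; if "firewall off" must
# also mean "no routing", write 0 to /proc/sys/net/ipv4/ip_forward as well.
# Globals: IPTABLES
#######################################
stop() {
  #####################   Flush everything
  flush_tables
  "$IPTABLES" -P INPUT   ACCEPT
  "$IPTABLES" -P OUTPUT  ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  echo ""
  echo -e "\033[1;031m \n"
  echo ""
  echo "######################################################################"
  echo "#                                                                    #"
  echo "#            Stop PPTP server  Access rule Successfull !             #"
  echo "#                                                                    #"
  echo "######################################################################"
  echo ""
  echo -e "\033[m \n"
  echo ""
}

#########################################################
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # start() already flushes and rebuilds from scratch, so there is no need
    # to pass through stop()'s ACCEPT-everything state first; going straight
    # to start closes the brief fail-open window the original restart had.
    start
    ;;
  *)
    echo $"Usage:$0 {start|stop|restart|}"
    exit 1
esac
exit $?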
