防火牆 iptables。網絡上鳥哥配了一個,我跟着改了一下;原本是中文註釋,改爲英文的,省得常常出亂碼。
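#!/bin/bash
# NAT / host firewall bring-up script (adapted from Vbird's iptables.rule).
#
# Usage (as root):   sh iptables.rule        then   service iptables save
# Configuration:     EXTIF  - public-facing interface
#                    INIF   - inner interface; empty disables routing and NAT
#                    INNET  - inner network(s), space separated; may be empty
#
# Deliberately no `set -e`: an abort after the INPUT policy is switched to
# DROP but before the ACCEPT rules are appended would cut off remote
# administration. Each step reports its own errors on stderr instead.
set -u

# please insert you parameters
EXTIF="eth1"             # PUBLIC_IP SET
INIF="eth0"              # INNER SET
INNET="192.168.1.0/24"   # INNER DOMAIN SCOP (space separated list allowed)
export EXTIF INIF INNET

# Fixed PATH so iptables/lsmod/modprobe resolve to the system binaries.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH

#######################################
# Write one value into every given /proc/sys file.
# Arguments: $1 - value to write; $2.. - files (globs already expanded)
#######################################
set_sysctl() {
  local value=$1
  shift
  local f
  for f in "$@"; do
    echo "$value" > "$f"
  done
}

# 1. SET KENERL NETWORKS
tune_kernel() {
  set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
  set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  set_sysctl 1 /proc/sys/net/ipv4/conf/*/rp_filter
  set_sysctl 1 /proc/sys/net/ipv4/conf/*/log_martians
  set_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_source_route
  set_sysctl 0 /proc/sys/net/ipv4/conf/*/accept_redirects
  set_sysctl 0 /proc/sys/net/ipv4/conf/*/send_redirects
}

# 2 CLEAR RULES SET PRE RULES AND OPEN LO&SET VALUES
reset_filter_table() {
  iptables -F
  iptables -X
  iptables -Z
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  # The original accepted only RELATED. With INPUT policy DROP that discards
  # the reply half of every connection this host opens (DNS, updates, ...);
  # ESTABLISHED must be accepted as well.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# START UP EXTRA FIREWALL SCRIPT MODULES
# These files are executed as root: keep them root-owned and not writable
# by group/other, otherwise they become a way to alter the rule set.
run_extra_scripts() {
  local script
  for script in /usr/local/virus/iptables/iptables.deny \
                /usr/local/virus/iptables/iptables.allow \
                /usr/local/virus/httpd-err/iptables.http; do
    if [ -f "$script" ]; then
      sh "$script"
    fi
  done
}

#4 ALLOW SOME TYPE OF ICMP PACKAGE ENTER
allow_icmp() {
  local icmp_type
  for icmp_type in 0 3 3/4 4 11 12 14 16 18; do
    iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
}

# 5.ALLOW SOME SERVIES IN, SET BY YOURSELF
# Uncomment the lines you need. Notes:
#  - FTP control is plain TCP (the original had "-p FTP", which iptables
#    rejects).
#  - The two "--sport 53" lines accept ANY packet whose source port is 53,
#    not only DNS replies; the RELATED,ESTABLISHED rule above already lets
#    answers to this host's own queries in, so they are best left disabled.
allow_services() {
  :
  # iptables -A INPUT -p TCP -i "$EXTIF" --dport 21  -j ACCEPT   # FTP
  # iptables -A INPUT -p TCP -i "$EXTIF" --dport 22  -j ACCEPT   # SSH
  # iptables -A INPUT -p TCP -i "$EXTIF" --dport 25  -j ACCEPT   # SMTP
  # iptables -A INPUT -p UDP -i "$EXTIF" --sport 53  -j ACCEPT   # DNS (see note)
  # iptables -A INPUT -p TCP -i "$EXTIF" --sport 53  -j ACCEPT   # DNS (see note)
  # iptables -A INPUT -p TCP -i "$EXTIF" --dport 80  -j ACCEPT   # WWW
  # iptables -A INPUT -p TCP -i "$EXTIF" --dport 110 -j ACCEPT   # POP3
  # iptables -A INPUT -p TCP -i "$EXTIF" --dport 443 -j ACCEPT   # HTTPS
}

#SECOND: FOR END MAINSERVER SET
# 1.LOAD SOME USEFULL MODULES
# Module names are the legacy ip_conntrack family; on newer kernels
# modprobe simply reports them as missing (nf_conntrack is autoloaded).
load_modules() {
  local mod
  for mod in ip_tables iptable_nat ip_nat_ftp ip_nat_irc \
             ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
    # Anchor on the first column so a name in "Used by" does not count.
    if ! lsmod | grep -q "^${mod} "; then
      modprobe "$mod"
    fi
  done
}

# 2.CLEAR NAT TABLE RULE
reset_nat_table() {
  iptables -F -t nat
  iptables -X -t nat
  iptables -Z -t nat
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT
}

# 3. OPEN ROUTER ,IP SHARE MACHINE
enable_routing() {
  if [ -n "$INIF" ]; then
    iptables -A INPUT -i "$INIF" -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
    local innet
    # shellcheck disable=SC2086 -- INNET is a space-separated list by design
    for innet in $INNET; do
      iptables -t nat -A POSTROUTING -s "$innet" -o "$EXTIF" -j MASQUERADE
    done
  fi

  # IF YOU MSN ALWAYS DISCONNECTED,OR MAYBE SOME WEBSITE OK OR NOT OK
  # MAYBE IS MTU'S PROBLEM,CANCEL COMMENTS UNDERLINE
  # iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
  #   --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

  # INNER SERVER SET
  # iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" --dport 80 \
  #   -j DNAT --to 192.168.1.253:80

  # FILL YOU ALLOW IPs
  # iptables -A INPUT -i "$EXTIF" -s 140.116.44.0/24 -j ACCEPT
  # FILL YOUR DENNIE IPs
  # iptables -A INPUT -i "$EXTIF" -s 192.168.1.254 -j DROP
}

#######################################
# Apply the whole rule set in the original order: kernel knobs, filter
# table, extra scripts, ICMP, services, modules, NAT table, routing.
#######################################
main() {
  tune_kernel
  reset_filter_table
  run_extra_scripts
  allow_icmp
  allow_services
  load_modules
  reset_nat_table
  enable_routing
}

main "$@"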
稍做修改,就能夠將它運行:
# sh iptables.rule
而後保存:
# service iptables save
這樣防火牆設置基本上就 OK 了;若是有特殊須要,再自行根據命令調整。
iptables 命令參考:http://dev.firnow.com/course/6_system/linux/Linuxjs/20090309/160215.html