简单的iptables脚本

#!/bin/bash

#Ports open to any source IP (space-separated; "low:high" is a port range, e.g. 50000:50100)
TCP_DPORT="80 443 3306 3690 8008 8000 8001 8088 50000:50100"
UDP_DPORT=""

#Ports restricted to the listed source IPs / source MAC addresses
#(the *_IP / *_MAC lists each pair with the matching *_DPORT list)
S_TCP_IP=""
S_TCP_MAC=""
S_TCP_DPORT=""

S_UDP_IP=""
S_UDP_MAC=""
S_UDP_DPORT=""

#Blacklisted source IPs, refused access
DROP_IP=""

#OS release: enter the major version, 6 (CentOS 6) or 7 (CentOS 7); prompted for below when left empty
sysver=


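# Prompt for the CentOS major release when sysver was not set above.
# `read` returns non-zero at EOF (stdin closed or redirected from an empty
# source); the original loop treated that like a wrong answer and spun forever,
# so abort instead of looping.
if [[ -z ${sysver} ]]; then
	while true; do
		read -r -p "请选择系统版本[1.Centos6 2.Centos7]: " version || exit 1
		case "${version}" in
			1|6)
				sysver=6
				break
				;;
			2|7)
				sysver=7
				break
				;;
			*)
				echo "----请输入1或者2----"
				;;
		esac
	done
fi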

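#######################################
# Rebuild the filter table from the lists configured at the top of the script.
# Rule order matters because iptables is first-match: the blacklist is inserted
# before any ACCEPT rule (the previous order appended it after them, so listed
# addresses could still reach every open port), and the INPUT policy is set to
# DROP only after all ACCEPT rules exist, so the current SSH session is not cut
# off in the gap between the flush and the ESTABLISHED rule.
# Globals:   reads TCP_DPORT UDP_DPORT S_TCP_IP S_TCP_MAC S_TCP_DPORT
#            S_UDP_IP S_UDP_MAC S_UDP_DPORT DROP_IP
# Arguments: none
# Outputs:   none (modifies the live iptables ruleset; needs root)
# Returns:   status of the last iptables command
#######################################
function config_iptables() {
	local ssh_ports port ip mac

	# Every active "Port" directive in sshd_config (comment lines skipped, the
	# directive name is case-insensitive); default to 22 when none is set.
	ssh_ports=$(grep -Ei '^[[:space:]]*Port[[:space:]]+' /etc/ssh/sshd_config | awk '{print $2}')
	[[ -n ${ssh_ports} ]] || ssh_ports=22

	# Open the INPUT policy before flushing so nothing is dropped while the
	# chain is empty; the DROP policy is installed at the end of this function.
	iptables -P INPUT ACCEPT
	iptables -F
	iptables -X
	iptables -Z
	iptables -P FORWARD DROP
	iptables -P OUTPUT ACCEPT

	iptables -A INPUT -i lo -j ACCEPT

	# Blacklist first, ahead of every ACCEPT rule. Word splitting on the
	# space-separated lists is intended in all the loops below.
	for ip in ${DROP_IP}; do
		iptables -A INPUT -s "${ip}" -j DROP
	done

	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT -p icmp -j ACCEPT

	# SSH: one rule per configured port.
	for port in ${ssh_ports}; do
		iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport "${port}" -j ACCEPT
	done

	# Ports open to any source.
	for port in ${TCP_DPORT}; do
		iptables -A INPUT -p tcp -m tcp --dport "${port}" -j ACCEPT
	done
	for port in ${UDP_DPORT}; do
		iptables -A INPUT -p udp --dport "${port}" -j ACCEPT
	done

	# Ports restricted by source IP or source MAC. An empty list is simply an
	# empty loop, so no separate -n guards are needed.
	for ip in ${S_TCP_IP}; do
		for port in ${S_TCP_DPORT}; do
			iptables -A INPUT -p tcp -m tcp -s "${ip}" --dport "${port}" -j ACCEPT
		done
	done
	for mac in ${S_TCP_MAC}; do
		for port in ${S_TCP_DPORT}; do
			iptables -A INPUT -p tcp -m mac --mac-source "${mac}" --dport "${port}" -j ACCEPT
		done
	done
	for ip in ${S_UDP_IP}; do
		for port in ${S_UDP_DPORT}; do
			iptables -A INPUT -p udp -s "${ip}" --dport "${port}" -j ACCEPT
		done
	done
	for mac in ${S_UDP_MAC}; do
		for port in ${S_UDP_DPORT}; do
			iptables -A INPUT -p udp -m mac --mac-source "${mac}" --dport "${port}" -j ACCEPT
		done
	done

	# Explicit rejects for everything else, then close the INPUT policy.
	iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
	iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
	iptables -P INPUT DROP
}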

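#######################################
# Add one line to root's crontab through crontab(1) so crond reloads it,
# instead of appending to the spool file directly.
# Arguments: $1 - crontab line to add
# Returns:   status of `crontab -`
#######################################
install_cron() {
	local line=$1
	# `crontab -l` fails when no crontab exists yet; that is fine, the group's
	# status is printf's and the pipe still feeds the new line in.
	{ crontab -l 2>/dev/null; printf '%s\n' "${line}"; } | crontab -
}

#######################################
# Apply the firewall policy for the selected CentOS release. A fail-safe cron
# job that stops the firewall service every 5 minutes is installed first so a
# bad rule cannot lock the operator out for good; it must be removed by hand
# once access has been verified (the messages say so).
# Globals:   reads sysver; modifies root's crontab
# Arguments: none
# Outputs:   progress messages on stdout, the error on stderr
# Returns:   exits 1 on an unknown release number
#######################################
function main() {
	local start_msg ok_msg
	start_msg='[\033[35mINFO\033[0m] [开始配置防火墙策略,并加入每5分钟关闭防火墙服务的定时任务,如稍后无法连接服务器,请静等五分钟再尝试连接]'
	ok_msg='[\033[32mOK\033[0m] [防火墙策略已生效,测试无问题后请在5分钟内删除关闭防火墙服务的定时任务]'

	case "${sysver}" in
		6)
			# Every 5 minutes, as the messages promise (the old entry ran
			# every 3 minutes, which did not match what the operator was told).
			install_cron '*/5 * * * * /etc/init.d/iptables stop'
			printf '%b\n' "${start_msg}"
			/etc/init.d/iptables restart
			sleep 3
			config_iptables
			/etc/init.d/iptables save
			printf '%b\n' "${ok_msg}"
			;;
		7)
			install_cron '*/5 * * * * /bin/systemctl stop firewalld'
			printf '%b\n' "${start_msg}"
			systemctl restart firewalld
			sleep 3
			config_iptables
			# NOTE(review): nothing saves the rules on CentOS 7 here, so a
			# firewalld restart or a reboot discards them — confirm that is intended.
			printf '%b\n' "${ok_msg}"
			;;
		*)
			# A bad configuration is an error, so exit non-zero (was exit 0).
			printf '%s\n' "不正确的版本号,请检查脚本" >&2
			exit 1
			;;
	esac
}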
# Entry point; main ignores its arguments, so passing them through is harmless.
main "$@"
