#!/bin/bash
# Small Linux gateway firewall: hardens the host's IPv4 stack, applies a
# default-deny INPUT/FORWARD policy and masquerades the LAN behind EXTIF.
#
# All tunables live here and are exported so child processes see them:
#   EXTIF  - interface facing the untrusted network
#   INIF   - interface facing the trusted LAN (empty = no routing/NAT section)
#   INNET  - comma-separated LAN networks to masquerade
#   PORT   - comma-separated TCP destination ports LAN clients may reach
export EXTIF="eth0"
export INIF="eth1"
export INNET="10.10.10.0/24,10.10.20.0/24"
export PORT="20,21,53,80,110"
#MMM
#MMM
# Kernel-side IPv4 hardening.  These are runtime /proc writes only and do not
# survive a reboot; persist them via sysctl.conf if that matters.  They are
# done with the `echo` builtin because PATH is not set until further down.

# Write value $2 to the knob named $1 in every /proc/sys/net/ipv4/conf/<if>/.
set_ipv4_conf() {
  local knob
  for knob in /proc/sys/net/ipv4/conf/*/"$1"; do
    echo "$2" > "$knob"
  done
}

echo "1" > /proc/sys/net/ipv4/tcp_syncookies              # keep accepting under SYN floods
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  # don't answer broadcast pings (smurf)
set_ipv4_conf rp_filter 1             # reverse-path check against spoofed sources
set_ipv4_conf log_martians 1          # log packets with impossible addresses
set_ipv4_conf accept_source_route 0   # ignore source-routed packets
set_ipv4_conf accept_redirects 0      # ICMP redirects may not rewrite our routes
set_ipv4_conf send_redirects 0        # and we do not emit them either
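# Default firewall state: fail closed on INPUT/FORWARD, allow everything out.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH

# Set the deny policies *before* flushing so the host never sits open while the
# rule set is rebuilt.  Note this also means a remote admin is locked out if the
# script aborts before the SSH rule below -- run it from the console or under a
# timed rollback.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Flush the filter table AND the nat table.  The original only flushed filter,
# so every re-run stacked another copy of the MASQUERADE rules in nat.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and helper-related flows (FTP data,
# ICMP errors for tracked connections), come back through here.  The original
# matched RELATED only, so answers to the host's own outbound connections were
# dropped; the old "accept anything with source port 53" rules worked around
# that for DNS and, as a side effect, let any remote sender reach any local
# port simply by using source port 53.  Those rules are gone.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# ICMP types allowed to transit from the outside towards the LAN.  Echo request
# (8) is deliberately absent so the LAN is not pingable from outside; 3/4
# (fragmentation needed) must pass or path-MTU discovery breaks.  The host
# itself accepts no unsolicited ICMP from EXTIF (no INPUT rule) -- ICMP errors
# for its own connections still arrive as RELATED.
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP; do
  iptables -A FORWARD -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done

# Services this host exposes on the external interface.  Only the opening
# packet needs a rule now; the rest of each connection matches ESTABLISHED.
# SSH is reachable from anywhere -- add `-s <admin-net>` where that is possible.
iptables -A INPUT -p tcp -i "$EXTIF" --dport 22  -m state --state NEW -j ACCEPT   # SSH
iptables -A INPUT -p tcp -i "$EXTIF" --dport 25  -m state --state NEW -j ACCEPT   # SMTP
iptables -A INPUT -p tcp -i "$EXTIF" --dport 80  -m state --state NEW -j ACCEPT   # HTTP
iptables -A INPUT -p tcp -i "$EXTIF" --dport 110 -m state --state NEW -j ACCEPT   # POP3 (cleartext)
iptables -A INPUT -p tcp -i "$EXTIF" --dport 443 -m state --state NEW -j ACCEPT   # HTTPS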
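# Routing / NAT for the LAN.  The whole section, including the FORWARD rules,
# is skipped when INIF is empty (the original ran its last FORWARD rule
# unconditionally, which fails with an empty -s argument when INNET is unset).
if [ -n "$INIF" ]; then
  # The LAN side is fully trusted: anything arriving on INIF reaches the host.
  iptables -A INPUT -i "$INIF" -j ACCEPT
  echo "1" > /proc/sys/net/ipv4/ip_forward

  # Return traffic for flows the LAN opened.  Without this rule the FORWARD
  # policy (DROP) discards every reply coming back in on EXTIF, so the
  # original masquerading never worked for TCP.
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -m state --state INVALID -j DROP

  if [ -n "$INNET" ]; then
    # INNET is comma-separated; a plain `for x in $INNET` does not split on
    # commas and passed the whole list as one -s argument (only newer iptables
    # builds accept that form).  Split explicitly, one rule per network.
    IFS=, read -r -a lan_nets <<< "$INNET"
    for lan_net in "${lan_nets[@]}"; do
      iptables -t nat -A POSTROUTING -s "$lan_net" -o "$EXTIF" -j MASQUERADE
      # LAN clients may open TCP connections to the listed ports only ...
      iptables -A FORWARD -i "$INIF" -o "$EXTIF" -s "$lan_net" \
        -p tcp -m multiport --dport "$PORT" -m state --state NEW -j ACCEPT
      # ... plus UDP DNS: 53 is in PORT but the original rule was TCP-only, and
      # most resolvers query over UDP first.
      iptables -A FORWARD -i "$INIF" -o "$EXTIF" -s "$lan_net" \
        -p udp --dport 53 -j ACCEPT
    done
  fi
fi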
# Reposted from: https://blog.51cto.com/liusancai/1029787