#!/bin/bash

# Site-specific settings, collected here so the rules below stay short.

# Interfaces.  WAN and LAN are the same NIC (eth0), so every -i/-o match in
# the rules below sees traffic from both sides of the network.
WAN_INT="eth0"
WAN_INT_IP="172.16.100.100"

LAN_INT="eth0"            # not referenced anywhere else in this file
LAN_INT_IP="10.15.15.15"  # not referenced anywhere else in this file
LAN_IP_RANGE="10.15.0.0/16"

# Whitespace-separated list of LAN clients that may reach PORT on the WAN
# side; start() splits it with an unquoted `for ... in ${ACCEPT_ACCESS_CLIENT}`.
ACCEPT_ACCESS_CLIENT="10.15.100.11 10.15.100.12 10.15.100.13 10.15.100.14 10.15.100.15 10.15.101.11 10.15.101.12 10.15.101.13 10.15.101.14 10.15.101.15 10.15.100.86"

# The single client that gets per-destination rules built from /SqLogs/qq-ip.
ACCEPT_QQ_CLIENT="10.15.100.86"

# Windows 2003 host on the WAN side; not referenced anywhere else in this file.
WAN_WIN2003_SRV="172.16.100.101"

# Comma-separated port list in `-m multiport` syntax
# (ftp data/control, smtp, dns, http, pop3, imap, rtsp, mms, realaudio).
PORT="20,21,25,53,80,110,143,554,1755,7070"

# Port ranges (low:high) the author attributes to QQ, in multiport syntax.
PORT_QQ="4000:4020,8000:8020"

# Absolute tool paths so the script does not depend on the caller's PATH.
IPT="/sbin/iptables"
MODP="/sbin/modprobe"

###################################################################################

# Load the netfilter modules the rules below rely on.  There is no `set -e`,
# so a modprobe that fails (module renamed on newer kernels, or built in)
# only prints to stderr and the script carries on.  Note that ipt_state is
# loaded although no rule in this file uses `-m state`.
for nf_module in ip_tables ip_conntrack iptable_filter iptable_nat ipt_LOG ipt_limit ipt_state; do
  $MODP "$nf_module"
done

###################################################################################

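start(){
  #######################################
  # Bring the firewall up from a clean slate: flush every table, set the
  # chain policies, enable IPv4 forwarding, then load the NAT and FORWARD
  # rules.  Needs root (iptables and the /proc/sys write).
  # Globals:   IPT, WAN_INT, WAN_INT_IP, LAN_IP_RANGE, ACCEPT_ACCESS_CLIENT,
  #            ACCEPT_QQ_CLIENT, PORT, PORT_QQ (all read)
  # Arguments: none
  # Inputs:    /SqLogs/allowinternet and /SqLogs/qq-ip, one entry per line;
  #            any line containing '#' anywhere is skipped whole
  # Outputs:   progress messages on stdout; iptables errors on stderr
  # Returns:   status of the last command run.  There is no `set -e`, so a
  #            failing rule does not stop the remaining ones from loading.
  # Note:      no rule uses connection tracking (`-m state`), so return
  #            traffic is admitted only by the explicit --sport rules below.
  #######################################
  local open_ip killqq_ip client qq_host
  local -a qq_hosts=(
    tcpconn.tencent.com tcpconn2.tencent.com tcpconn3.tencent.com
    tcpconn4.tencent.com tcpconn5.tencent.com tcpconn6.tencent.com
    http2.tencent.com http.tencent.com
  )

  echo ""
  printf '\033[1;032m flush all chains......                       [ok] \033[m\n'

  # Flush every table first so re-running start does not stack duplicate rules.
  "$IPT" -t filter -F
  "$IPT" -t nat -F
  "$IPT" -t mangle -F

  # Policies: only forwarded traffic is denied by default.  The host's own
  # INPUT and OUTPUT chains stay wide open.
  "$IPT" -t filter -P INPUT ACCEPT
  "$IPT" -t filter -P OUTPUT ACCEPT
  "$IPT" -t filter -P FORWARD DROP

  # ssh: no-ops while INPUT/OUTPUT are ACCEPT, but they keep ssh reachable
  # if those policies are ever tightened.
  "$IPT" -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPT" -t filter -A OUTPUT -p tcp --sport 22 -j ACCEPT

  # Enable IPv4 routing.  Nothing in stop() turns this back off.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Explicit SNAT is disabled in favour of the MASQUERADE rule further down.
  # "$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$WAN_INT" -j SNAT --to-source "$WAN_INT_IP"

  # DNAT: every packet arriving on WAN_INT for WAN_INT_IP -- any protocol,
  # any port, since no -p/--dport is given -- is redirected to 10.15.0.103.
  # That exposes the whole host rather than one service; add -p/--dport if
  # only a single service is meant to be reachable from the WAN side.
  "$IPT" -t nat -A PREROUTING -d "$WAN_INT_IP" -i "$WAN_INT" -j DNAT --to-destination 10.15.0.103

  # PPPOE: let the whole LAN range through and masquerade it on the WAN
  # interface.  Because this ACCEPT covers all of LAN_IP_RANGE, the
  # per-address FORWARD ACCEPTs added below are redundant for sources inside
  # that range (their PREROUTING REDIRECT still applies).
  "$IPT" -A FORWARD -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -o "$WAN_INT" -j MASQUERADE

  ##############allow someone to access internet##############################################################
  # Entries are not validated here; a malformed one only makes its own
  # iptables call fail.  NOTE(review): if the file can hold hostnames,
  # iptables resolves them once at load time -- confirm it holds literal IPs.
  for open_ip in $(grep -v '#' -- /SqLogs/allowinternet); do
    "$IPT" -A FORWARD -s "$open_ip" -j ACCEPT
    # Transparent proxying: port-80 traffic from this client goes to the
    # local listener on 3128 (presumably squid -- confirm).
    "$IPT" -t nat -A PREROUTING -s "$open_ip" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
  done

  ##############Kill QQ##############################################################
  # Despite the heading, these rules ACCEPT the QQ port ranges and Tencent
  # hosts for every forwarded source.  The matching DROP rules sit at top
  # level after this function and are inserted before the case dispatch;
  # the flush at the top of start() removes them again.
  "$IPT" -A FORWARD -p tcp -m multiport --dport "$PORT_QQ" -j ACCEPT
  "$IPT" -A FORWARD -p udp -m multiport --dport "$PORT_QQ" -j ACCEPT
  for qq_host in "${qq_hosts[@]}"; do
    # iptables resolves the name when the rule is added; later DNS changes
    # are not tracked.
    "$IPT" -A FORWARD -d "$qq_host" -j ACCEPT
  done

  # Per-destination ACCEPT for the single QQ client, from /SqLogs/qq-ip.
  for killqq_ip in $(grep -v '#' -- /SqLogs/qq-ip); do
    "$IPT" -A FORWARD -s "$ACCEPT_QQ_CLIENT" -d "$killqq_ip" -j ACCEPT
  done

  ###############accept erp access####################################################
  # Each listed client may reach PORT on the WAN side over tcp and udp.
  # With WAN_INT and LAN_INT both set to eth0, -i/-o do not actually tell
  # the two sides apart.
  if [[ -n "$ACCEPT_ACCESS_CLIENT" ]]; then
    # Replies from PORT on the WAN side.  These two rules do not depend on
    # the client, so they are added once rather than inside the per-client
    # loop.  They carry no -d, so any packet from a WAN-side source port in
    # PORT is accepted to any destination.
    "$IPT" -t filter -A FORWARD -p tcp -m multiport -i "$WAN_INT" --sport "$PORT" -j ACCEPT
    "$IPT" -t filter -A FORWARD -p udp -m multiport -i "$WAN_INT" --sport "$PORT" -j ACCEPT
    for client in $ACCEPT_ACCESS_CLIENT; do
      "$IPT" -t filter -A FORWARD -p tcp -m multiport -s "$client" -o "$WAN_INT" --dport "$PORT" -j ACCEPT
      "$IPT" -t filter -A FORWARD -p udp -m multiport -s "$client" -o "$WAN_INT" --dport "$PORT" -j ACCEPT

      echo ""
      # printf with a fixed format so "[ok]" can never be glob-expanded
      printf '%s Access to External.....ACCEPT access Win2003 server [ok]\n' "$client"
    done
  fi
}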

###############KILL QQ###########################################################
# These DROP rules run at script load time, before the `case` dispatch at the
# bottom, whatever action was requested.  Both start() and stop() begin by
# flushing the filter table, so after `start`, `stop` or `restart` none of
# them remain; they survive only when the script is invoked with an
# unrecognised argument (which prints usage and exits 1).
# NOTE(review): start() appends ACCEPT rules for the same ports, hosts and
# /SqLogs/qq-ip pairs; which of the two is intended is unclear from this file.
# `-I` inserts at the head of FORWARD, so the last rule added here ends up
# first in the chain.
for qq_proto in tcp udp; do
  $IPT -t filter -I FORWARD -p "$qq_proto" --dport 8000 -j DROP
done
for qq_host in tcpconn.tencent.com tcpconn2.tencent.com tcpconn3.tencent.com \
               tcpconn4.tencent.com tcpconn5.tencent.com tcpconn6.tencent.com \
               http2.tencent.com http.tencent.com; do
  # iptables resolves the name when the rule is added; later DNS changes are not tracked.
  $IPT -t filter -I FORWARD -d "$qq_host" -j DROP
done

# Per-destination DROP for ACCEPT_QQ_CLIENT, one entry per line in
# /SqLogs/qq-ip (lines containing '#' anywhere are skipped whole).
for killqq_ip in $(grep -v '#' -- /SqLogs/qq-ip); do
  $IPT -A FORWARD -s "$ACCEPT_QQ_CLIENT" -d "$killqq_ip" -j DROP
done

###################################################################################

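stop(){
  #######################################
  # Tear the firewall down: flush and delete every user chain in the filter
  # and nat tables, zero the counters, and open all policies.
  # Globals:   IPT (read)
  # Arguments: none
  # Outputs:   a banner on stdout; iptables errors on stderr
  # Returns:   status of the final printf (0 unless stdout is broken)
  # Caveats:   ip_forward, which start() sets to 1, is left untouched, so
  #            after `stop` the host keeps forwarding with a FORWARD policy
  #            of ACCEPT -- i.e. completely unfiltered.  The mangle table is
  #            not flushed here, although start() flushes it.
  #######################################
  local table
  for table in filter nat; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
    "$IPT" -t "$table" -Z
  done

  "$IPT" -P INPUT ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  # (the nat table was already flushed above, so no second `-t nat -F`)
  "$IPT" -t nat -P PREROUTING ACCEPT
  "$IPT" -t nat -P POSTROUTING ACCEPT

  printf '%s\n' \
    "#############################################################################" \
    "#                                                                           #" \
    "#                Stop firewall server Access rule successful !              #" \
    "#                                                                           #" \
    "#############################################################################"
}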

###################################################################################

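# Dispatch on the first argument.  By the time we get here the top-level
# "KILL QQ" rules above have already been inserted, whatever $1 is.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    # Usage goes to stderr; the stray trailing "|" in the option list is gone.
    printf 'Usage:%s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac
# Propagate the status of the last command run by the chosen action.
exit $?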