大家帮忙看看有什么可改进
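#!/bin/bash
#
# Host firewall setup: flush iptables, install deny-by-default policies, then
# allow loopback, the gateway(s) and the primary interface; everything else is
# logged and rejected.  Requires root.
#
# Shell options are set here rather than in the shebang: `#!/bin/bash -e` is
# silently ignored when the script is launched as `bash script.sh`.
set -eu
# Pin PATH so iptables/ip/awk resolve to the system binaries rather than
# whatever the caller's environment puts first.
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
# iptables needs CAP_NET_ADMIN, which is decided by the *effective* uid.
if (( EUID != 0 )); then
  printf '%s\n' 'please run me as root.' >&2
  exit 1
fi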
################################################################################
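#######################################
# Flush every rule and delete every user-defined chain in the three tables
# this script touches.  Built-in chain policies are deliberately left alone,
# so an existing DROP policy stays in force (fail closed) until chain_init
# sets the policies explicitly.
# Outputs:   progress line on stdout
# Returns:   non-zero if any iptables call fails
#######################################
chain_clean() {
  local table
  printf '%s\n' 'Cleaning iptables chains...'
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
}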
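#######################################
# Dump the rules of all three tables (verbose, numeric, with rule numbers)
# to stdout so the final rule set can be reviewed.
# Outputs:   one header plus the iptables listing per table
#######################################
chain_show() {
  local table
  printf '%s\n' 'Listing chains...'
  for table in filter nat mangle; do
    printf '==================== Table : %s ====================\n' "$table"
    iptables -t "$table" -L -v -n --line-numbers
    printf '\n'
  done
}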
#######################################
# Install the default policies and create the IReject chain.
# The filter table is deny-by-default (fail closed): right after chain_clean
# no rules exist, so nothing passes until the allow_* functions append their
# rules.  nat and mangle are left fully open.
# Returns:   non-zero if any iptables call fails (e.g. IReject already exists)
#######################################
chain_init() {
  local chain
  # filter: drop everything that no later rule accepts
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  # logged catch-all chain for rejected traffic
  iptables -N IReject
  setup_IReject
  # nat: pass-through
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
  done
  # mangle: pass-through
  for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    iptables -t mangle -P "$chain" ACCEPT
  done
}
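#######################################
# Populate the IReject chain: log the packet, answer with a protocol-
# appropriate rejection, and drop whatever is left.
# Logging is rate-limited: an unbounded LOG target lets any packet flood
# fill the system log, so only a bounded number of hits per minute are
# written (the rejection itself is not limited).
# Author's note on the commented-out variant: "confuse the enemy".
# Returns:   non-zero if any iptables call fails
#######################################
setup_IReject() {
  local -r log_rate=5/minute
  local -r log_burst=10
  # iptables -A IReject -j LOG -s ! 192.168.6.0/24 --log-prefix "FIREWALL:IReject "
  iptables -A IReject -m limit --limit "$log_rate" --limit-burst "$log_burst" -j LOG --log-level 4 --log-prefix "FIREWALL:IReject "
  iptables -A IReject -p tcp -j REJECT --reject-with tcp-reset
  iptables -A IReject -p udp -j REJECT --reject-with icmp-port-unreachable
  iptables -A IReject -p icmp -j REJECT --reject-with icmp-port-unreachable
  iptables -A IReject -j DROP
}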
################################################################################
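#######################################
# Blackhole the RFC 1918 private ranges (author's note: "block machines that
# will never be reached").  Inbound hits go through IReject and are logged;
# outbound packets to those ranges are dropped silently.
# NOTE(review): main() runs allow_gate before ban_pub, so a gateway that sits
# inside one of these ranges is still reachable through the earlier ACCEPT
# rules — confirm that is the intended precedence.
# Returns:   non-zero if any iptables call fails
#######################################
ban_pub() {
  local net
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    iptables -A INPUT -s "$net" -j IReject
    iptables -A OUTPUT -d "$net" -j DROP
  done
}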
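#######################################
# Allow traffic between this host and every IPv4 gateway in the routing
# table (author's note: the gateway must be pingable to test the network):
# outbound from our address on that interface to the gateway, and inbound
# replies (ESTABLISHED,RELATED) from the gateway back to us.
#
# Routes are read with `ip -4 route` instead of `route -n`: net-tools is
# missing on many current systems, and `ip` marks gatewayed routes with the
# `via` keyword, so "has a gateway" no longer rests on the last-octet-is-
# not-0 heuristic.  Directly connected routes (no `via`) are skipped, as
# before.  Addresses come from getmyip, one per line, and get one rule pair
# each.
# Returns:   non-zero if any iptables call fails
#######################################
allow_gate() {
  local gateway dev addr
  while read -r gateway dev; do
    [[ -n "$gateway" && -n "$dev" ]] || continue
    while IFS= read -r addr; do
      [[ -n "$addr" ]] || continue
      iptables -A OUTPUT -o "$dev" -s "$addr" -d "$gateway" -j ACCEPT
      iptables -A INPUT -i "$dev" -s "$gateway" -d "$addr" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done < <(getmyip "$dev")
  done < <(ip -4 route show | awk '/ via / {
      g = ""; d = ""
      for (i = 1; i < NF; i++) {
        if ($i == "via") g = $(i + 1)
        if ($i == "dev") d = $(i + 1)
      }
      if (g != "" && d != "") print g, d
    }')
}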
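#######################################
# Print the IPv4 address(es) configured on an interface, one per line,
# without the prefix length.
# Arguments: $1 - interface name
# Outputs:   addresses on stdout; nothing if the interface has none
#
# `ip -o -4 addr show dev IFACE` emits one line per address with the
# address in the fourth column (e.g. "2: eth0    inet 192.0.2.10/24 ...").
# The previous grep on "^.: IFACE: " matched only single-digit interface
# indexes and its /inet/ filter also picked up inet6 lines.
#######################################
getmyip() {
  ip -o -4 addr show dev "$1" | awk '{ sub("/.*", "", $4); print $4 }'
}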
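#######################################
# Permit loopback traffic and traffic from/to this host's own address on
# the primary interface.  Inbound on that interface is limited to replies
# to connections we opened (ESTABLISHED,RELATED); new inbound connections
# fall through to the IReject catch-all appended by main().
# Arguments: $1 - interface name (default eth0, the previously hard-coded value)
# Outputs:   diagnostic on stderr when no address is found
# Returns:   0 on success, 1 if the interface has no IPv4 address
#######################################
allow() {
  local dev=${1:-eth0}
  local addr found=0
  # lo: the literal 127.0.0.1 avoids a name lookup at rule-insert time
  # (iptables resolves "localhost" once, through /etc/hosts, when the rule
  # is submitted).
  # NOTE(review): traffic to the host's own interface address also travels
  # over lo with that address as src/dst and is not matched here — confirm
  # this is intended.
  iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  # One rule pair per address getmyip reports (one per line); an empty
  # address would otherwise be passed to iptables as a missing -s argument.
  while IFS= read -r addr; do
    [[ -n "$addr" ]] || continue
    found=1
    iptables -A OUTPUT -o "$dev" -s "$addr" -j ACCEPT
    iptables -A INPUT -i "$dev" -d "$addr" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done < <(getmyip "$dev")
  if (( found == 0 )); then
    printf 'allow: no IPv4 address found on %s\n' "$dev" >&2
    return 1
  fi
  return 0
}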
################################################################################
#######################################
# Terminal rules: INPUT that nothing above accepted goes to the logged
# IReject chain ("reject all remaining INPUT"); unmatched OUTPUT is logged
# and then falls to the OUTPUT DROP policy set in chain_init.
#######################################
reject_remaining() {
  iptables -A INPUT -j IReject
  iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "FIREWALL:OUTPUT "
}

#######################################
# Entry point.  Order matters: iptables evaluates a chain top to bottom, so
# the gateway allow rules precede ban_pub and every allow rule precedes the
# catch-all appended by reject_remaining.
#######################################
main() {
  chain_clean
  chain_init
  allow_gate
  ban_pub
  allow
  reject_remaining
  chain_show
}
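# Pass the command line through so main can grow options later without
# changing this call site.
main "$@"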