전 회사 다닐때 만든 iptables 스크립트

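#!/bin/sh
#
# Host firewall (IPv4 only, iptables filter table) for a web + mail + FTP host.
#
# Policy model: the INPUT chain is rebuilt from scratch on every run. It is
# built with the default policy left at ACCEPT (so a half-built chain cannot
# lock the operator out mid-run) and is closed by an explicit catch-all DROP
# rule appended last; anything not accepted above that point is dropped.
#
# Rule order (first match wins):
#   1. deny_ip            - sources dropped unconditionally, including their
#                           already-established connections
#   2. malformed TCP      - NULL-flag packets and "new" packets without SYN
#   3. loopback + ESTABLISHED,RELATED
#   4. all_open_port_*    - services reachable from any source
#   5. all_open_ip        - sources allowed on every port (this includes SSH)
#   6. open_ip_port_*     - "ip:port" grants for individual sources
#   7. catch-all DROP
#
# Read before running this remotely:
#   * TCP/22 is deliberately NOT in all_open_port_tcp: SSH is reachable only
#     from the addresses in all_open_ip. Running this over SSH from any other
#     address drops your session as soon as the catch-all DROP is appended.
#   * Only IPv4 is configured. If the host has a global IPv6 address, every
#     service stays fully exposed over IPv6 unless ip6tables is set up too.
#   * List entries may be disabled with a leading '#'. Inside the quoted
#     strings '#' is NOT a shell comment - the loops below skip such entries
#     explicitly; without that, "#x.x.x.x/24" is handed to iptables and fails.
#   * Persistence uses the SysV "service iptables save" (RHEL/CentOS 6 style).
#     On systemd hosts use iptables-services or
#     "iptables-save > /etc/sysconfig/iptables" instead.
#   * The OUTPUT chain policy is never changed here, so the *_out_* lists only
#     have an effect if OUTPUT is set to DROP somewhere else.
#
# Exit status: 0 when every command succeeded; 1 when not run as root
# (nothing is changed) or when at least one command failed (the live chain is
# still closed by the final DROP, the ruleset is still saved, and the failure
# count is reported on stderr so the operator notices).

set -u

# Sources dropped before anything else. CIDR or single address, one per line.
deny_ip="
#14.52.220.0/24
51.222.0.0/16
66.249.0.0/16
185.191.0.0/16
5.188.0.0/16
193.150.0.0/16
193.218.0.0/16
157.180.29.204
154.28.229.71
154.28.229.97
164.90.208.56
64.226.65.160
154.28.229.106
154.28.229.85
154.28.229.174
146.190.63.248
68.183.180.73
51.81.245.138
"

# Services reachable from any source.
#   TCP: 20/21 FTP, 80/443 HTTP(S), 25/587/465 SMTP, 995 POP3S, 993 IMAPS.
#   FTP is cleartext; passive-mode data connections are only accepted if the
#   ftp conntrack helper is loaded (they then match RELATED below).
all_open_port_tcp="20 21 80 443 25 587 465 995 993"
# NOTE(review): SMTP/POP3/IMAP are TCP-only protocols; these UDP rules are
# harmless but nothing is expected to listen there. Kept for compatibility.
all_open_port_udp="25 587 465 995 993"

# Sources granted every port and protocol. This is the only path to SSH, and
# the two public addresses get unrestricted access - keep this list short.
all_open_ip="
192.168.0.14
35.202.117.120
34.68.200.154
"

# Per-source port grants, one "ip:port" or "cidr:port" per line.
open_ip_port_tcp="
"
open_ip_port_udp=""

# OUTPUT grants (see header: no effect unless OUTPUT policy is DROP).
all_open_port_out_tcp=""
all_open_port_out_udp=""

# Number of iptables/save commands that failed; reported at exit.
failures=0

# ipt ARGS...
# Print the rule exactly as it is executed, then run it. Failures are counted
# instead of aborting: aborting halfway would leave INPUT at ACCEPT with no
# final DROP, i.e. a typo in one list entry would fail open.
ipt() {
  printf 'iptables %s\n' "$*"
  iptables "$@" || failures=$((failures + 1))
}

# is_comment ENTRY
# True when a list entry is disabled with a leading '#'.
is_comment() {
  case "$1" in
    \#*) return 0 ;;
    *)   return 1 ;;
  esac
}

# add_ip_port_rules PROTO LIST
# Append one "-s IP --dport PORT -j ACCEPT" rule per "ip:port" entry in LIST
# for PROTO (tcp|udp). Entries without ':' would otherwise yield a rule with
# ip == port; they are reported and skipped instead.
add_ip_port_rules() {
  # shellcheck disable=SC2086 -- the list is deliberately word-split
  for entry in $2; do
    is_comment "$entry" && continue
    case "$entry" in
      *:*) ipt -A INPUT -p "$1" -s "${entry%:*}" --dport "${entry#*:}" -j ACCEPT ;;
      *)   printf 'skipping malformed %s entry (want ip:port): %s\n' "$1" "$entry" >&2
           failures=$((failures + 1)) ;;
    esac
  done
}

# Refuse early rather than flush and then fail on every rule as non-root.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "error: must be run as root (iptables needs CAP_NET_ADMIN)" >&2
  exit 1
fi

# 1. Start from an empty filter table: flush all chains, delete user-defined
#    chains, and keep INPUT at ACCEPT while the chain is rebuilt (see header).
ipt -F
ipt -X
ipt -P INPUT ACCEPT

# 2. Deny list - first, so it also cuts existing connections from those sources.
for ip in $deny_ip; do
  is_comment "$ip" && continue
  ipt -A INPUT -s "$ip" -j DROP
done

# 3-1. TCP packets with no flags set (NULL scan).
ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# 3-2. "New" connections that do not start with SYN (stealth scans, stray
#      ACK/FIN after a conntrack timeout). Despite the original label this is
#      not SYN-flood protection; that would need a rate limit on SYN.
#      "-m state" is the legacy alias of "-m conntrack --ctstate"; kept for
#      the older systems this script targets.
ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# 4. Replies to traffic the host already has state for, then loopback.
#    Loopback is matched on the interface rather than on source 127.0.0.1 so
#    that a spoofed 127.0.0.1 source on a real interface is not accepted and
#    so that local traffic to the host's own public address still works.
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT -i lo -j ACCEPT

# 5-1. Services open to every source (TCP).
for port in $all_open_port_tcp; do
  ipt -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
# 5-2. Services open to every source (UDP).
for port in $all_open_port_udp; do
  ipt -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
done

# 6. Fully trusted sources: all ports, all protocols.
for ip in $all_open_ip; do
  is_comment "$ip" && continue
  ipt -A INPUT -s "$ip" -j ACCEPT
done

# 7. Per-source port grants.
add_ip_port_rules tcp "$open_ip_port_tcp"
add_ip_port_rules udp "$open_ip_port_udp"

# 8. Catch-all. Everything not accepted above is dropped, including all ICMP
#    (the host will not answer ping). ICMP errors tied to a tracked connection
#    should still pass as RELATED via rule 4. A separate "-p icmp -j DROP"
#    after this line could never match and has been removed.
ipt -A INPUT -j DROP

# 9. OUTPUT grants (no-ops unless OUTPUT policy is DROP; see header).
for port in $all_open_port_out_tcp; do
  ipt -A OUTPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
for port in $all_open_port_out_udp; do
  ipt -A OUTPUT -p udp -m udp --dport "$port" -j ACCEPT
done

# 10. Persist the live ruleset so it survives a reboot.
if ! service iptables save; then
  printf '%s\n' "warning: 'service iptables save' failed; rules are live but not persisted" >&2
  failures=$((failures + 1))
fi

if [ "$failures" -gt 0 ]; then
  printf 'warning: %d command(s) failed; review the output above\n' "$failures" >&2
  exit 1
fi
exit 0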
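# Host firewall (IPv4 only, iptables filter table) for a web + mail + FTP host.
#
# Policy model: the INPUT chain is rebuilt from scratch on every run. It is
# built with the default policy left at ACCEPT (so a half-built chain cannot
# lock the operator out mid-run) and is closed by an explicit catch-all DROP
# rule appended last; anything not accepted above that point is dropped.
#
# Rule order (first match wins):
#   1. deny_ip            - sources dropped unconditionally, including their
#                           already-established connections
#   2. malformed TCP      - NULL-flag packets and "new" packets without SYN
#   3. loopback + ESTABLISHED,RELATED
#   4. all_open_port_*    - services reachable from any source
#   5. all_open_ip        - sources allowed on every port (this includes SSH)
#   6. open_ip_port_*     - "ip:port" grants for individual sources
#   7. catch-all DROP
#
# Read before running this remotely:
#   * TCP/22 is deliberately NOT in all_open_port_tcp: SSH is reachable only
#     from the addresses in all_open_ip. Running this over SSH from any other
#     address drops your session as soon as the catch-all DROP is appended.
#   * Only IPv4 is configured. If the host has a global IPv6 address, every
#     service stays fully exposed over IPv6 unless ip6tables is set up too.
#   * List entries may be disabled with a leading '#'. Inside the quoted
#     strings '#' is NOT a shell comment - the loops below skip such entries
#     explicitly; without that, "#x.x.x.x/24" is handed to iptables and fails.
#   * Persistence uses the SysV "service iptables save" (RHEL/CentOS 6 style).
#     On systemd hosts use iptables-services or
#     "iptables-save > /etc/sysconfig/iptables" instead.
#   * The OUTPUT chain policy is never changed here, so the *_out_* lists only
#     have an effect if OUTPUT is set to DROP somewhere else.
#
# Exit status: 0 when every command succeeded; 1 when not run as root
# (nothing is changed) or when at least one command failed (the live chain is
# still closed by the final DROP, the ruleset is still saved, and the failure
# count is reported on stderr so the operator notices).

set -u

# Sources dropped before anything else. CIDR or single address, one per line.
deny_ip="
#14.52.220.0/24
51.222.0.0/16
66.249.0.0/16
185.191.0.0/16
5.188.0.0/16
193.150.0.0/16
193.218.0.0/16
157.180.29.204
154.28.229.71
154.28.229.97
164.90.208.56
64.226.65.160
154.28.229.106
154.28.229.85
154.28.229.174
146.190.63.248
68.183.180.73
51.81.245.138
"

# Services reachable from any source.
#   TCP: 20/21 FTP, 80/443 HTTP(S), 25/587/465 SMTP, 995 POP3S, 993 IMAPS.
#   FTP is cleartext; passive-mode data connections are only accepted if the
#   ftp conntrack helper is loaded (they then match RELATED below).
all_open_port_tcp="20 21 80 443 25 587 465 995 993"
# NOTE(review): SMTP/POP3/IMAP are TCP-only protocols; these UDP rules are
# harmless but nothing is expected to listen there. Kept for compatibility.
all_open_port_udp="25 587 465 995 993"

# Sources granted every port and protocol. This is the only path to SSH, and
# the two public addresses get unrestricted access - keep this list short.
all_open_ip="
192.168.0.14
35.202.117.120
34.68.200.154
"

# Per-source port grants, one "ip:port" or "cidr:port" per line.
open_ip_port_tcp="
"
open_ip_port_udp=""

# OUTPUT grants (see header: no effect unless OUTPUT policy is DROP).
all_open_port_out_tcp=""
all_open_port_out_udp=""

# Number of iptables/save commands that failed; reported at exit.
failures=0

# ipt ARGS...
# Print the rule exactly as it is executed, then run it. Failures are counted
# instead of aborting: aborting halfway would leave INPUT at ACCEPT with no
# final DROP, i.e. a typo in one list entry would fail open.
ipt() {
  printf 'iptables %s\n' "$*"
  iptables "$@" || failures=$((failures + 1))
}

# is_comment ENTRY
# True when a list entry is disabled with a leading '#'.
is_comment() {
  case "$1" in
    \#*) return 0 ;;
    *)   return 1 ;;
  esac
}

# add_ip_port_rules PROTO LIST
# Append one "-s IP --dport PORT -j ACCEPT" rule per "ip:port" entry in LIST
# for PROTO (tcp|udp). Entries without ':' would otherwise yield a rule with
# ip == port; they are reported and skipped instead.
add_ip_port_rules() {
  # shellcheck disable=SC2086 -- the list is deliberately word-split
  for entry in $2; do
    is_comment "$entry" && continue
    case "$entry" in
      *:*) ipt -A INPUT -p "$1" -s "${entry%:*}" --dport "${entry#*:}" -j ACCEPT ;;
      *)   printf 'skipping malformed %s entry (want ip:port): %s\n' "$1" "$entry" >&2
           failures=$((failures + 1)) ;;
    esac
  done
}

# Refuse early rather than flush and then fail on every rule as non-root.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "error: must be run as root (iptables needs CAP_NET_ADMIN)" >&2
  exit 1
fi

# 1. Start from an empty filter table: flush all chains, delete user-defined
#    chains, and keep INPUT at ACCEPT while the chain is rebuilt (see header).
ipt -F
ipt -X
ipt -P INPUT ACCEPT

# 2. Deny list - first, so it also cuts existing connections from those sources.
for ip in $deny_ip; do
  is_comment "$ip" && continue
  ipt -A INPUT -s "$ip" -j DROP
done

# 3-1. TCP packets with no flags set (NULL scan).
ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# 3-2. "New" connections that do not start with SYN (stealth scans, stray
#      ACK/FIN after a conntrack timeout). Despite the original label this is
#      not SYN-flood protection; that would need a rate limit on SYN.
#      "-m state" is the legacy alias of "-m conntrack --ctstate"; kept for
#      the older systems this script targets.
ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# 4. Replies to traffic the host already has state for, then loopback.
#    Loopback is matched on the interface rather than on source 127.0.0.1 so
#    that a spoofed 127.0.0.1 source on a real interface is not accepted and
#    so that local traffic to the host's own public address still works.
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT -i lo -j ACCEPT

# 5-1. Services open to every source (TCP).
for port in $all_open_port_tcp; do
  ipt -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
# 5-2. Services open to every source (UDP).
for port in $all_open_port_udp; do
  ipt -A INPUT -p udp -m udp --dport "$port" -j ACCEPT
done

# 6. Fully trusted sources: all ports, all protocols.
for ip in $all_open_ip; do
  is_comment "$ip" && continue
  ipt -A INPUT -s "$ip" -j ACCEPT
done

# 7. Per-source port grants.
add_ip_port_rules tcp "$open_ip_port_tcp"
add_ip_port_rules udp "$open_ip_port_udp"

# 8. Catch-all. Everything not accepted above is dropped, including all ICMP
#    (the host will not answer ping). ICMP errors tied to a tracked connection
#    should still pass as RELATED via rule 4. A separate "-p icmp -j DROP"
#    after this line could never match and has been removed.
ipt -A INPUT -j DROP

# 9. OUTPUT grants (no-ops unless OUTPUT policy is DROP; see header).
for port in $all_open_port_out_tcp; do
  ipt -A OUTPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
for port in $all_open_port_out_udp; do
  ipt -A OUTPUT -p udp -m udp --dport "$port" -j ACCEPT
done

# 10. Persist the live ruleset so it survives a reboot.
if ! service iptables save; then
  printf '%s\n' "warning: 'service iptables save' failed; rules are live but not persisted" >&2
  failures=$((failures + 1))
fi

if [ "$failures" -gt 0 ]; then
  printf 'warning: %d command(s) failed; review the output above\n' "$failures" >&2
  exit 1
fi
exit 0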

