Linux bash script executing multiple iptables chains
Tags: linux, shell, firewall, iptables, python-iptables

I am using the script below to apply iptables rules by filtering IPs from the whitelist.txt file. If there is more than one IP in the list, my iptables listing shows duplicated chains:
#!/bin/bash
# allowed ip file location
WHITELIST=/usr/src/firewall/whitelist.txt
#
## Specify where IP Tables is located
#
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
#
## Save current iptables running configuration in case we want to revert back
## To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#
$IPTABLES_SAVE > /usr/src/iptables.last
#
## Clear current rules
#
##If current INPUT policy is set to DROP we will be locked out once we flush the rules
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'
$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'
#Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
#
## Whitelist
#
for x in $(grep -v '^#' "$WHITELIST" | awk '{print $1}'); do
    echo "Permitting $x..."
    # $IPTABLES -A INPUT -s $x -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m tcp -s "$x" --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p udp -m udp -s "$x" --dport 5060 -j ACCEPT
done
# block all other traffic
$IPTABLES -A INPUT -p all -j DROP
#
## Save the rules so they are persistent on reboot.
#
/etc/init.d/iptables save
How do I avoid the duplicates, and what is wrong in the script?

Let me guess: your whitelist.txt contains two IPs, 192.168.1.125 and 192.168.1.1. You then set up three rules per IP, one for SSH, one for HTTP and one for SIP, except that you did not specify --source / -s for the SSH rule, so for every IP in the whitelist that rule is naturally identical to the one before it.

TL;DR: add a -s "$x" to the SSH rule and you are fine.

Extra tip: if you want to allow the whole private class C subnet, you can use the syntax -s 192.168.1.0/24 :-)
Cheers

What does whitelist.txt look like? Maybe you should move the non-source-qualified $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT line outside your for-each-source-address loop?

After entering the source address, thanks, it works great.....
firewall]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.1.125        0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  192.168.1.125        0.0.0.0/0            udp dpt:5060
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.1.1          0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  192.168.1.1          0.0.0.0/0            udp dpt:5060
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
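The listing above shows the symptom: the unrestricted `tcp dpt:22` rule is appended once per whitelist entry because it carries no `-s`. The following script is an added example, not the asker's script or either respondent's code. It applies the answer's fix (every rule inside the loop carries `-s "$x"`, so SSH is only reachable from whitelisted hosts), validates whitelist tokens before they reach iptables, and checks the generated rule set for duplicates before anything is applied. It assumes iptables at `/sbin/iptables` (override with `IPTABLES=...`); the two-host whitelist is constructed for the example and `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the question's script or either answer's code: build the INPUT
# rule set from a whitelist file so that each address yields exactly one rule per
# service, and check the generated set for duplicates before applying it.
# Assumes iptables at /sbin/iptables (override with IPTABLES=...). With DRY_RUN=1
# the commands are printed instead of executed.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit the first field of every non-comment, non-blank whitelist line, keeping only
# tokens that look like an IPv4 address or CIDR prefix. Anything else (a stray word,
# an inline comment) is dropped rather than handed to iptables as a -s argument.
read_whitelist() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Source-independent rules go once, outside the loop. Every rule inside the loop
# carries -s "$x" (including SSH, as the answer suggests), so two whitelist
# entries can never produce identical rules. If SSH must stay reachable from
# anywhere, move that line above the loop instead; a source-less rule inside the
# loop is what created the duplicates.
apply_rules() {
    whitelist="$1"
    run "$IPTABLES" -A INPUT -s 127.0.0.1 -j ACCEPT
    read_whitelist "$whitelist" | while read -r x; do
        run "$IPTABLES" -A INPUT -p tcp -m tcp -s "$x" --dport 22 -j ACCEPT
        run "$IPTABLES" -A INPUT -p tcp -m tcp -s "$x" --dport 80 -j ACCEPT
        run "$IPTABLES" -A INPUT -p udp -m udp -s "$x" --dport 5060 -j ACCEPT
    done
    run "$IPTABLES" -A INPUT -j DROP
}

# Print any line that occurs more than once on stdin. Feed it the DRY_RUN output
# before applying, or "iptables -S INPUT" afterwards, to catch repeated rules.
duplicate_rules() {
    sort | uniq -d
}

# Constructed sample whitelist (not the question's file): two hosts, a comment
# line, an inline comment and a blank line. Prints the temp file's path.
make_sample_whitelist() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample whitelist' '192.168.1.125' \
        '192.168.1.1   # gateway' '' > "$f"
    echo "$f"
}

# Usage: DRY_RUN=1 sh whitelist-rules.sh /usr/src/firewall/whitelist.txt   (preview)
#        sh whitelist-rules.sh /usr/src/firewall/whitelist.txt             (apply, as root)
if [ "$#" -gt 0 ]; then
    apply_rules "$1"
fi
```

Preview with `DRY_RUN=1` and pipe the output through `duplicate_rules` first; an empty result means no rule will be appended twice. On a live host the same check after applying is `iptables -S INPUT | sort | uniq -d`, which prints any rule that is present more than once in the chain.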