2007年5月17日星期四

iptables 防火墙实例

Deyou.Yang (yangdeyou@gmail.com) System Management
18 May 2007

脚本
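#!/bin/sh
#
# A simple firewall initialization script.
#
# Appends rules to the INPUT chain of the filter table in this order:
#   1. ACCEPT all traffic from every host/network in $PASSLIST
#   2. DROP   all traffic from every host/network in $STOPLIST
#   3. ACCEPT TCP to each port in $ALLOWPORT from anyone else
#   4. DROP   any remaining inbound TCP connection request (SYN)
# iptables takes the first matching rule, so an entry present in both lists
# is accepted, and stoplisted hosts are dropped before the port rules apply.
#
# List file format: one entry per line; the first whitespace-separated field
# is the address, network (CIDR) or hostname; lines beginning with '#' and
# blank lines are ignored.  Hostname entries are resolved once, when the rule
# is inserted, not per packet.
# Must be run as root.
PASSLIST=~/conf/passlist.txt
STOPLIST=~/conf/stoplist.txt
ALLOWPORT="22 80 443"   # plain ASCII quotes: curly quotes make this a syntax error

# Refuse to start if a list is unreadable.  Flushing the table and then
# processing an empty pass list would lock out the administrator's own hosts.
for f in "$PASSLIST" "$STOPLIST"; do
  if [ ! -r "$f" ]; then
    printf 'firewall: cannot read list file %s\n' "$f" >&2
    exit 1
  fi
done

# Drop all existing filter rules (chain policies are left as they are).
iptables -F

# First, run through $PASSLIST, accepting all traffic from
# the hosts and networks contained therein.
# read(1) splits on whitespace, so "entry" is the first field (like awk '$1');
# the "|| [ -n ... ]" clause still processes a last line without a newline.
while read -r entry rest || [ -n "$entry" ]; do
  case "$entry" in
    ''|'#'*) continue ;;   # blank or comment line
  esac
  printf 'Permitting %s...\n' "$entry"
  iptables -A INPUT -t filter -s "$entry" -j ACCEPT
done < "$PASSLIST"

# Now run through $STOPLIST, dropping all traffic from the
# hosts and networks contained therein.
while read -r entry rest || [ -n "$entry" ]; do
  case "$entry" in
    ''|'#'*) continue ;;
  esac
  printf 'Stopping %s...\n' "$entry"
  iptables -A INPUT -t filter -s "$entry" -j DROP
done < "$STOPLIST"

# Next, the permitted ports: what will we accept from
# hosts not appearing on the stoplist?
# $ALLOWPORT is deliberately unquoted so it splits into one port per word.
for port in $ALLOWPORT; do
  printf 'Accepting port %s ....\n' "$port"
  iptables -A INPUT -t filter -p tcp --dport "$port" -j ACCEPT
done

# Finally, unless it's mentioned above, and it's an inbound
# connection request, just drop it.
# Only TCP SYN packets are dropped here: UDP, ICMP and non-SYN TCP segments
# fall through to the INPUT chain's policy, which this script does not set.
# Verify the result with: iptables -L -n
iptables -A INPUT -t filter -p tcp --syn -j DROP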

受限列表
~/conf/stoplist.txt
1.2.3.4 # Portscanned on 8/12/07
7.8.9.0/24 # who knows what evil lurks therein
t1000.unix-center.net #
信任列表
~/conf/passlist.txt
11.22.33.44 # My workstation
208.201.239.0/26 # the local network

查看iptables列表
iptables -L
iptables -L -n
