
iptables_ubuntu_限制出入

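#!/bin/bash
#
# iptables_ubuntu_限制出入: reset the IPv4/IPv6 filter chains to a default-deny
# policy (INPUT, FORWARD and OUTPUT all DROP) and re-create the allow rules for
# loopback, trusted networks, DNS, the optional publicly opened TCP ports and
# the Docker user chain, then persist them with netfilter-persistent.
#
# Usage:    run as root, no arguments.
# Requires: /sbin/iptables, /sbin/ip6tables, iptables-save, ip6tables-save and
#           netfilter-persistent (package iptables-persistent); dig is optional.
#
# Before any chain is touched the current rule sets are written to
# ${IPT_BACKUP_DIR}/iptables.<timestamp> and ip6tables.<timestamp>, so a
# lockout can be undone from the console with `iptables-restore < FILE`.
set -euo pipefail

IPT='/sbin/iptables'
IPT6='/sbin/ip6tables'
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
IPT_BACKUP_DIR='/etc/sysconfig'
IPT_BACKUP_CONF="${IPT_BACKUP_DIR}/iptables.${TIMESTAMP}"
IPT6_BACKUP_CONF="${IPT_BACKUP_DIR}/ip6tables.${TIMESTAMP}"
SERV_SSH="22"   # referenced only by the commented-out SSH rule in apply_rules

# Hostnames whose resolved IPv4 addresses are appended to NET_TRUES_LIST.
# NOTE(review): trust here follows whatever the resolver answers, so a changed
# or spoofed DNS answer widens the allow list to full access; prefer pinned
# addresses where the peers are stable.
TRUSTED_HOSTS=(cip.cc oapi.dingtalk.com mirrors.cloud.aliyuncs.com)

# 内部网络 / 信任网络 — full access as source on INPUT/FORWARD and as
# destination on OUTPUT. One CIDR or address per line.
NET_TRUES_LIST=(
  127.0.0.1/8
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
)

## 对信任IP开放端口 (not used by any rule)
#NET_OPEN_PORT=(10069 10063)

# 对外全开端口 — TCP ports accepted from any source. Empty = nothing exposed.
NAT_OPEN_PORT=()

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# 检查用户是否为root,因为设置防火墙需要root权限
#######################################
require_root() {
  if [[ "$(id -u)" != "0" ]]; then
    echo "请以root用户身份运行此脚本。"
    exit 1
  fi
}

#######################################
# Abort before any chain is modified if a tool the script relies on is
# missing or ip6tables cannot be used, so a half-applied DROP policy is never
# left behind.
#######################################
require_tools() {
  [[ -x "$IPT" && -x "$IPT6" ]] || die "iptables is not support!"
  command -v iptables-save >/dev/null || die "iptables-save not found"
  command -v ip6tables-save >/dev/null || die "ip6tables-save not found"
  command -v netfilter-persistent >/dev/null \
    || die "netfilter-persistent not found: apt install iptables-persistent"
  # Probe ip6tables now rather than failing after the IPv4 chains are flushed.
  "$IPT6" -L -n >/dev/null 2>&1 || die "ip6tables cannot read the filter table"
}

#######################################
# Resolve TRUSTED_HOSTS and print one dotted-quad IPv4 address per line.
# Best-effort: prints nothing (with a warning) when dig is absent or fails,
# and keeps only well-formed A records so a stray CNAME or text line never
# becomes a firewall rule.
# Outputs: IPv4 addresses to stdout
#######################################
resolve_trusted_hosts() {
  local answers
  if ! command -v dig >/dev/null; then
    printf 'warn: dig not found, %s not added to trusted list\n' \
      "${TRUSTED_HOSTS[*]}" >&2
    return 0
  fi
  answers=$(dig +short "${TRUSTED_HOSTS[@]}" 2>/dev/null) || answers=""
  # grep returns 1 when nothing matches; that is not an error here.
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<<"$answers" || true
}

#######################################
# Dump the rule sets that are about to be replaced (IPv4 and IPv6).
# Runs before any flush so the files are a real rollback point; a failed
# dump aborts the script via set -e.
# Globals: IPT_BACKUP_DIR, IPT_BACKUP_CONF, IPT6_BACKUP_CONF
#######################################
backup_rules() {
  mkdir -p -- "$IPT_BACKUP_DIR"
  # 0600: the dumps list every trusted network.
  (
    umask 077
    iptables-save > "$IPT_BACKUP_CONF"
    ip6tables-save > "$IPT6_BACKUP_CONF"
  )
  printf 'backup written: %s %s (rollback: iptables-restore < FILE)\n' \
    "$IPT_BACKUP_CONF" "$IPT6_BACKUP_CONF"
}

#######################################
# 设置默认策略 then 清除现有规则,但保留Docker链.
# Policies are set to DROP before flushing so there is no moment where an
# empty chain with an ACCEPT policy lets everything through. Only the three
# built-in chains are flushed; chains Docker created stay intact.
#######################################
reset_chains() {
  local ipt chain
  for ipt in "$IPT" "$IPT6"; do
    for chain in INPUT FORWARD OUTPUT; do
      "$ipt" -P "$chain" DROP
    done
    for chain in INPUT FORWARD OUTPUT; do
      "$ipt" -F "$chain"
    done
  done
}

#######################################
# Append the allow rules. Everything not listed here is dropped by policy.
# Globals: IPT, IPT6, NET_TRUES_LIST, NAT_OPEN_PORT, SERV_SSH
#######################################
apply_rules() {
  local ip port

  ### 允许来自本地回环接口的流量
  "$IPT"  -A INPUT  -i lo -j ACCEPT
  "$IPT"  -A OUTPUT -o lo -j ACCEPT
  "$IPT6" -A INPUT  -i lo -j ACCEPT
  "$IPT6" -A OUTPUT -o lo -j ACCEPT
  # NOTE(review): nothing else is allowed over IPv6, not even ICMPv6, so
  # neighbour discovery cannot complete; fine only if the host does not use
  # IPv6 — confirm.

  ## 允许已建立的连接和相关连接 — left disabled by the author; each service
  ## below therefore needs explicit rules in both directions.
  #"$IPT" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  #"$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  #"$IPT" -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # SSH — no dedicated rule: port $SERV_SSH is reachable only from trusted
  # sources. Running this script over SSH from any other address cuts the
  # session; keep console access or a trusted-source session at hand.
  #"$IPT" -A INPUT -p tcp -m state --state NEW -m tcp --dport "$SERV_SSH" -j ACCEPT

  # 开放信任IP全部端口
  for ip in "${NET_TRUES_LIST[@]}"; do
    "$IPT" -A INPUT   -s "$ip" -j ACCEPT
    "$IPT" -A FORWARD -s "$ip" -j ACCEPT
    #"$IPT" -A FORWARD -d "$ip" -j ACCEPT
    "$IPT" -A OUTPUT  -d "$ip" -j ACCEPT
  done

  # 域名DNS解析
  # 允许出方向的 DNS 查询
  "$IPT" -A OUTPUT -p udp --dport 53 -j ACCEPT
  "$IPT" -A OUTPUT -p tcp --dport 53 -j ACCEPT
  # 允许入方向的 DNS 响应 — only replies to queries this host sent. A bare
  # `--sport 53 -j ACCEPT` would let any remote host reach any local port
  # simply by sending from source port 53.
  "$IPT" -A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

  # 开放外网全部端口
  if (( ${#NAT_OPEN_PORT[@]} > 0 )); then
    for port in "${NAT_OPEN_PORT[@]}"; do
      "$IPT" -A INPUT   -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
      "$IPT" -A FORWARD -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
      "$IPT" -A OUTPUT  -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
      # Replies of the accepted inbound connections leave with --sport "$port";
      # with OUTPUT/FORWARD DROP and no ESTABLISHED rule they would be dropped
      # and the port would be unreachable in practice.
      "$IPT" -A OUTPUT  -p tcp --sport "$port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
      "$IPT" -A FORWARD -p tcp --sport "$port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    done
  fi

  #ICMP
  #"$IPT" -A INPUT -p icmp -j ACCEPT

  # 保留Docker链的规则 — the jump only makes sense when Docker has created
  # the chain; without the guard iptables fails on a host without Docker.
  if "$IPT" -n -L DOCKER-USER >/dev/null 2>&1; then
    "$IPT" -A INPUT -j DOCKER-USER
  fi
}

#######################################
# 保存iptables规则
# ubuntu 使用netfilter-persistent 系统重启后恢复iptables(netfilter)规则的工具
#######################################
persist_rules() {
  netfilter-persistent save
}

main() {
  local addr
  require_root
  require_tools
  while IFS= read -r addr; do
    NET_TRUES_LIST+=("$addr")
  done < <(resolve_trusted_hosts)

  # 显示当前iptables规则
  "$IPT" -L -n --line-number
  echo "=============================================================="

  backup_rules
  reset_chains
  apply_rules
  persist_rules

  # 显示当前iptables规则
  "$IPT" -L -n --line-number
}

main "$@"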

Ubuntu iptables开机规则自动生效

# 安装工具
apt install iptables-persistent

# 注意上面的脚本
...
netfilter-persistent save
...

## 是为了保存当前设置的规则,放入iptables-persistent 这个工具服务启动生效的位置
> systemctl  status netfilter-persistent.service
● netfilter-persistent.service - netfilter persistent configuration
     Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/netfilter-persistent.service.d
             └─iptables.conf
     Active: active (exited) since Fri 2024-03-01 22:18:56 CST; 4 days ago
       Docs: man:netfilter-persistent(8)
   Main PID: 1875 (code=exited, status=0/SUCCESS)
        CPU: 13ms

3月 01 22:18:55 ai-gpu-server149 systemd[1]: Starting netfilter persistent configuration...
3月 01 22:18:55 ai-gpu-server149 netfilter-persistent[1885]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
3月 01 22:18:56 ai-gpu-server149 netfilter-persistent[1885]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
3月 01 22:18:56 ai-gpu-server149 systemd[1]: Finished netfilter persistent configuration.
本文由作者按照 CC BY 4.0 进行授权