iptables_ubuntu_限制域名
注意
iptables 规则按顺序匹配：排在前面的规则优先级越高。
依赖ip列表
# IP list files read by the firewall script (one address per line, see the script for how each list is used).
yunshu_vpn=/root/bin/yunshu_vpn.ip
default_domain=/root/bin/default_domain.ip
drop_ip=/root/bin/drop.ip
脚本
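#!/bin/bash
# Host firewall for an Ubuntu server.
#
# What it does, in order:
#   1. refresh two IP list files from DNS (merged with their previous
#      contents, de-duplicated);
#   2. flush INPUT/FORWARD/OUTPUT and set all three policies to DROP
#      (IPv4 and IPv6);
#   3. drop a blocked list, allow-list trusted networks, allow outbound
#      DNS / resolved domains / selected TCP ports / ICMP;
#   4. persist with netfilter-persistent and keep timestamped copies.
#
# Must run as root. Deliberately not run under `set -e`: aborting half
# way through would leave the DROP policies in place with a partial rule
# set, which is worse than reporting a failed rule and continuing.
# Critical steps are checked explicitly instead.

# Root is required to change netfilter state.
if [ "$(id -u)" != "0" ]; then
  echo "请以root用户身份运行此脚本。"
  exit 1
fi

# Tool paths and backup locations.
IPT='/sbin/iptables'
IPT6='/sbin/ip6tables'
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
IPT_BACKUP_DIR='/etc/sysconfig'
IPT_BACKUP_CONF=${IPT_BACKUP_DIR}/iptables.${TIMESTAMP}
# Only referenced by the commented-out SSH rule below; kept for that.
SERV_SSH="22"

# The rules use the absolute paths above, so check those rather than
# whatever `which iptables` would find on PATH.
if [ ! -x "$IPT" ] || [ ! -x "$IPT6" ]; then
  echo "iptables is not support!"
  exit 1
fi

# IP list files, one IPv4 address or CIDR per line.
yunshu_vpn="/root/bin/yunshu_vpn.ip"
default_domain="/root/bin/default_domain.ip"
drop_ip="/root/bin/drop.ip"

#######################################
# True if $1 looks like an IPv4 address with an optional /prefix.
# Entries that fail this are skipped with a warning instead of being
# handed to iptables (which would print an error and drop the rule).
# Arguments: $1 - list entry
# Returns:   0 if it matches, 1 otherwise
#######################################
is_ipv4_net() {
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]
}

#######################################
# Resolve the given domains and merge their A records into a list file.
# Existing entries are kept, so the file only grows; stale addresses
# have to be pruned by hand.
# Arguments: $1 - list file; remaining args - domain names
# Only dotted-quad answers are kept: CNAME targets, IPv6 answers and
# dig's own error text are filtered out (the rules are IPv4 only).
# Writes through mktemp rather than a fixed /tmp name so a pre-planted
# file or symlink cannot redirect a root-owned write.
# Returns:   0 on success, 1 if no temp file could be created
#######################################
merge_resolved_ips() {
  local list_file=$1
  shift
  local tmp
  tmp=$(mktemp) || { echo "mktemp failed, keeping ${list_file} unchanged" >&2; return 1; }
  if [ -f "$list_file" ]; then
    cat -- "$list_file" > "$tmp"
  fi
  dig +short "$@" | grep -E '^[0-9]+(\.[0-9]+){3}$' >> "$tmp"
  sort -u -- "$tmp" > "$list_file"
  rm -f -- "$tmp"
}

## Refresh the lists from DNS.
if command -v dig >/dev/null 2>&1; then
  merge_resolved_ips "$default_domain" cip.cc mirrors.cloud.aliyuncs.com aegis.alicdn.com
  merge_resolved_ips "$drop_ip" oapi.dingtalk.com
else
  echo "dig not found, IP lists not refreshed" >&2
fi

# Internal / trusted networks
YUNSHU_VPN="$( cat "${yunshu_vpn}" )"
# NOTE(review): YUNSHU_VPN is read but no rule below references it, so
# the VPN list currently has no effect. Confirm whether it belongs in
# NET_TRUES_LIST before adding it - that opens every port to those hosts.
DEFAULT_DOMAIN="$( cat "${default_domain}" )"
#OFFICE_IP="
#211.95.16.42/31
#211.95.16.44/31
#58.34.136.108/32
#"
#YUNSHU_CONN_IP="
#47.99.50.243/32
#47.99.89.203/32
#47.75.41.102/32
#"
ALIYUN_IP="
100.100.0.0/16
106.11.0.0/16
100.103.0.0/16
"
JUMP_SERV_IP="
120.***.***.19
"
## Internal company services
#OFFICE_SERV_IP="
#10.***.***.***
#"
# alertswebhook.xtadmins.com
ALERT_IP="
139.***.89.***
139.***.80.***
"
# Every port open in both directions for these networks.
NET_TRUES_LIST="
127.0.0.1/8
192.168.0.0/16
${ALIYUN_IP}
${JUMP_SERV_IP}
${ALERT_IP}
"
# Blocked: DingTalk QR-code endpoints (from drop.ip).
DINGTALK_IP="$( cat "${drop_ip}" )"
DROP_IP_LIST="
${DINGTALK_IP}
"
## Ports open to trusted IPs only (unused)
#NET_OPEN_PORT="
#10069
#10063
#"
# Outbound TCP ports open to any destination.
NAT_OPEN_PORT="
443
"

# Show the current rules and keep a copy of the pre-change rule set, so
# a bad run can be undone with `iptables-restore < FILE`.
${IPT} -L -n --line-number
echo "=============================================================================================="
mkdir -p "${IPT_BACKUP_DIR}"
iptables-save > "${IPT_BACKUP_CONF}.pre"

# Flush the built-in chains; user-defined chains (Docker's) are left.
# NOTE(review): -F FORWARD also removes the jumps Docker inserts there
# (DOCKER-USER, DOCKER-ISOLATION-*, DOCKER); Docker re-adds them only on
# restart. Confirm this is acceptable for containers on this host.
${IPT} -F INPUT
${IPT} -F FORWARD
${IPT} -F OUTPUT
${IPT6} -F INPUT
${IPT6} -F FORWARD
${IPT6} -F OUTPUT

# Default deny in every direction, IPv4 and IPv6.
${IPT} -P INPUT DROP
${IPT} -P FORWARD DROP
${IPT} -P OUTPUT DROP
${IPT6} -P INPUT DROP
${IPT6} -P FORWARD DROP
${IPT6} -P OUTPUT DROP

### Loopback
${IPT} -A INPUT -i lo -j ACCEPT
${IPT} -A OUTPUT -o lo -j ACCEPT
${IPT6} -A INPUT -i lo -j ACCEPT
${IPT6} -A OUTPUT -o lo -j ACCEPT

## Established and related connections. Replies to the outbound rules
## further down (DNS, HTTPS, ICMP) come back through these.
${IPT} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPT} -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPT} -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): ip6tables gets no ESTABLISHED,RELATED rule, so all
# non-loopback IPv6 traffic is dropped - confirm that is intended.

# Blocked addresses first, so they win over the allow-list below.
for ip in ${DROP_IP_LIST}; do
  if ! is_ipv4_net "$ip"; then
    echo "skipping invalid entry in drop list: ${ip}" >&2
    continue
  fi
  ${IPT} -A INPUT -s "$ip" -j DROP
  ${IPT} -A FORWARD -s "$ip" -j DROP
  ${IPT} -A OUTPUT -d "$ip" -j DROP
done

## SSH
#$IPT -A INPUT -p tcp -s 192.168.0.0/16 -m state --state NEW -m tcp --dport $SERV_SSH -j ACCEPT

# Trusted networks: all ports, both directions.
for ip in ${NET_TRUES_LIST}; do
  if ! is_ipv4_net "$ip"; then
    echo "skipping invalid entry in trust list: ${ip}" >&2
    continue
  fi
  ${IPT} -A INPUT -s "$ip" -j ACCEPT
  ${IPT} -A FORWARD -s "$ip" -j ACCEPT
  ${IPT} -A OUTPUT -d "$ip" -j ACCEPT
done

# Outbound DNS. Responses match the ESTABLISHED,RELATED rule above, so
# there is deliberately no `INPUT --sport 53 -j ACCEPT`: that would let
# any unsolicited packet sent from source port 53 past the DROP policy
# to every local service.
${IPT} -A OUTPUT -p udp --dport 53 -j ACCEPT
${IPT} -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Resolved domains: everything outbound.
for ip in ${DEFAULT_DOMAIN}; do
  if ! is_ipv4_net "$ip"; then
    echo "skipping invalid entry in domain list: ${ip}" >&2
    continue
  fi
  ${IPT} -A OUTPUT -d "$ip" -j ACCEPT
done

# Outbound TCP ports open to any destination.
for port in ${NAT_OPEN_PORT}; do
  #${IPT} -A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
  #${IPT} -A FORWARD -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT
  ${IPT} -A OUTPUT -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
done

# ICMP out; replies arrive via ESTABLISHED,RELATED.
${IPT} -A OUTPUT -p icmp -j ACCEPT

# Hand the remainder of INPUT to Docker's user chain when it exists;
# without the guard this line fails on hosts without Docker.
if ${IPT} -n -L DOCKER-USER >/dev/null 2>&1; then
  ${IPT} -A INPUT -j DOCKER-USER
fi

# Persist. netfilter-persistent restores the rules at boot on Ubuntu;
# the timestamped iptables-save copy is a manual rollback point.
if command -v netfilter-persistent >/dev/null 2>&1; then
  netfilter-persistent save
else
  echo "netfilter-persistent not found, rules will not survive a reboot" >&2
fi
iptables-save > "${IPT_BACKUP_CONF}"

# Show the resulting rules.
${IPT} -L -n --line-number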