bash脚本执行多个iptables链

时间:2015-04-07 11:56:09

标签: linux shell firewall iptables python-iptables

我使用以下脚本通过过滤iptables文件中的IP来应用whitelist.txt

如果列表中有多个IP,我的iptables会显示多个链:

#!/bin/bash

# allowed ip file location
WHITELIST=/usr/src/firewall/whitelist.txt
#
## Specify where IP Tables is located
#

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

#
## Save current iptables running configuration in case we want to revert back
##  To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#
$IPTABLES_SAVE > /usr/src/iptables.last
#
## Clear current rules
#
##If current INPUT policy is set to DROP we will be locked out once we flush the rules
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'

$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'

#Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT

#
## Whitelist
#

for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
echo "Permitting $x..."
# $IPTABLES -A INPUT -s $x -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -s "$x" --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s "$x" --dport 5060 -j ACCEPT
done

# block all other traffice

$IPTABLES -A INPUT -p all -j DROP
#
## Save the rules so they are persistent on reboot.
#
/etc/init.d/iptables save

我的iptables -L -n输出显示为

firewall]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  192.168.1.125        0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  192.168.1.125        0.0.0.0/0           udp dpt:5060
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  192.168.1.1          0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  192.168.1.1          0.0.0.0/0           udp dpt:5060
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

如何避免重复,该脚本中的错误......

1 个答案:

答案 0 :(得分:0)

我猜你的whitelist.txt包含两个IP:192.168.1.125和192.168.1.1?

然后你为每个IP设置三个规则,一个用于SSH,一个用于HTTP,一个用于SIP,只有你没有为SSH指定--source / -s,因此白名单中的任何IP都是如此,该规则将与之前的规则相同。

TL; DR :在SSH规则中添加-s "$x",您应该没问题。

额外提示:如果您想允许整个私有C类子网,您可以使用语法-s 192.168.1.0/24: - )

干杯,

相关问题
最新问题