Linux系统防火墙白名单策略
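#!/bin/bash
# Applies to: Linux servers
# OS version: CentOS Linux release 7.5.1804 (Core), x86_64 — tested
# Provided by: Engineering Technology Department (engineering service center)
#
# Host firewall whitelist policy. Flushes every iptables chain, re-adds the
# whitelist, the optional ICMP/SSH exceptions and the optional NAT rules, then
# persists the result to /etc/iptables.rules and hooks it into rc.local.
# Must run as root. Only iptables (IPv4) is touched — see the note at step 7.
BanBen="Tools Ver: 0.33-20240812"

# Abort unless the current user is root. Exit non-zero so a caller
# (cron, a deploy script) notices the failure instead of treating it as success.
if [[ "$(whoami)" == "root" ]]; then
  echo "Login Name: root"
else
  whoami
  echo "Login Root: user Error!"
  exit 1
fi

# 1. Hand-edited whitelist: only these addresses may reach the host
#    (e.g. NVR recorders, workstations, O&M workstations, regional algorithm hosts).
#    Do not put whole address pools from the fourth zone into WHITE_LIST: a
#    third-party scanning device that lands in the pool would pass the firewall
#    unfiltered and the policy would give no protection.
WHITE_LIST=(
  "26.74.117.22"
  "192.168.0.0/24"
  "192.168.1.0/24"
  "192.168.2.0/24"
  "127.0.0.1"
)

# 2. Hand-edited NAT settings: WangLuo 0 = off (default), 1 = on;
#    LanName is the internal NIC; WanIpdd is the public (WAN) address.
WangLuo="0"
LanName="enp125s0f4"
WanIpdd="26.74.117.15"

# Netmask / prefix-length reference table (for learning):
#   255.128.0.0/9     255.192.0.0/10    255.224.0.0/11    255.240.0.0/12    255.248.0.0/13
#   255.252.0.0/14    255.254.0.0/15    255.255.0.0/16    255.255.128.0/17  255.255.192.0/18
#   255.255.224.0/19  255.255.240.0/20  255.255.248.0/21  255.255.252.0/22  255.255.254.0/23
#   255.255.255.0/24  255.255.255.128/25  255.255.255.192/26  255.255.255.224/27  255.255.255.240/28
#   255.255.255.248/29  255.255.255.252/30  255.255.255.254/31  255.255.255.255/32

# 3. Clear the existing firewall policy.
#    NOTE: from this flush until the DROP appended in step 7 the INPUT chain
#    accepts everything; nothing interactive must sit between the two.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Replies to connections this host opened itself (DNS, NTP, yum, outbound SSH)
# must be let back in; without a state rule the DROP in step 7 discards them
# because their source is not in WHITE_LIST. Loopback is also accepted by
# interface, which covers local traffic whose source is the host's own
# non-127.0.0.1 address.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# 4. Add the whitelist rules in bulk.
echo "-----------------------------------"
for IP in "${WHITE_LIST[@]}"; do
  iptables -A INPUT -s "$IP" -j ACCEPT
  # iptables -A FORWARD -s "$IP" -j ACCEPT
  # iptables -A OUTPUT -d "$IP" -j ACCEPT
  printf 'IP Address: %s\n' "$IP"
done
echo "Restart iptables Server."

# 5. Ping restriction: Iping=1 (default) blocks ordinary pings from non-whitelisted
#    hosts; 0 lets any address ping.
Iping="1"
if [[ "$Iping" == "1" ]]; then
  # A non-whitelisted Windows host still gets through with
  # `ping 192.168.1.100 -l 35` (28-byte base packet + 35 = 63 bytes total);
  # whitelisted hosts ping freely via their step-4 rules. The size check is
  # obscurity, not authentication: any sender that knows it gets a reply.
  iptables -I INPUT -p icmp --icmp-type 8 -m length --length 63:63 -j ACCEPT
  iptables -I INPUT -p icmp --icmp-type 0 -j ACCEPT
  # iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
else
  # Accept every echo-request.
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
fi

# 6. SSH access: kfSSH=1 (default) opens SSH (22 and 10022) to any address;
#    0 leaves SSH reachable from whitelisted addresses only. Check WHITE_LIST
#    carefully before choosing 0 — a wrong list locks you out.
kfSSH="1"
echo "-----------------------------------"
if [[ "$kfSSH" == "1" ]]; then
  iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  iptables -I INPUT -p tcp --dport 10022 -j ACCEPT
  echo "Port State: Postlist TCP Open."
else
  echo "Port State: Postlist TCP/UDP 1-65535 Close."
fi
echo "-----------------------------------"

# 7. Drop everything else inbound. The INPUT policy stays ACCEPT and the DROP is
#    an appended rule, so a later manual `iptables -F` leaves the host wide open.
#    NOTE: only IPv4 is filtered here; if IPv6 is enabled on the host, ip6tables
#    carries no restrictions at all.
iptables -A INPUT -j DROP
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# 8. NAT routing. `sysctl -p` reloads /etc/sysctl.conf, so it runs first and the
#    explicit ip_forward value is written afterwards; writing /proc before -p let
#    a conflicting net.ipv4.ip_forward entry in sysctl.conf revert the value.
if [[ "$WangLuo" == "1" ]]; then
  sysctl -p
  echo 1 > /proc/sys/net/ipv4/ip_forward
  #service netwrork restart
  iptables -A FORWARD -i "$LanName" -j ACCEPT
  # No -o restriction: every forwarded packet is SNATed, not only WAN-bound ones.
  iptables -t nat -A POSTROUTING -j SNAT --to-source "$WanIpdd"
  echo "Linux NAT Enabled"
else
  sysctl -p
  echo 0 > /proc/sys/net/ipv4/ip_forward
  #sed -i '3c\net.ipv4.ip_forward=0' /etc/sysctl.conf
  #cat /etc/sysctl.conf | grep "net.ipv4.ip_forward"
  echo "Linux NAT Disabled"
fi
echo "-----------------------------------"

# 9. Persist the rules and restore them at boot via rc.local.
iptables-save > /etc/iptables.rules
# Overwrites line 2 of rc.local unconditionally — assumes that line is part of
# the stock comment header; check before running on a customised rc.local.
sed -i '2c\iptables-restore < /etc/iptables.rules' /etc/rc.d/rc.local
# To locate the iptables binary: which iptables -> /sbin/iptables
chmod +x /etc/rc.d/rc.local
echo "Auto Runing /etc/rc.d/rc.local"
cat /etc/redhat-release
iptables -V
printf '%s\n' "$BanBen"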
ping 192.168.0.12 -l 35 才能通过,防止陌生地址Ping本机,默认10022与22端口开放,其它不是白名单的地址禁止访问!