Execute the command `apropos iptables` to find manual pages related to iptables.
root:notfound/ # apropos iptables
ip6tables-save (8) - dump iptables rules to stdout
iptables (8) - administration tool for IPv4/IPv6 packet filtering and NAT
iptables-extensions (8) - list of extensions in the standard iptables distribution
iptables-restore (8) - Restore IP Tables
iptables-save (8) - dump iptables rules to stdout
iptables-xml (1) - Convert iptables-save format to XML
If you are interested in iptables, you can type `man iptables` for more details.
IPTABLES(8) iptables 1.4.21 IPTABLES(8)
NAME
iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT
......
......
root:not/ # ls -l /lib/modules/`uname -r`/kernel/net/netfilter/
root:not/ # ls -l /lib/iptables/
root:not/ # cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.4.21 on Thu Apr 30 13:58:26 2015
# Only the filter table is present in this dump; no nat or mangle rules.
*filter
# Default policy of all three built-in chains is DROP: any packet not
# matched by an ACCEPT rule below is dropped. Bracketed values are the
# saved [packets:bytes] counters.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:524]
# Inbound ICMP echo-reply (type 0) is accepted from any source.
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# Inbound replies to the outbound connections allowed further down.
# Each rule matches the remote *source* port AND conntrack state
# RELATED,ESTABLISHED (deliberately without NEW), so an unsolicited
# packet that merely carries sport 80/53/22/... is still dropped.
-A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 8080 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 1194 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 23456 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 6667 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Local-only TCP services on ports 5432 and 55552: both endpoints are
# pinned to 127.0.0.1, in both directions. There is no general `-i lo`
# ACCEPT rule, so any other loopback traffic falls through to DROP.
-A INPUT -p tcp -m tcp --dport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Outbound ICMP echo-request (type 8) is accepted to any destination.
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Outbound connections: NEW is allowed here (this host initiates), and the
# INPUT rules above admit only the RELATED,ESTABLISHED return traffic.
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1194 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23456 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Loopback-only TCP services (see the matching INPUT rules above).
-A OUTPUT -p tcp -m tcp --sport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5432 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 55552 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
COMMIT
# Completed on Thu Apr 30 13:58:26 2015
lab:~/ $ cat ~/sectools/linux/iptables_client.sh
#!/bin/bash
#
# configuration iptables
# ///////////////////////////////////////////////////////////
# Author: nixawk
# Webpage: http://blog.csdn.net/nixawk
# Date: Dec 9 05:59:16 EST 2014
# ///////////////////////////////////////////////////////////
# ============================================================
# Initialize all settings (iptables, srcip, dstip, and so on)
# ============================================================
# Check current user permision.
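# Refuse to continue unless running as root: every iptables call below
# needs CAP_NET_ADMIN. The original only printed this warning and went on,
# so each later iptables invocation would fail one by one.
if [[ "$UID" -ne 0 ]]; then
  echo "[-] Must be root to execute it." >&2
  exit 1
fi

# Locate the iptables binary. `command -v` is the portable replacement for
# `which` and prints nothing (so -x fails) when the tool is absent.
IPTSBIN="$(command -v iptables)"
INTERFACE="eth0"
if [[ -n "$IPTSBIN" && -x "$IPTSBIN" ]]; then
  echo "$IPTSBIN"
else
  echo "[-] could not find iptables" >&2
  exit 1
fi

# Source address for the generated rules: the first IPv4 address on
# $INTERFACE. awk stops after the first match so a multi-homed interface
# cannot yield a multi-line SRCIP that would corrupt every rule built from it.
# (The original used curly quotes around the awk program, which do not parse.)
SRCIP="$(ip addr show "$INTERFACE" | awk '/inet / { split($2, a, "/"); print a[1]; exit }')"
if [[ -z "$SRCIP" ]]; then
  echo "[-] no IPv4 address found on $INTERFACE" >&2
  exit 1
fi

# Destination address for the generated rules: anywhere.
DSTIP="0.0.0.0/0"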
#
# ============================================================
# set default filter policy to [DROP]
# ============================================================
#######################################
# Switch the default policy of the filter table's built-in chains to DROP.
# Globals:   IPTSBIN (read)
# Arguments: none
# Outputs:   one status line to stdout
#######################################
filter_default_policy() {
  local chain
  echo "[+] iptable filter: from [ACCEPT] to [DROP]"
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTSBIN" -t filter -P "$chain" DROP
  done
}
#
# ============================================================
# TCP Filter (data outside or inside)
# ============================================================
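#######################################
# Allow outbound TCP from SRCIP to DSTIP on each given destination port.
# Globals:   IPTSBIN, SRCIP, DSTIP (read)
# Arguments: one or more destination ports
# Outputs:   echoes each rule to stdout before applying it; failures to stderr
#######################################
filter_tcp_out() {
  local proto="tcp"   # lowercase, consistent with filter_tcp_in/filter_udp_*
  local port
  local -a rule
  echo "[+] ----> filter $proto outside"
  for port in "$@"; do
    [[ -n "$port" ]] || continue
    # Build the command as an array and run it directly. The original put
    # an unquoted string inside backticks, which word-split the rule and
    # then tried to execute iptables' own output as a command.
    rule=("$IPTSBIN" -t filter -A OUTPUT --proto "$proto" --source "$SRCIP" --destination "$DSTIP" --destination-port "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT)
    echo "${rule[*]}"
    "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
  done
}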
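#######################################
# Allow inbound TCP replies from DSTIP to SRCIP for each given remote
# source port. Only conntrack states ESTABLISHED,RELATED are accepted:
# the original also listed NEW, which let any unsolicited inbound
# connection through as long as the remote chose one of these source
# ports. This matches filter_udp_in.
# Globals:   IPTSBIN, SRCIP, DSTIP (read)
# Arguments: one or more remote source ports
# Outputs:   echoes each rule to stdout before applying it; failures to stderr
#######################################
filter_tcp_in() {
  local proto="tcp"
  local port
  local -a rule
  echo "[+] ----> filter $proto inside"
  for port in "$@"; do
    [[ -n "$port" ]] || continue
    # Array + direct execution instead of backtick-expanding a string.
    rule=("$IPTSBIN" -t filter -A INPUT --proto "$proto" --source "$DSTIP" --destination "$SRCIP" --source-port "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT)
    echo "${rule[*]}"
    "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
  done
}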
#
# ===========================================================
# UDP Filter (UDP data outside or inside)
# ===========================================================
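#######################################
# Allow outbound UDP from SRCIP to DSTIP on each given destination port.
# Globals:   IPTSBIN, SRCIP, DSTIP (read)
# Arguments: one or more destination ports
# Outputs:   echoes each rule to stdout before applying it; failures to stderr
#######################################
filter_udp_out() {
  local proto="udp"
  local port
  local -a rule
  echo "[+] ----> filter $proto outside "
  for port in "$@"; do
    [[ -n "$port" ]] || continue
    # Run the command directly rather than piping the string through
    # `bash -x`, which re-parsed it as shell syntax (so any metacharacter
    # in a port argument or in the iptables path would be interpreted).
    rule=("$IPTSBIN" -t filter -A OUTPUT --proto "$proto" --source "$SRCIP" --destination "$DSTIP" --destination-port "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT)
    echo "${rule[*]}"
    "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
  done
}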
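#######################################
# Allow inbound UDP replies from DSTIP to SRCIP for each given remote
# source port, restricted to conntrack states ESTABLISHED,RELATED.
# Globals:   IPTSBIN, SRCIP, DSTIP (read)
# Arguments: one or more remote source ports
# Outputs:   echoes each rule to stdout before applying it; failures to stderr
#######################################
filter_udp_in() {
  local proto="udp"
  local port
  local -a rule
  echo "[+] ----> filter $proto inside "
  for port in "$@"; do
    [[ -n "$port" ]] || continue
    # Direct execution instead of `echo ... | bash -x` (see filter_udp_out).
    rule=("$IPTSBIN" -t filter -A INPUT --proto "$proto" --source "$DSTIP" --destination "$SRCIP" --source-port "$port" -m state --state ESTABLISHED,RELATED -j ACCEPT)
    echo "${rule[*]}"
    "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
  done
}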
#
# ===========================================================
# ICMP Filter
# ===========================================================
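#######################################
# Allow outbound ICMP echo-request from SRCIP to DSTIP (lets this host ping).
# Globals:   IPTSBIN, SRCIP, DSTIP (read)
# Arguments: none
# Outputs:   echoes the rule to stdout before applying it; failures to stderr
#######################################
filter_icmp_out() {
  local proto="icmp"
  local -a rule
  echo "[+] ----> filter $proto outside"
  # ACCEPT outgoing echo-request. (The original comment said "DROP ICMP
  # REPLY", which did not describe the rule.) Executed directly instead
  # of via `echo ... | bash -x`.
  rule=("$IPTSBIN" -t filter -A OUTPUT --proto "$proto" --source "$SRCIP" --destination "$DSTIP" --icmp-type echo-request -j ACCEPT)
  echo "${rule[*]}"
  "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
}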
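#######################################
# Allow inbound ICMP echo-reply from DSTIP to SRCIP (answers to our pings).
# Inbound echo-request is NOT accepted, so this host does not answer pings.
# Globals:   IPTSBIN, SRCIP, DSTIP (read)
# Arguments: none
# Outputs:   echoes the rule to stdout before applying it; failures to stderr
#######################################
filter_icmp_in() {
  local proto="icmp"
  local -a rule
  echo "[+] ----> filter $proto inside"
  # ACCEPT incoming echo-reply. (The original comment said "ALLOW ICMP
  # REQUEST", which did not describe the rule.) Executed directly instead
  # of via `echo ... | bash -x`.
  rule=("$IPTSBIN" -t filter -A INPUT --proto "$proto" --source "$DSTIP" --destination "$SRCIP" --icmp-type echo-reply -j ACCEPT)
  echo "${rule[*]}"
  "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
}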
#
# ============================================================
# Flush IPTABLES Rules
# ============================================================
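#######################################
# Reset the filter table: policies back to ACCEPT, then flush all rules.
# Policies are reset first so the host is never left with DROP defaults
# and an empty rule set (which would cut off the session running this).
# Globals:   IPTSBIN (read)
# Arguments: none
# Outputs:   echoes the flush command to stdout; failures to stderr
#######################################
flush_rules() {
  local chain
  local -a rule
  for chain in INPUT OUTPUT FORWARD; do
    # The original spelled the third chain "FORWARDD", so that -P call
    # failed and FORWARD kept whatever policy it had.
    "$IPTSBIN" -t filter -P "$chain" ACCEPT || echo "[-] failed: -P $chain ACCEPT" >&2
  done
  rule=("$IPTSBIN" -t filter -F)
  echo "${rule[*]}"
  "${rule[@]}" || echo "[-] failed: ${rule[*]}" >&2
}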
#
# ============================================================
# List IPTABLES Rules
# ============================================================
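#######################################
# Print the current filter-table rules with counters, numerically.
# Globals:   IPTSBIN (read)
# Arguments: none
# Outputs:   iptables' listing on stdout
#######################################
list_rules() {
  # Invoke iptables directly; the original piped the command string
  # through `bash -x`, which re-parsed it as shell syntax.
  "$IPTSBIN" -L -n -v
}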
#
# =============================
# Main
# +============================
# Ports this client may talk to; the inbound functions receive the same
# lists so replies for exactly these services are let back in.
readonly -a TCP_PORTS=(25 80 110 443 8080)
readonly -a UDP_PORTS=(53)

flush_rules            # start from an empty filter table with ACCEPT policies
filter_default_policy  # then switch INPUT/OUTPUT/FORWARD to DROP

# TCP: outbound to the listed destination ports, inbound replies from them.
filter_tcp_out "${TCP_PORTS[@]}"
filter_tcp_in "${TCP_PORTS[@]}"

# UDP: same pattern for the listed ports.
filter_udp_out "${UDP_PORTS[@]}"
filter_udp_in "${UDP_PORTS[@]}"

# ICMP: outbound echo-request, inbound echo-reply.
filter_icmp_out
filter_icmp_in

list_rules   # show the resulting ruleset
原文地址:http://blog.csdn.net/nixawk/article/details/45915725