iptables
efrit
2007. 3. 15. 21:58
--현재 상황--
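#!/bin/bash
# NAT gateway firewall. eth0 is the external interface, eth1 the LAN side.
# The script: resets the filter AND nat tables, sets chain policies,
# drops every source listed in the blocklist file, allows a fixed set of
# hosts and service ports on INPUT, masquerades LAN traffic out of eth0
# and forwards a few TCP/UDP ports to 192.168.0.101.
#
# Requires root, /sbin/iptables, ifconfig and the blocklist file.
#
# NOTE(review): the INPUT policy line is kept commented out exactly as the
# original had it, so the INPUT policy stays whatever the kernel currently
# has (-F flushes rules, not policies). Until it is set to DROP, the host is
# only protected by the explicit DROP rules built from the blocklist.
set -u

iptables="/sbin/iptables"
blocklist="/home/list/ip.list"

# First IPv4 address of eth0, parsed from the old "inet addr:x.x.x.x"
# ifconfig layout (that is what the awk -F: split relies on).
out_ip=$(ifconfig eth0 | grep inet | head -1 | awk -F: '{print $2}' | awk '{print $1}')
if [[ -z "$out_ip" ]]; then
  # An empty value would turn "-d $out_ip" into a malformed rule, so the
  # service ACCEPT rules below would silently not be installed.
  printf 'cannot determine the eth0 address, aborting\n' >&2
  exit 1
fi

############## reset ##############
# The original only flushed the filter table; every rerun therefore appended
# a duplicate set of PREROUTING/POSTROUTING rules to the nat table.
"$iptables" -F
"$iptables" -X
"$iptables" -Z
"$iptables" -t nat -F
"$iptables" -t nat -X
"$iptables" -t nat -Z

############## default policies ##############
#"$iptables" -P INPUT DROP
"$iptables" -P FORWARD DROP
"$iptables" -P OUTPUT ACCEPT

############## blocked sources (must precede every ACCEPT) ##############
# Appending these after the ACCEPT rules, as the original did, let a listed
# host reach all the service ports because the earlier ACCEPT matched first.
if [[ -r "$blocklist" ]]; then
  # One address per line; the first field is used so a trailing comment on
  # the same line does not end up as an extra, broken iptables invocation.
  while read -r ip _ || [[ -n "$ip" ]]; do
    [[ -z "$ip" || "$ip" == \#* ]] && continue
    "$iptables" -A INPUT -s "$ip" -j DROP
  done < "$blocklist"
else
  # Best effort, as in the original (a missing file simply dropped nothing).
  printf 'warning: blocklist %s not readable, no sources blocked\n' "$blocklist" >&2
fi

############## allowed hosts ##############
"$iptables" -A INPUT -s 192.168.0.100 -j ACCEPT
"$iptables" -A INPUT -s 192.168.0.101 -j ACCEPT
"$iptables" -A INPUT -s 222.108.25.249 -j ACCEPT

############## allowed service ports ##############
"$iptables" -A INPUT -p tcp -m multiport -s 0.0.0.0/0 -d "$out_ip" --dport 20,21,53,80,9000,443 -j ACCEPT
# Redundant while the OUTPUT policy is ACCEPT, kept as in the original.
"$iptables" -A OUTPUT -p tcp -m multiport -s "$out_ip" -d 0.0.0.0/0 --dport 20,21,53,80,9000,443 -j ACCEPT
#"$iptables" -A INPUT -p udp -m multiport -s 0.0.0.0/0 -d "$out_ip" --dport 161

############## MASQUERADING ##############
"$iptables" -A FORWARD -i eth1 -o eth0 -j ACCEPT
"$iptables" -A FORWARD -i eth0 -o eth1 -j ACCEPT
"$iptables" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#"$iptables" -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE

############## PORT forwarding ##############
"$iptables" -t nat -A PREROUTING -p tcp --dport 4661 -j DNAT --to 192.168.0.101:4661
"$iptables" -t nat -A PREROUTING -p tcp --dport 4662 -j DNAT --to 192.168.0.101:4662
"$iptables" -t nat -A PREROUTING -p udp --dport 4672 -j DNAT --to 192.168.0.101:4672
#"$iptables" -t nat -A PREROUTING -p udp --dport 4665 -j DNAT --to 192.168.0.100:4665

############## intr.list (disabled) ##############
# Harvests source addresses of failed logins from /var/log/secure into the
# blocklist. Left disabled as in the original; if enabled, dedupe with
# "sort -u" rather than "uniq" (uniq only collapses adjacent duplicates).
#grep Fail /var/log/secure | awk '{print $11}' | grep '^[0-9]' | uniq >> /root/list/list.imsi
#while read -r ip _; do
#  grep -qF -- "$ip" /root/list/ip.list || printf '%s\n' "$ip" >> /root/list/ip.list
#done < /root/list/list.imsi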
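#!/bin/bash
# NAT gateway firewall. eth0 is the external interface, eth1 the LAN side.
# The script: resets the filter AND nat tables, sets chain policies,
# drops every source listed in the blocklist file, allows a fixed set of
# hosts and service ports on INPUT, masquerades LAN traffic out of eth0
# and forwards a few TCP/UDP ports to 192.168.0.101.
#
# Requires root, /sbin/iptables, ifconfig and the blocklist file.
#
# NOTE(review): the INPUT policy line is kept commented out exactly as the
# original had it, so the INPUT policy stays whatever the kernel currently
# has (-F flushes rules, not policies). Until it is set to DROP, the host is
# only protected by the explicit DROP rules built from the blocklist.
set -u

iptables="/sbin/iptables"
blocklist="/home/list/ip.list"

# First IPv4 address of eth0, parsed from the old "inet addr:x.x.x.x"
# ifconfig layout (that is what the awk -F: split relies on).
out_ip=$(ifconfig eth0 | grep inet | head -1 | awk -F: '{print $2}' | awk '{print $1}')
if [[ -z "$out_ip" ]]; then
  # An empty value would turn "-d $out_ip" into a malformed rule, so the
  # service ACCEPT rules below would silently not be installed.
  printf 'cannot determine the eth0 address, aborting\n' >&2
  exit 1
fi

############## reset ##############
# The original only flushed the filter table; every rerun therefore appended
# a duplicate set of PREROUTING/POSTROUTING rules to the nat table.
"$iptables" -F
"$iptables" -X
"$iptables" -Z
"$iptables" -t nat -F
"$iptables" -t nat -X
"$iptables" -t nat -Z

############## default policies ##############
#"$iptables" -P INPUT DROP
"$iptables" -P FORWARD DROP
"$iptables" -P OUTPUT ACCEPT

############## blocked sources (must precede every ACCEPT) ##############
# Appending these after the ACCEPT rules, as the original did, let a listed
# host reach all the service ports because the earlier ACCEPT matched first.
if [[ -r "$blocklist" ]]; then
  # One address per line; the first field is used so a trailing comment on
  # the same line does not end up as an extra, broken iptables invocation.
  while read -r ip _ || [[ -n "$ip" ]]; do
    [[ -z "$ip" || "$ip" == \#* ]] && continue
    "$iptables" -A INPUT -s "$ip" -j DROP
  done < "$blocklist"
else
  # Best effort, as in the original (a missing file simply dropped nothing).
  printf 'warning: blocklist %s not readable, no sources blocked\n' "$blocklist" >&2
fi

############## allowed hosts ##############
"$iptables" -A INPUT -s 192.168.0.100 -j ACCEPT
"$iptables" -A INPUT -s 192.168.0.101 -j ACCEPT
"$iptables" -A INPUT -s 222.108.25.249 -j ACCEPT

############## allowed service ports ##############
"$iptables" -A INPUT -p tcp -m multiport -s 0.0.0.0/0 -d "$out_ip" --dport 20,21,53,80,9000,443 -j ACCEPT
# Redundant while the OUTPUT policy is ACCEPT, kept as in the original.
"$iptables" -A OUTPUT -p tcp -m multiport -s "$out_ip" -d 0.0.0.0/0 --dport 20,21,53,80,9000,443 -j ACCEPT
#"$iptables" -A INPUT -p udp -m multiport -s 0.0.0.0/0 -d "$out_ip" --dport 161

############## MASQUERADING ##############
"$iptables" -A FORWARD -i eth1 -o eth0 -j ACCEPT
"$iptables" -A FORWARD -i eth0 -o eth1 -j ACCEPT
"$iptables" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#"$iptables" -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -j MASQUERADE

############## PORT forwarding ##############
"$iptables" -t nat -A PREROUTING -p tcp --dport 4661 -j DNAT --to 192.168.0.101:4661
"$iptables" -t nat -A PREROUTING -p tcp --dport 4662 -j DNAT --to 192.168.0.101:4662
"$iptables" -t nat -A PREROUTING -p udp --dport 4672 -j DNAT --to 192.168.0.101:4672
#"$iptables" -t nat -A PREROUTING -p udp --dport 4665 -j DNAT --to 192.168.0.100:4665

############## intr.list (disabled) ##############
# Harvests source addresses of failed logins from /var/log/secure into the
# blocklist. Left disabled as in the original; if enabled, dedupe with
# "sort -u" rather than "uniq" (uniq only collapses adjacent duplicates).
#grep Fail /var/log/secure | awk '{print $11}' | grep '^[0-9]' | uniq >> /root/list/list.imsi
#while read -r ip _; do
#  grep -qF -- "$ip" /root/list/ip.list || printf '%s\n' "$ip" >> /root/list/ip.list
#done < /root/list/list.imsi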