CentOS iptables firewall configuration of a key
CentOS iptables firewall configuration of a key
Configuring iptables by hand on several VPS hosts is too tedious. I saw a script that configures the iptables firewall automatically in Zhu brother's LNMP package, borrowed it and changed it a bit; here it is for anyone who needs it.
Only the common ports are configured; if you have special needs, simply add or remove the corresponding port rules yourself.
How to use:
wget -c http://ph4ntasy.googlecode.com/files/iptables.sh
chmod +x iptables.sh
./iptables.sh
Enable iptables at startup:
chkconfig --level 345 iptables on
Complete shell script:
#!/bin/bash
# Pin the search path so the privileged commands below (iptables, service) are
# resolved from system directories rather than whatever PATH the caller had.
# NOTE(review): the trailing ~/bin entry is the invoking user's home directory;
# it is not needed by this script and is an odd place for a root script to look.
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
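#######################################
# Abort unless the host identifies itself as CentOS.
# The rest of the script relies on CentOS-specific tooling
# ("service iptables save/restart", chkconfig), so it refuses to run elsewhere.
# Checks /etc/issue as the original did, plus the release files, because
# newer CentOS versions no longer put the distribution name in /etc/issue.
# Globals:   none
# Arguments: none
# Outputs:   error message to stdout on unsupported systems
# Returns:   0 on CentOS; exits the script with status 1 otherwise
#######################################
function support_distro(){
  if ! grep -qi "centos" /etc/issue /etc/centos-release /etc/redhat-release 2>/dev/null; then
    echo "Sorry,iptables script only support centos system now."
    exit 1
  fi
}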
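support_distro
echo "============================iptables configure============================================"
# Created by Centos.bz Modified by ph4ntasy.com
# Only support CentOS system
# Detect the SSH port so the DROP policy applied later does not lock out the
# session running this script. Only the first "Port" directive is honoured
# (sshd may list several; the others will not be opened). A missing or
# non-numeric value falls back to 22 rather than producing a malformed rule.
sshdport=$(awk '$1 == "Port" { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null)
if ! [[ "$sshdport" =~ ^[0-9]+$ ]]; then
  sshdport=22
fi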
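# Obtain the first two resolver addresses; they are used below to whitelist
# outbound DNS. Only lines whose first field is "nameserver" count, so
# commented-out entries are ignored. Both variables are empty when
# /etc/resolv.conf is missing or has fewer entries.
nameserver1=""
nameserver2=""
if [ -s /etc/resolv.conf ]; then
  nameserver1=$(awk '$1 == "nameserver" && ++n == 1 { print $2; exit }' /etc/resolv.conf)
  nameserver2=$(awk '$1 == "nameserver" && ++n == 2 { print $2; exit }' /etc/resolv.conf)
fi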
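IPT="/sbin/iptables"
# Reset the ruleset: flush rules first, then delete user-defined chains
# (--delete-chain refuses to remove a chain that a rule still references,
# so it must run after --flush).
"$IPT" --flush
"$IPT" --delete-chain
# Default policies: drop inbound and forwarded traffic, allow outbound.
# NOTE: INPUT becomes DROP before the ESTABLISHED rule below exists; TCP
# retransmits carry the live SSH session over the gap, but if the script
# stops between here and the SSH rule the host is locked out (fail-closed).
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT
# Loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
# Packets belonging to established or related connections
# ("-m state" is the older match syntax the target CentOS releases ship with).
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Cap one source IP at 10 concurrent connections to port 80. Inserted at the
# top of INPUT so it is evaluated before the port-80 ACCEPT. Needs the
# connlimit match; if the kernel lacks it this command fails and, with no
# "set -e", the script simply continues without the limit.
"$IPT" -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
# Service ports: 80 (HTTP), 873 (rsync), 443 (HTTPS), 20/21 (FTP), 25 (SMTP).
for port in 80 873 443 20 21 25; do
  "$IPT" -A INPUT -p tcp -m tcp --dport "$port" -j ACCEPT
done
# SSH on the port detected from sshd_config (22 when none is configured).
"$IPT" -A INPUT -p tcp -m tcp --dport "$sshdport" -j ACCEPT
# ICMP: echo-request (8) so the host answers ping; time-exceeded (11) so
# traceroute and path-MTU discovery keep working.
"$IPT" -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
"$IPT" -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Outbound DNS to the resolvers from /etc/resolv.conf. Redundant while the
# OUTPUT policy is ACCEPT, but kept so these queries still work if OUTPUT
# is later tightened to DROP.
if [ -n "$nameserver1" ]; then
  "$IPT" -A OUTPUT -p udp -m udp -d "$nameserver1" --dport 53 -j ACCEPT
fi
if [ -n "$nameserver2" ]; then
  "$IPT" -A OUTPUT -p udp -m udp -d "$nameserver2" --dport 53 -j ACCEPT
fi
# Persist the ruleset and reload it so what runs is exactly what was saved.
service iptables save
service iptables restart
echo "============================iptables configure completed============================================"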