
bash script executes multiple iptables chains

I am using the following script to apply iptables rules by filtering the IPs in the whitelist.txt file.

If there are multiple IPs in the list, iptables shows multiple chains:

#!/bin/bash

# Location of the allowed-IP (whitelist) file: one address per line, lines starting with # are comments
WHITELIST=/usr/src/firewall/whitelist.txt
#
## Specify where iptables is located
#

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

#
## Save the current running iptables configuration in case we want to revert
## To restore using this example, run "/sbin/iptables-restore < /usr/src/iptables.last"
#
$IPTABLES_SAVE > /usr/src/iptables.last
#
## Clear current rules
#
## If the current INPUT policy is set to DROP we would be locked out once we flush the rules,
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'

$IPTABLES -F          # flush all rules in the filter table
echo 'Clearing Tables F'
$IPTABLES -X          # delete all user-defined chains
echo 'Clearing Tables X'
$IPTABLES -Z          # zero the packet and byte counters
echo 'Clearing Tables Z'

# Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT

#
## Whitelist: append one set of rules for every address in the file (comment lines are skipped)
#

for x in $(grep -v '^#' "$WHITELIST" | awk '{print $1}'); do
echo "Permitting $x..."
# $IPTABLES -A INPUT -s "$x" -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -s "$x" --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s "$x" --dport 5060 -j ACCEPT
done

# Block all other traffic

$IPTABLES -A INPUT -p all -j DROP
#
## Save the rules so they are persistent across reboots.
#
/etc/init.d/iptables save

My iptables -L -n output shows:

firewall]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  192.168.1.125        0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  192.168.1.125        0.0.0.0/0           udp dpt:5060
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  192.168.1.1          0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  192.168.1.1          0.0.0.0/0           udp dpt:5060
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

How can I avoid the duplication, and what is wrong with the script?

Let me guess: your whitelist.txt contains two IPs, 192.168.1.125 and 192.168.1.1?!

Then three rules are set up for each IP, one for SSH, one for HTTP and one for SIP, except that you did not specify --source / -s for SSH, so for every IP in the whitelist that rule is naturally identical to the previous one.

TL;DR: add -s "$x" to the SSH rule and it should be fine.

Friendly tip: if you want to allow the whole private class C subnet, you can use the syntax -s 192.168.1.0/24 :-)

Cheers,
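The corrected whitelist loop from the answer, as an added dry-run example that is not the asker's script or the answerer's code: it reads a constructed whitelist (comments, blank lines and a duplicated address included), de-duplicates the addresses, prints the rules it would apply with -s on every port rule, and includes a small audit function that flags any ACCEPT rule on a port that carries no source restriction, which is how the unrestricted SSH rule in the question would be caught before it is loaded. IPTABLES is only printed, never executed, and the whitelist content is made up for the example.

```bash
#!/bin/bash
# Added example (not the asker's script): build the corrected INPUT rules from a
# whitelist and flag any per-port ACCEPT rule that lacks a source restriction.
# Dry run: the iptables commands are printed, not executed.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed sample whitelist: comments and blank lines allowed, address in the
# first column, and 192.168.1.125 listed twice on purpose.
WHITELIST_DATA='# trusted hosts
192.168.1.125   office
192.168.1.1     gateway

192.168.1.125   same host listed again
'

# Emit the ACCEPT rules for one whitelisted address; every rule carries -s "$ip",
# so no rule matches traffic from arbitrary sources.
rules_for_ip() {
    local ip="$1"
    printf '%s\n' \
        "$IPTABLES -A INPUT -p tcp -m tcp -s $ip --dport 22 -j ACCEPT" \
        "$IPTABLES -A INPUT -p tcp -m tcp -s $ip --dport 80 -j ACCEPT" \
        "$IPTABLES -A INPUT -p udp -m udp -s $ip --dport 5060 -j ACCEPT"
}

# Read whitelist text on stdin, drop comment and blank lines, de-duplicate the
# addresses, and print the complete rule set for the whitelist.
gen_rules() {
    local ip
    grep -v '^#' | awk 'NF {print $1}' | sort -u | while read -r ip; do
        rules_for_ip "$ip"
    done
}

# Audit: print every ACCEPT rule with a --dport but no -s match. Such a rule opens
# the port to every source, which is exactly the defect in the original SSH rule.
unrestricted_accepts() {
    grep -- '-j ACCEPT' | grep -- '--dport' | grep -v -- ' -s '
}

# Stand-alone usage: show the rules, then audit them.
printf '%s' "$WHITELIST_DATA" | gen_rules
printf '%s' "$WHITELIST_DATA" | gen_rules | unrestricted_accepts
```

Running the audit over the original script's rule list (for instance the output of iptables-save) would print the unrestricted dpt:22 rule, so the check can be used on an existing ruleset as well as on generated commands.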

