#!/bin/bash
# 2022.2.28 by dewan
# security configuration: baseline iptables INPUT policy plus a manager-IP whitelist.
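usage ()
{
  # Print the command synopsis and exit.
  # Fix: the synopsis goes to stderr and the exit status is 1, so a missing or
  # unknown sub-command is visible to a calling script (checking $?) instead of
  # reporting success.  The message text itself is unchanged.
  echo "$0 start # setup secutiry configuration" >&2
  echo "$0 add-ip <ip> # add whitelist ip" >&2
  exit 1
}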
# whitelist ip
# Management hosts that get unrestricted access on INPUT and FORWARD (consumed by
# whitelist_ip).  Empty by default; persistent additions are kept in the
# ./add_whitelist_ip file written by add_whitelist_ip.
MANAGER_IP=""
# Space-separated source ranges treated as the trusted "inner net": basic_rule
# ACCEPTs every protocol and port from them, and whitelist_ip lists them too.
# NOTE(review): 172.168.0.0/16 is NOT an RFC 1918 range -- the private block is
# 172.16.0.0/12, which is already listed -- so this entry whitelists publicly
# routable address space.  It looks like a typo of 172.16.0.0/16; confirm before
# keeping it.  0.0.0.0/32 only matches the unspecified source address.
LAN_IP="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 172.168.0.0/16 0.0.0.0/32 127.0.0.1/32"
# prohibit port
# Ports intended to be blocked (BLACK_PORT) and DNAT'd (DNAT_PORT).
# NOTE(review): neither variable is referenced by any function in this script,
# so they currently have no effect on the installed rules.
BLACK_PORT="6379 2022 22 20 21 23 69 111 135 137:139 177 389 445 513 1433:1435 1521:1530 3306 3389 4899 6000:6063 8888 50000:50050"
DNAT_PORT="5900:5999 20000:20999 21000:23999 32000:32768 61000:65535"
# basic config
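basic_rule ()
{
  # Install the baseline INPUT policy: flush, accept sshd / loopback / the
  # trusted LAN_IP ranges / ping / replies to outgoing traffic, then set the
  # INPUT default to DROP.
  #
  # Globals: LAN_IP (read), SSHD_PORT (read).
  # Returns: 1 without touching any rule when SSHD_PORT is unset or not a valid
  #          TCP port; otherwise the status of the last iptables call.
  #
  # The sshd port comes from $SSHD_PORT.  There is deliberately no built-in
  # default: 22 is in BLACK_PORT, so the real port is site-specific.  The
  # original had an empty sshd_port, which made the sshd ACCEPT rule fail while
  # the DROP policy was still applied afterwards -- a remote operator would have
  # been locked out.  We now validate the port BEFORE `iptables -F`.
  local sshd_port ip
  sshd_port=${SSHD_PORT:-}
  # 10# forces decimal so a leading zero is not read as octal.
  if ! [[ $sshd_port =~ ^[0-9]+$ ]] || (( 10#$sshd_port < 1 || 10#$sshd_port > 65535 )); then
    printf 'basic_rule: SSHD_PORT must be a TCP port (1-65535), got "%s" -- no rules changed\n' "$sshd_port" >&2
    return 1
  fi

  iptables -F
  ## service: sshd
  iptables -I INPUT -p tcp --dport "$sshd_port" -j ACCEPT
  ## lo
  iptables -A INPUT -i lo -j ACCEPT
  ## inner net access: every protocol and port from the LAN_IP ranges
  ## (word-splitting of the space-separated list is intended)
  for ip in $LAN_IP; do
    iptables -A INPUT -p all -s "$ip" -j ACCEPT
  done
  ## access ping -- note: echo-request is accepted from ANY source, not only LAN_IP
  iptables -I INPUT -p icmp --icmp-type echo-request -j ACCEPT
  ## replies to outgoing connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # default forbidden -- only INPUT; the FORWARD policy is left as-is
  iptables -P INPUT DROP
}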
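whitelist_ip ()
{
  # Create (or rebuild) the whitelist_INPUT / whitelist_FORWARD chains, fill
  # them with ACCEPT rules for MANAGER_IP, LAN_IP and every address persisted
  # in ./add_whitelist_ip (a path relative to the current directory), and hook
  # both chains in first position of INPUT and FORWARD.
  #
  # Globals: MANAGER_IP, LAN_IP (read); file ./add_whitelist_ip (read).
  # Returns: status of the last iptables call.
  #
  # Made idempotent: the original ran `iptables -N` unconditionally (fails on a
  # second run), re-inserted the jump rule on every run, passed blank lines of
  # the file to iptables as `-s -j`, and errored when the file did not exist.
  local chain ip
  for chain in whitelist_INPUT whitelist_FORWARD; do
    if iptables -n -L "$chain" >/dev/null 2>&1; then
      iptables -F "$chain"   # re-run: rebuild from scratch, no duplicate rules
    else
      iptables -N "$chain"
    fi
    # static entries; word-splitting of the space-separated lists is intended
    for ip in $MANAGER_IP $LAN_IP; do
      iptables -I "$chain" -s "$ip" -j ACCEPT
    done
    # persisted entries, one per line; whitespace is stripped and blank lines
    # are skipped so an empty value never reaches iptables
    if [[ -r add_whitelist_ip ]]; then
      while IFS= read -r ip || [[ -n $ip ]]; do
        ip=${ip//[[:space:]]/}
        [[ -z $ip ]] && continue
        iptables -I "$chain" -s "$ip" -j ACCEPT
      done < add_whitelist_ip
    fi
  done
  # hook the chains in first position, but only once (-C needs iptables >= 1.4.11)
  iptables -C FORWARD -j whitelist_FORWARD 2>/dev/null || iptables -I FORWARD -j whitelist_FORWARD
  iptables -C INPUT -j whitelist_INPUT 2>/dev/null || iptables -I INPUT -j whitelist_INPUT
}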
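_valid_ipv4 ()
{
  # Accept a dotted-quad IPv4 address with an optional /0-32 prefix and reject
  # everything else -- including the empty string and option-like input such
  # as "1.2.3.4 -j DROP", which the unquoted original would have word-split
  # into extra iptables arguments.
  # Arguments: $1 - candidate address.  Returns 0 if valid, 1 otherwise.
  local addr=$1 octet prefix
  [[ $addr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(/([0-9]{1,2}))?$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    (( 10#$octet <= 255 )) || return 1   # 10# : no octal surprise on leading zeros
  done
  prefix=${BASH_REMATCH[6]}
  [[ -z $prefix ]] || (( 10#$prefix <= 32 ))
}
add_whitelist_ip ()
{
  # Trust one address on the whitelist chains and persist it for the next
  # `start`.
  # Arguments: $1 - IPv4 address or CIDR range.
  # Side effects: inserts ACCEPT rules, appends to ./add_whitelist_ip.
  # Returns: 1 on invalid input or a failed iptables call (nothing persisted).
  local ip=$1 chain
  if ! _valid_ipv4 "$ip"; then
    printf 'add_whitelist_ip: "%s" is not an IPv4 address or CIDR range\n' "$ip" >&2
    return 1
  fi
  # Mirror what `start` installs: the address is trusted on INPUT and FORWARD.
  # The original only touched whitelist_FORWARD, so a freshly added manager
  # host could not reach the box itself until the next `start`.
  for chain in whitelist_FORWARD whitelist_INPUT; do
    iptables -I "$chain" -s "$ip" -j ACCEPT || return 1
  done
  # Persist only after the rules went in, and only once per address, so a
  # failed iptables call (e.g. `add-ip` run before `start` created the chains)
  # leaves no stale entry and repeated calls do not accumulate duplicates.
  grep -qxF -- "$ip" add_whitelist_ip 2>/dev/null || printf '%s\n' "$ip" >> add_whitelist_ip
}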
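# Entry point.  Every branch drives iptables, which needs CAP_NET_ADMIN, so
# refuse early with one clear message instead of a cascade of permission
# errors from each rule.
if [[ $EUID -ne 0 ]]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
case "${1:-}" in
  start)
    # Do not build the whitelist on top of a baseline that was refused.
    basic_rule || exit 1
    whitelist_ip
    ;;
  add_ip | add-ip)
    # Require the address and pass it as ONE argument: an unquoted $2 could be
    # word-split into extra iptables options.
    [[ -n ${2:-} ]] || usage
    add_whitelist_ip "$2"
    ;;
  *)
    usage
    ;;
esac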