router/CentOS7

参照先 https://centossrv.com/iptables.shtml

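# Replace firewalld with the classic iptables-services package.
# NOTE: from "systemctl stop firewalld" until the first run of iptables.sh
# below, the host has NO packet filter at all (stopping firewalld flushes its
# rules).  Do this from the console or from the LAN side, not over an
# interface you want protected.
[root@gate ~]# systemctl stop firewalld
[root@gate ~]# yum remove firewalld
[root@gate ~]# yum install iptables-services
# Without this, the ruleset that iptables.sh writes to /etc/sysconfig/iptables
# is not loaded at boot and the gateway comes back up with empty chains
# (kernel default policy ACCEPT) -- i.e. unfiltered.
[root@gate ~]# systemctl enable iptables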
 
 
[root@gate ~]# vi iptables.sh
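#!/bin/bash
#
# iptables.sh -- build /etc/sysconfig/iptables for the gateway and reload it.
#
# Policy: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.  Hosts in
# LOCALNET may reach the gateway itself; anyone may reach SSH and DNS on it;
# the only NEW connections forwarded through the gateway are DNS.
#
# Operator notes:
#  * The FORWARD rules only take effect once net.ipv4.ip_forward is enabled;
#    this page does not show that step.
#  * Only IPv4 is configured.  If IPv6 is live on the interfaces, ip6tables is
#    left at its defaults (ACCEPT) -- give it a matching policy.
#  * The "--dport 22" and "--dport 53" INPUT rules accept from ANY source, so
#    SSH and DNS on the gateway are reachable from the non-LAN side too.
#    Restrict them (-s / -i) unless that exposure is intended; an openly
#    reachable recursive resolver is a DNS-amplification vector.
#  * The FORWARD rules match on destination port only and therefore admit new
#    connections in BOTH directions.  If the far side of the gateway is
#    untrusted, add "-s $LOCALNET" (or "-d <server>") to them.
#  * iptables.service must be enabled for the saved file to load at boot.

set -eu

# Trusted LAN prefix.
LOCALNET=10.10.0.0/24
# LAN-facing interface (e.g. eth1).  When set, the "trust LOCALNET" rule is
# bound to that interface, so a packet arriving on the other interface with a
# spoofed LOCALNET source is not accepted.  Empty keeps the original,
# interface-agnostic rule.
LAN_IF=

if [[ -n "$LAN_IF" ]]; then
    lan_match="-i $LAN_IF -s $LOCALNET"
else
    lan_match="-s $LOCALNET"
fi

IPTABLES_CONFIG=$(mktemp)
# Remove the scratch file on every exit path, including failures under set -e.
trap 'rm -f -- "$IPTABLES_CONFIG"' EXIT

# Lines beginning with '#' are ignored by iptables-restore.
cat > "$IPTABLES_CONFIG" <<EOF
*filter
# Default policies: drop all inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT $lan_match -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services on the gateway itself: SSH and DNS (see header about exposure).
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# New connections allowed through the gateway: DNS only.
-A FORWARD -p tcp --dport 53 -j ACCEPT
-A FORWARD -p udp --dport 53 -j ACCEPT
COMMIT
EOF

# Refuse to overwrite the persisted ruleset with something iptables-restore
# cannot parse: the init script flushes before restoring, so a broken file
# would leave the gateway with empty chains.
iptables-restore --test < "$IPTABLES_CONFIG"

cat "$IPTABLES_CONFIG" > /etc/sysconfig/iptables
# iptables-services on CentOS 7 ships the init script under /usr/libexec;
# older layouts keep it under /etc/rc.d/init.d.
if [[ -f /usr/libexec/iptables/iptables.init ]]; then
    /usr/libexec/iptables/iptables.init restart
else
    /etc/rc.d/init.d/iptables restart
fi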

Samba AD（Active Directory）のトラフィックをこのゲートウェイで転送する必要がある場合は、上のスクリプトの代わりに次のものを使う（上のスクリプトに AD 関連ポートの FORWARD 許可を追加したもの）。

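#!/bin/bash
#
# iptables.sh (Samba AD variant) -- build /etc/sysconfig/iptables for the
# gateway and reload it.
#
# Policy: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.  Hosts in
# LOCALNET may reach the gateway itself; anyone may reach SSH and DNS on it;
# NEW connections forwarded through the gateway are DNS plus the Active
# Directory service ports listed below.
#
# Operator notes:
#  * The FORWARD rules only take effect once net.ipv4.ip_forward is enabled;
#    this page does not show that step.
#  * Only IPv4 is configured.  If IPv6 is live on the interfaces, ip6tables is
#    left at its defaults (ACCEPT) -- give it a matching policy.
#  * The "--dport 22" and "--dport 53" INPUT rules accept from ANY source, so
#    SSH and DNS on the gateway are reachable from the non-LAN side too.
#    Restrict them (-s / -i) unless that exposure is intended.
#  * The FORWARD rules match on destination port only and therefore admit new
#    connections in BOTH directions.  With the AD ports that means SMB, LDAP,
#    Kerberos and RPC are reachable across the gateway from either side; set
#    AD_DC below (or add "-s $LOCALNET") so the far side cannot reach them
#    unrestricted.
#  * iptables.service must be enabled for the saved file to load at boot.

set -eu

# Trusted LAN prefix.
LOCALNET=10.10.0.0/24
# LAN-facing interface (e.g. eth1).  When set, the "trust LOCALNET" rule is
# bound to that interface, so a packet arriving on the other interface with a
# spoofed LOCALNET source is not accepted.  Empty keeps the original,
# interface-agnostic rule.
LAN_IF=
# Address of the AD domain controller (e.g. 10.10.0.5).  When set, the AD
# forward rules are limited to that destination; empty keeps the original
# port-only rules.
AD_DC=

if [[ -n "$LAN_IF" ]]; then
    lan_match="-i $LAN_IF -s $LOCALNET"
else
    lan_match="-s $LOCALNET"
fi

if [[ -n "$AD_DC" ]]; then
    ad_match="-d $AD_DC"
else
    ad_match=""
fi

IPTABLES_CONFIG=$(mktemp)
# Remove the scratch file on every exit path, including failures under set -e.
trap 'rm -f -- "$IPTABLES_CONFIG"' EXIT

# Lines beginning with '#' are ignored by iptables-restore.
cat > "$IPTABLES_CONFIG" <<EOF
*filter
# Default policies: drop all inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT $lan_match -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services on the gateway itself: SSH and DNS (see header about exposure).
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# New connections allowed through the gateway: DNS.
-A FORWARD -p tcp --dport 53 -j ACCEPT
-A FORWARD -p udp --dport 53 -j ACCEPT
# Samba AD: Kerberos (88), NTP (123), RPC endpoint mapper (135), NetBIOS
# (137-139), LDAP (389), SMB (445), kpasswd (464), LDAPS (636), global
# catalog (3268/3269), AD web services (9389).
# NOTE(review): RPC-based operations also use a dynamic high-port range, and
# kpasswd is commonly listed as UDP 464 as well -- neither is covered here;
# check the Samba documentation if joins or replication fail.
-A FORWARD $ad_match -p tcp --dport 88   -j ACCEPT
-A FORWARD $ad_match -p udp --dport 88   -j ACCEPT
-A FORWARD $ad_match -p udp --dport 123  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 135  -j ACCEPT
-A FORWARD $ad_match -p udp --dport 137  -j ACCEPT
-A FORWARD $ad_match -p udp --dport 138  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 139  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 389  -j ACCEPT
-A FORWARD $ad_match -p udp --dport 389  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 445  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 464  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 3268 -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 636  -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 3269 -j ACCEPT
-A FORWARD $ad_match -p tcp --dport 9389 -j ACCEPT
COMMIT
EOF

# Refuse to overwrite the persisted ruleset with something iptables-restore
# cannot parse: the init script flushes before restoring, so a broken file
# would leave the gateway with empty chains.
iptables-restore --test < "$IPTABLES_CONFIG"

cat "$IPTABLES_CONFIG" > /etc/sysconfig/iptables
# iptables-services on CentOS 7 ships the init script under /usr/libexec;
# older layouts keep it under /etc/rc.d/init.d.
if [[ -f /usr/libexec/iptables/iptables.init ]]; then
    /usr/libexec/iptables/iptables.init restart
else
    /etc/rc.d/init.d/iptables restart
fi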
