I have the script below; I found it somewhere on the Internet and modified it a bit to suit my needs.
My question is: if I understand the iptables-save output correctly, my iptables rules are made right, but I just want to be sure.
Here is my .sh file:
#!/bin/bash
ISO="af cn th vn in bd pk"
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"

cleanOldRules(){
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

# create a dir
[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT

# clean old rules
cleanOldRules

# create a new iptables list
$IPT -N $SPAMLIST

for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone

    # get fresh zone file
    $WGET -O $tDB $DLROOT/$c.zone

    # country specific log message
    SPAMDROPMSG="$c Country Drop"

    # get
    BADIPS=$(egrep -v "^#|^$" $tDB)
    for ipblock in $BADIPS
    do
        # $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
    sleep 3
done

$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

#My part
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
$IPT -A INPUT -s 188.92.161.49/32 -j ACCEPT
$IPT -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A INPUT -s 188.92.163.198/32 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 25 -j DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
$IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
$IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
exit 0
And the output of iptables-save:
# Generated by iptables-save v1.4.10 on Thu May 9 17:00:59 2013
*mangle
:PREROUTING ACCEPT [128952:24289058]
:INPUT ACCEPT [128944:24288514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [180927:208852344]
:POSTROUTING ACCEPT [180927:208852344]
COMMIT
# Completed on Thu May 9 17:00:59 2013
# Generated by iptables-save v1.4.10 on Thu May 9 17:00:59 2013
*nat
:PREROUTING ACCEPT [3169:170149]
:INPUT ACCEPT [3118:164866]
:OUTPUT ACCEPT [909:54321]
:POSTROUTING ACCEPT [909:54321]
COMMIT
# Completed on Thu May 9 17:00:59 2013
# Generated by iptables-save v1.4.10 on Thu May 9 17:00:59 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134106:154955595]
:countrydrop - [0:0]
-A INPUT -j countrydrop
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j countrydrop
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j countrydrop
-A countrydrop -s 202.56.176.0/20 -j DROP
-A countrydrop -s 202.86.16.0/20 -j DROP
-A countrydrop -s 203.174.27.0/24 -j DROP
-A countrydrop -s 203.215.32.0/20 -j DROP
-A countrydrop -s 210.80.0.0/19 -j DROP
-A countrydrop -s 210.80.32.0/19 -j DROP
-A countrydrop -s 91.109.216.0/21 -j DROP
-A countrydrop -s 193.201.151.64/26 -j DROP
-A countrydrop -s 192.124.154.0/24 -j DROP
If I understand it correctly, the traffic is first directed to the country rules, and then to my rules.
Am I right?
Yes, the command
$IPT -I INPUT -j $SPAMLIST
will insert a rule at the beginning of the INPUT chain, causing all packets to be sent to the countrydrop chain. You can see this in the iptables-save output:
-A INPUT -j countrydrop
You should also be able to see this in your "live" rules:
iptables -L INPUT
Chain INPUT (policy DROP)
target       prot opt source               destination
countrydrop  all  --  anywhere             anywhere
.
.
.
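As an added example (my own code, not from the original post or its author), here is a small shell script that checks the point of the answer mechanically rather than by eye: it parses an iptables-save style dump (a constructed sample is embedded) and reports which target the INPUT chain evaluates first and at which position the jump to countrydrop sits. Since the script above feeds downloaded zone-file contents straight into iptables, the same block also shows a filter that lets only well-formed IPv4 CIDR blocks through before they reach a root-level command. The function names, the sample rules and the sample zone file are all my assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post. Checks rule order in an
# iptables-save dump and validates zone-file lines before use.

# Constructed sample dump, trimmed to the *filter table. On a live system
# the same lines come from `iptables-save` or `iptables -S` (run as root).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:countrydrop - [0:0]
-A INPUT -j countrydrop
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j countrydrop
-A OUTPUT -j countrydrop
-A countrydrop -s 202.56.176.0/20 -j DROP
COMMIT'

# Constructed sample zone file with the kinds of junk a downloaded file
# might contain (comment, blank line, bad octet, bad prefix, free text).
SAMPLE_ZONE='# constructed zone file
202.56.176.0/20

999.1.1.1/8
10.0.0.0/33
not an address
192.124.154.0/24'

# chain_targets DUMP CHAIN: print the -j target of every rule in CHAIN,
# one per line, in the order the kernel evaluates them (top to bottom).
chain_targets() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i <= NF; i++) if ($i == "-j") { print $(i + 1); break }
        }'
}

# first_target DUMP CHAIN: target of the rule that is evaluated first.
first_target() {
    chain_targets "$1" "$2" | head -n 1
}

# position_of DUMP CHAIN TARGET: 1-based position of the first rule in
# CHAIN that jumps to TARGET, or 0 if no rule does.
position_of() {
    chain_targets "$1" "$2" | awk -v t="$3" '
        $0 == t { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# valid_cidrs: read zone-file lines on stdin and emit only well-formed
# IPv4 CIDR blocks (four octets 0-255, prefix 0-32). Comments, blank
# lines and anything else are dropped so they never become iptables
# arguments. Deliberately avoids regex intervals for mawk compatibility.
valid_cidrs() {
    awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            ok = ($5 <= 32)
            for (i = 1; i <= 4 && ok; i++) if ($i > 255) ok = 0
            if (ok) print
        }'
}

# Demonstration on the constructed samples.
echo "INPUT evaluates first: $(first_target "$SAMPLE_DUMP" INPUT)"
echo "countrydrop is rule #$(position_of "$SAMPLE_DUMP" INPUT countrydrop) in INPUT"
echo "REJECT is rule #$(position_of "$SAMPLE_DUMP" INPUT REJECT) in INPUT"
echo "Usable zone-file entries:"
printf '%s\n' "$SAMPLE_ZONE" | valid_cidrs
```

On a real host, `first_target "$(iptables -S)" INPUT` answers the question directly, because `iptables -S` prints rules in the same `-A CHAIN ... -j TARGET` form as iptables-save. The ordering check matters because iptables stops at the first matching terminal rule: had the script used `-A` instead of `-I` for the countrydrop jump, every ACCEPT listed before it would have admitted traffic from the blocked countries. Piping each downloaded zone file through `valid_cidrs` before the `for ipblock` loop keeps unexpected file contents from ever being passed as arguments to iptables.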