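#!/bin/bash
# Edited by luweinet at Apr 27 2005: restrict which IPs/networks may reach this
# server.
#
# Policy: INPUT, OUTPUT and FORWARD default to DROP. The hhstu networks are
# always allowed in both directions; further source addresses are read from
# $allowip (one address or CIDR per line). If that file is missing or
# unreadable the script still loads the firewall, which then admits only the
# hhstu networks -- that is the documented fallback, so it is only warned about.
#
# Must run as root; saves the rule set and restarts the iptables service at
# the end.

set -u   # an unset variable would otherwise silently turn into a broken rule

export PATH=$PATH:/sbin:/usr/sbin:/bin

readonly iptables="/sbin/iptables"
readonly dev=bond0                            # external interface
readonly allowip=/home/kernel/allowip.txt     # extra allowed sources, one per line
# Local address range the allow-list rules are scoped to. The original value
# was the wildcard 202.197.*.*, which iptables does not accept as an address
# (so every allow-list rule was rejected at load time); 202.197.0.0/16 is the
# same range written as a CIDR prefix.
readonly inet=202.197.0.0/16

# Start from a clean table with a default-deny policy on every chain.
"$iptables" -F
"$iptables" -X
"$iptables" -Z
"$iptables" -P FORWARD DROP
"$iptables" -P INPUT DROP
"$iptables" -P OUTPUT DROP

# Connection tracking (2.4/2.6-era module names). ip_conntrack_ftp is what
# lets the RELATED rule below admit FTP data connections.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state

# STATE: drop packets conntrack cannot classify, accept replies and related
# traffic for connections that were already admitted by an explicit rule.
"$iptables" -N STATE
"$iptables" -A STATE -m state --state INVALID -j DROP
"$iptables" -A STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

# FLAGS: drop TCP flag combinations that never occur in legitimate traffic.
"$iptables" -N FLAGS
"$iptables" -A FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$iptables" -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$iptables" -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Wire FLAGS into INPUT. Both user chains were previously defined but never
# referenced from a built-in chain, so none of their rules ever took effect.
# FLAGS is hooked in first so malformed segments are dropped before any ACCEPT
# rule further down can match them.
"$iptables" -A INPUT -p tcp -j FLAGS

# Private source ranges have no business arriving on the external interface.
"$iptables" -A INPUT -i "$dev" -s 10.0.0.0/8 -j DROP
"$iptables" -A INPUT -i "$dev" -s 192.168.0.0/16 -j DROP

# Stateful handling for both directions (see the STATE chain above).
"$iptables" -A INPUT -j STATE
"$iptables" -A OUTPUT -j STATE

# NOTE(review): loopback stays under the DROP policies because the lo rule is
# commented out; anything on this host that talks to itself over 127.0.0.1
# will be cut off. Confirm this is intended before leaving it that way.
#$iptables -A INPUT -i lo -j ACCEPT
#$iptables -A INPUT -d 59.70.16.0/20 -j ACCEPT

# Always allow the hhstu networks, both directions.
for net in 202.197.208.0/20 59.70.16.0/20; do
  "$iptables" -A INPUT -s "$net" -j ACCEPT
  "$iptables" -A OUTPUT -d "$net" -j ACCEPT
done

# Additional allowed sources from $allowip. Lines may hold several
# whitespace-separated entries (as the old `cat` loop accepted); blank lines
# and '#' comments are skipped. Each entry is handed to iptables as a single
# argument, so a malformed entry fails that one rule instead of being split
# into extra iptables options.
if [[ -r "$allowip" ]]; then
  while IFS= read -r line || [[ -n "$line" ]]; do
    read -ra entries <<<"${line%%#*}"          # strip comment, split on whitespace, no globbing
    (( ${#entries[@]} )) || continue           # blank or comment-only line
    for ip in "${entries[@]}"; do
      "$iptables" -A INPUT -s "$ip" -d "$inet" -j ACCEPT
      "$iptables" -A OUTPUT -d "$ip" -s "$inet" -j ACCEPT
    done
  done < "$allowip"
else
  printf 'warning: %s is missing or unreadable; only the hhstu networks are allowed\n' "$allowip" >&2
fi

#$iptables -A INPUT -f -m limit --limit 100/s --limit-burst 300 -j ACCEPT

# Refuse source-routed packets on every interface, where the kernel exposes
# the knob.
if [[ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]]; then
  for knob in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo "0" > "$knob"
  done
fi

# Persist the rule set and reload it through the service script.
/etc/init.d/iptables save
/etc/init.d/iptables restart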