mylara

Using iptables as a gateway, can the mapped (forwarded) ports block access from foreign IPs?

    mylara · Aug 27, 2024 · 1162 views
    The server is colocated in a data center and has one fixed public IP. The data center provided a CentOS 7 box as the gateway; iptables on it does port mapping for the server and for several VMware virtual machines running on it, and that is how the services are exposed.
    Recently, out of nowhere, an IP from Kharkiv, Ukraine uploaded malware to it and caused a ransomware incident. Fortunately it was caught in time and there was a cloud backup, so the loss was small.
    With iptables acting as the gateway, can the mapped (forwarded) ports be made to block access from foreign IPs?
    1   mylara (OP) · Aug 27, 2024
    I searched a few tutorials and combined them into the following. Could the experts here check whether anything is wrong? I have not dared to run it yet, in case a problem affects production.
    [Install components]
    yum install ipset iptables-services iptables-devel ipset-service -y

    [Download the IP ranges and build the ipset]
    wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
    for i in `cat cn.zone`; do echo "ipset add china $i" >>ipset_result.sh; done
    chmod +x ipset_result.sh
    ipset create china hash:net hashsize 10000 maxelem 1000000
    sh ipset_result.sh

    ipset add china 10.0.0.0/8
    ipset add china 172.16.0.0/12
    ipset add china 192.168.0.0/16
    ipset list china | wc -l
    ipset test china 192.168.1.0
    ipset save china > /etc/ipset.conf

    chmod +x /etc/rc.d/rc.local
    echo "ipset restore < /etc/ipset.conf" >> /etc/rc.d/rc.local

    [iptables script]
    #!/bin/bash
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    service iptables restart

    iptables -F
    iptables -X
    iptables -Z
    iptables -F -t nat
    iptables -X -t nat
    iptables -Z -t nat

    modprobe iptable_filter
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ip_tables
    modprobe iptable_nat

    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    IP1=111.111.111.111
    LAN1=192.168.1.0/24

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Accept replies to connections the gateway or the VMs initiated; without this,
    # return packets from any non-China address (updates, the wget above) hit the DROP policy
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New inbound connections are only accepted from addresses in the "china" set
    iptables -A INPUT -m set --match-set china src -j ACCEPT
    iptables -A FORWARD -m set --match-set china src -j ACCEPT

    iptables -A INPUT -s $LAN1 -j ACCEPT
    iptables -A FORWARD -s $LAN1 -j ACCEPT

    iptables -t nat -A PREROUTING -p tcp -m set --match-set china src -d $IP1 --dport 80 -j DNAT --to-destination 192.168.1.10:80
    iptables -t nat -A PREROUTING -p tcp -m set --match-set china src -d $IP1 --dport 443 -j DNAT --to-destination 192.168.1.10:443
    iptables -t nat -A PREROUTING -p tcp -m set --match-set china src -d $IP1 --dport 58000 -j DNAT --to-destination 192.168.1.10:58000

    iptables -A INPUT -p tcp --dport 57000 -j ACCEPT # SSH to the gateway itself
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.254
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    sysctl -w net.ipv4.tcp_keepalive_time=600
    sysctl -w net.ipv4.tcp_synack_retries=1
    sysctl -w net.ipv4.tcp_syn_retries=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=16384
    sysctl -w net.nf_conntrack_max=655360

    [Persist the rules]
    iptables-save > /etc/sysconfig/iptables
    echo "/usr/sbin/iptables-restore < /etc/sysconfig/iptables" >> /etc/rc.d/rc.local
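An added offline dry run, not part of the thread: it turns a cn.zone-style list into one `ipset restore` file (a single bulk load instead of thousands of `ipset add` calls) and mimics `ipset test` so the set logic can be checked on a workstation before anything is loaded on the production gateway. The zone lines and test addresses are constructed samples; the set name, hash parameters and private ranges are the ones from the script above.

```python
#!/usr/bin/env python3
"""Dry run of the ipset step: build an `ipset restore` file from a zone list
and check which addresses would match, without touching the gateway."""
import ipaddress

# Constructed sample in the cn.zone format (one CIDR per line); not real data.
SAMPLE_ZONE = """\
# comment lines and blank lines are tolerated
1.0.1.0/24
1.0.2.0/23
36.0.0.0/22
"""

# Private ranges the original script also adds so LAN traffic counts as "china".
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def parse_zone(text):
    """Return the valid IPv4 networks in a zone file, skipping junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole load
    return nets

def build_restore(nets, setname="china", extra=PRIVATE_NETS):
    """Emit text for `ipset restore -exist < file` (one create, then add lines)."""
    lines = [f"create {setname} hash:net family inet hashsize 10000 maxelem 1000000"]
    lines += [f"add {setname} {n}" for n in nets]
    lines += [f"add {setname} {ipaddress.IPv4Network(e)}" for e in extra]
    return "\n".join(lines) + "\n"

def would_match(ip, nets, extra=PRIVATE_NETS):
    """Mimic `ipset test china <ip>`: True if ip falls inside any listed network."""
    addr = ipaddress.IPv4Address(ip)
    all_nets = list(nets) + [ipaddress.IPv4Network(e) for e in extra]
    return any(addr in n for n in all_nets)

if __name__ == "__main__":
    nets = parse_zone(SAMPLE_ZONE)
    print(build_restore(nets), end="")
    for ip in ("1.0.2.77", "192.168.1.10", "8.8.8.8"):
        print(ip, "ACCEPT" if would_match(ip, nets) else "DROP (not in set)")
```

With the real cn.zone, write `build_restore(parse_zone(open("cn.zone").read()))` to a file and load it with `ipset restore -exist < file`; the `-exist` flag makes re-running it idempotent.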