NAT 上控制访问外网的防火墙规则

iptables.sh

#!/bin/bash

# 有两种权限:
# 1. 允许访问外网 WEB 端口(80, 443, 8080), 把 IP 加到 wl_web_ip 即可.
# 2. 允许访问外网所有流量, 基于 wl_all_ip, 把 IP 加到 wl_all_ip 即可.


iptables -F FORWARD
iptables -F BLOCK
iptables -F MON
iptables -X BLOCK
iptables -N BLOCK
iptables -X MON
iptables -N MON

ipset destroy

ipset n bl hash:net
ipset n wl_web_ip hash:ip hashsize 16777216 maxelem 16777216
ipset n web_port bitmap:port range 0-65535
ipset n wl_all_ip hash:ip hashsize 16777216 maxelem 16777216
ipset n wl_icmp_ip hash:ip hashsize 16777216 maxelem 16777216
ipset n wdj_extern_ip hash:net
ipset n wdj_intern_ip hash:net
ipset n mon_ip hash:ip hashsize 16777216 maxelem 16777216

ipset add web_port 80
ipset add web_port 443
ipset add web_port 8080
ipset add all_port 0-65535

ipset add wdj_extern_ip x.x.x.x/25
ipset add wdj_extern_ip y.y.y.y/24
ipset add wdj_intern_ip 192.168.0.0/16
ipset add wdj_intern_ip 100.64.0.0/16

ipset add bl 10.0.0.1/8

iptables -A BLOCK -j ACCEPT
iptables -I BLOCK -j DROP
iptables -I BLOCK -j LOG --log-prefix "ACL_BLOCK "

iptables -A MON -j ACCEPT
iptables -I MON -j LOG --log-prefix "ACL_MON "

iptables -I FORWARD -m set --set mon_ip src -j MON
iptables -I FORWARD -m set --set wdj_extern_ip dst -j ACCEPT
iptables -I FORWARD -m set --set wdj_intern_ip dst -j ACCEPT
iptables -I FORWARD -m set --set wl_all_ip src -j ACCEPT
iptables -I FORWARD -p tcp -m set --set wl_web_ip src -m set --set web_port dst  -j ACCEPT
iptables -I FORWARD -p udp -m set --set wl_web_ip src --dport 53 -j ACCEPT
iptables -I FORWARD -p icmp -m set --set wl_icmp_ip src -j ACCEPT
iptables -I FORWARD -p icmp -m set --set wl_web_ip src -j ACCEPT
iptables -A FORWARD -m set --set bl src -j BLOCK