动态iptables防火墙dynfw
2006-04-03 12:36:22 来源:WEB开发网#!/bin/bash
source /usr/local/share/dynfw.sh
args 2 $# "${0} IPADDR {on/off}" "Drops packets to/from IPADDR. Good for obnoxious networks/hosts/DoS"
if [ "$2" == "on" ]
then
#rules will be appended or inserted as normal
APPEND="-A"
INSERT="-I"
rec_check ipdrop $1 "$1 already blocked" on
record ipdrop $1
elif [ "$2" == "off" ]
then
#rules will be deleted instead
APPEND="-D"
INSERT="-D"
rec_check ipdrop $1 "$1 not currently blocked" off
unrecord ipdrop $1
else
echo "Error: "off" or "on" expected as second argument"
exit 1
fi
#block outside IP address thats causing problems
#attackers incoming TCP connections will take a minute or so to time out,
#reducing DoS effectiveness.
iptables $INSERT INPUT -s $1 -j DROP
iptables $INSERT OUTPUT -d $1 -j DROP
iptables $INSERT FORWARD -d $1 -j DROP
iptables $INSERT FORWARD -s $1 -j DROP
echo "IP ${1} drop ${2}."
ipdrop:解释
从上面的脚本源代码中最后四行内容可以看到实际的命令是在防火墙表中插入适当的规则。可以看到$INSERT变量的值取决于在命令行参数中是使用"on"还是"off"模式。当iptables行被执行时特定的规则将被适当的插入或删除。
更多精彩
赞助商链接