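#!/bin/bash
# Host firewall for this server: default-deny on INPUT/OUTPUT/FORWARD, then
# allow only the two hard-coded nets (hhstu) and the addresses listed in
# /home/kernel/allowip.txt to talk to the server.
# Originally written by luweinet, Apr 27 2005.
#
# Usage: run as root with no arguments.
# If $allowip does not exist, a warning is printed and only the hard-coded
# nets are allowed.

set -u
export PATH=$PATH:/sbin:/usr/sbin:/bin

readonly iptables="/sbin/iptables"
readonly dev=bond0
readonly allowip=/home/kernel/allowip.txt
# The server's own address range.  The original value "202.197.*.*" is not
# valid iptables address syntax (iptables takes host, dotted-quad or CIDR),
# so the rules built from it could never be installed; CIDR is used instead.
readonly inet=202.197.0.0/16

#######################################
# Load the netfilter modules the rules rely on.
# A failing modprobe (module built into the kernel) is not fatal, which
# matches the original script's behaviour.
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ipt_state; do
    modprobe "$mod"
  done
}

#######################################
# Flush every chain and set default DROP on all built-in chains.
#######################################
reset_tables() {
  "$iptables" -F
  "$iptables" -X
  "$iptables" -Z
  "$iptables" -P FORWARD DROP
  "$iptables" -P INPUT DROP
  "$iptables" -P OUTPUT DROP
}

#######################################
# Define the helper chains: STATE (conntrack handling) and FLAGS (drop
# impossible TCP flag combinations).
#######################################
define_chains() {
  "$iptables" -N STATE
  "$iptables" -A STATE -m state --state INVALID -j DROP
  "$iptables" -A STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

  "$iptables" -N FLAGS
  "$iptables" -A FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  "$iptables" -A FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  "$iptables" -A FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
}

#######################################
# Install the fixed rules: hand packets to the helper chains, drop spoofed
# private-range sources on the public interface, allow the hhstu nets.
# In the original script STATE and FLAGS were defined but never jumped to,
# so they had no effect; they are wired in here.
#######################################
base_rules() {
  "$iptables" -A INPUT -i "$dev" -j FLAGS
  # Private-range sources arriving on the public interface are spoofed.
  "$iptables" -A INPUT -i "$dev" -s 10.0.0.0/8 -j DROP
  "$iptables" -A INPUT -i "$dev" -s 192.168.0.0/16 -j DROP
  "$iptables" -A INPUT -j STATE
  "$iptables" -A OUTPUT -j STATE
  # Loopback stays blocked by the author's choice (rule left disabled).
  #"$iptables" -A INPUT -i lo -j ACCEPT
  #"$iptables" -A INPUT -d 59.70.16.0/20 -j ACCEPT # always allow hhstu
  "$iptables" -A INPUT -s 202.197.208.0/20 -j ACCEPT
  "$iptables" -A OUTPUT -d 202.197.208.0/20 -j ACCEPT
  "$iptables" -A INPUT -s 59.70.16.0/20 -j ACCEPT
  "$iptables" -A OUTPUT -d 59.70.16.0/20 -j ACCEPT
}

#######################################
# Allow every address listed in $allowip (whitespace- or newline-separated,
# '#' starts a comment) to reach $inet and to receive replies from it.
# Entries that are not a dotted quad with optional /prefix are skipped with a
# warning instead of being handed to iptables, which would otherwise try to
# resolve them as hostnames.
# Globals:   allowip, inet, iptables (read)
# Returns:   0 always; a missing file only prints a warning.
#######################################
allow_listed() {
  local -r ip_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  local line ip
  local -a entries

  if [[ ! -r "$allowip" ]]; then
    printf 'warning: %s missing or unreadable; only the hhstu nets are allowed\n' \
      "$allowip" >&2
    return 0
  fi

  while IFS= read -r line || [[ -n "$line" ]]; do
    line=${line%%#*}
    read -r -a entries <<<"$line"
    for ip in "${entries[@]}"; do
      if [[ ! "$ip" =~ $ip_re ]]; then
        printf 'warning: skipping invalid entry in %s: %s\n' "$allowip" "$ip" >&2
        continue
      fi
      "$iptables" -A INPUT -s "$ip" -d "$inet" -j ACCEPT
      "$iptables" -A OUTPUT -d "$ip" -s "$inet" -j ACCEPT
    done
  done < "$allowip"
}

#######################################
# Disable IP source routing on every interface when the kernel exposes it.
#######################################
disable_source_route() {
  local ctl
  [[ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]] || return 0
  for ctl in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    printf '0\n' > "$ctl"
  done
}

#######################################
# Persist the rule set through the distribution's iptables init script and
# reload it.
#######################################
persist_rules() {
  /etc/init.d/iptables save
  /etc/init.d/iptables restart
}

#######################################
# Entry point: modules, reset, chains, rules, sysctl, persist.
#######################################
main() {
  load_modules
  reset_tables
  define_chains
  base_rules
  allow_listed
  disable_source_route
  persist_rules
}

main "$@"
# Downside: the chains are a bit messy, but this does the job.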