#!/bin/bash
###################################

# touch /root/sh/iptables.sh; chmod u+x /root/sh/iptables.sh
##################################

######### ENV ####################

# Pin the locale and the search path: the C locale keeps tool output
# byte-stable, and a fixed PATH means the iptables tools below resolve from
# the system directories rather than from whatever environment cron, sudo or
# a login shell happened to pass in.
LANG=C
LC_ALL=C
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export LANG LC_ALL PATH
# env_over


###### filter table ################

###### INPUT chains ######
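# Fail on unset names and on a failing pipeline stage. Deliberately no -e:
# an imperative load that aborts half-way would leave the filter table
# partially built with an ACCEPT policy. Instead the whole table is rendered
# first and applied in one step with iptables-restore (see the bottom).
set -u -o pipefail

# Local VPN endpoints: allowed to reach every TCP port.
readonly -a VPN_HOSTS=(35.220.190.118 122.128.111.227)

# Allowlist files: one IPv4 address or CIDR per line, '#' comments allowed.
readonly WEB_ALLOWLIST=/opt/sh/ip.txt       # external clients -> ssh, http
readonly REDIS_ALLOWLIST=/opt/sh/6379.txt   # external clients -> port 6379
readonly DB_ALLOWLIST=/opt/sh/ipsjk.txt     # database clients -> port 3306

#######################################
# Print one "-A INPUT ... ACCEPT" line (iptables-restore syntax) per entry
# of an allowlist file.
# Arguments:
#   $1 - allowlist path. Blank lines, whole-line and trailing '#' comments,
#        surrounding whitespace and a CRLF '\r' are ignored. Note the old
#        `grep -v "#"` dropped a whole line on a trailing comment, silently
#        losing that address; a trailing comment is now just stripped.
#   $2 - comma-separated TCP destination ports for -m multiport
# Outputs: rule lines on stdout, diagnostics on stderr
# Returns: 0 on success; 1 if the file is unreadable or any entry is not a
#          plain dotted-quad IPv4 address with an optional /prefix. Nothing
#          is printed on failure, so a bad list can never be half-applied.
#          Hostnames and dotted-netmask forms are rejected on purpose: the
#          file is data, and only a literal address may reach iptables.
#          Out-of-range octets or prefixes are left for iptables-restore to
#          reject, which also aborts the load.
#######################################
emit_allowlist_rules() {
  local file=$1 dports=$2
  local line entry
  local -a rules=()
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

  if [[ ! -r "$file" ]]; then
    printf '%s: allowlist %s is missing or unreadable\n' "${0##*/}" "$file" >&2
    return 1
  fi

  # `|| [[ -n $line ]]` keeps a final line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    entry=${line%%#*}               # drop a trailing comment
    entry=${entry//[[:space:]]/}    # drop blanks and a CRLF '\r'
    [[ -z "$entry" ]] && continue
    if [[ ! "$entry" =~ $ipv4_re ]]; then
      printf '%s: %s: refusing malformed entry %q\n' "${0##*/}" "$file" "$entry" >&2
      return 1
    fi
    rules+=("-A INPUT -s $entry -p tcp -m multiport --dports $dports -j ACCEPT")
  done < "$file"

  # Empty list -> no rules, same as before.
  if (( ${#rules[@]} > 0 )); then
    printf '%s\n' "${rules[@]}"
  fi
}

#######################################
# Print the complete filter table in iptables-restore syntax.
# Globals: VPN_HOSTS, WEB_ALLOWLIST, REDIS_ALLOWLIST, DB_ALLOWLIST (read)
# Outputs: the ruleset on stdout
# Returns: non-zero as soon as one allowlist cannot be turned into rules
#######################################
build_ruleset() {
  local host
  # Chain policies stay ACCEPT exactly as before; INPUT is closed by the
  # trailing REJECT, not by policy. Restoring a full *filter table replaces
  # its contents, which also removes stale user-defined chains (the role the
  # old -F / -X pair played).
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 40/s -j ACCEPT
EOF
  # Local VPN endpoints: every TCP port.
  for host in "${VPN_HOSTS[@]}"; do
    printf '%s\n' "-A INPUT -s $host -p tcp -j ACCEPT"
  done
  # External clients: ssh and http.
  emit_allowlist_rules "$WEB_ALLOWLIST" 22,80 || return 1
  # External clients: port 6379.
  emit_allowlist_rules "$REDIS_ALLOWLIST" 6379 || return 1
  # Database clients: port 3306.
  emit_allowlist_rules "$DB_ALLOWLIST" 3306 || return 1
  # Internal network (disabled). NOTE(review): 192.168.0.0/12 spans
  # 192.160.0.0-192.175.255.255, which is not the RFC 1918 192.168.0.0/16
  # block; correct the mask before re-enabling.
  #-A INPUT -s 192.168.0.0/12 -p tcp -j ACCEPT
  #-A INPUT -s 10.0.1.0/24 -p tcp -j ACCEPT
  # Everything else reaching INPUT is rejected.
  printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' COMMIT
}

# Render first, apply second. A missing allowlist or a malformed entry stops
# here and leaves the currently loaded rules untouched. The previous
# sequence (-P ACCEPT, -F, -X, then -A one by one) left INPUT fully open
# while the rules were being appended and after any mid-way failure.
ruleset=$(build_ruleset) || exit 1

# iptables-restore validates and commits the table as a unit; a rejected
# ruleset leaves the live table unchanged.
if ! iptables-restore <<<"$ruleset"; then
  printf '%s: iptables-restore rejected the generated ruleset\n' "${0##*/}" >&2
  exit 1
fi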
