#!/bin/bash
###########################
# Pin locale and PATH so tool output and command lookup do not depend on the
# caller's environment (this script is typically run from cron or by hand).
export LANG=C LC_ALL=C
export PATH='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
#####filter table ##########

######## INPUT chain: reset, then baseline accepts ########
# Bring the filter table back to a permissive baseline before rebuilding it:
# every policy to ACCEPT, all rules flushed, user-defined chains deleted.
# From here until the final REJECT rule is appended the host accepts all
# traffic, so the remainder of this script must run to completion.
for chain in INPUT OUTPUT FORWARD; do
  iptables -P "$chain" ACCEPT
done
iptables -F
iptables -X

# Keep packets belonging to connections already tracked, and all loopback traffic.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# ICMP of any type, rate-limited to an average of 40 matches per second.
iptables -A INPUT -p icmp -m icmp --icmp-type any -m limit --limit 40/s -j ACCEPT
# NOTE(review): only the IPv4 filter table is managed here; ip6tables is not
# touched — confirm IPv6 is disabled on this host or filtered elsewhere.
 
######批量放通端口########
#iptables -A INPUT  -p tcp -m multiport --dports 80,443 -j ACCEPT
######批量放通端口########
#iptables -A INPUT -s 0.0.0.0/0  -p tcp -m multiport --dport 65300,65400,65500  -j ACCEPT 

##### Ops / bastion node IPs: SSH (tcp/22) only #####
# Public bastion addresses first, then the bastion's internal node.
for ssh_src in 122.128.111.227 122.128.111.146 103.20.60.253 192.168.1.2; do
  iptables -A INPUT -s "$ssh_src" -p tcp --dport 22 -j ACCEPT
done

### Bastion internal subnet: all ports ###
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

### Bastion node: every port open from this one address ###
iptables -A INPUT -s 34.150.66.45 -j ACCEPT

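### External sources allowed to reach tcp/80 and tcp/443 ###
# Sources are read from /opt/sh/ip.txt, one or more whitespace-separated
# entries per line. A line containing '#' anywhere is skipped whole, which is
# the same rule the original `grep -v "#"` applied, so an inline comment
# disqualifies the entry it follows. Each entry is passed to iptables quoted
# and must look like a dotted-quad IPv4 address with an optional /prefix, so
# a malformed or edited entry cannot turn into extra iptables arguments.
# Rejected entries are reported on stderr and skipped; a missing file is
# reported and leaves the ruleset without any external 80/443 sources.
# NOTE(review): the original loop also accepted hostnames (iptables resolved
# them at rule-load time); this deliberately rejects them — confirm ip.txt
# holds only literal addresses.
allow_list=/opt/sh/ip.txt
if [[ -r "$allow_list" ]]; then
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ "$line" == *'#'* ]] && continue
    # default IFS here: split the line into whitespace-separated entries
    read -r -a entries <<<"$line"
    for ip in "${entries[@]}"; do
      if [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/([0-9]|[12][0-9]|3[0-2]))?$ ]]; then
        iptables -A INPUT -s "$ip" -p tcp -m multiport --dport 443,80 -j ACCEPT
      else
        printf 'warning: skipping malformed entry in %s: %s\n' "$allow_list" "$ip" >&2
      fi
    done
  done < "$allow_list"
else
  printf 'warning: %s is not readable; no external 80/443 sources added\n' "$allow_list" >&2
fi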

####### default: reject whatever nothing above accepted #######
# Last INPUT rule; unmatched packets get an ICMP host-prohibited reply.
iptables --append INPUT --jump REJECT --reject-with icmp-host-prohibited

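######## save ########
# Persist the live ruleset (with counters) to the file the iptables init
# service loads at boot. Write into a temp file beside the target and rename
# it into place, so a failing iptables-save cannot leave the boot-time
# ruleset truncated or half written (a plain `> file` truncates first).
# mktemp creates the file mode 0600 and mv keeps that mode.
saved_rules=/etc/sysconfig/iptables
if tmp_rules=$(mktemp "${saved_rules}.XXXXXX"); then
  if iptables-save -c > "$tmp_rules"; then
    mv -f -- "$tmp_rules" "$saved_rules"
  else
    printf 'error: iptables-save failed; %s left unchanged\n' "$saved_rules" >&2
    rm -f -- "$tmp_rules"
    exit 1
  fi
else
  printf 'error: cannot create a temp file next to %s\n' "$saved_rules" >&2
  exit 1
fi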
