以下代码是一个模板!!
新建一个文件,将后缀改为.sh,然后复制并粘贴下面的代码。
有不懂的shell脚本问题可以在下方留言[呵呵]
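#!/bin/sh
# Template: restrict the outbound IPv4 traffic of one Android app (selected by
# UID) with iptables, then re-allow a fixed set of destination IPs, ports and
# payload strings. IPv6 is closed for the whole device.
#
# The script uses arrays, which plain POSIX sh does not have; it needs a shell
# that supports them (bash, or mksh as shipped on Android).
# It must run with enough privilege to change netfilter rules.
#
# Review before use:
#   * `iptables -F` empties every chain of the filter table, including rules
#     that were installed by something else (on Android the system manages
#     chains in this table as well).
#   * If a step fails the script stops; rules applied up to that point stay.
#   * Only the IPv4 FORWARD policy is changed; the IPv4 INPUT and OUTPUT
#     policies are left as they are.

# Print an error to stderr and stop, so that no "success" line follows a
# command that actually failed.
die() {
  echo "错误: $*" >&2
  exit 1
}

pkg="com.tencent.tmgp.pubgmhd"
packages_list="/data/system/packages.list"

# Resolve the UID before touching the firewall, so a failed lookup leaves the
# existing rules intact. The package name is compared exactly against field 1
# (a regex/substring match would also hit packages whose name merely contains
# it and could return several UIDs); field 2 is the UID.
[ -r "$packages_list" ] || die "无法读取 $packages_list"
uid=$(awk -v pkg="$pkg" '$1 == pkg { print $2; exit }' "$packages_list")
case "$uid" in
  '' | *[!0-9]*) die "未找到 $pkg 的UID" ;;
esac

# Remove all existing rules from the filter table.
iptables -F || die "清除iptables规则失败"
echo "iptables规则已清除"

# Default policy DROP for forwarded IPv4 traffic.
iptables -P FORWARD DROP || die "设置FORWARD默认策略失败"

# IPv6: default policy DROP on INPUT, FORWARD and OUTPUT. This applies to the
# whole device, not only to the target app. Failing here is fatal because an
# open IPv6 path would bypass the IPv4 rules below.
ip6tables -P INPUT DROP || die "设置IPv6 INPUT默认策略失败"
ip6tables -P FORWARD DROP || die "设置IPv6 FORWARD默认策略失败"
ip6tables -P OUTPUT DROP || die "设置IPv6 OUTPUT默认策略失败"

# Drop all outbound traffic of the app. This rule is appended (-A); every
# exception below is inserted (-I) at the head of OUTPUT and is therefore
# evaluated before it.
iptables -A OUTPUT -m owner --uid-owner="$uid" -j DROP \
  || die "添加UID $uid 的DROP规则失败"
echo "禁止UID为$uid的应用联网成功"

# Destination IPs the app may still reach.
# Replace with the addresses that are actually required.
allow_ips=(
  "101.89.15.220" "101.89.15.230" "101.89.15.229"
  "203.205.254.156" "117.184.248.88" "116.128.164.124"
  "116.128.164.125" "117.184.248.87" "203.205.254.145"
  "49.51.67.47" "49.51.67.157" "101.227.162.110"
  "223.167.104.112" "120.204.0.111" "140.207.119.111"
  "180.163.25.112" "183.192.199.121" "182.254.92.110"
  "182.254.78.103" "203.205.151.16" "203.205.151.49"
)
for ip in "${allow_ips[@]}"; do
  iptables -I OUTPUT -m owner --uid-owner="$uid" -d "$ip" -j ACCEPT \
    || die "放行IP $ip 失败"
done
echo "特定IP放行成功"

# Destination ports the app may still use (TCP and UDP).
# NOTE(review): these rules carry no -d match, so they accept traffic to ANY
# address on these ports; with 80 and 443 listed, the IP allowlist above does
# not narrow web traffic. The range 10013:65010 already covers 54863 and 65010.
allow_ports=("10001" "10013:65010" "54863" "3031" "443" "80" "65010")
for port in "${allow_ports[@]}"; do
  iptables -I OUTPUT -m owner --uid-owner="$uid" -p tcp --dport "$port" -j ACCEPT \
    || die "放行TCP端口 $port 失败"
  iptables -I OUTPUT -m owner --uid-owner="$uid" -p udp --dport "$port" -j ACCEPT \
    || die "放行UDP端口 $port 失败"
done
echo "特定端口放行成功"

# "Domain" exceptions for the app.
# NOTE(review): the string match looks for the literal bytes inside each
# packet; it does not resolve names. It accepts any packet of the app that
# contains the text, whatever the destination, and it cannot see text inside
# encrypted payloads. DNS queries encode names as length-prefixed labels, so
# the dotted form does not appear in them.
allow_domains=(
  "dsgroup1range.cfm.qq.com" "dsgroup2range.cfm.qq.com"
  "dsgroup3range.cfm.qq.com" "dsgroup4range.cfm.qq.com"
  "dsgroup5range.cfm.qq.com" "dsgroup6range.cfm.qq.com"
  "dsgroup7range.cfm.qq.com" "dsgroup8range.cfm.qq.com"
  "dsgroup9range.cfm.qq.com" "dsgroup10range.cfm.qq.com"
  "dsgroup11range.cfm.qq.com" "dsgroup12range.cfm.qq.com"
  "app.cfm.qq.com" "cf.qq.com" "cfm.qq.com"
)
for domain in "${allow_domains[@]}"; do
  iptables -I OUTPUT -m owner --uid-owner="$uid" -p all \
    -m string --string "$domain" --algo bm -j ACCEPT \
    || die "放行域名 $domain 失败"
done
echo "特定域名放行成功"

# Strings to block. These rules have no owner match, so they apply to every
# UID on the device; being inserted last they sit at the head of OUTPUT and
# are evaluated before all ACCEPT rules above. The payload-matching limits
# described for the allow rules apply here too.
block_domains=("gitee.com")
for domain in "${block_domains[@]}"; do
  iptables -I OUTPUT -p all -m string --string "$domain" --algo bm -j DROP \
    || die "禁止域名 $domain 失败"
done
echo "特定域名禁止成功"

# Final status; only reached when every rule above was installed.
echo "iptables配置执行成功"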