脚本内容
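#!/bin/bash
# iptables_secure.sh — harden a CentOS host: default-deny iptables, ipset
# whitelist / knock-allow / blacklist sets, knockd port knocking and fail2ban.
#
# Usage:      sudo ./iptables_secure.sh
# Env (opt):  KNOCK_IFACE  interface knockd listens on (default: eth0)
# Effect:     firewalld is stopped; afterwards only port 80 and ICMP are
#             reachable for non-whitelisted hosts, every other port (SSH
#             included) needs the knock sequence first.
set -euo pipefail

# Print an error to stderr and abort.
die() { printf '[!] %s\n' "$*" >&2; exit 1; }

# ====== 配置区域 ======
WHITELIST_IPS=("1.2.3.4" "8.8.8.8")
KNOCK_OPEN="11111,22222,33333"
KNOCK_CLOSE="33333,22222,11111"
KNOCK_TIMEOUT=15
KNOCK_IFACE="${KNOCK_IFACE:-eth0}"  # interface knockd listens on
KNOCKALLOW_TIMEOUT=3600             # seconds a knocked-open IP stays allowed
BANTIME=604800 # 秒,7天
readonly WHITELIST_IPS KNOCK_OPEN KNOCK_CLOSE KNOCK_TIMEOUT KNOCK_IFACE \
  KNOCKALLOW_TIMEOUT BANTIME

[[ $EUID -eq 0 ]] || die "请以 root 身份运行: sudo ./iptables_secure.sh"

# Lock-out guard: once the rules are in place only whitelisted hosts can open
# a new SSH session without knocking. Best effort — sudo may not pass
# SSH_CONNECTION through, in which case nothing is printed.
ssh_client="${SSH_CONNECTION:-}"
ssh_client="${ssh_client%% *}"
if [[ -n "$ssh_client" ]]; then
  in_whitelist=0
  for ip in "${WHITELIST_IPS[@]}"; do
    if [[ "$ip" == "$ssh_client" ]]; then
      in_whitelist=1
    fi
  done
  if (( in_whitelist == 0 )); then
    printf '[!] 警告: 当前 SSH 来源 %s 不在白名单中, 之后新的 SSH 连接需要先敲门\n' \
      "$ssh_client" >&2
  fi
fi

echo "[+] 安装必要组件..."
# EPEL has to be enabled in its own transaction: packages that live in EPEL
# (knock, fail2ban) cannot be resolved in the same yum call that installs
# epel-release, because the repo does not exist yet when yum resolves them.
yum install -y epel-release
# ipset-service persists the ipset sets across reboot; without it the saved
# iptables rules reference sets that do not exist at boot and the restore
# fails, leaving the host without the DROP rules.
yum install -y iptables ipset ipset-service iptables-services knock fail2ban
# yum does not necessarily fail the transaction when a single package is
# unavailable, so make sure the daemon really is there before configuring it.
command -v knockd >/dev/null 2>&1 \
  || die "knockd 未安装: 请先从源码安装并创建 knockd.service, 然后重新运行本脚本"
ip link show dev "$KNOCK_IFACE" >/dev/null 2>&1 \
  || die "网卡 $KNOCK_IFACE 不存在, 请通过 KNOCK_IFACE=<网卡名> 指定 knockd 监听网卡"

# ====== 初始化 iptables 规则 ======
echo "[+] 初始化 iptables..."
systemctl stop firewalld || true
systemctl disable firewalld || true
systemctl enable iptables
systemctl start iptables

# Open the INPUT policy before flushing: if a previous run left it at DROP,
# flushing first would cut the operator's own session. DROP is re-applied
# at the end, once the ACCEPT rules exist.
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z

# ipset: 记录白名单和敲门授权IP
ipset create whitelist hash:ip -exist
ipset create knockallow hash:ip timeout "$KNOCKALLOW_TIMEOUT" -exist
ipset create blacklist hash:ip timeout "$BANTIME" -exist
# 添加白名单 IP
for ip in "${WHITELIST_IPS[@]}"; do
  ipset add whitelist "$ip" -exist
done

# Loopback & 已建立连接允许
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 白名单允许全部
iptables -A INPUT -m set --match-set whitelist src -j ACCEPT
# 黑名单直接拒绝 — this sits after the ESTABLISHED rule, so a freshly banned
# IP keeps its already-open connections; only new connections are dropped.
iptables -A INPUT -m set --match-set blacklist src -j DROP
# 敲门后授权IP允许访问所有端口
iptables -A INPUT -m set --match-set knockallow src -j ACCEPT
# 默认仅开放 80 端口
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# === 允许 ICMP (ping),可选 ===
iptables -A INPUT -p icmp -j ACCEPT
# 默认策略 — INPUT DROP last, after the ACCEPT rules above are in place
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

service iptables save
# Persist the sets as well; /etc/sysconfig/ipset is what ipset-service
# restores at boot so the saved rules can reference the sets — confirm the
# path on the target release.
ipset save >/etc/sysconfig/ipset
systemctl enable ipset

# ====== 配置 knockd ======
echo "[+] 配置 knockd..."
# -exist on add refreshes the timeout when an allowed IP knocks again, and
# on del keeps the close sequence from erroring for an IP that is not listed.
cat >/etc/knockd.conf <<EOF
[options]
UseSyslog
[openports]
sequence = ${KNOCK_OPEN}
seq_timeout = ${KNOCK_TIMEOUT}
command = /usr/sbin/ipset add knockallow %IP% -exist
tcpflags = syn
[closeports]
sequence = ${KNOCK_CLOSE}
seq_timeout = ${KNOCK_TIMEOUT}
command = /usr/sbin/ipset del knockallow %IP% -exist
tcpflags = syn
EOF
# The knock sequence is the access secret: keep the file readable by root only.
chmod 600 /etc/knockd.conf

# Listening interface. /etc/sysconfig/knockd is presumably read by the
# package's knockd.service (confirm on the target); create the OPTIONS line
# when it is missing instead of silently skipping, which is what
# `sed -i ... || true` did when the file did not exist.
if [[ -f /etc/sysconfig/knockd ]] && grep -q '^OPTIONS=' /etc/sysconfig/knockd; then
  sed -i "s/^OPTIONS=.*/OPTIONS=\"-i ${KNOCK_IFACE}\"/" /etc/sysconfig/knockd
else
  printf 'OPTIONS="-i %s"\n' "$KNOCK_IFACE" >>/etc/sysconfig/knockd
fi
systemctl enable knockd
systemctl restart knockd

# ====== 配置 fail2ban ======
echo "[+] 配置 fail2ban..."
# NOTE(review): fail2ban's iptables-ipset action manages an ipset of its own,
# named after the jail; after a test ban check with `ipset list` whether the
# banned IP landed in the `blacklist` set created above or in a separate set.
# The apache-portscan jail also needs /var/log/httpd/access_log to exist
# (fail2ban may refuse to start a jail whose logpath is missing).
cat >/etc/fail2ban/jail.local <<EOF
[DEFAULT]
bantime = $BANTIME
findtime = 60
maxretry = 2
backend = auto
ignoreip = 127.0.0.1/8 ${WHITELIST_IPS[*]}
[sshd]
enabled = true
[apache-portscan]
enabled = true
filter = apache-portscan
action = iptables-ipset[name=blacklist, port=all, protocol=all]
logpath = /var/log/httpd/access_log
maxretry = 2
EOF

# 创建自定义 filter
# The pattern matches anywhere in the request line, so bare words such as
# "etc" and "passwd" also hit legitimate URLs that merely contain them;
# with maxretry = 2 that bans real users quickly — tune before relying on it.
# Quoted delimiter: the regex is written literally, nothing expands.
cat >/etc/fail2ban/filter.d/apache-portscan.conf <<'EOF'
[Definition]
failregex = <HOST>.*"(GET|POST|HEAD).*(phpmyadmin|\.env|\.git|\.svn|wp-admin|wp-login|etc|passwd|\/\.\.)"
ignoreregex =
EOF
systemctl enable fail2ban
systemctl restart fail2ban

echo "[✔] 配置完成!iptables 模式已启用"
echo "→ 默认仅 80 开放"
echo "→ 敲门开放指令: knock your.ip ${KNOCK_OPEN//,/ }"
echo "→ 关闭访问指令: knock your.ip ${KNOCK_CLOSE//,/ }"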
执行方式
# Run as root: the script stops firewalld and rewrites the iptables ruleset,
# so do it from a session that is whitelisted in the script's WHITELIST_IPS.
chmod +x iptables_secure.sh
sudo ./iptables_secure.sh
出现报错信息:
sed: can’t read /etc/sysconfig/knockd: No such file or directory
Failed to enable unit: Unit file knockd.service does not exist.
报错解决:
CentOS 默认不包含 knockd,需要你手动安装并配置。下面是解决步骤:
✅ 步骤一:安装 knockd
CentOS 官方源没有提供 knockd,你可以通过以下方式安装:
🧩 方法 1:使用 EPEL + 源码构建
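# Build knockd from source (the CentOS base repo has no knock package).
yum install -y epel-release git gcc make libpcap-devel
# Chain the steps so a failed clone or configure does not run `make install`
# from the wrong directory. Supply-chain note: check out a reviewed release
# tag or commit (`git checkout <TAG_OR_COMMIT>`) before building rather than
# whatever HEAD happens to be; if the checkout has no configure script,
# generate it with the repository's autotools bootstrap script first.
cd /usr/local/src &&
git clone https://github.com/jvinet/knock.git knockd &&
cd knockd &&
./configure &&
make &&
make install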
⏩ 安装后,knockd 可执行文件会被放在 /usr/local/bin/knockd
✅ 步骤二:手动创建 systemd 启动文件
创建 knockd.service 文件:
# systemd unit for the source-built knockd in /usr/local/bin.
# Quoted delimiter: the unit body contains nothing that should expand.
# -D (debug) presumably keeps knockd in the foreground, which is what a
# default systemd service expects — verify with knockd's own usage text.
# Without -i <IFACE> knockd listens on its built-in default interface;
# add the flag if this host's interface is not that default.
cat >/etc/systemd/system/knockd.service <<'EOF'
[Unit]
Description=Port-knock Daemon
After=network.target
[Service]
ExecStart=/usr/local/bin/knockd -D -c /etc/knockd.conf
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
✅ 步骤三:配置 knockd(如前所示)
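# knockd configuration: the open sequence adds the knocking IP to the
# `knockallow` ipset, the close sequence removes it again. Quoted delimiter:
# every value below is literal, nothing is expanded by the shell.
cat >/etc/knockd.conf <<'EOF'
[options]
UseSyslog
[openports]
sequence = 11111,22222,33333
seq_timeout = 15
command = /usr/sbin/ipset add knockallow %IP%
tcpflags = syn
[closeports]
sequence = 33333,22222,11111
seq_timeout = 15
command = /usr/sbin/ipset del knockallow %IP%
tcpflags = syn
EOF
# The sequence is the access secret: keep the file readable by root only.
chmod 600 /etc/knockd.conf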
✅ 步骤四:启动并启用服务
# Re-exec the manager and reload unit files so the new knockd.service is seen.
systemctl daemon-reexec
systemctl daemon-reload
# Enable at boot and start now; knockd needs /etc/knockd.conf to exist first.
systemctl enable knockd
systemctl start knockd
✅ 验证 knockd 是否工作
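# pgrep does not match its own process the way `ps aux | grep knockd` does
# (that grep always lists itself, so it "succeeds" even when knockd is down).
pgrep -a knockd || echo "knockd is not running" >&2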
你应该能看到 knockd 正在运行。
Windows电脑Knock.exe客户端下载和使用
下载链接:https://github.com/sebastienwarin/Knock/releases/download/1.0/Knock.exe(运行前请核对发布来源和文件哈希)
使用方式
开启:
REM Open: send the open sequence to the server (replace 192.168.0.1 with its address).
knock.exe 192.168.0.1 11111 22222 33333
关闭:
REM Close: send the reversed sequence to remove this IP from the allow set.
knock.exe 192.168.0.1 33333 22222 11111