客戶的要求，不想讓外國(guó)的ip來(lái)訪問服務(wù)器，本來(lái)要讓機(jī)房在上端路由解決，但是那些人不鳥你?。。~~~
這樣的話，只能自己用iptables解決了~~~~~~~~~
關(guān)于 ip庫(kù) 大家可以去 http://www.ipdeny.com/ipblocks/ 下載，這里有各個(gè)國(guó)家的~~~

復(fù)制代碼代碼如下:

#下載ip庫(kù)

#wget http://rfyiamcool.googlecode.com/files/allip.txt

wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone

#把分號(hào)去掉

sed -i 's/;$//' allip.txt

#把ip端調(diào)出來(lái)

for i in `cat cn.zone`

do

echo "iptables -A INPUT -s $i -j ACCEPT" >>iptables.sh

done

cat iptables.sh

把這個(gè)腳本做下優(yōu)化，在iptables.sh前面加上下面的命令！

復(fù)制代碼代碼如下:

#!/bin/bash

ziji="222.173.13.5"

iptables -F

iptables -X

iptables -Z

iptables -t nat -F 

iptables -t mangle -F 

modprobe iptable_nat

modprobe ip_nat_ftp

modprobe ip_nat_irc

modprobe ip_conntrack

modprobe ip_conntrack_ftp

modprobe ip_conntrack_irc

modprobe ipt_limit

modprobe ipt_recent ip_list_tot=16384

modprobe ip_conntrack hashsize=16384

echo "1024  63000" > /proc/sys/net/ipv4/ip_local_port_range

echo "1" > /proc/sys/net/ipv4/tcp_tw_recycle

echo "1" > /proc/sys/net/ipv4/tcp_tw_reuse

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "1" >/proc/sys/net/ipv4/conf/all/log_martians

echo "1" >/proc/sys/net/ipv4/tcp_syncookies

echo "2" >/proc/sys/net/ipv4/tcp_synack_retries

echo "5000" >/proc/sys/net/ipv4/tcp_max_syn_backlog

echo "3" >/proc/sys/net/ipv4/tcp_syn_retries

echo "1" > /proc/sys/net/ipv4/tcp_tw_reuse

echo "1" > /proc/sys/net/ipv4/tcp_tw_recycle

echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout

echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP

iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT

/sbin/iptables -t nat -P PREROUTING ACCEPT

/sbin/iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -s $ziji -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP