| 首页 | 新闻 | 网页 | 设计 | 色彩 | 原创 | 视觉 | 素材 | 动漫 | 酷站 | 策划 | 文案 | 访谈 | 运营 | 编程 | 数据库 | 服务器 | 下载 | 图库 | 
您的位置: 幽幽天空 > 网页 > 服务器 > Linux教程 > 文章正文 用户登录
一个站点要运营成
迅雷联盟:个人站
迅雷联盟,个人站
一个失败者的网站
从名片看到一个小
一个大学生的网页
网络新生领域扫描
一个站长建站经历
一个网络创业者的
广捷居 一个永不言

一个国产的防火墙脚本           

一个国产的防火墙脚本
作者:佚名 来源:不详 更新:2006-8-25 21:05:35 错误报告 我要投稿
DMZ部分尚不完善,其中难免有疏漏,希望大家跟我一块改进,使他功能越来越强大,使用时请将firewall-dev copy 到/etc/rc.d/init.d将 firewall.conf copy /etc/下,你只需修改firewall.conf文件就可以了。可以用firewall-dev start|stop起动和关闭防火墙,功能增加中,如你有任何改动请发一份给我,arlenecc@263.net
本着GPL的原则希望有志之士跟我一块完善它,如有改动请通知我!!!!


firewall-dev

#!/bin/bash
# This is a firewall script with the function of stateful and
# ip filter, you can change it to meet you need,in a words:
# uplink means the output interface ,router means if you neet it
# to be a router or not,nat means if you are useing a dynamic ip
# address
# if you do ,then you can change it to "dynamic",interfaces means
# all the interface in you server ,services means all the services
# you server providing ,enjoy it !!! ----- write by arlenecc
#
##############################################################################
# #
# Copyright (c) 2002 arlenecc arlenecc@netease.com #
# All rights reserved #
# #
##############################################################################
#
# now begins the firewall


UPLINK=`less /root/firewall.conf | grep "UPLINK" | cut -d = -f 2 `

UPIP=`less /root/firewall.conf | grep "UPIP" | cut -d = -f 2`

ROUTER=`less /root/firewall.conf | grep "ROUTER" | cut -d = -f 2`

NAT=`less /root/firewall.conf | grep "NAT" | cut -d = -f 2`

INTERFACES=`less /root/firewall.conf | grep "INTERFACES" | cut -d = -f 2`

SERVICES=`less /root/firewall.conf | grep "SERVICES" | cut -d = -f 2`

DENYPORTS=`less /root/firewall.conf | grep "DENYPORTS" | cut -d = -f 2`

DENYUDPPORT=`less /root/firewall.conf | grep "DENYUDPPORT" | cut -d = -f 2`

LAN_IF=`less /root/firewall.conf | grep "LAN_IF" | cut -d = -f 2`

LAN_NET=`less /root/firewall.conf | grep "LAN_NET" | cut -d = -f 2`

DMZ_NET=`less /root/firewall.conf | grep "DMZ_NET" | cut -d = -f 2`

DMZ_IF=`less /root/firewall.conf | grep "DMZ_IF" | cut -d = -f 2`

DMZ_TCP_PORT=`less /root/firewall.conf | grep "DMZ_TCP_PORT" | cut -d = -f 2`

DMZ_UDP_PORT=`less /root/firewall.conf | grep "DMZ_UDP_PORT" | cut -d = -f 2`

WEB_IP=`less /root/firewall.conf | grep "WEB_IP" | cut -d = -f 2`

FTP_IP=`less /root/firewall.conf | grep "FTP_IP" | cut -d = -f 2`

H323_PORT=`less /root/firewall.conf | grep "H323_PORT" | cut -d = -f 2`

H323=`less /root/firewall.conf | grep "H323" | cut -d = -f 2`



if [ "$1" = "start" ]
then
echo "Starting firewall......"

echo "NOW prepareing kernel for use,please wait....."

# if [ -e /proc/sys/net/ipv4/ip_forward ]
#
# then
# echo 1 >/proc/sys/net/ipv4/ip_forward
# fi
if [ "$NAT" = " dynamic " ]
then
echo "Enable dynamic ip support...."
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo "Enable the syn cook flood protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
then
echo "Setting the maximum number of connections to track.... "
echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
echo " OK !!!!"
fi

if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
then
echo " Setting local port range for TCP/UDP connection...."
echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
echo " OK !!!!"
fi

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo "Enable bad error message protection......."
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " OK !!!! "
fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo "Disabling tcp_ecn,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_ecn
echo " OK !!!! "
fi

for x in ${INTERFACES}
do
echo " Enabling rp_filter on ${x} ,please wait...."
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
echo " ${x} OK !!!! "
done

if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]

then

echo "Disabing ICMP redirects,please wait...."
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo " OK !!!! "
fi

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]

then
echo "Disabling source routing of packets,please wait...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do
echo 0 > $i
echo " $i OK !!!! "

done

fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo "Ignore any broadcast icmp echo requests......"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " OK !!!! "
fi

# if [ -e /proc/sys/net/ipv4/config/all/log_martians ]
#
# then
# echo "LOG packets with impossible addresses to kernel log...."
# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# echo " OK !!!! "
# fi
#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
#modprobe ip_tables
depmod -a


iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -F -t mangle
iptables -Z
iptables -X
iptables -N CHECK_FLAGS
iptables -F CHECK_FLAGS
iptables -N tcpHandler
iptables -F tcpHandler
iptables -N udpHandler
iptables -F udpHandler
iptables -N icmpHandler
iptables -F icmpHandler
iptables -N DROP-AND-LOG
iptables -F DROP-AND-LOG


echo "OK,the kernel is now prepared to use for building a firewall!!!"
echo "Waitting ........................"
echo "Creating a drop chain....."
iptables -A DROP-AND-LOG -j LOG --log-level 5
iptables -A DROP-AND-LOG -j DROP
echo " OK !!!!"
echo "Now starting the check_flag rules,please wait...."

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

echo " OK !!!! Finished check_flags rules...."


echo "Now starting the input rules,please wait......."
for x in ${DENYPORTS}


do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP
done

for x in ${DENYUDPPORT}

do
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
done


#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT


for x in ${SERVICES}

do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG


#iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"
iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVAILD ICMP IN:"
iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable
iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
iptables -A INPUT -i ${UPLINK} -f -j DROP
iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"
iptables -A INPUT -i ${LAN_IF} -f -j DROP
iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"
iptables -A INPUT -i ${DMZ_IF} -f -j DROP
iptables -A INPUT -i ${UPLINK} -j DROP
echo " OK !!!! The input rules has been successful applied ,continure......"

echo " Now starting FORWARD rules ,please wait ....."

iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP
iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP
iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP

iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP
iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT


iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -j DROP

echo " OK !!!! The forward rules has been successful applied,conniture......"
echo " Now applying output rules,please wait ...."
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP

iptables -A OUTPUT -j DROP

echo " OK !!!! The OUTPUT rules has been successful applied,conniture......."

echo " Now applying nat rules ,please wait ...."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867
iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP


if [ " $ROUTER " = " yes " ]

then
echo " enabing ip_forward,please wait..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "OK"
if [ " $NAT " = " dynamic " ]

then
echo "Enableing MASQUERADING (dynamic ip )..."
echo "Dynamic PPP connection,Now getting the dynamic ip address"
IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
echo " Now you IP ADDRESS is : ${IP_ADDR} "
iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80
iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21
iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20
if [ " $H323 " = " yes " ]
then
echo "Startting H323 NAT setting......"
for port in ${H323_PORT}
do

iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
done
fi
echo " OK,NAT setting start succecc.."
elif [ " $NAT " != " " ]

then
echo "Enableing SNAT (static ip)..."

# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21
if [ "$H323 " = " yes " ]
then
echo "Startting H323 NAT setting........"
for port in ${H323_PORT}

do
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
done
fi
echo " OK !!!!"

fi
fi
if [ " $SELF_SET " = " yes " ]
then
echo "Starting the rules you set yourself......"
# firewall
echo " OK !!!!"

echo " All rules has been successful applied,enjoy it...."


elif [ "$1" = "stop" ]

then
echo "Stoping Firewall...."
iptables -F INPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -F tcpHandler
iptables -F udpHandler
iptables -F icmpHandler
iptables -F CHECK_FLAGS
iptables -F DROP-AND-LOG
iptables -X tcpHandler
iptables -X udpHandler
iptables -X icmpHandler
iptables -X CHECK_FLAGS
iptables -X DROP-AND-LOG
echo "The firewall has successful shuted down,be careful !!!"
fi


firewall.conf

UPLINK=eth1
UPIP=192.168.2.188
ROUTER=yes
NAT=192.168.2.188
INTERFACES=lo eth0 eth1 eth2
SERVICES=http ftp
DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369

LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.3.0/24
DMZ_IF=eth2
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=192.168.3.1
FTP_IP=192.168.3.2
H323_PORT=
H323=no

#here you can add the block rules yourself ,but be sure you do all these setting otherwise ,it will not work at all !!!!
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
#here you can add the icmp block rules yourself,Be sure you do all these setting otherwise ,it will not work at all !!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
文章录入:skyuu    责任编辑:skyuu 
  • 上一篇文章:

  • 下一篇文章:
    • 【字体: 】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口
    网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!)
    发表评论:
    姓名:  评 分: 1分 2分 3分 4分 5分
     
  • 严禁发表危害国家安全、政治、黄色淫秽等内容的评论。
  • 用户需对自己在使用幽幽天空服务过程中的行为承担法律责任。
  • 本站管理员有权保留或删除评论内容。
  • 评论内容只代表机友个人观点,与本网站立场无关。
    • 免责声明:本站刊载的文章均来自网络,若有侵犯您的权益请点击下面QQ联系我!
    幽幽天空 WwW.SKYuu.CoM. 2004-2007 Copyright © All Rights Reserved.
    赣ICP备05001384号      业务联系QQ:624264050 有您请事留言!建站联系请留言!