|
|
发表于 2003-10-7 07:54:31
|
显示全部楼层
#!/bin/bash
#
# Script name: ipt_masq
# A simple script for masquerading, used in Linux (kernel 2.4.x).
#
# Copyleft 2002 by netman (netman@study-area.org).
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
# Date: 2002/02/04
# Version: 1.2
PATH=/sbin:/usr/sbin:/bin:/usr/bin
RC_SQUID=/etc/rc.d/init.d/squid
EXT_IF=ppp0
INT_IF=eth1
ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"
DENIED_ICMP="8"
#
# ------------- ensure iptables ----------
which iptables &>/dev/null || {
echo
echo "$(basename $0): iptables program is not found."
echo " Please install the program first."
echo
exit 1
}
# ------------- disable ipchains ----------
lsmod | grep ipchains &>/dev/null && {
echo "Disabling ipchains..."
rmmod ipchains &>/dev/null
}
# ------------- modules -----------
echo "Loading modules..."
modprobe ip_tables &>/dev/null || {
echo -n "$(basename $0): loading ip_tables module failure."
echo " Please Fix it!"
exit 3
}
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
module=$(basename $file)
modprobe ${module%.*} &>/dev/null
done
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o
do
module=$(basename $file)
modprobe ${module%.*} &>/dev/null
done
# ------------- ipforwarding -----------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
# ------------- anti spoofing -----------
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $file
done
# ------------- flushing ----------
echo "Cleaning up..."
iptables -F -t filter
iptables -X -t filter
iptables -Z -t filter
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
# ------------- policies -------------
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# ------------- ICMP -------------
echo "Creating icmpfilter chain..."
iptables -N icmpfilter
for TYPE in $DENIED_ICMP; do
iptables -A icmpfilter -i $EXT_IF -p icmp \
--icmp-type $TYPE -j DROP
done
for TYPE in $ALLOWED_ICMP; do
iptables -A icmpfilter -i $EXT_IF -p icmp \
--icmp-type $TYPE -j ACCEPT
done
# ------------- block -------------
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW,INVALID -i $EXT_IF -j DROP
iptables -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
iptables -A block -j DROP
# ------------- filter -------------
echo "Filtering packets..."
iptables -A INPUT -j icmpfilter
iptables -A INPUT -j block
iptables -A FORWARD -j icmpfilter
iptables -A FORWARD -j block
# ------------- masq -------------
echo "Masquerading internel network..."
iptables -t nat -A POSTROUTING -s 192.168.0.0/29 -o $EXT_IF -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.3/32 -d 192.168.0.3
# ------------- tproxy -------------
$RC_SQUID status | grep pid &>/dev/null && {
echo "Enabling transparent proxy..."
INT_IP=$(ifconfig | grep "$INT_IF " -A 1 \
| awk '/inet/ {print $2}' | sed -e s/addr\://)
if [ -z "$INT_IP" ]; then
echo
echo "$(basename $0): there is no IP found on $INT_IF."
echo " Please make sure $INT_IF is setup properly."
echo
exit 3
fi
#iptables -t nat -A PREROUTING -d $INT_IP -i $INT_IF \
#-p tcp -m tcp --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -i $INT_IF -p tcp -m tcp \
#--dport 80 -j REDIRECT --to-ports 3128
}
exit 0
## EOS
有了这个脚本全部搞定 |
|
IP卡
狗仔卡
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡