以下脚本是我自己做实验时用的脚本,其中有两个拓扑(top)图:第一个是真实拓扑,第二个是实验时使用的虚拟机环境,并详细描述了怎样搭建环境,希望能给大家一些帮助!
请多提建议啊!呵呵!
#!/bin/sh
#
# DESCRIPTION: This IPTABLES shell script is setting for IPTABLES LAB. So,
# it's sharing for everyone. And please contact me if you find
# any bugs in this script.
# Tip: this script can execute on the FireWall server only.
# If this script can NOT execute, maybe the following
# solutions can help you:
# 1) chmod +x lab_ipta.sh; ./lab_ipta.sh
# 2) maybe this script is a DOS format file, so you can
# use dos2unix command to convert it to UNIX format,
# for example: "dos2unix lab_ipta.sh". (unix2dos)
#
# VERSION: 2.1.3
# BUGS: Report bugs to ancharn@yahoo.com.cn
# SEE ALSO: iptables(8) (see manual page for details)
# AUTHOR: Eric Cheung, 12/20/2006.
#
# START OF SCRIPT
#
# SECTION I: TOP Map
# ------------------
# The REAL TOP MAP:
# The following top map is the REAL map.
# ######
# |-----> eth0 # #
# | ######
# | 192.168.3.180 (Web \
# | server)
# WAN FireWall |
# ###### ###### | #######
# # # <-------------------------> eth0 # # eth1 <------- # DMZ #
# ###### ###### | #######
# 62.36.21.254 192.168.3.54 |
# | ######
# |-----> eth0 # #
# ######
# 192.168.3.153 (DNS \
# Server)
#
# ------------------
# The LAB TOP MAP:
# The following top map is the LAB map (built from the real map above) for us to practice on.
#
# WAN FireWall LAN
# ###### ###### ######
# # Win# VMNet1<-------------->eth0 # # eth1<------------>eth0 # #
# ###### ###### ######
# 62.36.21.1 62.36.21.254 | 192.168.3.54 192.168.3.180/153/121
#
# Description: The FireWall and LAN hosts are Linux OS, and WAN host is \
# Windows host, the FireWall's NICs which eth0 and eth1 and \
# LAN's NIC eth0 connect to Windows NIC VMNet1(host only). \
# Windows host's default gateway(default route) is \
# 62.36.21.254/24, and FireWall's default gateway is \
# 62.36.21.1(default route is 62.36.21.1), the LAN host's \
# default gateway is 192.168.3.54. The LAN host is \
# WEB server/FTP server/DNS server.
#
#
# SECTION II: MODPROBE FILTER
# ---------------------------
#
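echo ;echo "Starting iptables ...... ";echo
# Enable IPv4 forwarding between the two interfaces.  printf replaces
# "echo -n": the -n flag is not portable under #!/bin/sh.
printf '%s' " Open ip_forward ...... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Done."
# Reverse-path (source address) filtering on every interface.
printf '%s' " Set rp_filter ...... "
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
  # sh has no nullglob: skip the literal pattern when nothing matched,
  # and quote the path so the write goes to the file, not to words of it.
  [ -e "$f" ] || continue
  echo 1 > "$f"
done
echo "Done."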
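# -------------------------- MODPROBE ---------------------------- #
printf '%s' " Modprobe now ...... "
# set kernel version.
KERNELVERSION=$(uname -r)
NFMODDIR=/lib/modules/$KERNELVERSION/kernel/net/ipv4/netfilter
# Load every netfilter module shipped for the running kernel, ONE modprobe
# call per module: "modprobe a b c" treats b and c as parameters of module
# a, not as further modules.  The directory test also stops a failed "cd"
# from turning "ls" of the current directory into a list of module names.
if [ -d "$NFMODDIR" ]; then
  for m in "$NFMODDIR"/*; do
    [ -e "$m" ] || continue
    m=${m##*/}     # basename
    m=${m%%.*}     # strip .ko / .ko.gz (same as the old awk -F . '{print $1}')
    modprobe "$m" || echo "WARNING: modprobe $m failed" >&2
  done
else
  echo "WARNING: $NFMODDIR not found, no netfilter modules loaded" >&2
fi
echo "Done."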
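# basic network settings
printf '%s' " Setting NIC's IP address and routing ...... "
ifconfig eth0 62.36.21.254 netmask 255.255.255.0 up
ifconfig eth1 192.168.3.54 netmask 255.255.255.0 up
route del default
route add default gw 62.36.21.1
echo "Done"
echo " Setting eth0 interface IP address to 62.36.21.254 ."
ifconfig eth0
echo " Setting eth1 interface IP address to 192.168.3.54 ."
ifconfig eth1
echo " Setting default gateway is 62.36.21.1 ."
netstat -rn
# set variable
# Read the addresses back from the interfaces.  sed prints only the dotted
# quad (the former cut/sed pipeline left trailing blanks in the value).
# NOTE(review): the "inet addr:" pattern is the classic net-tools output
# format; newer ifconfig prints "inet X" instead — confirm on the lab host.
FWEXTIP=$(ifconfig eth0 | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
FWINTIP=$(ifconfig eth1 | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
# Abort if the external address could not be read: an empty $FWEXTIP would
# silently turn "-j SNAT --to $FWEXTIP" and "-d $FWEXTIP" in the rules
# below into broken iptables command lines.  ($FWINTIP is kept for
# reference; the rules below do not use it.)
: "${FWEXTIP:?could not read the IP address of eth0}"
EXTIF=eth0
INTIF=eth1
LAN=192.168.3.0/24
WEBSRV=192.168.3.180
DNSSRV=192.168.3.153
FTPSRV=192.168.3.121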
#
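# SECTION III: SETTING IPTABLES
# -----------------------------
echo
echo " Setting iptables policies ...... "
printf '%s' " Flush iptables ...... "
# Zero counters, flush rules and delete user chains in the filter and nat
# tables.  (-F does not reset chain policies; they are set explicitly
# below.)  "Done." is printed after the work, not before it.
iptables -Z
iptables -Z -t nat
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
echo "Done."
printf '%s' " Setting iptables default policies ...... "
# Anything not explicitly accepted by the rules that follow is dropped,
# both for traffic to the firewall itself and for forwarded traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# OUTPUT stays open; set it explicitly so a previous run or another script
# cannot leave a different policy behind (flushing does not touch it).
iptables -P OUTPUT ACCEPT
# NOTE(review): no INPUT rule accepts loopback or ESTABLISHED traffic, so
# services running on the firewall itself (and remote administration of
# it) are cut off by the DROP policy unless rules are added for them.
echo "Done."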
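# Phase 1: Set your server's firewall.
# the kernel's firewall settings.
#
# SYN cookies: keeps accepting connections when the SYN backlog fills up
# (SYN flood).  The author notes it is NOT good for high-loading servers.
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
#
# Ignore echo requests sent to broadcast addresses only (not unicast
# ping, which the INPUT rule in Phase 2 still answers).
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# set_proc_all VALUE FILE... : write VALUE to every FILE that exists.
# The caller passes a /proc glob; sh has no nullglob, so the -e test skips
# the literal pattern when it matched nothing, and the quoted expansion
# keeps the write aimed at the file itself.
set_proc_all() {
  _val=$1
  shift
  for _f in "$@"; do
    [ -e "$_f" ] || continue
    echo "$_val" > "$_f"
  done
}
#
# record some problems packets (log packets with impossible source addresses).
set_proc_all 1 /proc/sys/net/ipv4/conf/*/log_martians
#
# unset the routing from source (do not accept source-routed packets).
set_proc_all 0 /proc/sys/net/ipv4/conf/*/accept_source_route
#
# unset the setting of redirect routing (do not accept ICMP redirects).
set_proc_all 0 /proc/sys/net/ipv4/conf/*/accept_redirects
#
# unset send_redirect (do not send ICMP redirects).
set_proc_all 0 /proc/sys/net/ipv4/conf/*/send_redirects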
#
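# Phase 2: Other settings.
#
# set allow ping packet INPUT(OUTPUT) firewallself.
# Echo requests to the firewall are accepted at 1/s; the excess falls to
# the INPUT DROP policy.  The OUTPUT rule only has an effect if OUTPUT is
# ever given a restrictive policy (this script does not set one).
printf '%s' " Setting ping to firewallself ...... "
iptables -A INPUT -i eth+ -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A OUTPUT -o eth+ -p icmp --icmp-type echo-reply -m limit --limit 1/s --limit-burst 1 -j ACCEPT
echo "Done."
#
# set LAN can access Internet with $FWEXTIP ip address from $EXTIF interface.
# $FWEXTIP is deliberately left unquoted: the value is read back from
# ifconfig and may carry trailing blanks that word-splitting strips.
printf '%s' " Setting SNAT: LAN to Internet ...... "
iptables -A POSTROUTING -t nat -s "$LAN" -o "$EXTIF" -j SNAT --to $FWEXTIP
echo "Done."
#
# set DNS query for Internet and LAN.
# Queries: Internet -> $DNSSRV (DNAT) and LAN -> Internet.  Replies are
# matched as ESTABLISHED in addition to "--sport 53": a bare source-port
# match would forward ANY UDP packet that merely claims port 53, in both
# directions.
printf '%s' " Setting DNAT: DNS query ...... "
iptables -A PREROUTING -t nat -i "$EXTIF" -p udp --dport 53 -j DNAT --to "$DNSSRV"
iptables -A FORWARD -i "$EXTIF" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$EXTIF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o "$EXTIF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o "$EXTIF" -p udp --dport 53 -j ACCEPT
echo "Done."
#
# Publish $WEBSRV machine (Web Server) to Internet.
# The first rule redirects LAN web traffic to port 3128 on the firewall
# itself.  NOTE(review): nothing in the INPUT chain accepts port 3128 from
# $INTIF, so with the INPUT DROP policy that traffic is dropped unless a
# proxy is listening there AND an INPUT rule for it is added — confirm
# the intent before relying on LAN web access through this box.
printf '%s' " Setting DNAT: HTTP server ...... "
iptables -A PREROUTING -t nat -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i "$EXTIF" -d $FWEXTIP -p tcp --dport 80 -j DNAT --to "$WEBSRV"
iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$WEBSRV" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -o "$EXTIF" -i "$INTIF" -p tcp --sport 80 -s "$WEBSRV" -m state --state RELATED,ESTABLISHED -j ACCEPT
echo "Done."
#
# Publish $FTPSRV machine (FTP Server) to Internet.
# Ports 21 (control) and 20 (active-mode data) are forwarded.  Passive
# mode additionally needs the FTP connection-tracking / NAT helper
# modules; the modprobe step loads them only if they exist in the
# netfilter module directory — not verified here.
printf '%s' " Setting DNAT: FTP server ...... "
iptables -A PREROUTING -t nat -d $FWEXTIP -i "$EXTIF" -p tcp --dport 21 -j DNAT --to "$FTPSRV"
iptables -A PREROUTING -t nat -d $FWEXTIP -i "$EXTIF" -p tcp --dport 20 -j DNAT --to "$FTPSRV"
iptables -A FORWARD -d "$FTPSRV" -p tcp --dport 21 -o "$INTIF" -i "$EXTIF" -j ACCEPT
iptables -A FORWARD -s "$FTPSRV" -p tcp --sport 21 -i "$INTIF" -o "$EXTIF" -j ACCEPT
iptables -A FORWARD -s "$FTPSRV" -p tcp --sport 20 -i "$INTIF" -o "$EXTIF" -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -d "$FTPSRV" -p tcp --dport 20 -o "$INTIF" -i "$EXTIF" -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
echo "Done."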
#
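# Phase 3: Additional settings.
printf '%s' " Setting additional settings ...... "
# These rules are appended AFTER the service rules, so they can only add
# matches, never cap them: a "-m limit ... -j ACCEPT" here does not limit
# the traffic accepted above, it whitelists a trickle of otherwise
# unmatched forwarded traffic (any SYN, RST, echo request or fragment,
# to any host) that the FORWARD DROP policy would have discarded.  Log the
# first of each burst instead and let the policy drop it all; the limit
# keeps the log from being flooded.  (Needs the LOG target module, which
# the modprobe step loads if it is present.)
# syn flood
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j LOG --log-prefix "FW syn: "
# port scan
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-prefix "FW rst: "
# ping flood
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-prefix "FW ping: "
# tcp fragment flood
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j LOG --log-prefix "FW frag: "
echo "Done."
echo; echo "End of the iptables script setting." ; echo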
#
# END OF SCRIPT