Reposting a home-grown firewall script

Views: 6745 | Replies: 12

Posted 2002-11-05 11:29:36
The DMZ part is not yet complete and there are bound to be omissions; I hope everyone will improve it together with me so that it becomes more and more capable. To use it, copy firewall-dev to /etc/rc.d/init.d and copy firewall.conf to /etc/; you only need to edit the firewall.conf file. Use firewall-dev start|stop to start and stop the firewall. Features are still being added; if you make any changes, please send me a copy at arlenecc@263.net
In the spirit of the GPL I hope like-minded people will help me perfect it; if you make changes, please let me know!!!!


firewall-dev

#!/bin/bash
#          This is a firewall script with stateful and IP filtering
#          functions; change it to meet your needs. In a few words:
#          UPLINK is the outgoing interface, ROUTER says whether the box
#          should act as a router or not, NAT is set to "dynamic" if you
#          have a dynamic IP address (otherwise to your static address),
#          INTERFACES lists all the interfaces in your server, and SERVICES
#          lists the services the server itself provides. Enjoy it !!!
#                                                      ----- written by arlenecc
#
##############################################################################
#                                                                            #
#    Copyright (c) 2002 arlenecc          arlenecc@netease.com               #
#    All rights reserved                                                     #
#                                                                            #
##############################################################################
#
#          now begins the firewall

# Configuration file. The post says to copy firewall.conf to /etc, so that is
# where the script looks for it (the original read /root/firewall.conf).
CONF=/etc/firewall.conf

# Read one KEY=value line from the config. The key is anchored at the start
# of the line so that, for example, "H323" does not also match "H323_PORT"
# (the original unanchored grep did), "-f 2-" keeps any '=' that appears
# inside the value, and surrounding blanks are trimmed so that string tests
# such as [ "$NAT" = "dynamic" ] work.
cfg() {
    grep "^$1=" "${CONF}" | head -n 1 | cut -d = -f 2- \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

UPLINK=$(cfg UPLINK)
UPIP=$(cfg UPIP)
ROUTER=$(cfg ROUTER)
NAT=$(cfg NAT)
INTERFACES=$(cfg INTERFACES)
SERVICES=$(cfg SERVICES)
DENYPORTS=$(cfg DENYPORTS)
DENYUDPPORT=$(cfg DENYUDPPORT)
LAN_IF=$(cfg LAN_IF)
LAN_NET=$(cfg LAN_NET)
DMZ_NET=$(cfg DMZ_NET)
DMZ_IF=$(cfg DMZ_IF)
DMZ_TCP_PORT=$(cfg DMZ_TCP_PORT)
DMZ_UDP_PORT=$(cfg DMZ_UDP_PORT)
WEB_IP=$(cfg WEB_IP)
FTP_IP=$(cfg FTP_IP)
H323_PORT=$(cfg H323_PORT)
H323=$(cfg H323)
H323HOST=$(cfg H323HOST)
SELF_SET=$(cfg SELF_SET)

if [ "$1" = "start" ]
then
    echo "Starting firewall......"
    echo "Now preparing the kernel for use, please wait....."

    # if [ -e /proc/sys/net/ipv4/ip_forward ]
    # then
    #     echo 1 >/proc/sys/net/ipv4/ip_forward
    # fi
    if [ "$NAT" = "dynamic" ]
    then
        echo "Enabling dynamic IP support...."
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
        echo "    OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
    then
        echo "Enabling SYN cookie flood protection"
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo "     OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
    then
        echo "Setting the maximum number of connections to track.... "
        echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
        echo "          OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
    then
        echo " Setting local port range for TCP/UDP connections...."
        echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
        echo "            OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
    then
        echo "Enabling bad error message protection......."
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo "    OK !!!! "
    fi
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo "Disabling tcp_ecn, please wait..."
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
        echo "     OK  !!!!  "
    fi

    # Reverse-path filtering: drop packets whose source address would not be
    # routed back out of the interface they arrived on (basic anti-spoofing).
    for x in ${INTERFACES}
    do
        echo " Enabling rp_filter on ${x}, please wait...."
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        echo "  ${x}  OK  !!!!  "
    done

    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
    then
        echo "Disabling ICMP redirects, please wait...."
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo "    OK  !!!!   "
    fi

    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
    then
        echo "Disabling source routing of packets, please wait...."
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route
        do
            echo 0 > $i
            echo "     $i    OK !!!!       "
        done
    fi
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
    then
        echo "Ignoring broadcast ICMP echo requests......"
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "      OK !!!!    "
    fi

    # if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]
    # then
    #     echo "Logging packets with impossible addresses to the kernel log...."
    #     echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    #     echo "    OK  !!!!   "
    # fi
    #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
    #modprobe ip_tables
    depmod -a

    # Default-deny policies, then flush every chain (user chains included)
    # before deleting the user chains, so that a second "start" also works.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -Z
    iptables -X
    iptables -N CHECK_FLAGS
    iptables -N tcpHandler
    iptables -N udpHandler
    iptables -N icmpHandler
    iptables -N DROP-AND-LOG

    echo "OK, the kernel is now prepared for building a firewall!!!"
    echo "Waiting ........................"
    echo "Creating a drop chain....."
    iptables -A DROP-AND-LOG -j LOG --log-level 5
    iptables -A DROP-AND-LOG -j DROP
    echo "     OK !!!!"
    echo "Now starting the check_flag rules, please wait...."

    # Illegal TCP flag combinations used by scanners (nmap Xmas, NULL,
    # SYN/FIN, ...). Logging is rate-limited so that a scan cannot fill the log.
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVALID NMAP SCAN "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # Note: --tcp-option matches a TCP option kind number, not the two reserved
    # flag bits; these four rules are kept as the author wrote them.
    iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
    iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
    iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

    echo "  OK !!!! Finished check_flags rules...."

    echo "Now starting the input rules, please wait......."

    # Loopback must be allowed explicitly; with the DROP policy and no such
    # rule, local services could not talk to themselves.
    iptables -A INPUT -i lo -j ACCEPT

    # Run every incoming TCP packet through the flag checks built above (the
    # original created CHECK_FLAGS but never jumped to it).
    iptables -A INPUT -p tcp -j CHECK_FLAGS

    # Packets arriving on the uplink with loopback, private, multicast or
    # reserved source addresses are spoofed. They are checked before the
    # service-accept rules so that a spoofed packet to an open port is not
    # accepted first. (The original list had 192.168.0.0/24 and 172.12.0.0/16,
    # which are not the RFC 1918 ranges, and 240.0.0.0/5 for reserved space.)
    iptables -A INPUT -i ${UPLINK} -s 127.0.0.0/8 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/16 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 172.16.0.0/12 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/4 -j DROP-AND-LOG

    # DMZ addresses must never arrive on the LAN interface. These rules are
    # placed before the LAN accept rule so that they actually take effect.
    iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID TCP FROM DMZ:"
    iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID UDP FROM DMZ:"
    iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
    iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID ICMP FROM DMZ:"
    iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP

    # Ports that must never be reachable from the uplink, even if they also
    # appear in SERVICES (deny rules come first).
    for x in ${DENYPORTS}
    do
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVALID PORT:${x} TCP IN:"
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
    done

    for x in ${DENYUDPPORT}
    do
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
    done

    #iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

    # Services the firewall host itself offers on the uplink.
    for x in ${SERVICES}
    do
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done

    #iptables -A INPUT -i ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
    # A new TCP connection must start with a SYN.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
    # Everything else from the uplink: log and reject/drop by protocol.
    iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUEST:"
    iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
    iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVALID ICMP IN:"
    iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable
    iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVALID UDP IN:"
    iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -p tcp -i ${UPLINK} -j LOG --log-prefix "INVALID TCP IN:"
    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
    iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
    iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVALID FRAGMENTS ${UPLINK}:"
    iptables -A INPUT -i ${UPLINK} -f -j DROP
    iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVALID FRAGMENT ${LAN_IF}:"
    iptables -A INPUT -i ${LAN_IF} -f -j DROP
    iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVALID FRAGMENT ${DMZ_IF}:"
    iptables -A INPUT -i ${DMZ_IF} -f -j DROP
    iptables -A INPUT -i ${UPLINK} -j DROP
    echo "  OK !!!! The input rules have been applied successfully, continuing......"

    echo " Now starting FORWARD rules, please wait ....."

    # Same illegal-flag checks as for INPUT, via the shared chain (the original
    # repeated the drop rules inline here, without logging).
    iptables -A FORWARD -p tcp -j CHECK_FLAGS
    iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Published DMZ services: new connections from the uplink are accepted
    # only into the DMZ network, on the ports listed in DMZ_TCP_PORT and
    # DMZ_UDP_PORT. The config defined those lists but the original never used
    # them; it instead accepted any forwarded SYN at 1/s, which both throttled
    # the web server to one new connection per second and let a trickle of
    # SYNs through towards every host behind the firewall.
    for x in ${DMZ_TCP_PORT}
    do
        iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -d ${DMZ_NET} -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done
    for x in ${DMZ_UDP_PORT}
    do
        iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -d ${DMZ_NET} -p udp --dport ${x} -m state --state NEW -j ACCEPT
    done

    # Any other new connection from the uplink is logged (rate-limited) and
    # handed to a per-protocol chain that drops it.
    iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
    iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
    iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
    iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
    iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
    iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
    iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP excess connections "
    iptables -A tcpHandler -p tcp -j DROP
    iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP excess connections"
    iptables -A udpHandler -p udp -j DROP
    iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP excess connections"
    iptables -A icmpHandler -p icmp -j DROP

    iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
    iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
    #iptables -A FORWARD -o ${UPLINK} -i ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #iptables -A FORWARD -o ${UPLINK} -i ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # DMZ hosts may not open connections into the LAN: a compromised DMZ
    # server stays in the DMZ.
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVALID TCP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVALID UDP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVALID ICMP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP
    iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
    iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT

    iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID TCP FORWARD DATA"
    iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID UDP FORWARD DATA"
    iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
    iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -j DROP

    echo "   OK !!!! The forward rules have been applied successfully, continuing......"
    echo " Now applying output rules, please wait ...."
    # Note: these rules only let the host originate connections from its LAN
    # or DMZ address; connections it makes from its uplink address (DNS
    # lookups, updates) are not allowed and would need an extra rule.
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVALID TCP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVALID UDP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVALID ICMP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVALID ICMP STATE OUTPUT:"
    iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVALID NEW,INVALID STATE:"
    iptables -A OUTPUT -m state --state NEW,INVALID -j DROP

    iptables -A OUTPUT -j DROP

    echo "    OK !!!! The OUTPUT rules have been applied successfully, continuing......."

    echo " Now applying nat rules, please wait ...."
    #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
    #iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867
    # Packets from the uplink addressed directly to the internal networks
    # are never legitimate.
    iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
    iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP

    if [ "$ROUTER" = "yes" ]
    then
        echo " enabling ip_forward, please wait..."
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "OK"
        if [ "$NAT" = "dynamic" ]
        then
            echo "Enabling MASQUERADING (dynamic IP)..."
            echo "Dynamic PPP connection, now getting the dynamic IP address"
            # Current address of the uplink, parsed from the net-tools ifconfig
            # output of the time ("inet addr:A.B.C.D  ..."); the original
            # hard-coded ppp0 here.
            IP_ADDR=$(ifconfig ${UPLINK} | grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1)
            echo " Your IP address is now: ${IP_ADDR} "
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
            iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
            # --dport requires a protocol; the original lines lacked -p tcp and
            # iptables rejects them.
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20
            if [ "$H323" = "yes" ]
            then
                echo "Starting H323 NAT setting......"
                for port in ${H323_PORT}
                do
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -j DNAT --to ${H323HOST}:${port}
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -j DNAT --to ${H323HOST}:${port}
                done
            fi
            echo "      OK, NAT setting started successfully.."
        elif [ -n "$NAT" ]
        then
            echo "Enabling SNAT (static IP)..."
            # iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21
            if [ "$H323" = "yes" ]
            then
                echo "Starting H323 NAT setting........"
                for port in ${H323_PORT}
                do
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -j DNAT --to ${H323HOST}:${port}
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -j DNAT --to ${H323HOST}:${port}
                done
            fi
            echo "    OK !!!!"
        fi
    fi
    if [ "$SELF_SET" = "yes" ]
    then
        echo "Starting the rules you set yourself......"
        # The BLOCK_TYPE/PROTO/... and ICMP_* settings in firewall.conf are
        # reserved for this block; the rules that read them are not written yet.
        echo "     OK !!!!"
    fi

    echo " All rules have been applied successfully, enjoy...."

elif [ "$1" = "stop" ]
then
    echo "Stopping firewall...."
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # Flush and delete every chain, including the whole nat table (the
    # original flushed only POSTROUTING and left the DNAT rules in place).
    iptables -F
    iptables -t nat -F
    iptables -X
    echo "The firewall has been shut down, be careful !!!"
else
    echo "Usage: $0 {start|stop}"
    exit 1
fi

  404. firewall.conf

UPLINK=eth1
UPIP=192.168.2.188
ROUTER=yes
NAT=192.168.2.188
INTERFACES=lo eth0 eth1 eth2
SERVICES=http ftp
DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369

LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.3.0/24
DMZ_IF=eth2
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=192.168.3.1
FTP_IP=192.168.3.2
H323_PORT=
H323=no
# Host that receives the H.323 port forwards when H323=yes. The script uses
# ${H323HOST}, but the original config had no line for it.
H323HOST=

# Here you can add block rules of your own, but be sure you fill in all of
# these settings, otherwise it will not work at all!!!!
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
# Here you can add ICMP block rules of your own; be sure you fill in all of
# these settings, otherwise it will not work at all!!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
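The script reads every setting with `less firewall.conf | grep "KEY" | cut -d = -f 2`. That lookup is unanchored, so `grep "H323"` also returns the `H323_PORT` line, a commented-out `#KEY=` line is picked up as if it were live, and any blank left after a value makes a test such as `[ "$NAT" = "dynamic" ]` fail silently, which is how the NAT and H323 branches end up never running. The following is an added example, not code from the original post: it puts the loose lookup beside an anchored, trimmed one and runs both against a small configuration text constructed here (the `TAB` after `dynamic` is deliberate, to stand in for stray whitespace).

```shell
#!/bin/sh
# Added example, not part of the original post: key lookup for
# firewall.conf-style files. The configuration text below is constructed
# for this demonstration.
TAB=$(printf '\t')
CONF_TEXT="UPLINK=eth1
ROUTER=yes
NAT=dynamic${TAB}
INTERFACES=lo eth0 eth1 eth2
#SELF_SET=yes
SELF_SET=
H323_PORT=1720
H323=no"

# Lookup as written in the original script (kept only for comparison):
# unanchored grep, first '='-separated field only, no trimming.
cfg_get_loose() {
    printf '%s\n' "$CONF_TEXT" | grep "$1" | cut -d = -f 2
}

# Anchored lookup: the key must start the line and be followed by '=',
# only the first match is used, "-f 2-" keeps any '=' inside the value,
# and leading/trailing blanks are trimmed so exact string tests work.
cfg_get() {
    printf '%s\n' "$CONF_TEXT" | grep "^$1=" | head -n 1 | cut -d = -f 2- |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# How many config lines the unanchored pattern hits; a sound lookup hits one.
cfg_match_count() {
    printf '%s\n' "$CONF_TEXT" | grep -c "$1"
}

# yes/no flags in the config are compared as exact strings.
cfg_is_yes() {
    [ "$(cfg_get "$1")" = "yes" ]
}

# Show what each lookup yields for the keys the original script tests.
for key in UPLINK NAT H323 H323_PORT SELF_SET; do
    printf '%-10s hits=%s loose=[%s] anchored=[%s]\n' "$key" \
        "$(cfg_match_count "$key")" \
        "$(cfg_get_loose "$key" | tr '\n' '|')" \
        "$(cfg_get "$key")"
done
```

`cfg_match_count H323` reports two hits and `cfg_get_loose H323` returns two lines, while `cfg_get H323` returns just `no`; `cfg_get_loose NAT` carries the trailing tab and therefore is not equal to `dynamic`. For a production script the same effect is simpler to get by sourcing a config whose multi-word values are quoted, but the anchored grep keeps the original file format unchanged.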
Posted 2002-12-03 19:40:07
Too complicated.
Tomorrow I'll write the author a letter and ask whether he has finished this script.
Posted 2004-01-06 14:51:33
Nanbei, did you write that letter? Is there a more complete version?
It's old news; I came across it today while browsing the highlights. Heh!
Posted 2004-05-09 23:55:36
Yes, I'd like to know too.
Posted 2004-05-10 11:10:32
Bump!

After reading it carefully I really learned a lot.
Posted 2004-10-21 11:03:19
Copying it down to read through slowly!~
Bumping it first!!
Posted 2004-10-21 23:43:43
I'm a real newbie and don't know what it can do; is it only a firewall?
Can it act as a proxy server, share an Internet connection, do routing and the like? I just want a proxy-server script for an Internet café; could some brother give me one? As long as it's secure and good enough for a café.
Posted 2005-02-28 17:40:35
What happened afterwards?
Waiting for a reply.
Posted 2005-02-28 20:58:18
Really good stuff; an expert, truly an expert.
Posted 2005-03-01 17:44:14
Very good, but iptables on Linux is already quite good!