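### Kernel settings [START]
# Forward packets between interfaces; this host routes/NATs for the LAN
# (the MASQUERADE rule further down relies on this).
echo 1 > /proc/sys/net/ipv4/ip_forward
# SYN cookies: keep accepting connections while the SYN backlog is flooded.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore echo requests sent to broadcast addresses (smurf amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Reverse-path filtering on every interface: a packet whose source address
# is not routable back through the interface it arrived on is discarded.
# If the glob matches nothing the literal pattern is left in $f, so each
# path is existence-checked before writing to it.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue
  echo 1 > "$f"
done
# Do not honour source-routed packets (sender-chosen path, obsolete).
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done
# Do not accept ICMP redirects; they let a neighbour alter our routing table.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  [ -e "$f" ] || continue
  echo 0 > "$f"
done
### Kernel settings [END]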
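### Preparation [START]
# Default-deny every built-in filter chain *before* the old rules are
# flushed, so the host is never open during the rebuild (the flush below
# removes the old ACCEPT rules; new ones are appended further down).
# $IPT is deliberately left unquoted: it may carry options as well as the
# binary path and is expected to word-split.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# /proc/net/ip_tables_names lists the tables currently loaded (filter, nat,
# ...).  Its absence means iptables is not supported here: CHAINS stays
# empty and the loop is skipped.  Despite the name, CHAINS holds table names.
CHAINS=$(cat /proc/net/ip_tables_names 2>/dev/null)
# Per table: flush rules (-F), delete user-defined chains (-X) and zero the
# counters (-Z).  A chain can only be referenced from its own table, so one
# pass per table is equivalent to the three separate passes.
# Word-splitting on $CHAINS is intended: one table name per word.
# shellcheck disable=SC2086
for t in $CHAINS; do
  $IPT -t "$t" -F
  $IPT -t "$t" -X
  $IPT -t "$t" -Z
done
### Preparation [END]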
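### Main rules [START]
# Local traffic: the loopback network on the loopback interface, and this
# host's own address arriving on $IF.
$IPT -A INPUT -i "$LPIF" -s "$LPNET" -j ACCEPT
# NOTE(review): accepting packets on $IF that carry our own address as
# source relies on rp_filter (enabled above) to reject spoofed copies —
# confirm this is intended.
$IPT -A INPUT -i "$IF" -s "$IP" -j ACCEPT
# Drop (and log, via the chain buildLog creates) anything addressed to the
# broadcast address, in all three directions.
buildLog "广播丢弃" "DROP" "广播丢弃[BC]:"
$IPT -A INPUT -i "$IF" -d "$BC" -j "广播丢弃"
$IPT -A OUTPUT -o "$IF" -d "$BC" -j "广播丢弃"
$IPT -A FORWARD -o "$IF" -d "$BC" -j "广播丢弃"
# IP-spoofing rules (disabled by the author; kept for reference).  If they
# are re-enabled, use extrapositioned negation (`! -s "$NET"`) as below.
#buildLog "IP欺骗" "DROP" "IP欺骗[IP]:"
#$IPT -A INPUT -i "$IF" ! -s "$NET" -j "IP欺骗"
#$IPT -A OUTPUT -o "$IF" ! -d "$NET" -j "IP欺骗"
#$IPT -A FORWARD -i "$IF" ! -s "$NET" -j "IP欺骗"
#$IPT -A FORWARD -o "$IF" ! -d "$NET" -j "IP欺骗"
# Outbound ICMP other than echo-request (type 8) is dropped on $IF, so echo
# replies to outside pingers never leave (this rule precedes the
# ESTABLISHED,RELATED accepts added later).  `! --icmp-type 8` is the
# current negation syntax; the intrapositioned `--icmp-type ! 8` form is
# deprecated.
# NOTE(review): this also drops outbound type 3 (destination-unreachable,
# including fragmentation-needed) and type 11, which can break path-MTU
# discovery for peers — consider allowing those types explicitly.
buildLog "外部PING丢弃" "DROP" "外部PING丢弃[PING]:"
$IPT -A OUTPUT -o "$IF" -p icmp ! --icmp-type 8 -j "外部PING丢弃"
$IPT -A FORWARD -o "$IF" -p icmp ! --icmp-type 8 -j "外部PING丢弃"
# Services the host and the LAN may open (NEW connections only; return
# traffic is covered by the ESTABLISHED,RELATED rules appended later).
# Port names are resolved through the services database.
# NOTE(review): non-standard names such as qq/msn must exist there or the
# corresponding iptables call fails.
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time msn svn rsync irc ircs ircd"
UDPSERV="domain time qq msn irc ircs"
printf '%s\n' "FW: Allowing inside systems to use service[TCP]: "
# Word-splitting on $TCPSERV / $UDPSERV is intended: one service per word.
# shellcheck disable=SC2086
for svc in $TCPSERV; do
  printf '%s ' "$svc"
  $IPT -A OUTPUT -o "$IF" -p tcp -s "$IP" --dport "$svc" --syn -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i "$IF" -p tcp -s "$NET" --dport "$svc" --syn -m state --state NEW -j ACCEPT
done
printf '\n'
printf '%s\n' "FW: Allowing inside systems to use service[UDP]: "
# shellcheck disable=SC2086
for svc in $UDPSERV; do
  printf '%s ' "$svc"
  $IPT -A OUTPUT -o "$IF" -p udp -s "$IP" --dport "$svc" -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i "$IF" -p udp -s "$NET" --dport "$svc" -m state --state NEW -j ACCEPT
done
printf '\n'
### Main rules [END]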
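### Finishing rules [START]
# Loopback traffic: the loopback net and the host's own address/network,
# in every direction on $LPIF.
$IPT -A OUTPUT -o "$LPIF" -s "$LPIP" -j ACCEPT
$IPT -A FORWARD -i "$LPIF" -s "$LPNET" -j ACCEPT
$IPT -A INPUT -i "$LPIF" -s "$LPNET" -j ACCEPT
$IPT -A OUTPUT -o "$LPIF" -s "$IP" -j ACCEPT
$IPT -A FORWARD -i "$LPIF" -s "$NET" -j ACCEPT
$IPT -A INPUT -i "$LPIF" -s "$NET" -j ACCEPT
# Ping (echo-request, type 8) over loopback.
$IPT -A OUTPUT -o "$LPIF" -p icmp -s "$LPIP" --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i "$LPIF" -p icmp -s "$LPNET" --icmp-type 8 -m state --state NEW -j ACCEPT
# Ping sourced from the host's own address / network.
# NOTE(review): the author's comment labels these three rules "eth0", yet
# they match $LPIF rather than $IF — confirm which interface is meant.
$IPT -A OUTPUT -o "$LPIF" -p icmp -s "$IP" --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i "$LPIF" -p icmp -s "$NET" --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i "$LPIF" -p icmp -s "$NET" --icmp-type 8 -m state --state NEW -j ACCEPT
# Outgoing ping on $IF (replies come back via the ESTABLISHED,RELATED rule).
$IPT -A OUTPUT -o "$IF" -p icmp -s "$IP" --icmp-type 8 -m state --state NEW -j ACCEPT
# Inbound SSH on $IF: new connections are accepted from any source.
# NOTE(review): consider restricting the source (-s) to trusted networks
# and/or rate-limiting new SSH connections.
$IPT -A INPUT -i "$IF" -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# nat table: the built-in chains default to ACCEPT, so the three ACCEPT rules
# mainly document intent; LAN ($NET) traffic leaving through $IF is
# masqueraded behind this host's address.
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o "$IF" -s "$NET" -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
# Inbound ident/auth, from any source on any interface.
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
# Return traffic for connections the rules above admitted.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch-all: log and drop/reject whatever no rule above matched.  INPUT and
# FORWARD are silently dropped; OUTPUT is rejected so local processes get an
# immediate error instead of a timeout.  (The chain policies are already
# DROP, so these mainly add the log entry.)
buildLog "未分类丢弃" "DROP" "未分类丢弃[UNKOWN]:"
buildLog "未分类拒绝" "REJECT" "未分类拒绝[UNKOWN]:"
$IPT -A INPUT -j "未分类丢弃"
$IPT -A OUTPUT -j "未分类拒绝"
$IPT -A FORWARD -j "未分类丢弃"
### Finishing rules [END]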