DMZ 部分尚不完善，其中难免有疏漏，希望大家跟我一起改进，使其功能越来越强大。使用时请将 firewall-dev 复制到 /etc/rc.d/init.d，将 firewall.conf 复制到 /etc/ 下，之后只需修改 firewall.conf 文件即可。可以用 firewall-dev start|stop 启动和关闭防火墙。功能增加中，如你有任何改动请发一份给我：arlenecc@263.net
本着 GPL 的原则，希望有志之士跟我一起完善它，如有改动请通知我！
firewall-dev
#!/bin/bash
# This is a firewall script with stateful inspection and IP filtering; you
# can change it to meet your needs. In short: "uplink" is the outgoing
# interface; "router" says whether this machine should act as a router;
# "nat" says whether you are using a dynamic IP address (if you do, set it
# to "dynamic"); "interfaces" lists all the interfaces on your server; and
# "services" lists all the services your server provides. Enjoy it!
#                                                  ----- written by arlenecc
#
##############################################################################
#                                                                            #
#        Copyright (c) 2002 arlenecc  arlenecc@netease.com                   #
#        All rights reserved                                                 #
#                                                                            #
##############################################################################
#
# now begins the firewall
- UPLINK=`less /root/firewall.conf | grep "UPLINK" | cut -d = -f 2 `
-
- UPIP=`less /root/firewall.conf | grep "UPIP" | cut -d = -f 2`
-
- ROUTER=`less /root/firewall.conf | grep "ROUTER" | cut -d = -f 2`
-
- NAT=`less /root/firewall.conf | grep "NAT" | cut -d = -f 2`
-
- INTERFACES=`less /root/firewall.conf | grep "INTERFACES" | cut -d = -f 2`
-
- SERVICES=`less /root/firewall.conf | grep "SERVICES" | cut -d = -f 2`
-
- DENYPORTS=`less /root/firewall.conf | grep "DENYPORTS" | cut -d = -f 2`
-
- DENYUDPPORT=`less /root/firewall.conf | grep "DENYUDPPORT" | cut -d = -f 2`
-
- LAN_IF=`less /root/firewall.conf | grep "LAN_IF" | cut -d = -f 2`
-
- LAN_NET=`less /root/firewall.conf | grep "LAN_NET" | cut -d = -f 2`
-
- DMZ_NET=`less /root/firewall.conf | grep "DMZ_NET" | cut -d = -f 2`
-
- DMZ_IF=`less /root/firewall.conf | grep "DMZ_IF" | cut -d = -f 2`
-
- DMZ_TCP_PORT=`less /root/firewall.conf | grep "DMZ_TCP_PORT" | cut -d = -f 2`
-
- DMZ_UDP_PORT=`less /root/firewall.conf | grep "DMZ_UDP_PORT" | cut -d = -f 2`
-
- WEB_IP=`less /root/firewall.conf | grep "WEB_IP" | cut -d = -f 2`
-
- FTP_IP=`less /root/firewall.conf | grep "FTP_IP" | cut -d = -f 2`
-
- H323_PORT=`less /root/firewall.conf | grep "H323_PORT" | cut -d = -f 2`
-
- H323=`less /root/firewall.conf | grep "H323" | cut -d = -f 2`
-
-
- if [ "$1" = "start" ]
- then
- echo "Starting firewall......"
- echo "NOW prepareing kernel for use,please wait....."
- # if [ -e /proc/sys/net/ipv4/ip_forward ]
- #
- # then
- # echo 1 >/proc/sys/net/ipv4/ip_forward
- # fi
- if [ "$NAT" = " dynamic " ]
- then
- echo "Enable dynamic ip support...."
- echo 1 > /proc/sys/net/ipv4/ip_dynaddr
- echo " OK !!!!"
- fi
- if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
- then
- echo "Enable the syn cook flood protection"
- echo 1 > /proc/sys/net/ipv4/tcp_syncookies
- echo " OK !!!!"
- fi
- if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
- then
- echo "Setting the maximum number of connections to track.... "
- echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
- echo " OK !!!!"
- fi
-
- if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
- then
- echo " Setting local port range for TCP/UDP connection...."
- echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
- echo " OK !!!!"
- fi
-
- if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
- then
- echo "Enable bad error message protection......."
- echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
- echo " OK !!!! "
- fi
- if [ -e /proc/sys/net/ipv4/tcp_ecn ]
- then
- echo "Disabling tcp_ecn,please wait..."
- echo 0 >/proc/sys/net/ipv4/tcp_ecn
- echo " OK !!!! "
- fi
- for x in ${INTERFACES}
- do
- echo " Enabling rp_filter on ${x} ,please wait...."
- echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
- echo " ${x} OK !!!! "
- done
-
- if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
-
- then
-
- echo "Disabing ICMP redirects,please wait...."
- echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
- echo " OK !!!! "
- fi
-
- if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
- then
- echo "Disabling source routing of packets,please wait...."
- for i in /proc/sys/net/ipv4/conf/*/accept_source_route
-
- do
- echo 0 > $i
- echo " $i OK !!!! "
-
- done
-
- fi
- if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
- then
- echo "Ignore any broadcast icmp echo requests......"
- echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
- echo " OK !!!! "
- fi
-
- # if [ -e /proc/sys/net/ipv4/config/all/log_martians ]
- #
- # then
- # echo "LOG packets with impossible addresses to kernel log...."
- # echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
- # echo " OK !!!! "
- # fi
- #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
- #modprobe ip_tables
- depmod -a
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
- iptables -P OUTPUT DROP
- iptables -F INPUT
- iptables -F FORWARD
- iptables -F OUTPUT
- iptables -F -t nat
- iptables -F -t mangle
- iptables -Z
- iptables -X
- iptables -N CHECK_FLAGS
- iptables -F CHECK_FLAGS
- iptables -N tcpHandler
- iptables -F tcpHandler
- iptables -N udpHandler
- iptables -F udpHandler
- iptables -N icmpHandler
- iptables -F icmpHandler
- iptables -N DROP-AND-LOG
- iptables -F DROP-AND-LOG
- echo "OK,the kernel is now prepared to use for building a firewall!!!"
- echo "Waitting ........................"
- echo "Creating a drop chain....."
- iptables -A DROP-AND-LOG -j LOG --log-level 5
- iptables -A DROP-AND-LOG -j DROP
- echo " OK !!!!"
- echo "Now starting the check_flag rules,please wait...."
-
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
- iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
- iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
- iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
- iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
- iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
- echo " OK !!!! Finished check_flags rules...."
- echo "Now starting the input rules,please wait......."
- for x in ${DENYPORTS}
- do
- iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"
- iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
- iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"
- iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP
- done
- for x in ${DENYUDPPORT}
- do
- iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
- iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP
- iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
- iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
- done
- #iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
- for x in ${SERVICES}
-
- do
- iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- done
- iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
- iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
- iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG
- iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
- iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG
-
- #iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- #iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
- iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
- iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
- iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
- iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
- iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
- iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
- iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"
- iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
- iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
- iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
- iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVAILD ICMP IN:"
- iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable
- iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
- iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
- iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
- iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
- iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
- iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
- iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
- iptables -A INPUT -i ${UPLINK} -f -j DROP
- iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"
- iptables -A INPUT -i ${LAN_IF} -f -j DROP
- iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"
- iptables -A INPUT -i ${DMZ_IF} -f -j DROP
- iptables -A INPUT -i ${UPLINK} -j DROP
- echo " OK !!!! The input rules has been successful applied ,continure......"
- echo " Now starting FORWARD rules ,please wait ....."
- iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
- iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
- iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
- iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
- iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
- iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
- iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
- iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
- iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
- iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
- iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
- iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
- iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
- iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
- iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
- iptables -A tcpHandler -p tcp -j DROP
- iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
- iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
- iptables -A udpHandler -p udp -j DROP
- iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
- iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
- iptables -A icmpHandler -p icmp -j DROP
- iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
- iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
- #iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- #iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
- iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset
- iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
- iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP
- iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
- iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP
- iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
- iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
- iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
- iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-
- iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
- iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
- iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
- iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
- iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
- iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
- iptables -A FORWARD -m state --state NEW,INVALID -j DROP
- iptables -A FORWARD -j DROP
- echo " OK !!!! The forward rules has been successful applied,conniture......"
- echo " Now applying output rules,please wait ...."
- iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
- iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset
- iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
- iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP
- iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"
- iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP
- iptables -A OUTPUT -o lo -j ACCEPT
- iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
- iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
- iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"
- iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
- iptables -A OUTPUT -j DROP
- echo " OK !!!! The OUTPUT rules has been successful applied,conniture......."
- echo " Now applying nat rules ,please wait ...."
- #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
- #iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867
- iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
- iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP
- if [ " $ROUTER " = " yes " ]
- then
- echo " enabing ip_forward,please wait..."
- echo 1 >/proc/sys/net/ipv4/ip_forward
- echo "OK"
- if [ " $NAT " = " dynamic " ]
-
- then
- echo "Enableing MASQUERADING (dynamic ip )..."
- echo "Dynamic PPP connection,Now getting the dynamic ip address"
- IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
- echo " Now you IP ADDRESS is : ${IP_ADDR} "
- iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
- iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
- iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80
- iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21
- iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20
- if [ " $H323 " = " yes " ]
- then
- echo "Startting H323 NAT setting......"
- for port in ${H323_PORT}
- do
-
- iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
- iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
- done
- fi
- echo " OK,NAT setting start succecc.."
- elif [ " $NAT " != " " ]
-
- then
- echo "Enableing SNAT (static ip)..."
-
- # iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
- iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
- iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
- iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
- iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20
- iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21
- if [ "$H323 " = " yes " ]
- then
- echo "Startting H323 NAT setting........"
- for port in ${H323_PORT}
-
- do
- iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
- iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
- done
- fi
- echo " OK !!!!"
- fi
- fi
- if [ " $SELF_SET " = " yes " ]
- then
- echo "Starting the rules you set yourself......"
- # firewall
- echo " OK !!!!"
- echo " All rules has been successful applied,enjoy it...."
- elif [ "$1" = "stop" ]
- then
- echo "Stoping Firewall...."
- iptables -F INPUT
- iptables -P INPUT ACCEPT
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD ACCEPT
- iptables -F FORWARD
- iptables -F OUTPUT
- iptables -t nat -F POSTROUTING
- iptables -F tcpHandler
- iptables -F udpHandler
- iptables -F icmpHandler
- iptables -F CHECK_FLAGS
- iptables -F DROP-AND-LOG
- iptables -X tcpHandler
- iptables -X udpHandler
- iptables -X icmpHandler
- iptables -X CHECK_FLAGS
- iptables -X DROP-AND-LOG
- echo "The firewall has successful shuted down,be careful !!!"
- fi
- firewall.conf
- UPLINK=eth1
- UPIP=192.168.2.188
- ROUTER=yes
- NAT=192.168.2.188
- INTERFACES=lo eth0 eth1 eth2
- SERVICES=http ftp
- DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79
- DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
-
- LAN_IF=eth0
- LAN_NET=192.168.1.0/24
- DMZ_NET=192.168.3.0/24
- DMZ_IF=eth2
- DMZ_TCP_PORT=20 21 25 53 80 110
- DMZ_UDP_PORT=53
- WEB_IP=192.168.3.1
- FTP_IP=192.168.3.2
- H323_PORT=
- H323=no
#here you can add your own block rules, but be sure to fill in all of these settings; otherwise they will not work at all !!!!
- SELF_SET=
- BLOCK_TYPE=
- PROTO=
- INTE_IF=
- SRC=
- DST=
- DPORT=
- ACTION=
- ACTION_TYPE=
#here you can add your own icmp block rules; be sure to fill in all of these settings, otherwise they will not work at all !!!!
- ICMP_IF=
- ICMP_SRC=
- ICMP_DST=
- ICMP_ACTION=
- ICMP_TYPE=