一个简单的IPTABLES脚本

发表于 2006-12-19 13:12:18 | 显示全部楼层 |阅读模式
以下脚本内容是我自己做实验时候的脚本,有两个拓扑图,第一个是真实拓扑,而第二个是试验时使用的虚拟机环境,有详细的描述怎样去搭建环境,希望给大家一些帮助!
请多提建议阿!呵呵!-

#!/bin/sh
#
# DESCRIPTION: This IPTABLES shell script sets up the IPTABLES LAB described
#                below and is shared for everyone to use. Please contact me if
#                you find any bugs in this script.
#                Tip: this script can execute on the FireWall server only.
#                        If this script can NOT execute, maybe the following
#                        solutions can help you:
#                        1) chmod +x lab_ipta.sh; ./lab_ipta.sh
#                        2) maybe this script is a DOS format file, so you can
#                           use dos2unix command to convert it to UNIX format,
#                           for example: "dos2unix lab_ipta.sh". (unix2dos)
#
# VERSION:        2.1.3
# BUGS:         Report bugs to ancharn@yahoo.com.cn
# SEE ALSO:        iptables(8) (see manual page for details)
# AUTHOR:         Eric Cheung, 12/20/2006.
#

# START OF SCRIPT
#
# SECTION I: Topology Map
# ------------------
# The REAL topology map:
# The following map is the real topology.
#                                                             ######
#                                                   |-----> eth0 #         #
#                                                   |              ######
#                                                     |      192.168.3.180 (Web \
#                                                   |                server)       
#  WAN                                         FireWall                           |               
# ######                        ######                   |        #######                       
# #         # <-------------------------> eth0 #           # eth1 <-------        # DMZ #
# ######                        ######            |        #######         
#                                        62.36.21.254    192.168.3.54      |       
#                                                   |             ######
#                                                   |-----> eth0 #          #
#                                                                  ######
#                                                          192.168.3.153 (DNS \
#                                                                Server)
#
# ------------------
# The LAB topology map:
# The following map is the lab topology (derived from the real one above) that we practice on.
#
#   WAN                                   FireWall                               LAN
# ######                          ######                                    ######       
# # Win# VMNet1<-------------->eth0 #         # eth1<------------>eth0 #         #
# ######                           ######                                       ######
# 62.36.21.1                      62.36.21.254 | 192.168.3.54           192.168.3.180/153/121
#
# Description: The FireWall and the LAN hosts run Linux; the WAN host runs
#                 Windows. The FireWall's NICs eth0 and eth1 and the LAN
#                host's NIC eth0 all attach to the Windows NIC VMNet1
#                (host only). The Windows host's default gateway (default
#                route) is 62.36.21.254/24, the FireWall's default gateway
#                is 62.36.21.1 (default route is 62.36.21.1), and the LAN
#                host's default gateway is 192.168.3.54. The LAN host is the
#                WEB server/FTP server/DNS server.
#
#
# SECTION II: MODPROBE FILTER
# ---------------------------
#
        echo ;echo "Starting iptables ...... ";echo
        echo -n "  Open ip_forward ......  "
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "Done."
        echo -n "  Set rp_filter ...... "
        for f in /proc/sys/net/ipv4/conf/*/rp_filter
        do
          echo 1 > $f
        done
        echo "Done."
        # -------------------------- MODPROBE ---------------------------- #
        echo -n "  Modprobe now ...... "
  # set kernel version.
        KERNELVERSION=`uname -r`
        modprobe ` ( cd /lib/modules/$KERNELVERSION/kernel/net/ipv4/netfilter ; ls ) | awk -F . '{print $1}' `
        echo "Done."       

  # basic network settings
        echo -n "  Setting NIC's IP address and routing ...... "
        ifconfig eth0 62.36.21.254 netmask 255.255.255.0 up
        ifconfig eth1 192.168.3.54 netmask 255.255.255.0 up
        route del default
        route add default gw 62.36.21.1
        echo "Done"
        echo "    Setting eth0 interface IP address to 62.36.21.254 ."
        ifconfig eth0
        echo "    Setting eth1 interface IP address to 192.168.3.54 ."
        ifconfig eth1
        echo "    Setting default gateway is 62.36.21.1 ."
        netstat -rn

  # set variable
        FWEXTIP=`ifconfig eth0 |grep "inet addr" | cut -d : -f 2 | sed -e 's/Bcast//'`
        FWINTIP=`ifconfig eth1 |grep "inet addr" | cut -d : -f 2 | sed -e 's/Bcast//'`
        EXTIF=eth0
        INTIF=eth1
        LAN=192.168.3.0/24
        WEBSRV=192.168.3.180
        DNSSRV=192.168.3.153
        FTPSRV=192.168.3.121

#       
# SECTION III: SETTING IPTABLES
# -----------------------------
        echo
        echo "  Setting iptables policies ...... "
        echo -n "    Flush iptables ...... "
        echo "Done."
iptables -Z
iptables -Z -t nat
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
        echo -n "    Setting iptables default policies ...... "
iptables -P INPUT DROP
iptables -P FORWARD DROP
        echo "Done."

# Phase 1: Set your server's firewall.
  # the kernel's firewall settings.
  #
  # Write one value into every given /proc/sys file.
  # $1 - the value to write; $2... - the files (a glob expanded by the caller).
set_proc_flag() {
  _value=$1
  shift
  for _file in "$@"; do
    echo "$_value" > "$_file"
  done
}
  #
  # TCP SYN cookies, to ride out SYN floods. This setting is NOT good for
  # high-loading servers.
set_proc_flag 1 /proc/sys/net/ipv4/tcp_syncookies
  #
  # Ignore ICMP echo requests sent to broadcast addresses.
set_proc_flag 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  #
  # Log packets with impossible source addresses ("martians").
set_proc_flag 1 /proc/sys/net/ipv4/conf/*/log_martians
  #
  # Do not honour source-routed packets.
set_proc_flag 0 /proc/sys/net/ipv4/conf/*/accept_source_route
  #
  # Do not accept ICMP redirects.
set_proc_flag 0 /proc/sys/net/ipv4/conf/*/accept_redirects
  #
  # Do not send ICMP redirects.
set_proc_flag 0 /proc/sys/net/ipv4/conf/*/send_redirects
#
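# Phase 2: Other settings.
  #
  # set allow ping packet INPUT(OUTPUT) firewallself.
  # Rate-limited so the firewall answers pings without becoming a
  # ping-flood amplifier. OUTPUT is not default-deny in this script, so the
  # second rule only documents the reply direction.
        echo -n "    Setting ping to firewallself ...... "
iptables -A INPUT -i eth+ -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A OUTPUT -o eth+ -p icmp --icmp-type echo-reply -m limit --limit 1/s --limit-burst 1 -j ACCEPT
        echo "Done."
  #
  # set LAN can access Internet with $FWEXTIP ip address from $EXTIF \
  # interface.
        echo -n "    Setting SNAT: LAN to Internet ...... "
iptables -A POSTROUTING -t nat -s $LAN  -o $EXTIF -j SNAT --to $FWEXTIP
        echo "Done."
  #
  # set DNS query for Internet and LAN.
  # Queries arriving from the Internet are DNATed to the LAN DNS server and
  # forwarded only to that host; answers flow back by connection state.
  # The original accepted any UDP packet with source port 53 in both
  # directions with no state check, which forwarded anything sent from
  # port 53 to any LAN host and port.
        echo -n "    Setting DNAT: DNS query ...... "
iptables -A PREROUTING -t nat -i $EXTIF -p udp --dport 53 -j DNAT --to $DNSSRV
iptables -A FORWARD -i $EXTIF -d $DNSSRV -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INTIF -s $DNSSRV -o $EXTIF -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  # LAN hosts querying Internet resolvers, and the answers.
iptables -A FORWARD -i $INTIF -s $LAN -o $EXTIF -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
        echo "Done."
  #
  # Publish $WEBSRV machine (Web Server) to Internet.
  # The first rule sends the LAN's outbound HTTP to a proxy on the firewall
  # (port 3128). That proxy is expected to be running already -- this
  # script does not start one. With INPUT at DROP the redirected packets
  # never reached it; the INPUT rule opens that port to the LAN only.
        echo -n "    Setting DNAT: HTTP server ...... "
iptables -A PREROUTING -t nat -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -i $INTIF -s $LAN -p tcp --dport 3128 -j ACCEPT
iptables -A PREROUTING -t nat -i $EXTIF -d $FWEXTIP -p tcp --dport 80 -j DNAT --to $WEBSRV
iptables -A FORWARD -i $EXTIF -o $INTIF -d $WEBSRV -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -o $EXTIF -i $INTIF -p tcp --sport 80 -s $WEBSRV -m state --state RELATED,ESTABLISHED -j ACCEPT
          echo "Done."
  #
  #  Publish $FTPSRV machine (FTP Server) to Internet.
  # Control connection: new inbound to port 21, replies by state. Active-mode
  # data: the server opens the connection itself from port 20, so NEW is
  # allowed outbound from the FTP server only; inbound traffic on port 20
  # is reply traffic and needs no NEW (the original allowed NEW there too).
  # Passive-mode data connections (random high ports) are not covered by
  # these rules, as in the original; they would need the ip_conntrack_ftp
  # helper plus a RELATED rule towards $FTPSRV.
        echo -n "    Setting DNAT: FTP server ...... "
iptables -A PREROUTING -t nat -d $FWEXTIP -i $EXTIF -p tcp --dport 21 -j DNAT --to $FTPSRV
iptables -A PREROUTING -t nat -d $FWEXTIP -i $EXTIF -p tcp --dport 20 -j DNAT --to $FTPSRV
iptables -A FORWARD -d $FTPSRV -p tcp --dport 21 -o $INTIF -i $EXTIF -j ACCEPT
iptables -A FORWARD -s $FTPSRV -p tcp --sport 21 -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $FTPSRV -p tcp --sport 20 -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -d $FTPSRV -p tcp --dport 20 -o $INTIF -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
        echo "Done."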
#
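# Phase 3: Additional settings.
        echo -n "    Setting additional settings ...... "
  # Return path for flows the rules above (and the SNAT) already admitted.
  # Without it the LAN's NATed connections had no reply rule except the
  # port-specific ones in Phase 2.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # syn flood: LAN-originated new TCP connections are admitted at a limited
  # rate. The original rule had no interface or address match, so with the
  # FORWARD policy at DROP it was also the rule that admitted, at that rate,
  # new connections arriving on $EXTIF for any LAN host.
iptables -A FORWARD -i $INTIF -s $LAN -o $EXTIF -p tcp --syn -m limit --limit 1/s -j ACCEPT
  # port scan: a bare RST that belongs to no tracked connection is noise;
  # log a sample and let the DROP policy discard it (the original ACCEPTed
  # such packets, which forwards them to the LAN).
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-prefix "FW-RST: "
  # ping flood: echo requests in either direction, rate limited; the replies
  # come back through the state rule above.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
  # tcp fragment flood: non-first fragments, rate limited. Kept from the
  # original; when connection tracking is loaded the kernel normally
  # reassembles fragments before the filter table sees them, so this rule
  # is expected to match rarely.
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

        echo "Done."
        echo; echo "End of the iptables script setting." ; echo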

#
# END OF SCRIPT
发表于 2006-12-20 16:26:34 | 显示全部楼层
这个用来抓取网卡IP 的。你可以补充进脚本里

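#Wan ip
INET_IP="10.10.10.10"
INET_IFACE="eth0"
# NOTE(review): this value looks like a netmask, not a broadcast address;
# the name is kept because nothing on this page reads it.
INET_BROADCAST="255.0.0.0"

# Print the address, broadcast or netmask of an interface as shown by the
# classic net-tools ifconfig ("inet addr:A  Bcast:B  Mask:M" line).
# $1 - interface name; $2 - one of addr, Bcast, Mask.
# Prints nothing when the interface is absent or has no IPv4 address; the
# ifconfig error for a missing interface is suppressed because the callers
# below report that case themselves.
# (The forum rendering turned the original's quotes into \" and its cut
# delimiter into \\, so the original split on a backslash and never
# isolated the address; the sed below extracts only the dotted quad.)
ifconfig_field() {
  /sbin/ifconfig "$1" 2>/dev/null | sed -n "s/.*$2:\([0-9.]*\).*/\1/p"
}

# Lan conf
# 1-lan ip  2- lan mask gw
LAN_IFACE="eth1"
LAN_IP=$(ifconfig_field "$LAN_IFACE" addr)
MASK=$(ifconfig_field "$LAN_IFACE" Mask)
LAN_IP_RANGE=$(ifconfig_field "$LAN_IFACE" Bcast)
if [ -z "$MASK" ]; then
  # the original printed $LAN_IP here, which is empty exactly when this fires
  echo "external network device $LAN_IFACE is not ready." >&2
  exit 2
fi
#  lo (loopback)
LO_IFACE="lo"
LO_IP=$(ifconfig_field "$LO_IFACE" addr)
# NOTE(review): host address/mask, not the network address; kept as in the
# original.
NET=$LAN_IP/$MASK
#  eth1:0 alias
Ext_iface="eth1:0"
Ext_ip=$(ifconfig_field "$Ext_iface" addr)
Ext_mask=$(ifconfig_field "$Ext_iface" Mask)
Ext_range=$(ifconfig_field "$Ext_iface" Bcast)
Ext_net=$Ext_ip/$Ext_mask
if [ -z "$Ext_mask" ]; then
  # the original referenced the undefined $Ext_IP here
  echo "external network device $Ext_iface is not ready." >&2
  exit 2
fi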

 楼主| 发表于 2006-12-20 16:29:32 | 显示全部楼层
Post by konds
这个用来抓取网卡IP 的。你可以补充进脚本里

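#Wan ip
INET_IP="10.10.10.10"
INET_IFACE="eth0"
# NOTE(review): this value looks like a netmask, not a broadcast address;
# the name is kept because nothing on this page reads it.
INET_BROADCAST="255.0.0.0"

# Print the address, broadcast or netmask of an interface as shown by the
# classic net-tools ifconfig ("inet addr:A  Bcast:B  Mask:M" line).
# $1 - interface name; $2 - one of addr, Bcast, Mask.
# Prints nothing when the interface is absent or has no IPv4 address; the
# ifconfig error for a missing interface is suppressed because the callers
# below report that case themselves.
# (The forum rendering turned the original's quotes into \" and its cut
# delimiter into \\, so the original split on a backslash and never
# isolated the address; the sed below extracts only the dotted quad.)
ifconfig_field() {
  /sbin/ifconfig "$1" 2>/dev/null | sed -n "s/.*$2:\([0-9.]*\).*/\1/p"
}

# Lan conf
# 1-lan ip  2- lan mask gw
LAN_IFACE="eth1"
LAN_IP=$(ifconfig_field "$LAN_IFACE" addr)
MASK=$(ifconfig_field "$LAN_IFACE" Mask)
LAN_IP_RANGE=$(ifconfig_field "$LAN_IFACE" Bcast)
if [ -z "$MASK" ]; then
  # the original printed $LAN_IP here, which is empty exactly when this fires
  echo "external network device $LAN_IFACE is not ready." >&2
  exit 2
fi
#  lo (loopback)
LO_IFACE="lo"
LO_IP=$(ifconfig_field "$LO_IFACE" addr)
# NOTE(review): host address/mask, not the network address; kept as in the
# original.
NET=$LAN_IP/$MASK
#  eth1:0 alias
Ext_iface="eth1:0"
Ext_ip=$(ifconfig_field "$Ext_iface" addr)
Ext_mask=$(ifconfig_field "$Ext_iface" Mask)
Ext_range=$(ifconfig_field "$Ext_iface" Bcast)
Ext_net=$Ext_ip/$Ext_mask
if [ -z "$Ext_mask" ]; then
  # the original referenced the undefined $Ext_IP here
  echo "external network device $Ext_iface is not ready." >&2
  exit 2
fi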



多谢仁兄!:%