分享
 
 
 

脚本范例

王朝other·作者佚名  2008-05-18
窄屏简体版  字體: |||超大  

管理脚本范例

[目录]

--------------------------------------------------------------------------------

Mail Server脚本

This is the configuration script file for our Mail Server. This is configured to allows unlimited traffic on the Loopback interface, ICMP, DNS Server and Client (53), SSH Server (22), SMTP Server and Client (25), IMAP server (143), and OUTGOING TRACEROUTE requests by default.

If you don't want some services listed in the firewall rules files for the Mail Server that I make ON by default, comment them out with a "#" at the beginning of the line. If you want some other

services that I commented out with a "#", then remove the "#" at the beginning of their lines.

Create the firewall script file, touch /etc/rc.d/init.d/firewall on your Mail Server and add:

#!/bin/sh

#

# ----------------------------------------------------------------------------

# Last modified by Gerhard Mourani: 04-25-2000

# ----------------------------------------------------------------------------

# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler

#

# Permission to use, copy, modify, and distribute this software and its

# documentation for educational, research, private and non-profit purposes,

# without fee, and without a written agreement is hereby granted.

# This software is provided as an example and basis for individual firewall

# development. This software is provided without warranty.

#

# Any material furnished by Robert L. Ziegler is furnished on an

# "as is" basis. He makes no warranties of any kind, either expressed

# or implied as to any matter including, but not limited to, warranty

# of fitness for a particular purpose, exclusivity or results obtained

# from use of the material.

# ----------------------------------------------------------------------------

#

# Invoked from /etc/rc.d/init.d/firewall.

# chkconfig: - 60 95

# description: Starts and stops the IPCHAINS Firewall

# used to provide Firewall network services.

# Source function library.

. /etc/rc.d/init.d/functions

# Source networking configuration.

. /etc/sysconfig/network

# Check that networking is up.

if [ ${NETWORKING} = "no" ]

then

exit 0

fi

if [ ! -x /sbin/ipchains ]; then

exit 0

fi

# See how we were called.

case "$1" in

start)

echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------

# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # Internet connected interface

LOOPBACK_INTERFACE="lo" # Your local naming convention

IPADDR="my.ip.address" # Your IP address

ANYWHERE="any/0" # Match any IP address

NAMESERVER_1="my.name.server.1" # Everyone must have at least one

NAMESERVER_2="my.name.server.2" # Your secondary name server

MY_ISP="my.isp.address.range/24" # ISP NOC address range

SMTP_SERVER="my.smtp.server" # Your Mail Hub Server.

SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server

SYSLOG_CLIENT="sys.int.client.range/24" # Your syslog internal client range

LOOPBACK="127.0.0.0/8" # Reserved loopback address range

CLASS_A="10.0.0.0/8" # Class A private networks

CLASS_B="172.16.0.0/12" # Class B private networks

CLASS_C="192.168.0.0/16" # Class C private networks

CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses

CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses

BROADCAST_SRC="0.0.0.0" # Broadcast source address

BROADCAST_DEST="255.255.255.255" # Broadcast destination address

PRIVPORTS="0:1023" # Well known, privileged port range

UNPRIVPORTS="1024:65535" # Unprivileged port range

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for

# each additional simultaneous incoming connection.

SSH_PORTS="1022:1023" # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523

TRACEROUTE_SRC_PORTS="32769:65535"

TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------

# Default policy is DENY

# Explicitly accept desired INCOMING OUTGOING connections

# Remove all existing rules belonging to this filter

ipchains -F

# Clearing all current rules and user defined chains

ipchains -X

# Set the default policy of the filter to deny.

# Don't even bother sending an error message back.

ipchains -P input DENY

ipchains -P output DENY

ipchains -P forward DENY

# ----------------------------------------------------------------------------

# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT

ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------

# Network Ghouls

# Deny access to jerks

# /etc/rc.d/rc.firewall.blocked contains a list of

# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY

# rules to block from any access.

# Refuse any connection from problem sites

#if [ -f /etc/rc.d/rc.firewall.blocked ]; then

# . /etc/rc.d/rc.firewall.blocked

#fi

# ----------------------------------------------------------------------------

# SPOOFING BAD ADDRESSES

# Refuse spoofed packets.

# Ignore blatantly illegal source addresses.

# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from the external address.

ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

# Refuse packets claiming to be to or from a Class B private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

# Refuse packets claiming to be to or from a Class C private network

# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l

# ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

# ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l

# ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

# Refuse packets claiming to be from the loopback interface

ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

# Refuse broadcast address SOURCE packets

ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)

# Multicast is illegal as a source address.

# Multicast uses UDP.

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

# Refuse Class E reserved IP addresses

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

# refuse addresses defined as reserved by the IANA

# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*

# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

#65: 01000001 - /3 includes 64 - need 65-79 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

#80: 01010000 - /4 masks 80-95

ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000 - /4 makses 96-111

ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

#126: 01111110 - /3 includes 127 - need 112-126 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

#217: 11011001 - /5 includes 216 - need 217-219 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

#223: 11011111 - /6 masks 220-223

ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------

# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter

# incoming Redirect (5) and outgoing Destination Unreachable (3).

# Note, however, disabling Destination Unreachable (3) is not

# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.

# Message Types: Echo_Reply (0), Echo_Request (icon_cool.gif

# To prevent attacks, limit the src addresses to your ISP range.

#

# For outgoing traceroute.

# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)

# default UDP base: 33434 to base+nhops-1

#

# For incoming traceroute.

# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)

# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)

# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.

# 4: source-quench

# 5: redirect

# 8: echo-request (ping)

# 11: time-exceeded

# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 0 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 3 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 4 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 11 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 12 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $MY_ISP 8 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 0 -d $MY_ISP -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 3 -d $MY_ISP -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 4 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 8 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 12 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 11 -d $MY_ISP -j ACCEPT

# ----------------------------------------------------------------------------

# UDP INCOMING TRACEROUTE

# traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $MY_ISP $TRACEROUTE_SRC_PORTS

-d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $ANYWHERE $TRACEROUTE_SRC_PORTS

-d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

# DNS server

# ----------

# DNS: full server

# server/client to server query or response

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $ANYWHERE $UNPRIVPORTS

-d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp

-s $IPADDR 53

-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# DNS client Zone Transfers (53)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $NAMESERVER_1 53

-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp

-s $IPADDR $UNPRIVPORTS

-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y

-s $NAMESERVER_1 53

-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp

-s $IPADDR $UNPRIVPORTS

-d $NAMESERVER_1 53 -j ACCEPT

# ----------------------------------------------------------------------------

# TCP accept only on selected ports

# ---------------------------------

# ------------------------------------------------------------------

# SSH server (22)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

-s $ANYWHERE $UNPRIVPORTS

-d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y

-s $IPADDR 22

-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

-s $ANYWHERE $SSH_PORTS

-d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y

-s $IPADDR 22

-d $ANYWHERE $SSH_PORTS -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)

# -----------------

# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

-s $ANYWHERE

-d $IPADDR 113 -j REJECT

# ------------------------------------------------------------------

# SYSLOG server (514)

# -----------------

# Provides full remote logging. Using this feature you're able to

# control all syslog messages on one host.

# ipchains -A input -i $EXTERNAL_INTERFACE -p udp

# -s $SYSLOG_CLIENT

# -d $IPADDR 514 -j ACCEPT

# SYSLOG client (514)

# -----------------

# ipchains -A output -i $EXTERNAL_INTERFACE -p udp

# -s $IPADDR 514

# -d $SYSLOG_SERVER 514 -j ACCEPT

# ------------------------------------------------------------------

# SMTP server (25)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

-s $ANYWHERE $UNPRIVPORTS

-d $IPADDR 25 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y

-s $IPADDR 25

-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# SMTP client (25)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y

-s $ANYWHERE 25

-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp

-s $IPADDR $UNPRIVPORTS

-d $ANYWHERE 25 -j ACCEPT

# ------------------------------------------------------------------

# IMAP server (143)

# -----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

-s $ANYWHERE $UNPRIVPORTS

-d $IPADDR 143 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y

-s $IPADDR 143

-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# POP server (110)

# -----------------

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

# -s $ANYWHERE $UNPRIVPORTS

# -d $IPADDR 110 -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y

# -s $IPADDR 110

# -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# OUTGOING TRACEROUTE

# -------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp

-s $IPADDR $TRACEROUTE_SRC_PORTS

-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------

# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp

-d $IPADDR -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-d $IPADDR $PRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-d $IPADDR $UNPRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 5 -d $IPADDR -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

;;

stop)

echo -n "Shutting Firewalling Services: "

# Remove all existing rules belonging to this filter

ipchains -F

# Delete all user-defined chain to this filter

ipchains -X

# Reset the default policy of the filter to accept.

ipchains -P input ACCEPT

ipchains -P output ACCEPT

ipchains -P forward ACCEPT

;;

status)

status firewall

;;

restart|reload)

$0 stop

$0 start

;;

*)

echo "Usage: firewall {start|stop|status|restart|reload}"

exit 1

esac

exit 0

Now, make this script executable and change its default permissions:

[root@deep] /#chmod 700 /etc/rc.d/init.d/firewall

[root@deep] /#chown 0.0 /etc/rc.d/init.d/firewall

Create the symbolic rc.d links for your Firewall with the command:

[root@deep] /#chkconfig --add firewall

[root@deep] /#chkconfig --level 345 firewall on

Now, your firewall rules are configured to use System V init (System V init is in charge of starting all the normal processes that need to run at boot time) and it will be automatically started each time if your server reboot.

To manually stop the firewall on your system, use the following command:

[root@deep] /# /etc/rc.d/init.d/firewall stop

Shutting Firewalling Services: [ OK ]

To manually start the firewall on your system, use the following command:

[root@deep] /# /etc/rc.d/init.d/firewall start

Starting Firewalling Services: [ OK ]

webserver脚本

This is the configuration script file for our Web Server. This configuration allows unlimited traffic on the Loopback interface, ICMP, DNS Caching and Client Server (53), SSH Server (22), HTTP Server (80),HTTPS Server (443), SMTP Client (25), FTP Server (20, 21), and OUTGOING TRACEROUTE requests by default.

If you don't want some services listed in the firewall rules files for the Web Server that I make ON by default, comment them out with a "#" at the beginning of the line. If you want some other services that I commented out with a "#", then remove the "#" at the beginning of those lines.

Create the firewall script file, touch /etc/rc.d/init.d/firewall on your Web Server and add:

#!/bin/sh

#

# ----------------------------------------------------------------------------

# Last modified by Gerhard Mourani: 04-25-2000

# ----------------------------------------------------------------------------

# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler

#

# Permission to use, copy, modify, and distribute this software and its

# documentation for educational, research, private and non-profit purposes,

# without fee, and without a written agreement is hereby granted.

# This software is provided as an example and basis for individual firewall

# development. This software is provided without warranty.

#

# Any material furnished by Robert L. Ziegler is furnished on an

# "as is" basis. He makes no warranties of any kind, either expressed

# or implied as to any matter including, but not limited to, warranty

# of fitness for a particular purpose, exclusivity or results obtained

# from use of the material.

# ----------------------------------------------------------------------------

#

# Invoked from /etc/rc.d/init.d/firewall.

# chkconfig: - 60 95

# description: Starts and stops the IPCHAINS Firewall

# used to provide Firewall network services.

# Source function library.

. /etc/rc.d/init.d/functions

# Source networking configuration.

. /etc/sysconfig/network

# Check that networking is up.

if [ ${NETWORKING} = "no" ]

then

exit 0

fi

if [ ! -x /sbin/ipchains ]; then

exit 0

fi

# See how we were called.

case "$1" in

start)

echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------

# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # Internet connected interface

LOOPBACK_INTERFACE="lo" # Your local naming convention

IPADDR="my.ip.address" # Your IP address

ANYWHERE="any/0" # Match any IP address

NAMESERVER_1="my.name.server.1" # Everyone must have at least one

NAMESERVER_2="my.name.server.2" # Your secondary name server

MY_ISP="my.isp.address.range/24" # ISP NOC address range

SMTP_SERVER="my.smtp.server" # Your Mail Hub Server.

SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server

SYSLOG_CLIENT="sys.int.client.range/24" # Your syslog internal client range

LOOPBACK="127.0.0.0/8" # Reserved loopback address range

CLASS_A="10.0.0.0/8" # Class A private networks

CLASS_B="172.16.0.0/12" # Class B private networks

CLASS_C="192.168.0.0/16" # Class C private networks

CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses

CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses

BROADCAST_SRC="0.0.0.0" # Broadcast source address

BROADCAST_DEST="255.255.255.255" # Broadcast destination address

PRIVPORTS="0:1023" # Well known, privileged port range

UNPRIVPORTS="1024:65535" # Unprivileged port range

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for

# each additional simultaneous incoming connection.

SSH_PORTS="1022:1023" # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523

TRACEROUTE_SRC_PORTS="32769:65535"

TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------

# Default policy is DENY

# Explicitly accept desired INCOMING OUTGOING connections

# Remove all existing rules belonging to this filter

ipchains -F

# Clearing all current rules and user defined chains

ipchains -X

# Set the default policy of the filter to deny.

# Don't even bother sending an error message back.

ipchains -P input DENY

ipchains -P output DENY

ipchains -P forward DENY

# ----------------------------------------------------------------------------

# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT

ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------

# Network Ghouls

# Deny access to jerks

# /etc/rc.d/rc.firewall.blocked contains a list of

# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY

# rules to block from any access.

# Refuse any connection from problem sites

#if [ -f /etc/rc.d/rc.firewall.blocked ]; then

# . /etc/rc.d/rc.firewall.blocked

#fi

# ----------------------------------------------------------------------------

# SPOOFING BAD ADDRESSES

# Refuse spoofed packets.

# Ignore blatantly illegal source addresses.

# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from the external address.

ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

# Refuse packets claiming to be to or from a Class B private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

# Refuse packets claiming to be to or from a Class C private network

# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l

# ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

# ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l

# ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

# Refuse packets claiming to be from the loopback interface

ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

# Refuse broadcast address SOURCE packets

ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)

# Multicast is illegal as a source address.

# Multicast uses UDP.

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

# Refuse Class E reserved IP addresses

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

# refuse addresses defined as reserved by the IANA

# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*

# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

#65: 01000001 - /3 includes 64 - need 65-79 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

#80: 01010000 - /4 masks 80-95

ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000 - /4 makses 96-111

ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

#126: 01111110 - /3 includes 127 - need 112-126 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

#217: 11011001 - /5 includes 216 - need 217-219 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

#223: 11011111 - /6 masks 220-223

ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------

# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter

# incoming Redirect (5) and outgoing Destination Unreachable (3).

# Note, however, disabling Destination Unreachable (3) is not

# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.

# Message Types: Echo_Reply (0), Echo_Request (icon_cool.gif

# To prevent attacks, limit the src addresses to your ISP range.

#

# For outgoing traceroute.

# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)

# default UDP base: 33434 to base+nhops-1

#

# For incoming traceroute.

# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)

# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)

# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.

# 4: source-quench

# 5: redirect

# 8: echo-request (ping)

# 11: time-exceeded

# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 0 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 3 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 4 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 11 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $ANYWHERE 12 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp

-s $MY_ISP 8 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 0 -d $MY_ISP -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 3 -d $MY_ISP -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 4 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 8 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 12 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp

-s $IPADDR 11 -d $MY_ISP -j ACCEPT

# ----------------------------------------------------------------------------

# UDP INCOMING TRACEROUTE

# traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $MY_ISP $TRACEROUTE_SRC_PORTS

-d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $ANYWHERE $TRACEROUTE_SRC_PORTS

-d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

# DNS forwarding, caching only nameserver (53)

# --------------------------------------------

# server to server query or response

# Caching only name server only requires UDP, not TCP

ipchains -A input -i $EXTERNAL_INTERFACE -p udp

-s $NAMESERVER_1 53

-d $

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有