All the firewall scripts out there are written by foreigners, so I am writing one too; I hope everyone will help me get it right

王朝 · other · author: anonymous  2008-05-18

The DMZ part is not yet complete and is bound to have gaps; I hope everyone will improve it together with me and make it more and more capable. To use it, copy firewall-dev to /etc/rc.d/init.d and firewall.conf to /etc/; after that you only need to edit firewall.conf. The firewall is started and stopped with firewall-dev start|stop. Features are still being added; if you make any changes, please send me a copy at arlenecc@263.net

In the spirit of the GPL, I hope like-minded people will help me improve it; if you change anything, please let me know!!!!

firewall-dev

#!/bin/bash
#
# This is a firewall script with stateful inspection and IP filtering;
# change it to meet your needs. In a word: UPLINK is the outgoing
# interface, ROUTER says whether the box should act as a router, NAT says
# whether you use a dynamic IP address (if you do, set it to "dynamic"),
# INTERFACES lists all the interfaces in your server and SERVICES lists
# all the services your server provides. Enjoy it !!! ----- written by arlenecc
#
##############################################################################
#                                                                            #
# Copyright (c) 2002 arlenecc arlenecc@netease.com                           #
# All rights reserved                                                        #
#                                                                            #
##############################################################################
#
# now begins the firewall

# Settings are read from /etc/firewall.conf (where the instructions say to
# copy it). Each key is matched anchored at the start of the line and
# followed by "=", so that reading H323 does not also pick up H323_PORT.
CONF=/etc/firewall.conf
getconf() {
    grep "^$1=" "$CONF" | head -n 1 | cut -d = -f 2-
}

UPLINK=$(getconf UPLINK)
UPIP=$(getconf UPIP)
ROUTER=$(getconf ROUTER)
NAT=$(getconf NAT)
INTERFACES=$(getconf INTERFACES)
SERVICES=$(getconf SERVICES)
DENYPORTS=$(getconf DENYPORTS)
DENYUDPPORT=$(getconf DENYUDPPORT)
LAN_IF=$(getconf LAN_IF)
LAN_NET=$(getconf LAN_NET)
DMZ_NET=$(getconf DMZ_NET)
DMZ_IF=$(getconf DMZ_IF)
DMZ_TCP_PORT=$(getconf DMZ_TCP_PORT)
DMZ_UDP_PORT=$(getconf DMZ_UDP_PORT)
WEB_IP=$(getconf WEB_IP)
FTP_IP=$(getconf FTP_IP)
H323_PORT=$(getconf H323_PORT)
H323=$(getconf H323)
H323HOST=$(getconf H323HOST)   # target of the H323 DNAT rules below
SELF_SET=$(getconf SELF_SET)   # enables the "rules you set yourself" block

if [ "$1" = "start" ]
then
    echo "Starting firewall......"
    echo "NOW preparing kernel for use, please wait....."
    # if [ -e /proc/sys/net/ipv4/ip_forward ]
    # then
    #     echo 1 >/proc/sys/net/ipv4/ip_forward
    # fi
    # getconf yields the bare value, so compare without padding spaces
    if [ "$NAT" = "dynamic" ]
    then
        echo "Enable dynamic ip support...."
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
    then
        echo "Enable the syn cookie flood protection"
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
    then
        echo "Setting the maximum number of connections to track.... "
        echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
    then
        echo " Setting local port range for TCP/UDP connection...."
        echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
    then
        echo "Enable bad error message protection......."
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo " OK !!!! "
    fi
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo "Disabling tcp_ecn, please wait..."
        echo 0 >/proc/sys/net/ipv4/tcp_ecn
        echo " OK !!!! "
    fi
    for x in ${INTERFACES}
    do
        echo " Enabling rp_filter on ${x}, please wait...."
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        echo " ${x} OK !!!! "
    done
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
    then
        echo "Disabling ICMP redirects, please wait...."
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo " OK !!!! "
    fi
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
    then
        echo "Disabling source routing of packets, please wait...."
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route
        do
            echo 0 > $i
            echo " $i OK !!!! "
        done
    fi
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
    then
        echo "Ignore any broadcast icmp echo requests......"
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo " OK !!!! "
    fi
    # if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]
    # then
    #     echo "LOG packets with impossible addresses to kernel log...."
    #     echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    #     echo " OK !!!! "
    # fi
    #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
    #modprobe ip_tables
    depmod -a

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # flush every chain in every table (user-defined chains included, so
    # that -X can delete leftovers from an earlier run), then recreate the
    # user-defined chains
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    iptables -Z
    iptables -X
    iptables -N CHECK_FLAGS
    iptables -N tcpHandler
    iptables -N udpHandler
    iptables -N icmpHandler
    iptables -N DROP-AND-LOG
    echo "OK, the kernel is now prepared to use for building a firewall!!!"
    echo "Waiting ........................"
    echo "Creating a drop chain....."
    iptables -A DROP-AND-LOG -j LOG --log-level 5
    iptables -A DROP-AND-LOG -j DROP
    echo " OK !!!!"
    echo "Now starting the check_flag rules, please wait...."
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVALID NMAP SCAN "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP OPTION 64 "
    iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP OPTION 128 "
    iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
    echo " OK !!!! Finished check_flags rules...."
    echo "Now starting the input rules, please wait......."

    # loopback first, then send every TCP packet through the flag sanity
    # chain built above (it is only useful if something jumps to it)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp -j CHECK_FLAGS
    for x in ${DENYPORTS}
    do
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVALID PORT:${x} TCP IN:"
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
        iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} SYN IN:"
        iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP
    done
    for x in ${DENYUDPPORT}
    do
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
    done
    #iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    # services offered on the uplink (NEW covers the handshake, the
    # ESTABLISHED,RELATED part the rest of the connection)
    for x in ${SERVICES}
    do
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # private (RFC 1918), multicast and reserved source addresses must not
    # arrive on the uplink
    iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 172.16.0.0/12 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG
    #iptables -A INPUT -i ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
    iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID TCP FROM DMZ:"
    iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID UDP FROM DMZ:"
    iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
    iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID ICMP FROM DMZ:"
    iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
    iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUEST:"
    iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
    iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVALID ICMP IN:"
    iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable
    iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVALID UDP IN:"
    iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVALID TCP IN:"
    iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
    iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
    iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVALID FRAGMENTS ${UPLINK}:"
    iptables -A INPUT -i ${UPLINK} -f -j DROP
    iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVALID FRAGMENT ${LAN_IF}:"
    iptables -A INPUT -i ${LAN_IF} -f -j DROP
    iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVALID FRAGMENT ${DMZ_IF}:"
    iptables -A INPUT -i ${DMZ_IF} -f -j DROP
    iptables -A INPUT -i ${UPLINK} -j DROP
    echo " OK !!!! The input rules have been successfully applied, continue......"

    echo " Now starting FORWARD rules, please wait ....."
    iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # new connections arriving on the uplink are logged and rate limited
    # per protocol by the *Handler chains
    iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
    iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
    iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
    iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
    iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
    iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
    iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
    iptables -A tcpHandler -p tcp -j DROP
    iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
    iptables -A udpHandler -p udp -j DROP
    iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
    iptables -A icmpHandler -p icmp -j DROP
    iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
    iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
    #iptables -A FORWARD -o ${UPLINK} -i ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #iptables -A FORWARD -o ${UPLINK} -i ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # the DMZ may never open anything towards the LAN
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVALID TCP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVALID UDP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVALID ICMP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP
    iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
    iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID TCP FORWARD DATA"
    iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID UDP FORWARD DATA"
    iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
    iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -j DROP
    echo " OK !!!! The forward rules have been successfully applied, continue......"

    echo " Now applying output rules, please wait ...."
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVALID TCP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVALID UDP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVALID ICMP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVALID ICMP STATE OUTPUT:"
    iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVALID NEW,INVALID STATE:"
    iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
    iptables -A OUTPUT -j DROP
    echo " OK !!!! The OUTPUT rules have been successfully applied, continue......."

    echo " Now applying nat rules, please wait ...."
    #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
    #iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867
    iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
    iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP
    if [ "$ROUTER" = "yes" ]
    then
        echo " enabling ip_forward, please wait..."
        echo 1 >/proc/sys/net/ipv4/ip_forward
        echo "OK"
        if [ "$NAT" = "dynamic" ]
        then
            echo "Enabling MASQUERADING (dynamic ip)..."
            echo "Dynamic PPP connection, now getting the dynamic ip address"
            # read the address from the configured uplink interface
            IP_ADDR=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1`
            echo " Now your IP ADDRESS is : ${IP_ADDR} "
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
            iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
            # --dport is only valid together with -p tcp
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20
            if [ "$H323" = "yes" ]
            then
                echo "Starting H323 NAT setting......"
                for port in ${H323_PORT}
                do
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                done
            fi
            echo " OK, NAT setting started successfully.."
        elif [ "$NAT" != "" ]
        then
            echo "Enabling SNAT (static ip)..."
            # iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21
            if [ "$H323" = "yes" ]
            then
                echo "Starting H323 NAT setting........"
                for port in ${H323_PORT}
                do
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                done
            fi
            echo " OK !!!!"
        fi
    fi
    if [ "$SELF_SET" = "yes" ]
    then
        echo "Starting the rules you set yourself......"
        # firewall (placeholder: the rules you set yourself go here)
        echo " OK !!!!"
    fi
    echo " All rules have been successfully applied, enjoy it...."
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall...."
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # flush all chains of all tables (including the PREROUTING DNAT rules
    # and the user-defined chains), then delete the user-defined chains
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X tcpHandler
    iptables -X udpHandler
    iptables -X icmpHandler
    iptables -X CHECK_FLAGS
    iptables -X DROP-AND-LOG
    echo "The firewall has been shut down, be careful !!!"
else
    echo "Usage: $0 {start|stop}"
fi

firewall.conf

UPLINK=eth1
UPIP=192.168.2.188
ROUTER=yes
NAT=192.168.2.188
INTERFACES=lo eth0 eth1 eth2
SERVICES=http ftp
DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.3.0/24
DMZ_IF=eth2
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=192.168.3.1
FTP_IP=192.168.3.2
H323_PORT=
H323=no
#host inside the DMZ that the H323 ports are forwarded to (needed when H323=yes)
H323HOST=
#here you can add the block rules yourself, but be sure you fill in all of these settings, otherwise it will not work at all !!!!
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
#here you can add the icmp block rules yourself; be sure you fill in all of these settings, otherwise it will not work at all !!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
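The script above builds every iptables command by interpolating values pulled out of firewall.conf with grep and cut, and its SELF_SET section is only a placeholder. The following is an added example, not code from the original firewall-dev script or from arlenecc: a small POSIX shell loader that reads the config with anchored keys (so that H323 no longer also matches H323_PORT), validates each value against the shape the corresponding iptables option expects before it can reach a command line, and assembles the "rules you set yourself" from the SELF_SET keys. The sample config is constructed inline, and the meaning given to BLOCK_TYPE (chain), PROTO, INTE_IF, SRC, DST, DPORT and ACTION is an assumption, since the page never implements them.

```shell
#!/bin/sh
# Added example (not part of firewall-dev): anchored config reading,
# value validation and a builder for the SELF_SET rule. The semantics of
# the SELF_SET keys are assumed; the original script never uses them.

# Constructed sample config; the real script reads /etc/firewall.conf.
EXAMPLE_CONF=$(mktemp)
trap 'rm -f "$EXAMPLE_CONF"' EXIT
cat > "$EXAMPLE_CONF" <<'EOF'
UPLINK=eth1
H323_PORT=1720
H323=no
SELF_SET=yes
BLOCK_TYPE=FORWARD
PROTO=tcp
INTE_IF=eth0
SRC=192.168.1.0/24
DST=192.168.3.1
DPORT=22
ACTION=DROP
EOF

# getconf FILE KEY: value of KEY. The pattern is anchored and ends in "=",
# so KEY=H323 yields "no" instead of also matching the H323_PORT line.
getconf() {
    grep "^$2=" "$1" | head -n 1 | cut -d = -f 2- | tr -d '\r'
}

# Validators: a value goes onto an iptables command line only when it has
# the shape that option expects; a space, a second option or any stray
# character fails the check. is_cidr checks the dotted-quad/prefix shape
# only, it does not range-check each octet.
is_iface()  { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.:-]{1,15}$'; }
is_cidr()   { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; }
is_chain()  { case "$1" in INPUT|FORWARD|OUTPUT) return 0 ;; *) return 1 ;; esac; }
is_proto()  { case "$1" in tcp|udp|icmp) return 0 ;; *) return 1 ;; esac; }
is_action() { case "$1" in ACCEPT|DROP|REJECT) return 0 ;; *) return 1 ;; esac; }
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_self_rule FILE: print the iptables command described by the
# SELF_SET keys, or print nothing and return 1 when SELF_SET is not "yes"
# or any value fails validation. The command is printed, not executed, so
# it can be reviewed (and tested) without root.
build_self_rule() {
    f=$1
    [ "$(getconf "$f" SELF_SET)" = "yes" ] || return 1
    chain=$(getconf "$f" BLOCK_TYPE); proto=$(getconf "$f" PROTO)
    iface=$(getconf "$f" INTE_IF);    src=$(getconf "$f" SRC)
    dst=$(getconf "$f" DST);          dport=$(getconf "$f" DPORT)
    action=$(getconf "$f" ACTION)
    is_chain "$chain" && is_proto "$proto" && is_iface "$iface" \
        && is_cidr "$src" && is_cidr "$dst" && is_action "$action" || return 1
    if [ "$proto" = icmp ]; then
        # icmp has no ports, so DPORT is ignored for it
        printf 'iptables -A %s -i %s -p icmp -s %s -d %s -j %s\n' \
            "$chain" "$iface" "$src" "$dst" "$action"
    else
        is_port "$dport" || return 1
        printf 'iptables -A %s -i %s -p %s -s %s -d %s --dport %s -j %s\n' \
            "$chain" "$iface" "$proto" "$src" "$dst" "$dport" "$action"
    fi
}

build_self_rule "$EXAMPLE_CONF"
```

Run as-is it prints the single rule the sample config describes; pointing it at a config whose INTE_IF holds a space or a second option yields no command and a non-zero status, which is the behaviour to want from anything that turns a text file into root-level firewall changes.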