iptables基础和应用(2)

王朝other·作者佚名  2008-05-21

陆、应用实例

#!/bin/sh

#

# 石牌国小防火墙设定指令稿

# 2002/8/27

# 设定者:李忠宪(修改自 iptables tutorial 1.1.11 by Oskar Andreasson )

# 原文件是依 DMZ 需求设计,已根据校园 NAT 网络之需求修改,其余改动部份包括:

# 新增通讯协议定义区块

# 新增执行时,自动清除已设定之规则

# 支援 FTP

# 修改所有规则,改采 multiport 方式以简化规则

# 原文件仅支持 IP 伪装(多对一对应),已扩充为支持一对一对应及多对多对应

# 原文件仅支援 DNS 及 WEB,新增 ftp、mail、wam、PCAnywhere、ssh......等多种服务器

# 修改若干规则设定上的小错误

#

# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; version 2 of the License.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program or from the site that you downloaded it

# from; if not, write to the Free Software Foundation, Inc., 59 Temple

# Place, Suite 330, Boston, MA 02111-1307 USA

#

###########################################################################

#

# 1. Configuration options.

#

# 1.0 Protocols Configuration.

# 定义会用到的通讯协议

# 1.0 Protocols Configuration.
# TCP/UDP port numbers referenced by the rules later in the script.  Plain
# integers; each variable is only ever expanded into an iptables argument.
HTTP=80
HTTPS=443
FTP=21          # FTP control channel
FTP_DATA=20     # FTP active-mode data channel (server -> client)
SMTP=25
POP3=110
IMAP=143
SSH=22
TELNET=23       # cleartext protocol
PCAW_TCP=5631   # PCAnywhere, TCP
PCAW_UDP=5632   # PCAnywhere, UDP
WEBMIN=10000
WAM=12000
DNS=53
# NOTE(review): TELNET and PCAnywhere are cleartext / weakly authenticated
# remote-access protocols.  Whether they are actually reachable from the
# Internet depends on rules outside this excerpt; if they are, restrict them
# to known source addresses or replace them with SSH.
#
# 1.1 Internet Configuration.
#
# Public (WAN-side) addresses.  The third octet is redacted ("xxx") in the
# published copy and must be filled in before the script is usable.  Several
# services share one public address (e.g. .2 hosts HTTP, FTP, PCAW and DNS);
# the matching LAN_* variables in 1.2 give the internal host each maps to.
INET_IP="163.21.xxx.253"      # the gateway's own WAN address
HTTP1_IP="163.21.xxx.2"
HTTP2_IP="163.21.xxx.4"
HTTP3_IP="163.21.xxx.9"
HTTP4_IP="163.21.xxx.6"
HTTP5_IP="163.21.xxx.7"
HTTP6_IP="163.21.xxx.10"
FTP1_IP="163.21.xxx.2"
FTP2_IP="163.21.xxx.6"
FTP3_IP="163.21.xxx.7"
MAIL1_IP="163.21.xxx.6"
MAIL2_IP="163.21.xxx.7"
PCAW1_IP="163.21.xxx.2"
PCAW2_IP="163.21.xxx.4"
WAM1_IP="163.21.xxx.6"
WAM2_IP="163.21.xxx.7"
DNS_IP="163.21.xxx.2"
# Inclusive address range in iptables "--to-source a-b" syntax; per the file
# header this presumably backs the many-to-many SNAT mapping.
IP_POOL="163.21.xxx.240-163.21.xxx.250"
INET_IFACE="eth1"             # WAN interface
#
# 1.2 Local Area Network configuration.
#
# Private (LAN-side) addresses behind the NAT.
LAN_IP="192.168.1.253"        # the gateway's own LAN address
LAN_HTTP1_IP="192.168.1.2"
LAN_HTTP2_IP="192.168.1.4"
LAN_HTTP3_IP="192.168.1.9"
LAN_HTTP4_IP="192.168.1.6"
LAN_HTTP5_IP="192.168.1.7"
LAN_HTTP6_IP="192.168.1.53"
LAN_FTP1_IP="192.168.1.2"
LAN_FTP2_IP="192.168.1.6"
LAN_FTP3_IP="192.168.1.7"
LAN_MAIL1_IP="192.168.1.6"
LAN_MAIL2_IP="192.168.1.7"
LAN_PCAW1_IP="192.168.1.2"
LAN_PCAW2_IP="192.168.1.4"
LAN_WAM1_IP="192.168.1.6"
LAN_WAM2_IP="192.168.1.7"
LAN_DNS_IP="192.168.1.2"
# NOTE(review): this is a /16 although every LAN host above sits in
# 192.168.1.0/24.  If later rules treat LAN_IP_RANGE as the trusted source
# range, anything in 192.168.0.0/16 arriving on LAN_IFACE is trusted; tighten
# it to 192.168.1.0/24 unless other subnets really live behind eth0.
LAN_IP_RANGE="192.168.0.0/16"
LAN_BROADCAST_ADDRESS="192.168.1.255"
LAN_IFACE="eth0"              # LAN interface
#
# 1.4 Localhost Configuration.
#
# Loopback interface and address.
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
# Path of the iptables binary used by every rule below.
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#

#

# 1.6 Other Configuration.

#

###########################################################################

#

# 2. Module loading.

#

#

# Needed to initially load modules

# 整理核心支持模块之清单

# Rebuild the kernel module dependency list so that modprobe can pull in the
# dependencies of the modules loaded below.
/sbin/depmod -a
#
# 2.1 Required modules
# Load, in the same order as the original script, every module this ruleset
# relies on:
#   ip_tables, iptable_filter, iptable_mangle, iptable_nat - the tables
#   ip_conntrack, ipt_state        - connection tracking and the "state" match
#   ipt_LOG, ipt_limit             - the LOG target and the "limit" match
#   ip_conntrack_ftp, ip_nat_ftp   - FTP helpers, presumably so FTP to the
#                                    DNAT'd servers works (header says "支援 FTP")
# These are the 2.4-era module names.  NOTE(review): from kernel 2.6.20 on the
# equivalents are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, and on recent
# kernels the FTP helper is no longer attached to flows automatically (it needs
# an explicit "-j CT --helper ftp" rule) — verify on the target kernel.
# The FTP helper parses the control channel and opens data-channel pinholes,
# which is extra attack surface; load it only while FTP is actually offered.
# modprobe failures are not checked here (no set -e); modprobe itself reports
# them on stderr.
for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
           ipt_LOG ipt_limit ipt_state ip_conntrack_ftp ip_nat_ftp; do
  /sbin/modprobe "$mod"
done

#

# 2.2 Non-Required modules

# 其余未使用之模块

#/sbin/modprobe ipt_owner

#/sbin/modprobe ipt_REJECT

#/sbin/modprobe ipt_MASQUERADE

#/sbin/modprobe ip_conntrack_irc

#/sbin/modprobe ip_nat_irc

###########################################################################

#

# 3. /proc set up.

#

#

# 3.1 Required proc configuration
# Turn on IPv4 forwarding so the kernel routes packets between LAN_IFACE and
# INET_IFACE.
# NOTE(review): forwarding is enabled here, before a single filter rule exists,
# and section 4.1.0 below resets every policy to ACCEPT; until the rest of the
# ruleset is loaded the gateway forwards unfiltered.  Enabling forwarding as
# the final step of the script would close that window.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

#

# 3.2 Non-Required proc configuration

# 其余未使用之接口 (other sysctls, intentionally left disabled)
# NOTE(review): rp_filter below stays off.  On a two-interface NAT gateway it
# is normally safe to enable and makes the kernel drop packets whose source
# address is not routable via the interface they arrived on — a cheap
# anti-spoofing check worth turning on.

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################

#

# 4. rules set up.

#

######

# 4.1 Filter table

#

# 4.1.0 Reset the default policies and flush the filter, nat and mangle tables.
# Makes the script safe to re-run: every built-in chain's policy goes back to
# ACCEPT, all rules are flushed and all user-defined chains are deleted, so a
# second run never stacks rules on top of the previous ones.
#
# NOTE(review): ip_forward was already switched on in section 3.1, so from this
# point until the rules further down are loaded the gateway accepts and
# forwards everything, and if the script aborts half-way (there is no set -e)
# it stays that way.  A fail-closed variant would set INPUT/FORWARD to DROP
# here, or enable ip_forward only as the last step of the script.
# Only the mangle chains that exist on 2.4 kernels (PREROUTING, OUTPUT) are
# reset; on kernels whose mangle table also has INPUT/FORWARD/POSTROUTING
# those policies are not touched by this excerpt.
for chain in INPUT FORWARD OUTPUT; do
  "$IPTABLES" -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
  "$IPTABLES" -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  "$IPTABLES" -t mangle -P "$chain" ACCEPT
done
# Flush every table first, then delete user-defined chains: -X only removes
# a chain once it is empty and no longer referenced.
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
done
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -X
done

 
 
 