Linux服务器上适用的防火墙(转自CU)

很久没来了,其实也不是什么新东西,2001年底就写了很多了,主要是改正了以前版本里面的逻辑错误,整理了一下,把原来的WAN+LAN+DMZ改成了放在单独的linux服务器上的版本,使用LINUX服务器的兄弟们有福了,可以节省N多的脑细胞,呵呵,有问题邮件联系 arlenecc@rainlow.com

#!/bin/bash

echo -e " \t\t \033[1;31m RainLow firewall \033[m server version 1.0rc1 -- 09/24/2004 \n"

echo -e "############################################################"

echo -e " This software may be used and distributed according to "

echo -e "the terms of the GNU General Public License (GPL) provided"

echo -e "credit is given to the original author. "

echo -e "\t\t\t \033[1;31m Copyright (c) 2004 rainlow \033[m \n"

echo -e "\t\t\t\t All rights reserved \n\n\n"

echo -e "############################################################"

# now begins the firewall

echo -e "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"

echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

. /etc/init.d/functions

exit_failure()

{

echo -en " \t \033[3;031m [ FAILED ] \033[0m \n"

echo -en " \033[3;031m -> FATAL: $FAILURE \033[0m \n"

echo -en " \033[3;031m -> ** ABORTED **.\033[0m \n"

exit 1

}

check_root()

{

ROOT_ID=0

echo "Checking if you are root...."

if [ "$UID" = "$ROOT_ID" ]

then

echo -e "\n\t OK ! continue....\n"

echo -e "\a"

else

echo -e " Sorry,you are not root and not permitted to do this option...\n"

echo -e "\a"

FAILURE="you can not run this command ,you must be root to do this"

exit_failure

fi

}

check_enviroment()

{

echo -e "\t\t \033[1;31m Now Checking software envrioment \033[m \n"

OS=`uname -s`

_OS=$OS

if [ "$_OS" != "Linux" ];then

FAILURE="Sorry this version can only work under linux "

exit_failure

else

echo -en "\t\t \033[1;32m PASS \033[m \n"

fi

KERNELMAJ=`uname -r | sed -e 's,\..*,,'`

KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then

FAILURE="Sorry you kernel is too old,please upgrade it first!"

exit_failure

fi

if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 4 ] ; then

FAILURE="only kernel greater than 2.4 is supported"

exit_failure

fi

if ((`iptables -V 2>&1 | grep -c "Command not found"` )); then

FAILURE="can not find iptables command you must install iptables first"

exit_failure

fi

if !(( `which modprobe 2>&1 | grep -c "which: no modprobe in"` )) && ( [ -a /proc/modules ] || ! [ -a /proc/version ] ); then

if (( `lsmod | grep -c "ipchains"` )); then

rmmod ipchains > /dev/null 2>&1

fi

fi

}

wait()

{

echo | awk '{printf "||" ,$1}'

for x in `seq 1 10`;

do

sleep 1

echo "#" | awk '{printf "%s",$1}'

done

echo -en "\n"

}

iptables()

{

/sbin/iptables "$@"

}

mp()

{

/sbin/modprobe "$@"

}

load_module()

{

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]

then

echo -e "\n\tLoading iptables modules please wait...."

mp ip_tables

mp ipt_LOG

mp ipt_owner

mp ipt_MASQURADE

mp ipt_REJECT

mp ipt_conntrack_ftp

mp ipt_conntrack_irc

mp iptable_filter

mp iptable_nat

mp iptable_mangle

mp ip_conntrack

mp ipt_limit

mp ipt_state

mp ipt_unclean

mp ipt_TCPMSS

mp ipt_TOS

mp ipt_TTL

mp ipt_quota

mp ipt_iplimit

mp ipt_pkttype

mp ipt_ipv4options

mp ipt_MARK

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

else

echo -e "\tSorry,no iptables modules found !!"

fi

}

ip_stack_adjust()

{

if [ -e /proc/sys/net/ipv4/ip_forward ]

then

echo -e "enable ip_forward.please wait...."

echo 0 >/proc/sys/net/ipv4/ip_forward

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ip_default_ttl ]

then

echo -e "changing default ttl...."

echo 88 >/proc/sys/net/ipv4/ip_default_ttl

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

echo -e "\n\t disable dynamic ip support...."

echo 0 > /proc/sys/net/ipv4/ip_dynaddr

echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"

if [ -e /proc/sys/net/ipv4/ip_no_pmtu_disc ]

then

echo -e "disable path mtu discovery.please wait...."

echo 0 >/proc/sys/net/ipv4/ip_no_pmtu_disc

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ipfrag_high_thresh ]

then

echo -e "changing ipfrag_high_thresh.please wait...."

echo 5800 >/proc/sys/net/ipv4/ipfrag_high_thresh

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ipfrag_low_thresh ]

then

echo -e "changing ipfrag_low_thresh.please wait...."

echo 2048 >/proc/sys/net/ipv4/ipfrag_low_thresh

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ipfrag_time ]

then

echo -e "changing ipfrag_low_thresh.please wait...."

echo 20 >/proc/sys/net/ipv4/ipfrag_time

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ipfrag_secret_interval ]

then

echo -e "changing ipfrag_secret_interval.please wait...."

echo 600 >/proc/sys/net/ipv4/ipfrag_secret_interval

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]

then

echo -e "changing tcp_syn_retries.please wait...."

echo 4 >/proc/sys/net/ipv4/tcp_syn_retries

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]

then

echo -e "changing tcp_synack_retries.please wait...."

echo 4 >/proc/sys/net/ipv4/tcp_synack_retries

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]

then

echo -e "changing tcp_keepalive_time.please wait...."

echo 300 >/proc/sys/net/ipv4/tcp_keepalive_time

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_keepalive_probes ]

then

echo -e "changing tcp_keepalive_probes.please wait...."

echo 4 >/proc/sys/net/ipv4/tcp_keepalive_probes

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_keepalive_intvl ]

then

echo -e "changing tcp_keepalive_intvl.please wait...."

echo 60 >/proc/sys/net/ipv4/tcp_keepalive_intvl

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_retries1 ]

then

echo -e "changing tcp_retriest.please wait...."

echo 3 >/proc/sys/net/ipv4/tcp_retries1

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_retries2 ]

then

echo -e "changing tcp_retriest.please wait...."

echo 15 >/proc/sys/net/ipv4/tcp_retries2

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_orphan_retries ]

then

echo -e "disable tcp_orphan_retriest.please wait...."

echo 0 >/proc/sys/net/ipv4/tcp_orphan_retries

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_max_tw_buckets ]

then

echo -e "changing tcp_max_tw_bucketst.please wait...."

echo 4000 >/proc/sys/net/ipv4/tcp_max_tw_buckets

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_tw_recycle ]

then

echo -e "changing tcp_recycle.please wait...."

echo 1 >/proc/sys/net/ipv4/tcp_tw_recycle

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_tw_reuse ]

then

echo -e "changing tcp_tw_reuse.please wait...."

echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_max_orphans ]

then

echo -e "changing tcp_max_orphans.please wait...."

echo 2000 >/proc/sys/net/ipv4/tcp_max_orphans

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]

then

echo -e "changing tcp_max_syn_backlog.please wait...."

echo 8000 >/proc/sys/net/ipv4/tcp_max_syn_backlog

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]

then

echo -e "enable tcp_window_scaling.please wait...."

echo 1 >/proc/sys/net/ipv4/tcp_window_scaling

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_timestamps ]

then

echo -e "disable tcp_timestamps.please wait...."

echo 0 >/proc/sys/net/ipv4/tcp_timestamps

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

for x in /proc/sys/net/ipv4/conf/*/rp_filter

do

echo 1 > ${x}

done

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]

then

echo -e "\n\tEnable the syncookies flood protection"

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]

then

echo -e "\n\tSetting the maximum number of connections to track.... "

echo "80000" > /proc/sys/net/ipv4/ip_conntrack_max

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/ip_local_port_range ]

then

echo -e " \n\tSetting local port range for TCP/UDP connection...."

echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]

then

echo -e "\n\tEnable bad error message protection......."

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_ecn ]

then

echo -e "\n\tDisabling tcp_ecn,please wait..."

echo 0 >/proc/sys/net/ipv4/tcp_ecn

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_reordering ]

then

echo -e "\n\tchangling tcp_reordering,please wait..."

echo 0 >/proc/sys/net/ipv4/tcp_reordering

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_wmem ]

then

echo -e "\n\tchanging tcp_wmem,please wait..."

echo "4096 16384 131072" >/proc/sys/net/ipv4/tcp_wmem

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_rmem ]

then

echo -e "\n\tchanging tcp_rmem,please wait..."

echo "4096 87380 174760" >/proc/sys/net/ipv4/tcp_rmem

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_mem ]

then

echo -e "\n\tchanging tcp_mem,please wait..."

echo "97280 97792 98304" >/proc/sys/net/ipv4/tcp_mem

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_adv_win_scale ]

then

echo -e "\n\tchanging tcp_adv_win_scale,please wait..."

echo 2 >/proc/sys/net/ipv4/tcp_adv_win_scale

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_rfc1337 ]

then

echo -e "\n\tchanging tcp_rfc1337,please wait..."

echo 0 >/proc/sys/net/ipv4/tcp_rfc1337

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]

then

echo -e "\n\tDisabing ICMP redirects,please wait...."

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]

then

echo -e "\n\tDisabling source routing of packets,please wait...."

for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do

echo 0 > $i

done

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]

then

echo -e "\n\tIgnore any broadcast icmp echo requests......"

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/icmp_destunreach_rate ]

then

echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.."

echo 5 > /proc/sys/net/ipv4/icmp_destunreach_rate

echo 5 > /proc/sys/net/ipv4/icmp_echoreply_rate

echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/bootp_relay ]

then

echo -e "\n\tDisable the bootp_relay......"

echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

#

if [ -e /proc/sys/net/ipv4/tcp_timestamps ]

then

echo -e "\n\tDisable the tcp_timestamps......"

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]

then

echo -e "\n\tSetting up tcp_fin_timeout...."

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]

then

echo -e "\n\tDisabling tcp_window_scaling...."

echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_sack ]

then

echo -e "\n\tDisabling tcp_sack...."

echo 0 > /proc/sys/net/ipv4/tcp_sack

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/tcp_abort_on_overflowe ]

then

echo -e "\n\t Enabling tcp_abort_on_overflow"

echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]

then

echo -e "\n\t Enabling icmp_ignore_bogus_error_responses"

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/forwarding ]

then

echo -e "\n\t disabling forwarding"

echo 1 > /proc/sys/net/ipv4/forwarding

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/mc_forwarding ]

then

echo -e "\n\t disabling mc_forwarding"

echo 1 > /proc/sys/net/ipv4/mc_forwarding

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/config/all/log_martians ]

then

echo -e "\n\tnot LOG packets with impossible addresses to kernel log...."

echo 0 > /proc/sys/net/ipv4/conf/all/log_martians

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

for x in /proc/sys/net/ipv4/conf/*/log_martians; do

echo 1 > $x

done

if [ -e /proc/sys/net/ipv4/conf/all/proxy_arp ]

then

echo -e "\n\tdisable proxy_arp...."

echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]

then

echo -e "\n\tdisable send_redirects...."

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]

then

echo -e "\n\tenable secure_redirects...."

echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

}

unload_module()

{

for MODULE in ipt_TTL iptable_mangle ipt_mark ipt_MARK ipt_MASQUERADE ip_nat_irc ip_nat_ftp ipt_LOG \

ipt_limit ipt_REJECT ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat iptable_filter ip_tables; do

if (( `lsmod | grep -c "$MODULE"` )); then

rmmod $MODULE > /dev/null 2>&1

fi

done

}

load_config()

{

FW_LOCATE=/etc/firewall

if [ ! -e "$FW_LOCATE" ]

then

mkdir $FW_LOCATE

fi

if [ ! -f /etc/firewall/firewall.conf ]

then

echo "can not find firewall.conf,creating one with default setting..."

echo -e " UPLINK=eth1 \n UPIP=211.137.58.48 \n INTERFACES=lo eth0 \n LOAD_MODULES=no \n LOG_ILLEGAL_FLAGS=yes \n DENYIP=10.0.0.1 10.0.0.255 \n DENYUDPPORT=7 9 19 107 137 138 139 161 199 369 \n TCP_PORT_LOG=135 137 138 139 445 500 1433 3306 515 513 \n OPEN_TCP= 21 22 \n OPEN_UDP= \n LAN_IF=eth0 \n MALFORMED_PACKET_LOG=no \n MANAGE_IP=61.129.112.46 \n DISABLE_ALL_LOG=no \n " > /etc/firewall/firewall.conf

fi

echo -e "\t\t\t Loading the firewall configuration.......\n"

UPLINK=`grep "UPLINK" /etc/firewall/firewall.conf | cut -d = -f 2 `

UPIP=`grep "UPIP" /etc/firewall/firewall.conf | cut -d = -f 2`

INTERFACES=`grep "INTERFACES" /etc/firewall/firewall.conf | cut -d = -f 2`

LOAD_MODULES=`grep "LOAD_MODULES" /etc/firewall/firewall.conf | cut -d = -f 2`

LOG_ILLEGAL_FLAGS=`grep "LOG_ILLEGAL_FLAGS" /etc/firewall/firewall.conf | cut -d = -f 2`

OPEN_TCP=`grep "OPEN_TCP" /etc/firewall/firewall.conf | cut -d = -f 2`

OPEN_UDP=`grep "OPEN_UDP" /etc/firewall/firewall.conf | cut -d = -f 2`

TCP_PORT_LOG=`grep "TCP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2`

DENYIP=`grep "DENYIP" /etc/firewall/firewall.conf | cut -d = -f 2`

UDP_PORT_LOG=`grep "UDP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2`

MALFORMED_PACKET_LOG=` grep "MALFORED_PACKET_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 `

MANAGE_IP=` grep "MANAGE_IP" /etc/firewall/firewall.conf | cut -d = -f 2 `

DISABLE_ALL_LOG=` grep "DISABLE_ALL_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 `

if [ "$DISABLE_ALL_LOG" == "yes" ]; then

MALFORMED_PACKET_LOG=no

UDP_PORT_LOG=

TCP_PORT_LOG=

LOG_ILLEGAL_FLAGS=no

fi

}

check_root

check_enviroment

# if [ "$NAT" == "DHCP" ]; then

# if [ -z "$UPIP" ]; then

# echo " [ WAIT ]"

# echo -n "-> $UPLINK has no IP address. Waiting for DHCP"

# for COUNT in 1 2 3 4 5 6 7 8 9 10; do

# sleep 1

# echo -n "*#"

# UPIP=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1`

# if [ -n "$UPIP" ]; then

# echo " [ FOUND ]"

# break

# else

# if [ "$COUNT" == "10" ]; then

# echo " [ MISSING ]"

# echo "-> WARNING: IP address for $UPLINK not found. "

# fi

# fi

# done

# fi

#fi

if [ "$1" = "start" ]

then

echo "Starting firewall......"

ip_stack_adjust

load_config

echo -e "Now prepareing the kernel to use for a firewall ,please wait....."

#if [ "$NAT" = " dynamic " ]

# then

# echo -e "\n\tEnable dynamic ip support...."

# echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"

# fi

#echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay

#depmod -a

#define the load modules function

if [ "$LOAD_MODULES" = "yes" ]

then

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]

then

echo -e "\n\tLoading iptables modules please wait...."

mp ip_tables

mp ipt_LOG

mp ipt_owner

mp ipt_MASQURADE

mp ipt_REJECT

mp ipt_conntrack_ftp

mp ipt_conntrack_irc

mp iptable_filter

mp iptable_nat

mp iptable_mangle

mp ip_conntrack

mp ipt_limit

mp ipt_state

mp ipt_unclean

mp ipt_TCPMSS

mp ipt_TOS

mp ipt_TTL

mp ipt_quota

mp ipt_iplimit

mp ipt_pkttype

mp ipt_ipv4options

mp ipt_MARK

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

else

echo -e "\tSorry,no iptables modules found !!"

fi

fi

#prepare the firewall tables for use

iptables -t filter -P INPUT DROP

iptables -t filter -P FORWARD DROP

iptables -t filter -P OUTPUT DROP

iptables -t filter -F INPUT

iptables -t filter -F FORWARD

iptables -t filter -F OUTPUT

iptables -F -t nat

iptables -F -t mangle

iptables -Z

iptables -X

iptables -N CHECK_FLAGS

iptables -F CHECK_FLAGS

iptables -N tcpHandler

iptables -F tcpHandler

iptables -N udpHandler

iptables -F udpHandler

iptables -N icmpHandler

iptables -F icmpHandler

iptables -N DROP-AND-LOG

iptables -F DROP-AND-LOG

iptables -N syn-flood

iptables -F syn-flood

echo -e "\tOK,the kernel is now prepared to use for building a firewall!!!"

echo -e "\n\t starting firewall ,Waitting ........................"

echo -e "\n\tCreating a drop and log chain....."

iptables -A DROP-AND-LOG -j LOG --log-level 6

iptables -A DROP-AND-LOG -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

#design a chain for syn-flood protect

echo -e "\t define a chain for syn-flood pretect.."

iptables -A syn-flood -m limit --limit 4000/s --limit-burst 6000 -j RETURN

iptables -A syn-flood -j DROP

iptables -A INPUT -i ${UPLINK} -p tcp --syn -j syn-flood

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

iptables -A tcpHandler -p tcp -m limit --limit 4000/s --limit-burst 6000 -j RETURN

iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "

iptables -A tcpHandler -p tcp -j DROP

iptables -A udpHandler -p udp -m limit --limit 200/s --limit-burst 400 -j RETURN

iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"

iptables -A udpHandler -p udp -j DROP

iptables -A icmpHandler -p icmp -m limit --limit 200/s --limit-burst 400 -j RETURN

iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"

iptables -A icmpHandler -p icmp -j DROP

#define a chain for log malformed packages

if [ "$MALFORMED_PACKET_LOG" = "yes" ]

then

echo -e "\tNow logging malformed packages"

iptables -A INPUT -i ${UPLINK} -m unclean -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP malformed packet:"

iptables -A INPUT -i ${UPLINK} -m unclean -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

fi

# drop malformed packages

# iptables -A INPUT -i ${UPLINK} -m unclean -j DROP

echo -e "\tNow starting the check_flag rules,please wait...."

echo -e "\tLogging illegal TCP flags...."

if [ " $LOG_ILLEGAL_FLAGS " = " yes " ]

then

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ALL FIN :" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,FIN FIN :" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,PSH PSH:" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,URG URG:" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN " --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/RST SCAN" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " FIN/RST SCAN" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN " --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 " --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 " --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "XMAS-PSH:" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "NULL_SCAN" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID SCAN:" --log-tcp-options --log-ip-options

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

else

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP

iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m"

fi

#DROP packages with a invalid FLAG

iptables -A INPUT -i ${UPLINK} -p tcp -j CHECK_FLAGS

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tFinished check_flags rules...."

echo -e "\tNow starting the input rules,please wait......."

#for i in $OPEN_TCP_QUOTA; do

# printf " firewall ->port $i tcp open with quota $QUOTA..."

#iptables -A INPUT -i $UPLINK -p tcp --syn -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT

#iptables -A INPUT -i $UPLINK -p tcp --dport $i -j DROP

#done

#for i in $OPEN_UDP_QUOTA; do

# echo " firewall ->port $i udp open with quota $QUOTA..."

#iptables -A INPUT -i $UPLINK -p udp -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT

#iptables -A INPUT -i $UPLINK -p udp --dport $i -j DROP

#done

#build a chain for deny ip or ip range

for x in ${DENYIP}

do

iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j LOG --log-prefix "INVAILD:${x} TCP IN:"

iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j DROP

iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j LOG --log-prefix "INVAILD:${x} SYN IN:"

iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j DROP

iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENYED IP ${x} IN:"

iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} -j DROP

iptables -A FORWARD -s ${x} -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "DENYED ${x} FORWARD:"

iptables -A FORWARD -s ${x} -m state --state NEW,ESTABLISHED,RELATED -j DROP

iptables -A FORWARD -d ${x} -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "DENYED ${x} FORWARD:"

iptables -A FORWARD -d ${x} -m state --state NEW,ESTABLISHED,RELATED -j DROP

done

#build a chain for the tcp port or port range you want to log

for x in ${TCP_PORT_LOG}

do

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j LOG --log-prefix "INVALID:${x} SYN IN:"

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j DROP

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD${x}PORT IN:"

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "PORT:${x} attempt:" --log-tcp-options --log-ip-options --log-tcp-sequence

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -j DROP

done

#bulid a chain for the udp port or port range you want to deny

for x in ${UDP_PORT_LOG}

do

iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"

iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP

done

#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

#iptables -A INPUT -i ${LAN} -p tcp -s ${MANAGE_IP} -j ACCEPT

for x in ${MANAGE_IP}

do

iptables -t filter -A INPUT -p tcp -s ${x} --dport 22 -j ACCEPT

iptables -t filter -A OUTPUT -p tcp -d ${x} -j ACCEPT

done

#build a chain for the tcp port or port range you want to open on this firewll

for x in ${OPEN_TCP}

do

iptables -A INPUT -p tcp --dport ${x} --syn -j ACCEPT

iptables -A INPUT -p tcp --dport ${x} -j ACCEPT

iptables -A INPUT -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

done

#build a chain for the udp port or port range you want to open on this firewall

for x in ${OPEN_UDP}

do

iptables -A INPUT -p udp --dport ${x} -j ACCEPT

iptables -A INPUT -p udp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

done

#build a chain to drop and log IGMP

iptables -A INPUT -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP"

iptables -A INPUT -p igmp -j DROP

#drop and log invalid ip range

iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP

iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 169.254.0.0/16 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 192.0.2.0/24 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -p ! udp -d 224.0.0.0/4 -j DROP

iptables -A INPUT -i ${UPLINK} -p udp -d 224.0.0.0/4 -j ACCEPT

iptables -A INPUT -i ${UPLINK} -d 127.0.0.1 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 127.0.0.1 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 0.0.0.0 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 255.255.255.255 -j DROP-AND-LOG

#drop and log invalid manage ip in

#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANAGE_IP} -j LOG --log-level 6 --log-prefix " INVALID MANAGE_IP IN:"

#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANGLE_IP} -j DROP

#build a chain for ipsec vpn

#iptables -A INPUT -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT

#iptables -A INPUT -p 50 -i ${UPLINK} -j ACCEPT

#iptables -A INPUT -p 51 -i ${UPLINK} -j ACCEPT

#iptables -A INPUT -p 47 -i ${UPLINK} -j ACCEPT

#iptables -A FORWARD -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT

#iptables -A FORWARD -p 50 -i ${UPLINK} -j ACCEPT

#iptables -A FORWARD -p 51 -i ${UPLINK} -j ACCEPT

#iptables -A FORWARD -p 47 -i ${UPLINK} -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP

iptables -A INPUT -p icmp --icmp-type 13 -j DROP

iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP

iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID NEW"

iptables -A INPUT -m state --state NEW,INVALID -j DROP

iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:"

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT -p tcp --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"

iptables -A INPUT -p tcp --syn -j DROP

echo -e "\t Logging INVALID ICMP packages:"

iptables -A INPUT -i ${UPLINK} -p icmp ! --icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:"

iptables -A INPUT -i ${UPLINK} -f -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "

iptables -A INPUT -i ${UPLINK} -f -p icmp -j DROP

iptables -A INPUT -p icmp --icmp-type source-quench -d $UPIP -j ACCEPT

iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

#iptables -A INPUT -i ${UPLINK} -p icmp -j REJECT --reject-with icmp-net-unreachable

#iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"

#iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable

#iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"

#iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset

iptables -A INPUT -i ${UPLINK} -s 0/0 -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENT:"

iptables -A INPUT -i ${UPLINK} -s 0/0 -f -j DROP

iptables -A INPUT -i ${UPLINK} -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe input rules has been successful applied ,continure..."

echo -e "\t Now starting FORWARD rules ,please wait ....."

iptables -A FORWARD -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP:"

iptables -A FORWARD -p igmp -j DROP

iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT

iptables -A FORWARD --fragment -p icmp -j LOG --log-prefix "Fragmented forwarded ICMP: "

iptables -A FORWARD --fragment -p icmp -j DROP

iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT

iptables -A FORWARD -p icmp -m limit --limit 50/s --limit-burst 100 -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j DROP

iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP

iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP

iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

iptables -A FORWARD -p tcp --tcp-option 64 -j DROP

iptables -A FORWARD -p tcp --tcp-option 128 -j DROP

iptables -A FORWARD -p tcp --syn -m limit --limit 2000/s -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID forward: "

iptables -A FORWARD -m state --state INVALID -j DROP

iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 4000/s --limit-burst 6000 -j LOG --log-prefix " CONN TCP: "

iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler

iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN UDP:"

iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler

iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN ICMP: "

iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe forward rules has been successful applied,conniture..."

echo -e "\tNow applying output rules,please wait ...."

#for i in ${DENY_USER}

# do

# echo -e "\tNo world wide visit for user:${i} "

# iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:"

# iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP

# done

#iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT

#iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT

#iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT

#iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT

#if [ "$DHCP_SERVER" = "1" ]; then

# iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT

#fi

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "

iptables -A OUTPUT --fragment -p icmp -j DROP

iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "

iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -p icmp -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"

iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW:"

iptables -A OUTPUT -m state --state NEW,INVALID -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\t The OUTPUT rules has been successful applied,conniture..."

#echo -e "\t Now applying nat rules ,please wait ...."

#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

#iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP

#if [ " $ROUTER " = " yes " ]

# then

# echo -e "\t enabing ip_forward,please wait..."

# echo 1 >/proc/sys/net/ipv4/ip_forward

# echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

# if [ " $NAT " = " dynamic " ]

# then

# echo -e "\tEnableing MASQUERADING (dynamic ip )..."

# echo -e "\tDynamic PPP connection,Now getting the dynamic ip address"

# IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`

# echo -e "\t Now you IP ADDRESS is : ${IP_ADDR} "

# iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE

# iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}

# iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} -p tcp --dport 80 -j DNAT --to ${WEB_IP}:80

# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 22 -j DNAT --to ${ADMIN_IP}:22

# echo -e "\t OK,NAT setting start succecc.."

# elif [ " $NAT " != " " ]

# then

# echo -e "\tEnableing SNAT (static ip)..."

# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}

# iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}

# iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80

# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 88 -j DNAT --to ${ADMIN_IP}:22

# echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

# fi

#fi

echo -e "\a"

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

echo -e "\tAll rules has been successful applied,enjoy it...."

elif [ "$1" = "stop" ] || [ "$1" = "flush" ] || [ "$1" = "clear" ]

then

echo -e "\tStoping Firewall...."

iptables -t filter -F > /dev/null 2>&1

iptables -t filter -X > /dev/null 2>&1

iptables -t nat -F > /dev/null 2>&1

iptables -t nat -X > /dev/null 2>&1

iptables -t mangle -F > /dev/null 2>&1

iptables -t mangle -X > /dev/null 2>&1

iptables -t filter -P INPUT ACCEPT > /dev/null 2>&1

iptables -t filter -P OUTPUT ACCEPT > /dev/null 2>&1

iptables -t filter -P FORWARD ACCEPT > /dev/null 2>&1

iptables -F tcpHandler > /dev/null 2>&1

iptables -F udpHandler > /dev/null 2>&1

iptables -F icmpHandler > /dev/null 2>&1

iptables -F CHECK_FLAGS > /dev/null 2>&1

iptables -F DROP-AND-LOG > /dev/null 2>&1

iptables -F syn-flood > /dev/null 2>&1

iptables -X tcpHandler > /dev/null 2>&1

iptables -X udpHandler > /dev/null 2>&1

iptables -X icmpHandler > /dev/null 2>&1

iptables -X CHECK_FLAGS > /dev/null 2>&1

iptables -X DROP-AND-LOG > /dev/null 2>&1

iptables -X syn-flood > /dev/null 2>&1

echo -e "\a"

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"

echo -e "\t\tThe firewall has successful shuted down,be careful !"

fi

最后进行编辑的是 arlenecc on 2004-09-24 16:09, 总计第 2 次编辑

# RainLow firewall server version-- 09/05/2004

# This software may be used and distributed according to

#the terms of the GNU General Public License (GPL) provided

#credit is given to the original author.

# Copyright (c) 2004 rainlow

# All rights reserved

############################################################

#echo -e "\n\t\t\t Welcome to \033[3;031m RainLow Tech. \033[0m\n\n"

#echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"

# means the interface you connected to internet,if you use ADSL you should set

# it to ppp0

UPLINK=eth0

# means if you use fixed IP address you can set here

UPIP=221.137.58.48

# means the interface you have

INTERFACES=lo eth0

#means if you want to load all modules needed for this program

LOAD_MODULES=no

#means if you want to log the illegal tcp flags(most of these flags is used for a scanner)

LOG_ILLEGAL_FLAGS=yes

# means the IP address you want to log and DENY

DENYIP=10.0.0.1 10.0.0.255

# means the UDP port you want to log and drop the connections

UDP_PORT_LOG=7 9 19 107 137 138 139 161 199 162 369

#means the tcp port you want to log and drop the connections

TCP_PORT_LOG=135 136 137 138 139 445 500 1433 3306 515 513

#means tcp ports you want to open on this server

OPEN_TCP=25 110 22 21

#means udp ports you want to open,please only use this if you are provide services on firewall,dangerous

OPEN_UDP=

#means if you will log malformed packets

MALFORMED_PACKET_LOG=no

#means the ip address you want to manage the firewall remotely

MANAGE_IP=61.129.112.46

#means if you want to disable all log function(to save disk and other resource)

DISABLE_ALL_LOG=no

• ·IT经理世界：管理者的三根救命稻草
• ·鼠标悬停时反白显示的导航条代码(原创)
• ·Vi 编辑器
• ·Linux开机程序内幕-转
• ·Linux 使用技巧集锦(一)转
• ·分享我第一次写的PHP+MYSQL分页类
• ·PowerBuilder 8.0 开发环境集成
• ·关于包Package信息的论述
• ·关于将java程序做成exe文件（几种做法）
• ·初学Java，从给定的字符串中抓取Email地