很久没来了,其实也不是什么新东西,2001年底就写了很多了,主要是改正了以前版本里面的逻辑错误,整理了一下,把原来的WAN+LAN+DMZ改成了放在单独的linux服务器上的版本,使用LINUX服务器的兄弟们有福了,可以节省N多的脑细胞,呵呵,有问题邮件联系 arlenecc@rainlow.com
#!/bin/bash
echo -e " \t\t \033[1;31m RainLow firewall \033[m server version 1.0rc1 -- 09/24/2004 \n"
echo -e "############################################################"
echo -e " This software may be used and distributed according to "
echo -e "the terms of the GNU General Public License (GPL) provided"
echo -e "credit is given to the original author. "
echo -e "\t\t\t \033[1;31m Copyright (c) 2004 rainlow \033[m \n"
echo -e "\t\t\t\t All rights reserved \n\n\n"
echo -e "############################################################"
# now begins the firewall
echo -e "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"
echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
. /etc/init.d/functions
exit_failure()
{
echo -en " \t \033[3;031m [ FAILED ] \033[0m \n"
echo -en " \033[3;031m -> FATAL: $FAILURE \033[0m \n"
echo -en " \033[3;031m -> ** ABORTED **.\033[0m \n"
exit 1
}
check_root()
{
ROOT_ID=0
echo "Checking if you are root...."
if [ "$UID" = "$ROOT_ID" ]
then
echo -e "\n\t OK ! continue....\n"
echo -e "\a"
else
echo -e " Sorry,you are not root and not permitted to do this option...\n"
echo -e "\a"
FAILURE="you can not run this command ,you must be root to do this"
exit_failure
fi
}
check_enviroment()
{
echo -e "\t\t \033[1;31m Now Checking software envrioment \033[m \n"
OS=`uname -s`
_OS=$OS
if [ "$_OS" != "Linux" ];then
FAILURE="Sorry this version can only work under linux "
exit_failure
else
echo -en "\t\t \033[1;32m PASS \033[m \n"
fi
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
if [ "$KERNELMAJ" -lt 2 ] ; then
FAILURE="Sorry you kernel is too old,please upgrade it first!"
exit_failure
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 4 ] ; then
FAILURE="only kernel greater than 2.4 is supported"
exit_failure
fi
if ((`iptables -V 2>&1 | grep -c "Command not found"` )); then
FAILURE="can not find iptables command you must install iptables first"
exit_failure
fi
if !(( `which modprobe 2>&1 | grep -c "which: no modprobe in"` )) && ( [ -a /proc/modules ] || ! [ -a /proc/version ] ); then
if (( `lsmod | grep -c "ipchains"` )); then
rmmod ipchains > /dev/null 2>&1
fi
fi
}
wait()
{
echo | awk '{printf "||" ,$1}'
for x in `seq 1 10`;
do
sleep 1
echo "#" | awk '{printf "%s",$1}'
done
echo -en "\n"
}
iptables()
{
/sbin/iptables "$@"
}
mp()
{
/sbin/modprobe "$@"
}
load_module()
{
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]
then
echo -e "\n\tLoading iptables modules please wait...."
mp ip_tables
mp ipt_LOG
mp ipt_owner
mp ipt_MASQURADE
mp ipt_REJECT
mp ipt_conntrack_ftp
mp ipt_conntrack_irc
mp iptable_filter
mp iptable_nat
mp iptable_mangle
mp ip_conntrack
mp ipt_limit
mp ipt_state
mp ipt_unclean
mp ipt_TCPMSS
mp ipt_TOS
mp ipt_TTL
mp ipt_quota
mp ipt_iplimit
mp ipt_pkttype
mp ipt_ipv4options
mp ipt_MARK
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
else
echo -e "\tSorry,no iptables modules found !!"
fi
}
ip_stack_adjust()
{
if [ -e /proc/sys/net/ipv4/ip_forward ]
then
echo -e "enable ip_forward.please wait...."
echo 0 >/proc/sys/net/ipv4/ip_forward
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ip_default_ttl ]
then
echo -e "changing default ttl...."
echo 88 >/proc/sys/net/ipv4/ip_default_ttl
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
echo -e "\n\t disable dynamic ip support...."
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"
if [ -e /proc/sys/net/ipv4/ip_no_pmtu_disc ]
then
echo -e "disable path mtu discovery.please wait...."
echo 0 >/proc/sys/net/ipv4/ip_no_pmtu_disc
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_high_thresh ]
then
echo -e "changing ipfrag_high_thresh.please wait...."
echo 5800 >/proc/sys/net/ipv4/ipfrag_high_thresh
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_low_thresh ]
then
echo -e "changing ipfrag_low_thresh.please wait...."
echo 2048 >/proc/sys/net/ipv4/ipfrag_low_thresh
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_time ]
then
echo -e "changing ipfrag_low_thresh.please wait...."
echo 20 >/proc/sys/net/ipv4/ipfrag_time
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_secret_interval ]
then
echo -e "changing ipfrag_secret_interval.please wait...."
echo 600 >/proc/sys/net/ipv4/ipfrag_secret_interval
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]
then
echo -e "changing tcp_syn_retries.please wait...."
echo 4 >/proc/sys/net/ipv4/tcp_syn_retries
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]
then
echo -e "changing tcp_synack_retries.please wait...."
echo 4 >/proc/sys/net/ipv4/tcp_synack_retries
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]
then
echo -e "changing tcp_keepalive_time.please wait...."
echo 300 >/proc/sys/net/ipv4/tcp_keepalive_time
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_probes ]
then
echo -e "changing tcp_keepalive_probes.please wait...."
echo 4 >/proc/sys/net/ipv4/tcp_keepalive_probes
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_intvl ]
then
echo -e "changing tcp_keepalive_intvl.please wait...."
echo 60 >/proc/sys/net/ipv4/tcp_keepalive_intvl
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_retries1 ]
then
echo -e "changing tcp_retriest.please wait...."
echo 3 >/proc/sys/net/ipv4/tcp_retries1
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_retries2 ]
then
echo -e "changing tcp_retriest.please wait...."
echo 15 >/proc/sys/net/ipv4/tcp_retries2
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_orphan_retries ]
then
echo -e "disable tcp_orphan_retriest.please wait...."
echo 0 >/proc/sys/net/ipv4/tcp_orphan_retries
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_max_tw_buckets ]
then
echo -e "changing tcp_max_tw_bucketst.please wait...."
echo 4000 >/proc/sys/net/ipv4/tcp_max_tw_buckets
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_tw_recycle ]
then
echo -e "changing tcp_recycle.please wait...."
echo 1 >/proc/sys/net/ipv4/tcp_tw_recycle
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_tw_reuse ]
then
echo -e "changing tcp_tw_reuse.please wait...."
echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_max_orphans ]
then
echo -e "changing tcp_max_orphans.please wait...."
echo 2000 >/proc/sys/net/ipv4/tcp_max_orphans
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]
then
echo -e "changing tcp_max_syn_backlog.please wait...."
echo 8000 >/proc/sys/net/ipv4/tcp_max_syn_backlog
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]
then
echo -e "enable tcp_window_scaling.please wait...."
echo 1 >/proc/sys/net/ipv4/tcp_window_scaling
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]
then
echo -e "disable tcp_timestamps.please wait...."
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
for x in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > ${x}
done
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo -e "\n\tEnable the syncookies flood protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
then
echo -e "\n\tSetting the maximum number of connections to track.... "
echo "80000" > /proc/sys/net/ipv4/ip_conntrack_max
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
then
echo -e " \n\tSetting local port range for TCP/UDP connection...."
echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo -e "\n\tEnable bad error message protection......."
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo -e "\n\tDisabling tcp_ecn,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_ecn
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_reordering ]
then
echo -e "\n\tchangling tcp_reordering,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_reordering
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_wmem ]
then
echo -e "\n\tchanging tcp_wmem,please wait..."
echo "4096 16384 131072" >/proc/sys/net/ipv4/tcp_wmem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_rmem ]
then
echo -e "\n\tchanging tcp_rmem,please wait..."
echo "4096 87380 174760" >/proc/sys/net/ipv4/tcp_rmem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_mem ]
then
echo -e "\n\tchanging tcp_mem,please wait..."
echo "97280 97792 98304" >/proc/sys/net/ipv4/tcp_mem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_adv_win_scale ]
then
echo -e "\n\tchanging tcp_adv_win_scale,please wait..."
echo 2 >/proc/sys/net/ipv4/tcp_adv_win_scale
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_rfc1337 ]
then
echo -e "\n\tchanging tcp_rfc1337,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_rfc1337
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
echo -e "\n\tDisabing ICMP redirects,please wait...."
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
then
echo -e "\n\tDisabling source routing of packets,please wait...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $i
done
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo -e "\n\tIgnore any broadcast icmp echo requests......"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_destunreach_rate ]
then
echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.."
echo 5 > /proc/sys/net/ipv4/icmp_destunreach_rate
echo 5 > /proc/sys/net/ipv4/icmp_echoreply_rate
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/bootp_relay ]
then
echo -e "\n\tDisable the bootp_relay......"
echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
#
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]
then
echo -e "\n\tDisable the tcp_timestamps......"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]
then
echo -e "\n\tSetting up tcp_fin_timeout...."
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]
then
echo -e "\n\tDisabling tcp_window_scaling...."
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_sack ]
then
echo -e "\n\tDisabling tcp_sack...."
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_abort_on_overflowe ]
then
echo -e "\n\t Enabling tcp_abort_on_overflow"
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo -e "\n\t Enabling icmp_ignore_bogus_error_responses"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/forwarding ]
then
echo -e "\n\t disabling forwarding"
echo 1 > /proc/sys/net/ipv4/forwarding
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/mc_forwarding ]
then
echo -e "\n\t disabling mc_forwarding"
echo 1 > /proc/sys/net/ipv4/mc_forwarding
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/config/all/log_martians ]
then
echo -e "\n\tnot LOG packets with impossible addresses to kernel log...."
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
for x in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $x
done
if [ -e /proc/sys/net/ipv4/conf/all/proxy_arp ]
then
echo -e "\n\tdisable proxy_arp...."
echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]
then
echo -e "\n\tdisable send_redirects...."
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]
then
echo -e "\n\tenable secure_redirects...."
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
}
unload_module()
{
for MODULE in ipt_TTL iptable_mangle ipt_mark ipt_MARK ipt_MASQUERADE ip_nat_irc ip_nat_ftp ipt_LOG \
ipt_limit ipt_REJECT ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat iptable_filter ip_tables; do
if (( `lsmod | grep -c "$MODULE"` )); then
rmmod $MODULE > /dev/null 2>&1
fi
done
}
load_config()
{
FW_LOCATE=/etc/firewall
if [ ! -e "$FW_LOCATE" ]
then
mkdir $FW_LOCATE
fi
if [ ! -f /etc/firewall/firewall.conf ]
then
echo "can not find firewall.conf,creating one with default setting..."
echo -e " UPLINK=eth1 \n UPIP=211.137.58.48 \n INTERFACES=lo eth0 \n LOAD_MODULES=no \n LOG_ILLEGAL_FLAGS=yes \n DENYIP=10.0.0.1 10.0.0.255 \n DENYUDPPORT=7 9 19 107 137 138 139 161 199 369 \n TCP_PORT_LOG=135 137 138 139 445 500 1433 3306 515 513 \n OPEN_TCP= 21 22 \n OPEN_UDP= \n LAN_IF=eth0 \n MALFORMED_PACKET_LOG=no \n MANAGE_IP=61.129.112.46 \n DISABLE_ALL_LOG=no \n " > /etc/firewall/firewall.conf
fi
echo -e "\t\t\t Loading the firewall configuration.......\n"
UPLINK=`grep "UPLINK" /etc/firewall/firewall.conf | cut -d = -f 2 `
UPIP=`grep "UPIP" /etc/firewall/firewall.conf | cut -d = -f 2`
INTERFACES=`grep "INTERFACES" /etc/firewall/firewall.conf | cut -d = -f 2`
LOAD_MODULES=`grep "LOAD_MODULES" /etc/firewall/firewall.conf | cut -d = -f 2`
LOG_ILLEGAL_FLAGS=`grep "LOG_ILLEGAL_FLAGS" /etc/firewall/firewall.conf | cut -d = -f 2`
OPEN_TCP=`grep "OPEN_TCP" /etc/firewall/firewall.conf | cut -d = -f 2`
OPEN_UDP=`grep "OPEN_UDP" /etc/firewall/firewall.conf | cut -d = -f 2`
TCP_PORT_LOG=`grep "TCP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2`
DENYIP=`grep "DENYIP" /etc/firewall/firewall.conf | cut -d = -f 2`
UDP_PORT_LOG=`grep "UDP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2`
MALFORMED_PACKET_LOG=` grep "MALFORED_PACKET_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 `
MANAGE_IP=` grep "MANAGE_IP" /etc/firewall/firewall.conf | cut -d = -f 2 `
DISABLE_ALL_LOG=` grep "DISABLE_ALL_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 `
if [ "$DISABLE_ALL_LOG" == "yes" ]; then
MALFORMED_PACKET_LOG=no
UDP_PORT_LOG=
TCP_PORT_LOG=
LOG_ILLEGAL_FLAGS=no
fi
}
check_root
check_enviroment
# if [ "$NAT" == "DHCP" ]; then
# if [ -z "$UPIP" ]; then
# echo " [ WAIT ]"
# echo -n "-> $UPLINK has no IP address. Waiting for DHCP"
# for COUNT in 1 2 3 4 5 6 7 8 9 10; do
# sleep 1
# echo -n "*#"
# UPIP=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1`
# if [ -n "$UPIP" ]; then
# echo " [ FOUND ]"
# break
# else
# if [ "$COUNT" == "10" ]; then
# echo " [ MISSING ]"
# echo "-> WARNING: IP address for $UPLINK not found. "
# fi
# fi
# done
# fi
#fi
if [ "$1" = "start" ]
then
echo "Starting firewall......"
ip_stack_adjust
load_config
echo -e "Now prepareing the kernel to use for a firewall ,please wait....."
#if [ "$NAT" = " dynamic " ]
# then
# echo -e "\n\tEnable dynamic ip support...."
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"
# fi
#echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay
#depmod -a
#define the load modules function
if [ "$LOAD_MODULES" = "yes" ]
then
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]
then
echo -e "\n\tLoading iptables modules please wait...."
mp ip_tables
mp ipt_LOG
mp ipt_owner
mp ipt_MASQURADE
mp ipt_REJECT
mp ipt_conntrack_ftp
mp ipt_conntrack_irc
mp iptable_filter
mp iptable_nat
mp iptable_mangle
mp ip_conntrack
mp ipt_limit
mp ipt_state
mp ipt_unclean
mp ipt_TCPMSS
mp ipt_TOS
mp ipt_TTL
mp ipt_quota
mp ipt_iplimit
mp ipt_pkttype
mp ipt_ipv4options
mp ipt_MARK
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
else
echo -e "\tSorry,no iptables modules found !!"
fi
fi
#prepare the firewall tables for use
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
iptables -F -t nat
iptables -F -t mangle
iptables -Z
iptables -X
iptables -N CHECK_FLAGS
iptables -F CHECK_FLAGS
iptables -N tcpHandler
iptables -F tcpHandler
iptables -N udpHandler
iptables -F udpHandler
iptables -N icmpHandler
iptables -F icmpHandler
iptables -N DROP-AND-LOG
iptables -F DROP-AND-LOG
iptables -N syn-flood
iptables -F syn-flood
echo -e "\tOK,the kernel is now prepared to use for building a firewall!!!"
echo -e "\n\t starting firewall ,Waitting ........................"
echo -e "\n\tCreating a drop and log chain....."
iptables -A DROP-AND-LOG -j LOG --log-level 6
iptables -A DROP-AND-LOG -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
#design a chain for syn-flood protect
echo -e "\t define a chain for syn-flood pretect.."
iptables -A syn-flood -m limit --limit 4000/s --limit-burst 6000 -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp --syn -j syn-flood
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
iptables -A tcpHandler -p tcp -m limit --limit 4000/s --limit-burst 6000 -j RETURN
iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP
iptables -A udpHandler -p udp -m limit --limit 200/s --limit-burst 400 -j RETURN
iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP
iptables -A icmpHandler -p icmp -m limit --limit 200/s --limit-burst 400 -j RETURN
iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP
#define a chain for log malformed packages
if [ "$MALFORMED_PACKET_LOG" = "yes" ]
then
echo -e "\tNow logging malformed packages"
iptables -A INPUT -i ${UPLINK} -m unclean -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP malformed packet:"
iptables -A INPUT -i ${UPLINK} -m unclean -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
# drop malformed packages
# iptables -A INPUT -i ${UPLINK} -m unclean -j DROP
echo -e "\tNow starting the check_flag rules,please wait...."
echo -e "\tLogging illegal TCP flags...."
if [ " $LOG_ILLEGAL_FLAGS " = " yes " ]
then
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ALL FIN :" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,FIN FIN :" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,PSH PSH:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,URG URG:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/RST SCAN" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " FIN/RST SCAN" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 " --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "XMAS-PSH:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "NULL_SCAN" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID SCAN:" --log-tcp-options --log-ip-options
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
else
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m"
fi
#DROP packages with a invalid FLAG
iptables -A INPUT -i ${UPLINK} -p tcp -j CHECK_FLAGS
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tFinished check_flags rules...."
echo -e "\tNow starting the input rules,please wait......."
#for i in $OPEN_TCP_QUOTA; do
# printf " firewall ->port $i tcp open with quota $QUOTA..."
#iptables -A INPUT -i $UPLINK -p tcp --syn -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT
#iptables -A INPUT -i $UPLINK -p tcp --dport $i -j DROP
#done
#for i in $OPEN_UDP_QUOTA; do
# echo " firewall ->port $i udp open with quota $QUOTA..."
#iptables -A INPUT -i $UPLINK -p udp -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT
#iptables -A INPUT -i $UPLINK -p udp --dport $i -j DROP
#done
#build a chain for deny ip or ip range
for x in ${DENYIP}
do
iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j LOG --log-prefix "INVAILD:${x} TCP IN:"
iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j LOG --log-prefix "INVAILD:${x} SYN IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j DROP
iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENYED IP ${x} IN:"
iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} -j DROP
iptables -A FORWARD -s ${x} -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "DENYED ${x} FORWARD:"
iptables -A FORWARD -s ${x} -m state --state NEW,ESTABLISHED,RELATED -j DROP
iptables -A FORWARD -d ${x} -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-level 6 --log-prefix "DENYED ${x} FORWARD:"
iptables -A FORWARD -d ${x} -m state --state NEW,ESTABLISHED,RELATED -j DROP
done
#build a chain for the tcp port or port range you want to log
for x in ${TCP_PORT_LOG}
do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j LOG --log-prefix "INVALID:${x} SYN IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD${x}PORT IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "PORT:${x} attempt:" --log-tcp-options --log-ip-options --log-tcp-sequence
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -j DROP
done
#bulid a chain for the udp port or port range you want to deny
for x in ${UDP_PORT_LOG}
do
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
done
#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
#iptables -A INPUT -i ${LAN} -p tcp -s ${MANAGE_IP} -j ACCEPT
for x in ${MANAGE_IP}
do
iptables -t filter -A INPUT -p tcp -s ${x} --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -d ${x} -j ACCEPT
done
#build a chain for the tcp port or port range you want to open on this firewll
for x in ${OPEN_TCP}
do
iptables -A INPUT -p tcp --dport ${x} --syn -j ACCEPT
iptables -A INPUT -p tcp --dport ${x} -j ACCEPT
iptables -A INPUT -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
#build a chain for the udp port or port range you want to open on this firewall
for x in ${OPEN_UDP}
do
iptables -A INPUT -p udp --dport ${x} -j ACCEPT
iptables -A INPUT -p udp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
#build a chain to drop and log IGMP
iptables -A INPUT -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP"
iptables -A INPUT -p igmp -j DROP
#drop and log invalid ip range
iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 169.254.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 192.0.2.0/24 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -p ! udp -d 224.0.0.0/4 -j DROP
iptables -A INPUT -i ${UPLINK} -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -A INPUT -i ${UPLINK} -d 127.0.0.1 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 127.0.0.1 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 0.0.0.0 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 255.255.255.255 -j DROP-AND-LOG
#drop and log invalid manage ip in
#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANAGE_IP} -j LOG --log-level 6 --log-prefix " INVALID MANAGE_IP IN:"
#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANGLE_IP} -j DROP
#build a chain for ipsec vpn
#iptables -A INPUT -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 47 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A FORWARD -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 47 -i ${UPLINK} -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID NEW"
iptables -A INPUT -m state --state NEW,INVALID -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp --syn -j DROP
echo -e "\t Logging INVALID ICMP packages:"
iptables -A INPUT -i ${UPLINK} -p icmp ! --icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:"
iptables -A INPUT -i ${UPLINK} -f -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i ${UPLINK} -f -p icmp -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -d $UPIP -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#iptables -A INPUT -i ${UPLINK} -p icmp -j REJECT --reject-with icmp-net-unreachable
#iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
#iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
#iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
#iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ${UPLINK} -s 0/0 -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENT:"
iptables -A INPUT -i ${UPLINK} -s 0/0 -f -j DROP
iptables -A INPUT -i ${UPLINK} -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe input rules has been successful applied ,continure..."
echo -e "\t Now starting FORWARD rules ,please wait ....."
iptables -A FORWARD -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP:"
iptables -A FORWARD -p igmp -j DROP
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD --fragment -p icmp -j LOG --log-prefix "Fragmented forwarded ICMP: "
iptables -A FORWARD --fragment -p icmp -j DROP
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 50/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-option 64 -j DROP
iptables -A FORWARD -p tcp --tcp-option 128 -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 2000/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID forward: "
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 4000/s --limit-burst 6000 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe forward rules has been successful applied,conniture..."
echo -e "\tNow applying output rules,please wait ...."
#for i in ${DENY_USER}
# do
# echo -e "\tNo world wide visit for user:${i} "
# iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:"
# iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP
# done
#iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT
#if [ "$DHCP_SERVER" = "1" ]; then
# iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT
#fi
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p icmp -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\t The OUTPUT rules has been successful applied,conniture..."
#echo -e "\t Now applying nat rules ,please wait ...."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
#if [ " $ROUTER " = " yes " ]
# then
# echo -e "\t enabing ip_forward,please wait..."
# echo 1 >/proc/sys/net/ipv4/ip_forward
# echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
# if [ " $NAT " = " dynamic " ]
# then
# echo -e "\tEnableing MASQUERADING (dynamic ip )..."
# echo -e "\tDynamic PPP connection,Now getting the dynamic ip address"
# IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
# echo -e "\t Now you IP ADDRESS is : ${IP_ADDR} "
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
# iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
# iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} -p tcp --dport 80 -j DNAT --to ${WEB_IP}:80
# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 22 -j DNAT --to ${ADMIN_IP}:22
# echo -e "\t OK,NAT setting start succecc.."
# elif [ " $NAT " != " " ]
# then
# echo -e "\tEnableing SNAT (static ip)..."
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
# iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
# iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 88 -j DNAT --to ${ADMIN_IP}:22
# echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
# fi
#fi
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\tAll rules has been successful applied,enjoy it...."
elif [ "$1" = "stop" ] || [ "$1" = "flush" ] || [ "$1" = "clear" ]
then
echo -e "\tStoping Firewall...."
iptables -t filter -F > /dev/null 2>&1
iptables -t filter -X > /dev/null 2>&1
iptables -t nat -F > /dev/null 2>&1
iptables -t nat -X > /dev/null 2>&1
iptables -t mangle -F > /dev/null 2>&1
iptables -t mangle -X > /dev/null 2>&1
iptables -t filter -P INPUT ACCEPT > /dev/null 2>&1
iptables -t filter -P OUTPUT ACCEPT > /dev/null 2>&1
iptables -t filter -P FORWARD ACCEPT > /dev/null 2>&1
iptables -F tcpHandler > /dev/null 2>&1
iptables -F udpHandler > /dev/null 2>&1
iptables -F icmpHandler > /dev/null 2>&1
iptables -F CHECK_FLAGS > /dev/null 2>&1
iptables -F DROP-AND-LOG > /dev/null 2>&1
iptables -F syn-flood > /dev/null 2>&1
iptables -X tcpHandler > /dev/null 2>&1
iptables -X udpHandler > /dev/null 2>&1
iptables -X icmpHandler > /dev/null 2>&1
iptables -X CHECK_FLAGS > /dev/null 2>&1
iptables -X DROP-AND-LOG > /dev/null 2>&1
iptables -X syn-flood > /dev/null 2>&1
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\t\tThe firewall has successful shuted down,be careful !"
fi
最后进行编辑的是 arlenecc on 2004-09-24 16:09, 总计第 2 次编辑
# RainLow firewall server version-- 09/05/2004
# This software may be used and distributed according to
#the terms of the GNU General Public License (GPL) provided
#credit is given to the original author.
# Copyright (c) 2004 rainlow
# All rights reserved
############################################################
#echo -e "\n\t\t\t Welcome to \033[3;031m RainLow Tech. \033[0m\n\n"
#echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"
# means the interface you connected to internet,if you use ADSL you should set
# it to ppp0
UPLINK=eth0
# means if you use fixed IP address you can set here
UPIP=221.137.58.48
# means the interface you have
INTERFACES=lo eth0
#means if you want to load all modules needed for this program
LOAD_MODULES=no
#means if you want to log the illegal tcp flags(most of these flags is used for a scanner)
LOG_ILLEGAL_FLAGS=yes
# means the IP address you want to log and DENY
DENYIP=10.0.0.1 10.0.0.255
# means the UDP port you want to log and drop the connections
UDP_PORT_LOG=7 9 19 107 137 138 139 161 199 162 369
#means the tcp port you want to log and drop the connections
TCP_PORT_LOG=135 136 137 138 139 445 500 1433 3306 515 513
#means tcp ports you want to open on this server
OPEN_TCP=25 110 22 21
#means udp ports you want to open,please only use this if you are provide services on firewall,dangerous
OPEN_UDP=
#means if you will log malformed packets
MALFORMED_PACKET_LOG=no
#means the ip address you want to manage the firewall remotely
MANAGE_IP=61.129.112.46
#means if you want to disable all log function(to save disk and other resource)
DISABLE_ALL_LOG=no