全都是外國人寫的防火牆指令碼,我也來寫一個,希望大家跟我一塊做好(轉)

post0發表於2007-08-10
原文網址 : http://blog.itpub.net/8225414/viewspace-940681/
防火牆指令碼
全都是外國人寫的防火牆指令碼,我也來寫一個,希望大家跟我一塊做好(轉)[@more@]

DMZ部分尚不完善,其中難免有疏漏,希望大家跟我一塊改進,使他功能越來越強大,使用時請將firewall-dev copy 到/etc/rc.d/init.d將 firewall.conf copy /etc/下,你只需修改firewall.conf檔案就可以了。可以用firewall-dev start|stop起動和關閉防火牆,功能增加中,如你有任何改動請發一份給我,arlenecc@263.net

本著GPL的原則希望有志之士跟我一塊完善它,如有改動請通知我!!!!

firewall-dev

#!/bin/bash

# This is a firewall script with the function of stateful and

# ip filter, you can change it to meet you need,in a words:

# uplink means the output interface ,router means if you neet it

# to be a router or not,nat means if you are useing a dynamic ip

# address

# if you do ,then you can change it to "dynamic",interfaces means

# all the interface in you server ,services means all the services

# you server providing ,enjoy it !!! ----- write by arlenecc

#

##############################################################################

# #

# Copyright (c) 2002 arlenecc arlenecc@netease.com #

# All rights reserved #

# #

##############################################################################

#

# now begins the firewall

UPLINK=`less /root/firewall.conf | grep "UPLINK" | cut -d = -f 2 `

UPIP=`less /root/firewall.conf | grep "UPIP" | cut -d = -f 2`

ROUTER=`less /root/firewall.conf | grep "ROUTER" | cut -d = -f 2`

NAT=`less /root/firewall.conf | grep "NAT" | cut -d = -f 2`

INTERFACES=`less /root/firewall.conf | grep "INTERFACES" | cut -d = -f 2`

SERVICES=`less /root/firewall.conf | grep "SERVICES" | cut -d = -f 2`

DENYPORTS=`less /root/firewall.conf | grep "DENYPORTS" | cut -d = -f 2`

DENYUDPPORT=`less /root/firewall.conf | grep "DENYUDPPORT" | cut -d = -f 2`

LAN_IF=`less /root/firewall.conf | grep "LAN_IF" | cut -d = -f 2`

LAN_NET=`less /root/firewall.conf | grep "LAN_NET" | cut -d = -f 2`

DMZ_NET=`less /root/firewall.conf | grep "DMZ_NET" | cut -d = -f 2`

DMZ_IF=`less /root/firewall.conf | grep "DMZ_IF" | cut -d = -f 2`

DMZ_TCP_PORT=`less /root/firewall.conf | grep "DMZ_TCP_PORT" | cut -d = -f 2`

DMZ_UDP_PORT=`less /root/firewall.conf | grep "DMZ_UDP_PORT" | cut -d = -f 2`

WEB_IP=`less /root/firewall.conf | grep "WEB_IP" | cut -d = -f 2`

FTP_IP=`less /root/firewall.conf | grep "FTP_IP" | cut -d = -f 2`

H323_PORT=`less /root/firewall.conf | grep "H323_PORT" | cut -d = -f 2`

H323=`less /root/firewall.conf | grep "H323" | cut -d = -f 2`

if [ "$1" = "start" ]

then

echo "Starting firewall......"

echo "NOW prepareing kernel for use,please wait....."

# if [ -e /proc/sys/net/ipv4/ip_forward ]

#

# then

# echo 1 >/proc/sys/net/ipv4/ip_forward

# fi

if [ "$NAT" = " dynamic " ]

then

echo "Enable dynamic ip support...."

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

echo " OK !!!!"

fi

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]

then

echo "Enable the syn cook flood protection"

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo " OK !!!!"

fi

if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]

then

echo "Setting the maximum number of connections to track.... "

echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max

echo " OK !!!!"

fi

if [ -e /proc/sys/net/ipv4/ip_local_port_range ]

then

echo " Setting local port range for TCP/UDP connection...."

echo -e "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

echo " OK !!!!"

fi

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]

then

echo "Enable bad error message protection......."

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo " OK !!!! "

fi

if [ -e /proc/sys/net/ipv4/tcp_ecn ]

then

echo "Disabling tcp_ecn,please wait..."

echo 0 >/proc/sys/net/ipv4/tcp_ecn

echo " OK !!!! "

fi

for x in ${INTERFACES}

do

echo " Enabling rp_filter on ${x} ,please wait...."

echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter

echo " ${x} OK !!!! "

done

if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]

then

echo "Disabing ICMP redirects,please wait...."

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo " OK !!!! "

fi

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]

then

echo "Disabling source routing of packets,please wait...."

for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do

echo 0 > $i

echo " $i OK !!!! "

done

fi

if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]

then

echo "Ignore any broadcast icmp echo requests......"

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo " OK !!!! "

fi

# if [ -e /proc/sys/net/ipv4/config/all/log_martians ]

#

# then

# echo "LOG packets with impossible addresses to kernel log...."

# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# echo " OK !!!! "

# fi

#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

#modprobe ip_tables

depmod -a

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

iptables -F INPUT

iptables -F FORWARD

iptables -F OUTPUT

iptables -F -t nat

iptables -F -t mangle

iptables -Z

iptables -X

iptables -N CHECK_FLAGS

iptables -F CHECK_FLAGS

iptables -N tcpHandler

iptables -F tcpHandler

iptables -N udpHandler

iptables -F udpHandler

iptables -N icmpHandler

iptables -F icmpHandler

iptables -N DROP-AND-LOG

iptables -F DROP-AND-LOG

echo "OK,the kernel is now prepared to use for building a firewall!!!"

echo "Waitting ........................"

echo "Creating a drop chain....."

iptables -A DROP-AND-LOG -j LOG --log-level 5

iptables -A DROP-AND-LOG -j DROP

echo " OK !!!!"

echo "Now starting the check_flag rules,please wait...."

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "

iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "

iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "

iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "

iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

echo " OK !!!! Finished check_flags rules...."

echo "Now starting the input rules,please wait......."

for x in ${DENYPORTS}

do

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP

iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"

iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP

done

for x in ${DENYUDPPORT}

do

iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"

iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP

iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"

iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP

done

#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

for x in ${SERVICES}

do

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

done

iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG

iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG

#iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT

iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD TCP FROM DMZ:"

iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset

iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD UDP FROM DMZ:"

iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP

iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"

iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP

iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"

iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP

iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVAILD ICMP IN:"

iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable

iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"

iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable

iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"

iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset

iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"

iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP

iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"

iptables -A INPUT -i ${UPLINK} -f -j DROP

iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"

iptables -A INPUT -i ${LAN_IF} -f -j DROP

iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"

iptables -A INPUT -i ${DMZ_IF} -f -j DROP

iptables -A INPUT -i ${UPLINK} -j DROP

echo " OK !!!! The input rules has been successful applied ,continure......"

echo " Now starting FORWARD rules ,please wait ....."

iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT

iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "

iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler

iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"

iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler

iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "

iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler

iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN

iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "

iptables -A tcpHandler -p tcp -j DROP

iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN

iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"

iptables -A udpHandler -p udp -j DROP

iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN

iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"

iptables -A icmpHandler -p icmp -j DROP

iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT

iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT

#iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"

iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset

iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"

iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP

iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"

iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP

iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT

iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT

iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT

iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT

iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA"

iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP

iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA"

iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP

iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"

iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP

iptables -A FORWARD -m state --state NEW,INVALID -j DROP

iptables -A FORWARD -j DROP

echo " OK !!!! The forward rules has been successful applied,conniture......"

echo " Now applying output rules,please wait ...."

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"

iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset

iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"

iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP

iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"

iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"

iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"

iptables -A OUTPUT -m state --state NEW,INVALID -j DROP

iptables -A OUTPUT -j DROP

echo " OK !!!! The OUTPUT rules has been successful applied,conniture......."

echo " Now applying nat rules ,please wait ...."

#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867

iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP

iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP

if [ " $ROUTER " = " yes " ]

then

echo " enabing ip_forward,please wait..."

echo 1 >/proc/sys/net/ipv4/ip_forward

echo "OK"

if [ " $NAT " = " dynamic " ]

then

echo "Enableing MASQUERADING (dynamic ip )..."

echo "Dynamic PPP connection,Now getting the dynamic ip address"

IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`

echo " Now you IP ADDRESS is : ${IP_ADDR} "

iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE

iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}

iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80

iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21

iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20

if [ " $H323 " = " yes " ]

then

echo "Startting H323 NAT setting......"

for port in ${H323_PORT}

do

iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}

iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}

done

fi

echo " OK,NAT setting start succecc.."

elif [ " $NAT " != " " ]

then

echo "Enableing SNAT (static ip)..."

# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}

iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}

iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}

iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80

iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20

iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21

if [ "$H323 " = " yes " ]

then

echo "Startting H323 NAT setting........"

for port in ${H323_PORT}

do

iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}

iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}

done

fi

echo " OK !!!!"

fi

fi

if [ " $SELF_SET " = " yes " ]

then

echo "Starting the rules you set yourself......"

# firewall

echo " OK !!!!"

echo " All rules has been successful applied,enjoy it...."

elif [ "$1" = "stop" ]

then

echo "Stoping Firewall...."

iptables -F INPUT

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -F FORWARD

iptables -F OUTPUT

iptables -t nat -F POSTROUTING

iptables -F tcpHandler

iptables -F udpHandler

iptables -F icmpHandler

iptables -F CHECK_FLAGS

iptables -F DROP-AND-LOG

iptables -X tcpHandler

iptables -X udpHandler

iptables -X icmpHandler

iptables -X CHECK_FLAGS

iptables -X DROP-AND-LOG

echo "The firewall has successful shuted down,be careful !!!"

fi

firewall.conf

UPLINK=eth1

UPIP=192.168.2.188

ROUTER=yes

NAT=192.168.2.188

INTERFACES=lo eth0 eth1 eth2

SERVICES=http ftp

DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79

DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369

LAN_IF=eth0

LAN_NET=192.168.1.0/24

DMZ_NET=192.168.3.0/24

DMZ_IF=eth2

DMZ_TCP_PORT=20 21 25 53 80 110

DMZ_UDP_PORT=53

WEB_IP=192.168.3.1

FTP_IP=192.168.3.2

H323_PORT=

H323=no

#here you can add the block rules yourself ,but be sure you do all these setting otherwise ,it will not work at all !!!!

SELF_SET=

BLOCK_TYPE=

PROTO=

INTE_IF=

SRC=

DST=

DPORT=

ACTION=

ACTION_TYPE=

#here you can add the icmp block rules yourself,Be sure you do all these setting otherwise ,it will not work at all !!!!

ICMP_IF=

ICMP_SRC=

ICMP_DST=

ICMP_ACTION=

ICMP_TYPE=

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/8225414/viewspace-940681/,如需轉載,請註明出處,否則將追究法律責任。

相關文章