全都是外國人寫的防火牆指令碼,我也來寫一個,希望大家跟我一塊做好(轉)
全都是外國人寫的防火牆指令碼,我也來寫一個,希望大家跟我一塊做好(轉)[@more@]DMZ部分尚不完善,其中難免有疏漏,希望大家跟我一塊改進,使他功能越來越強大,使用時請將firewall-dev copy 到/etc/rc.d/init.d將 firewall.conf copy /etc/下,你只需修改firewall.conf檔案就可以了。可以用firewall-dev start|stop起動和關閉防火牆,功能增加中,如你有任何改動請發一份給我,arlenecc@263.net本著GPL的原則希望有志之士跟我一塊完善它,如有改動請通知我!!!!firewall-dev#!/bin/bash# This is a firewall script with the function of stateful and# ip filter, you can change it to meet you need,in a words:# uplink means the output interface ,router means if you neet it# to be a router or not,nat means if you are useing a dynamic ip# address# if you do ,then you can change it to "dynamic",interfaces means# all the interface in you server ,services means all the services# you server providing ,enjoy it !!! ----- write by arlenecc################################################################################ ## Copyright (c) 2002 arlenecc arlenecc@netease.com ## All rights reserved ## ################################################################################# now begins the firewallUPLINK=`less /root/firewall.conf | grep "UPLINK" | cut -d = -f 2 `UPIP=`less /root/firewall.conf | grep "UPIP" | cut -d = -f 2`ROUTER=`less /root/firewall.conf | grep "ROUTER" | cut -d = -f 2`NAT=`less /root/firewall.conf | grep "NAT" | cut -d = -f 2`INTERFACES=`less /root/firewall.conf | grep "INTERFACES" | cut -d = -f 2`SERVICES=`less /root/firewall.conf | grep "SERVICES" | cut -d = -f 2`DENYPORTS=`less /root/firewall.conf | grep "DENYPORTS" | cut -d = -f 2`DENYUDPPORT=`less /root/firewall.conf | grep "DENYUDPPORT" | cut -d = -f 2`LAN_IF=`less /root/firewall.conf | grep "LAN_IF" | cut -d = -f 2`LAN_NET=`less /root/firewall.conf | grep "LAN_NET" | cut -d = -f 2`DMZ_NET=`less /root/firewall.conf | grep "DMZ_NET" | cut -d = -f 2`DMZ_IF=`less /root/firewall.conf | grep "DMZ_IF" | cut -d = -f 2`DMZ_TCP_PORT=`less /root/firewall.conf | grep "DMZ_TCP_PORT" | cut -d = -f 2`DMZ_UDP_PORT=`less /root/firewall.conf | grep "DMZ_UDP_PORT" | cut -d = -f 2`WEB_IP=`less /root/firewall.conf | grep "WEB_IP" | cut -d = -f 2`FTP_IP=`less /root/firewall.conf | grep "FTP_IP" | cut -d = -f 2`H323_PORT=`less /root/firewall.conf | grep "H323_PORT" | cut -d = -f 2`H323=`less /root/firewall.conf | grep "H323" | cut -d = -f 2`if [ "$1" = "start" ]thenecho "Starting firewall......"echo "NOW prepareing kernel for use,please wait....."# if [ -e /proc/sys/net/ipv4/ip_forward ]## then# echo 1 >/proc/sys/net/ipv4/ip_forward# fiif [ "$NAT" = " dynamic " ]thenecho "Enable dynamic ip support...."echo 1 > /proc/sys/net/ipv4/ip_dynaddrecho " OK !!!!"fiif [ -e /proc/sys/net/ipv4/tcp_syncookies ]thenecho "Enable the syn cook flood protection"echo 1 > /proc/sys/net/ipv4/tcp_syncookiesecho " OK !!!!"fiif [ -e /proc/sys/net/ipv4/ip_conntrack_max ]thenecho "Setting the maximum number of connections to track.... "echo "4096" > /proc/sys/net/ipv4/ip_conntrack_maxecho " OK !!!!"fiif [ -e /proc/sys/net/ipv4/ip_local_port_range ]thenecho " Setting local port range for TCP/UDP connection...." echo -e "32768 61000" > /proc/sys/net/ipv4/ip_local_port_rangeecho " OK !!!!"fiif [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]thenecho "Enable bad error message protection......."echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responsesecho " OK !!!! "fiif [ -e /proc/sys/net/ipv4/tcp_ecn ]thenecho "Disabling tcp_ecn,please wait..."echo 0 >/proc/sys/net/ipv4/tcp_ecnecho " OK !!!! "fifor x in ${INTERFACES}doecho " Enabling rp_filter on ${x} ,please wait...."echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filterecho " ${x} OK !!!! "doneif [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]thenecho "Disabing ICMP redirects,please wait...." echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirectsecho " OK !!!! "fi if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]thenecho "Disabling source routing of packets,please wait...."for i in /proc/sys/net/ipv4/conf/*/accept_source_route doecho 0 > $iecho " $i OK !!!! "donefi if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]thenecho "Ignore any broadcast icmp echo requests......"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcastsecho " OK !!!! "fi# if [ -e /proc/sys/net/ipv4/config/all/log_martians ]## then# echo "LOG packets with impossible addresses to kernel log...."# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians# echo " OK !!!! "# fi #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all#modprobe ip_tablesdepmod -aiptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT DROPiptables -F INPUTiptables -F FORWARDiptables -F OUTPUTiptables -F -t natiptables -F -t mangleiptables -Ziptables -X iptables -N CHECK_FLAGSiptables -F CHECK_FLAGSiptables -N tcpHandleriptables -F tcpHandleriptables -N udpHandleriptables -F udpHandleriptables -N icmpHandleriptables -F icmpHandleriptables -N DROP-AND-LOGiptables -F DROP-AND-LOGecho "OK,the kernel is now prepared to use for building a firewall!!!"echo "Waitting ........................"echo "Creating a drop chain....."iptables -A DROP-AND-LOG -j LOG --log-level 5iptables -A DROP-AND-LOG -j DROPecho " OK !!!!"echo "Now starting the check_flag rules,please wait...."iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROPiptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROPecho " OK !!!! Finished check_flags rules...."echo "Now starting the input rules,please wait......."for x in ${DENYPORTS}doiptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:" iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROPiptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROPdonefor x in ${DENYUDPPORT}doiptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROPiptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROPdone#iptables -A INPUT -i ! ${UPLINK} -j ACCEPTfor x in ${SERVICES}do iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTdoneiptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOGiptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOGiptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOGiptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOGiptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG#iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT#iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROPiptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECTiptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD TCP FROM DMZ:"iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-resetiptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD UDP FROM DMZ:"iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROPiptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROPiptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROPiptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVAILD ICMP IN:"iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachableiptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachableiptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-resetiptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROPiptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"iptables -A INPUT -i ${UPLINK} -f -j DROPiptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"iptables -A INPUT -i ${LAN_IF} -f -j DROPiptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"iptables -A INPUT -i ${DMZ_IF} -f -j DROPiptables -A INPUT -i ${UPLINK} -j DROPecho " OK !!!! The input rules has been successful applied ,continure......"echo " Now starting FORWARD rules ,please wait ....."iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPTiptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPTiptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPTiptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROPiptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROPiptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROPiptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROPiptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROPiptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROPiptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPTiptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPTiptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandleriptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandleriptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandleriptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURNiptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "iptables -A tcpHandler -p tcp -j DROPiptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURNiptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"iptables -A udpHandler -p udp -j DROPiptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURNiptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"iptables -A icmpHandler -p icmp -j DROPiptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPTiptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT#iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT#iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-resetiptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROPiptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROPiptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPTiptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPTiptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPTiptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPTiptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA"iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROPiptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA"iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROPiptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROPiptables -A FORWARD -m state --state NEW,INVALID -j DROPiptables -A FORWARD -j DROPecho " OK !!!! The forward rules has been successful applied,conniture......"echo " Now applying output rules,please wait ...."iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPTiptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-resetiptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROPiptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROPiptables -A OUTPUT -o lo -j ACCEPTiptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"iptables -A OUTPUT -p icmp -m state --state INVALID -j DROPiptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"iptables -A OUTPUT -m state --state NEW,INVALID -j DROPiptables -A OUTPUT -j DROPecho " OK !!!! The OUTPUT rules has been successful applied,conniture......."echo " Now applying nat rules ,please wait ...."#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROPiptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROPif [ " $ROUTER " = " yes " ]thenecho " enabing ip_forward,please wait..."echo 1 >/proc/sys/net/ipv4/ip_forwardecho "OK"if [ " $NAT " = " dynamic " ]thenecho "Enableing MASQUERADING (dynamic ip )..."echo "Dynamic PPP connection,Now getting the dynamic ip address"IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`echo " Now you IP ADDRESS is : ${IP_ADDR} "iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADEiptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20if [ " $H323 " = " yes " ]thenecho "Startting H323 NAT setting......"for port in ${H323_PORT}doiptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} done fi echo " OK,NAT setting start succecc.."elif [ " $NAT " != " " ]thenecho "Enableing SNAT (static ip)..."# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21if [ "$H323 " = " yes " ]thenecho "Startting H323 NAT setting........" for port in ${H323_PORT}doiptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}donefiecho " OK !!!!"fifiif [ " $SELF_SET " = " yes " ]thenecho "Starting the rules you set yourself......"# firewallecho " OK !!!!"echo " All rules has been successful applied,enjoy it...."elif [ "$1" = "stop" ]thenecho "Stoping Firewall...."iptables -F INPUTiptables -P INPUT ACCEPTiptables -P OUTPUT ACCEPTiptables -P FORWARD ACCEPTiptables -F FORWARDiptables -F OUTPUTiptables -t nat -F POSTROUTINGiptables -F tcpHandleriptables -F udpHandleriptables -F icmpHandleriptables -F CHECK_FLAGSiptables -F DROP-AND-LOGiptables -X tcpHandleriptables -X udpHandleriptables -X icmpHandleriptables -X CHECK_FLAGSiptables -X DROP-AND-LOGecho "The firewall has successful shuted down,be careful !!!"fifirewall.confUPLINK=eth1UPIP=192.168.2.188ROUTER=yesNAT=192.168.2.188INTERFACES=lo eth0 eth1 eth2SERVICES=http ftpDENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369LAN_IF=eth0LAN_NET=192.168.1.0/24DMZ_NET=192.168.3.0/24DMZ_IF=eth2DMZ_TCP_PORT=20 21 25 53 80 110DMZ_UDP_PORT=53WEB_IP=192.168.3.1FTP_IP=192.168.3.2H323_PORT=H323=no#here you can add the block rules yourself ,but be sure you do all these setting otherwise ,it will not work at all !!!!SELF_SET=BLOCK_TYPE=PROTO=INTE_IF=SRC=DST=DPORT=ACTION=ACTION_TYPE=#here you can add the icmp block rules yourself,Be sure you do all these setting otherwise ,it will not work at all !!!!ICMP_IF=ICMP_SRC=ICMP_DST=ICMP_ACTION=ICMP_TYPE=
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/8225414/viewspace-940681/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- 一個javascript指令碼寫的俄羅斯方塊 (轉)JavaScript指令碼
- 一個高效、安全、通用的防火牆共享上網指令碼(轉)防火牆指令碼
- 跟我一起寫shell補全指令碼(Bash篇)指令碼
- 跟我一起寫shell補全指令碼(Zsh篇)指令碼
- 讓我們來用php編寫一個搶購商品指令碼PHP指令碼
- 看別人寫的檔案分割工具挺好用,也學著寫了一個,附原始碼。 (轉)原始碼
- 大家快來嚐嚐鮮 轉<用 curl 和 scsh 編寫 web 指令碼>(轉)Web指令碼
- 如何用原生js來寫一個swiper滑塊外掛(上)原理JS
- 我也用Node寫個每天給她自動發微信的指令碼指令碼
- 教練我想寫一個 HelloWorld Babel 外掛Babel
- 也談如何寫一個Webserver(-)WebServer
- iOS——寫一個快速定位問題的指令碼iOS指令碼
- 我寫了一個從DATASOURCE取得CONNECTION的工具類,大家看看
- 擼一個 webpack 外掛,希望對大家有所幫助Web
- 不用寫程式碼,也能做好介面測試
- 編寫一個小指令碼來啟動和關閉sybase ASE指令碼
- 分享一個Python寫的windows環境系統服務來自動化管理防火牆規則PythonWindows防火牆
- 如何寫一個Vue的外掛Vue
- Shell:如何寫一個多選選單的指令碼指令碼
- 介紹一個自己寫的crs_stat指令碼指令碼
- 也談如何寫一個Webserver(三)WebServer
- 我寫了一個指令碼,可在“任意”伺服器上執行命令!指令碼伺服器
- [轉]寫好shell指令碼的13個技巧指令碼
- 向大家分享一個shell指令碼的坑指令碼
- 自己寫一個Babel外掛Babel
- 我也來扔一個Promise吧……Promise
- 從0到1編寫一個指令碼引擎指令碼
- 手寫指令碼程式碼太累!搞一個生成工具吧指令碼
- 用 JavaScript 寫一個區塊鏈JavaScript區塊鏈
- GO 的鏈式呼叫寫一個轉碼庫Go
- 【老師見打系列】:我只是寫了一個自動回覆討論的指令碼~指令碼
- 從0到1編寫一個JS指令碼引擎JS指令碼
- 我讓chatGPT用PHP寫一個MVC框架,不僅寫出來,還能跑!ChatGPTPHPMVC框架
- 如何編寫一個Jquery外掛jQuery
- 招一個寫程式碼的女生:國外女程式設計師是什麼樣的程式設計師
- jdk 原始碼的一個BUG,大家來看看JDK原始碼
- 大家好,我是網際網路的一個小菜鳥,希望大家以後多多關照
- 用Jmeter編寫一個較複雜的測試指令碼JMeter指令碼