NAT iptables firewall (script) (reposted)
```sh
#!/bin/sh
# make me executable (chmod a+x rc.firewall ) and run me on boot
#
# djweis@sjdjweis.com
# iptables firewall script
# this script is meant to be run once per boot
# the rules will be double added if you try to run it twice
# if you need to add another rule during runtime, change the
# -A to a -I to add it to the top of the list of rules
# if you use -A it will go at the end after the reject rule :-(
#
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3

# testing
#set -x

# the DMZ /28 is a public subnet routed through this box, not a separate
# network: it is reachable from the outside via proxy ARP on eth0
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE

# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# turn on antispoofing protection (reverse path filtering on every interface)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush all rules in the filter table
#iptables -F

# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# deny everything for now
# these three catch-all DROPs sit at position 1 while the rest of the rules
# are appended behind them, so nothing is forwarded until the script finishes;
# they are deleted again at the very end
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc

# drop invalid packets, accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER

# mail server masqing: the public mail address is DNATed to the internal host
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# (the bad-good chain below does exactly that)

# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good

# drop anything that doesn't fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP

# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
# note: the two --sport domain rules match any packet whose source port is 53,
# not just DNS replies; replies to DMZ-initiated queries are already covered
# by the RELATED,ESTABLISHED rule in FORWARD
iptables -A bad-dmz -p udp --sport domain -j ACCEPT
iptables -A bad-dmz -p tcp --sport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP

# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l

# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
# "! --syn" only lets non-connection-opening segments through, i.e. replies
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP

# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP

# from external to internal (only the DNATed mail server ports)
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if

# external iface
iptables -A bad-if -p icmp -j icmp-acc
# note: this accepts every packet addressed to the firewall itself from the
# Internet; the commented ipchains rules below show the tighter policy that
# was used before
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY

# dmz iface
# (the chain here is dmz-if; a second bad-if rule was a copy-paste slip)
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP

# remove the complete blocks
# rule 1 in each built-in chain is the catch-all DROP added at the start;
# deleting it activates the rules appended behind it. The chain policies are
# never changed, so anything not matched (e.g. loopback traffic) falls through
# to the default ACCEPT policy.
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
```
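The header comment warns that the script cannot be run twice without duplicating rules, and the "deny everything, append, then delete rule 1" sequence exists only because `-A` appends behind the temporary DROP. An added example, not part of the original script, shows the same internal/external zone structure expressed as an `iptables-restore` ruleset: the whole table is replaced atomically on every load, chain policies carry the default-deny, and re-running it cannot double-add anything. It covers only the good-bad / bad-good pair for brevity; interface names are the page's, the masquerade address is a constructed documentation-range placeholder.

```shell
#!/bin/sh
# Added example (not from the original script): emit the internal/external
# part of the policy as an iptables-restore ruleset. The file is applied as
# one transaction, so it is idempotent and needs no temporary DROP rules.
BAD_IFACE=${BAD_IFACE:-eth0}
GOOD_IFACE=${GOOD_IFACE:-eth2}
GOOD_ADDR=${GOOD_ADDR:-192.168.1.0/24}
MASQ_SERVER=${MASQ_SERVER:-203.0.113.98}   # constructed placeholder address

# Print the ruleset. ":CHAIN POLICY [pkts:bytes]" lines set the policy, so
# default-deny is in place the moment the table is committed.
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to-source $MASQ_SERVER
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:good-bad - [0:0]
:bad-good - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $GOOD_IFACE -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $GOOD_IFACE -o $BAD_IFACE -s $GOOD_ADDR -j good-bad
-A FORWARD -i $BAD_IFACE -o $GOOD_IFACE -j bad-good
-A FORWARD -j LOG --log-prefix "chain-jump "
-A good-bad -j ACCEPT
-A bad-good -j LOG --log-prefix "bad-good "
-A bad-good -j REJECT
COMMIT
EOF
}

# Count the -A rules in the filter table of a ruleset read on stdin. Because
# gen_ruleset always emits the same text, loading it N times yields the same
# count, which is the property the original script's header says it lacks.
filter_rule_count() { sed -n '/^\*filter/,/^COMMIT/p' | grep -c '^-A'; }

# Apply: iptables-restore --test validates without touching the kernel;
# without --test the whole file is loaded atomically or rejected as a unit.
# gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
```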
From the ITPUB blog, link: http://blog.itpub.net/8225414/viewspace-940621/. If you repost this, please cite the source; otherwise legal action will be taken.