iptables+tc配置(轉)

roninwei發表於2006-07-20
## Turn on IPv4 forwarding so this host can route between its interfaces.
# Enabling IP Forwarding......
printf '%s\n' "Enabling IP Forwarding........"
# Written straight into /proc (needs root).  This only permits forwarding;
# which forwarded packets are actually allowed is decided by the FORWARD
# chain rules further down.
printf '%s\n' "1" > /proc/sys/net/ipv4/ip_forward
# Path of the iptables binary.  NOTE(review): the rules below call a bare
# `iptables` and never reference this variable, so it is informational only.
IPTABLES="/sbin/iptables"

## Network interfaces and addresses
# Internet Configuration.
INET_IF="ppp0"                  # PPP link carrying the Internet traffic
#internet netcard
EXT_IF="eth0"                   # NIC the PPP link is presumably brought up over (see adsl-start at the end)
#intranet netcard
LAN_IF="eth1"                   # NIC facing the LAN
LAN_IP="192.168.0.1"            # this host's LAN address
LAN_IP_RANGE="192.168.0.0/24"   # LAN subnet
#TRUSTED_TCP_PORT="22 25 53 80 110 143 443 3128 6000 6001 6002 7100"

# Localhost Configuration.
LO_IF="lo"
LO_IP="127.0.0.1"

## Well-known ports kept as named constants (sorted by number).  None of
## them is referenced by an active rule in this script; the trusted-port
## loop that would use them is commented out.
# Protocols Configuration.
FTP_DATA="20"
FTP="21"
SSH="22"
TELNET="23"
SMTP="25"
DNS="53"
HTTP="80"
POP3="110"
IMAP="143"
HTTPS="443"
PCAW_TCP="5631"
PCAW_UDP="5632"
WEBMIN="10000"
WAM="12000"

## Kernel module preparation
# Module loading.
printf '%s\n' "modprobe modules"
# Refresh the module dependency map.  Every modprobe line below is commented
# out, so no netfilter module is loaded explicitly here; presumably the
# kernel's module autoloading is relied on instead.  The original author
# notes that the set of modules differs per installation and expects these
# lines to be tuned per host.
/sbin/depmod -a
#Required modules
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp

# Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc

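#############################################################################
# Traffic control (tc): uplink shaping
##########################TC begin##########################################
# Outbound shaping is attached to EXT_IF (the NIC beneath the PPP link),
# not to INET_IF.  The interface comes from the configuration variable so
# it is no longer hard-coded separately from EXT_IF.  NOTE(review): egress
# frames on that NIC are PPPoE, so confirm that the `protocol ip` fw
# filters below actually classify this traffic; if they do not, everything
# lands in the default class.
echo "Enabling uplink limit"
#uplink limit
# Remove whatever root qdisc is present.  On a fresh boot there is none and
# tc reports an error, which is why stderr is silenced here.
tc qdisc del dev "$EXT_IF" root 2>/dev/null

# Root HTB qdisc; packets claimed by no filter go to class 10:70 ("default 70").
tc qdisc add dev "$EXT_IF" root handle 10: htb default 70
# Overall uplink ceiling.  In tc, "kbps" means kilobytes per second ("kbit"
# is kilobits), so this is 64 KB/s.
tc class add dev "$EXT_IF" parent 10: classid 10:1 htb rate 64kbps ceil 64kbps

# Leaf classes, one per traffic category; a lower prio is served first when
# the link is contended.  Classes 10:10-10:30 are kept but disabled.
#tc class add dev "$EXT_IF" parent 10:1 classid 10:10 htb rate 2kbps ceil 4kbps prio 2
#tc class add dev "$EXT_IF" parent 10:1 classid 10:20 htb rate 2kbps ceil 4kbps prio 2
#tc class add dev "$EXT_IF" parent 10:1 classid 10:30 htb rate 32kbps ceil 40kbps prio 3
tc class add dev "$EXT_IF" parent 10:1 classid 10:40 htb rate 3kbps ceil 13kbps prio 0
tc class add dev "$EXT_IF" parent 10:1 classid 10:50 htb rate 1kbps ceil 11kbps prio 1
tc class add dev "$EXT_IF" parent 10:1 classid 10:60 htb rate 1kbps ceil 11kbps prio 1
tc class add dev "$EXT_IF" parent 10:1 classid 10:70 htb rate 2kbps ceil 5kbps prio 1
# Per-leaf queueing: SFQ so flows inside one class share it fairly;
# "perturb N" re-seeds the flow hash every N seconds.  The pfifo
# alternatives are kept commented out.
#tc qdisc add dev "$EXT_IF" parent 10:10 handle 101: pfifo
#tc qdisc add dev "$EXT_IF" parent 10:20 handle 102: pfifo
#tc qdisc add dev "$EXT_IF" parent 10:30 handle 103: pfifo
#tc qdisc add dev "$EXT_IF" parent 10:40 handle 104: pfifo
#tc qdisc add dev "$EXT_IF" parent 10:50 handle 105: pfifo
#tc qdisc add dev "$EXT_IF" parent 10:60 handle 106: pfifo
#tc qdisc add dev "$EXT_IF" parent 10:70 handle 107: pfifo
##tc qdisc add dev "$EXT_IF" parent 10:10 handle 101: sfq perturb 10
##tc qdisc add dev "$EXT_IF" parent 10:20 handle 102: sfq perturb 10
##tc qdisc add dev "$EXT_IF" parent 10:30 handle 103: sfq perturb 10
tc qdisc add dev "$EXT_IF" parent 10:40 handle 104: sfq perturb 5
tc qdisc add dev "$EXT_IF" parent 10:50 handle 105: sfq perturb 10
tc qdisc add dev "$EXT_IF" parent 10:60 handle 106: sfq perturb 10
tc qdisc add dev "$EXT_IF" parent 10:70 handle 107: sfq perturb 10
# Map netfilter marks (set in the mangle table further down) to classes:
# mark N -> class 10:N.  NOTE: every MARK rule in this script is currently
# commented out, so nothing gets marked and all uplink traffic shares the
# default class 10:70 (ceil 5kbps) until those rules are enabled.
#tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 10 fw classid 10:10
#tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 20 fw classid 10:20
#tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 40 fw classid 10:40
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 60 fw classid 10:60
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 70 fw classid 10:70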

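###################################################################################
# Traffic control (tc): downlink shaping
# Download traffic is shaped on the egress of the LAN NIC, i.e. as it is
# sent toward the LAN hosts.  The interface now comes from LAN_IF instead
# of being hard-coded separately from the configuration block.  Structure
# mirrors the uplink section; only the rates differ.
echo "Enabling downlink limit"
#downlink limit
# Remove any existing root qdisc; the error on a fresh boot (nothing to
# delete) is expected, hence 2>/dev/null.
tc qdisc del dev "$LAN_IF" root 2>/dev/null
# Root HTB qdisc; unclassified packets go to class 10:70.
tc qdisc add dev "$LAN_IF" root handle 10: htb default 70
# Overall downlink ceiling (tc "kbps" = kilobytes per second).
tc class add dev "$LAN_IF" parent 10: classid 10:1 htb rate 128kbps ceil 128kbps
# Leaf classes; lower prio is served first.  10:10-10:30 are disabled.
#tc class add dev "$LAN_IF" parent 10:1 classid 10:10 htb rate 2kbps ceil 32kbps prio 2
#tc class add dev "$LAN_IF" parent 10:1 classid 10:20 htb rate 2kbps ceil 32kbps prio 2
#tc class add dev "$LAN_IF" parent 10:1 classid 10:30 htb rate 32kbps ceil 212kbps prio 3
tc class add dev "$LAN_IF" parent 10:1 classid 10:40 htb rate 5kbps ceil 20kbps prio 0
tc class add dev "$LAN_IF" parent 10:1 classid 10:50 htb rate 2kbps ceil 17kbps prio 1
tc class add dev "$LAN_IF" parent 10:1 classid 10:60 htb rate 2kbps ceil 17kbps prio 1
tc class add dev "$LAN_IF" parent 10:1 classid 10:70 htb rate 3kbps ceil 5kbps prio 1
# Per-leaf SFQ queueing (pfifo variants kept commented out).
#tc qdisc add dev "$LAN_IF" parent 10:10 handle 101: pfifo
#tc qdisc add dev "$LAN_IF" parent 10:20 handle 102: pfifo
#tc qdisc add dev "$LAN_IF" parent 10:30 handle 103: pfifo
#tc qdisc add dev "$LAN_IF" parent 10:40 handle 104: pfifo
#tc qdisc add dev "$LAN_IF" parent 10:50 handle 105: pfifo
#tc qdisc add dev "$LAN_IF" parent 10:60 handle 106: pfifo
#tc qdisc add dev "$LAN_IF" parent 10:70 handle 107: pfifo
##tc qdisc add dev "$LAN_IF" parent 10:10 handle 101: sfq perturb 10
##tc qdisc add dev "$LAN_IF" parent 10:20 handle 102: sfq perturb 10
##tc qdisc add dev "$LAN_IF" parent 10:30 handle 103: sfq perturb 10
tc qdisc add dev "$LAN_IF" parent 10:40 handle 104: sfq perturb 5
tc qdisc add dev "$LAN_IF" parent 10:50 handle 105: sfq perturb 10
tc qdisc add dev "$LAN_IF" parent 10:60 handle 106: sfq perturb 10
tc qdisc add dev "$LAN_IF" parent 10:70 handle 107: sfq perturb 10

# Netfilter mark N -> class 10:N.  NOTE: all MARK rules in the mangle
# section are currently commented out, so every downlink packet ends up in
# the default class 10:70 (ceil 5kbps) until they are enabled.
#tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 10 fw classid 10:10
#tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 20 fw classid 10:20
#tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 40 fw classid 10:40
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 60 fw classid 10:60
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 70 fw classid 10:70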

#############################################################################
## iptables: reset to a clean state, then default-deny
echo "Enabling iptables rules"
# Enabling iptables rules
# Reset the built-in chain policies of the filter, nat and mangle tables to
# ACCEPT, flush every chain, and delete user-defined chains, so the rules
# below are the only ones in effect.
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
  iptables -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
  iptables -t mangle -P "$chain" ACCEPT
done
# (iptables -F with no -t is the filter table.)
for table in filter nat mangle; do
  iptables -t "$table" -F
done
for table in filter nat mangle; do
  iptables -t "$table" -X
done

# Default-deny on the filter table: anything not explicitly accepted by the
# rules that follow is dropped.
for chain in INPUT OUTPUT FORWARD; do
  iptables -P "$chain" DROP
done
############################################################################

## Loopback: only ICMP is accepted on lo (the author's stated intent is
## ping of localhost).  NOTE(review): with INPUT/OUTPUT policy DROP this
## also blocks local services that talk over 127.0.0.1; confirm that is
## intended before relying on anything bound to the loopback address.
# allow ping localhost,ping 192.168.0.1/2
# Allow loopback access
iptables -A INPUT  -p icmp -i lo -j ACCEPT
iptables -A OUTPUT -p icmp -o lo -j ACCEPT

## LAN: every protocol between this host and the LAN subnet is accepted,
## in both directions (the LAN is treated as trusted).
# Allow ping LAN
iptables -A INPUT  -p ALL -i "$LAN_IF" -s "$LAN_IP_RANGE" -j ACCEPT
iptables -A OUTPUT -p ALL -o "$LAN_IF" -d "$LAN_IP_RANGE" -j ACCEPT

## Internet link: anything may leave, but only conntrack-known replies
## (ESTABLISHED/RELATED) are accepted inbound.
# Allow ppp0
iptables -A INPUT  -p ALL -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -o "$INET_IF" -j ACCEPT

## User-defined chains, created before any rule jumps to them.
# Creat userspecified chains
# tcp_packets and limited_packets are only referenced from commented-out
# rules; they are still created so those rules can be re-enabled as-is.
for chain in allowed tcp_packets bad_tcp_packets icmp_packets limited_packets; do
  iptables -N "$chain"
done

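## bad_tcp_packets: reject NEW connections that do not start with a plain
## SYN.  A SYN+ACK in state NEW (conntrack saw no request for it) is
## answered with a TCP reset; any other non-SYN NEW segment is logged and
## dropped.  The LOG is rate-limited with the same limit as the other LOG
## rules in this script, so a flood of bogus segments cannot fill the log.
# bad_tcp_packets rules chain
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

## allowed: used by the (currently commented-out) trusted-port rules.
## Accept the opening SYN and anything conntrack already knows; drop the rest.
# allowed rules chain
iptables -A allowed -p tcp --syn -j ACCEPT
iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p tcp -j DROP

## icmp_packets: only echo-request (8) and time-exceeded (11) are accepted;
## any other type returns to the calling chain and meets its DROP policy.
## ICMP errors that belong to existing connections are already accepted by
## the RELATED rule on the Internet interface.
# ICMP rules chain
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
# limited_packets rules chain (no active rules)
#iptables -A limited_packets -p tcp ! --syn -m state --state NEW -j DROP
#iptables -A INPUT -i $INET_IF -s 192.168.0.0/16 -j DROP
#iptables -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT
#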
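######################################################################
## INPUT chain assembly.  Order matters: the anti-spoofing drops now come
## before the ICMP accept, so an echo-request arriving on the Internet
## interface with a private or loopback source is dropped instead of being
## accepted (and answered out of the Internet interface).
# 1. Malformed / out-of-state TCP first.
# The first bad_tcp_packets filter of INPUT chain
iptables -A INPUT -p tcp -j bad_tcp_packets
# 2. Anti-spoofing: RFC 1918 and loopback sources must never arrive on the
#    Internet interface.
# deny local cheat
iptables -A INPUT -i "$INET_IF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$INET_IF" -s 10.0.0.0/8     -j DROP
iptables -A INPUT -i "$INET_IF" -s 172.16.0.0/12  -j DROP
iptables -A INPUT -i "$INET_IF" -s 127.0.0.0/8    -j DROP
# 3. Selected ICMP types from the Internet (see icmp_packets).
# The second icmp_packets filter of INPUT chain
iptables -A INPUT -p icmp -i "$INET_IF" -j icmp_packets
# Open trusted ports (disabled; TRUSTED_TCP_PORT is commented out above and
# TRUSTED_UDP_PORT is not defined anywhere in this script)
#echo "Open trusted ports....."
#iptables -N services
#for PORT in $TRUSTED_TCP_PORT; do
#iptables -A tcp_packets -s 0/0 -p tcp --dport $PORT -j allowed
#done
#for PORT in $TRUSTED_UDP_PORT; do
#iptables -A tcp_packets -s 0/0 -p udp --dport $PORT -j allowed
#done
# The trust port of INPUT chain
#iptables -A INPUT -p tcp -i $INET_IF -j tcp_packets
# allow DHCP_packets from LAN
#iptables -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT
# 4. Catch-all logger: whatever reaches this rule is about to hit the INPUT
#    DROP policy.  Rate-limited so a flood cannot fill the log; the rule
#    itself denies nothing, the chain policy does.
# deny attack of hack to input chain
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"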

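## FORWARD chain (traffic routed between the LAN and the Internet).
## The catch-all LOG rule is now the LAST rule in the chain; previously it
## sat before the rate-limited ACCEPTs, so fragments, ICMP and bare RSTs
## that were subsequently accepted were still logged as "packets died".
# FORWARD chain
# Malformed / out-of-state TCP first.
# bad_tcp_packets filter
iptables -A FORWARD -p tcp -j bad_tcp_packets
# address of limited filter
#iptables -A FORWARD -p tcp -j limited_packets
# LAN -> Internet, and anything else that originates on the LAN interface,
# is accepted without further checks (the LAN is treated as trusted).
# allow the packets from LAN to WAN
iptables -A FORWARD -o "$INET_IF" -s "$LAN_IP_RANGE" -j ACCEPT
iptables -A FORWARD -i "$LAN_IF"  -s "$LAN_IP_RANGE" -j ACCEPT
# Internet -> LAN only for replies to connections conntrack already knows.
# allow the packets from wan to lan
iptables -A FORWARD -i "$INET_IF" -d "$LAN_IP_RANGE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rate-limited accepts for fragments, ICMP and bare RST segments.  These
# are not bound to an interface, so they also admit unsolicited packets
# from the Internet toward the LAN subnet at the given rate; whatever
# exceeds the limit falls through to the logger and the DROP policy.
# NOTE(review): with connection tracking loaded, packets are reassembled
# before they reach this chain, so the -f (fragment) rule is presumably
# never matched; confirm on the target kernel.
# deny ping attack of hack
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# deny DDOS attack
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Catch-all logger, kept last: anything reaching it is about to hit the
# FORWARD DROP policy.  Rate-limited so a flood cannot fill the log.
# deny attack of hack to forward chain
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packets died:"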

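## NAT: masquerade the LAN behind the Internet link.
# allow UDP
#iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
# the servies of www to the port for Squid
#iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Source-NAT LAN traffic leaving on the Internet interface.  The subnet and
# interface come from LAN_IP_RANGE / INET_IF (previously hard-coded here as
# 192.168.0.0/24 and ppp0) so a change of subnet or link name is made in
# one place, consistent with the filter rules.
# the other servies use nat chain to masquerade
iptables -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IF" -j MASQUERADE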
############mark for mangle filter############
# Packet marks feed the tc "fw" filters above: mark N -> class 10:N on the
# uplink (PREROUTING, by source) and downlink (POSTROUTING, by destination).
# Every MARK rule here is commented out, so no packet is marked and all
# traffic lands in the default class 10:70 on both interfaces; uncomment
# and adapt the rules to enable per-host or per-protocol shaping.  The
# layer7 rules additionally need the l7-filter match.
printf '%s\n' "Enabling mangle "
# uploads
#iptables -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#iptables -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#iptables -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
# per-host marks for uplink shaping
#iptables -t mangle -A PREROUTING -s 192.168.0.52 -j MARK --set-mark 40
#iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -j MARK --set-mark 70
#iptables -t mangle -A PREROUTING -s 192.168.0.3 -j MARK --set-mark 60
# downloads
#iptables -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#iptables -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#iptables -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
# per-host marks for downlink shaping
#iptables -t mangle -A POSTROUTING -d 192.168.0.52 -j MARK --set-mark 40
#iptables -t mangle -A POSTROUTING -d 192.168.0.0/24 -j MARK --set-mark 70
#iptables -t mangle -A POSTROUTING -d 192.168.0.3 -j MARK --set-mark 60

################################### iptables END########################################
printf '%s\n' "iptables END"
#echo "Enabling Squid"
#/usr/local/squid/sbin/squid
# Bring the ADSL (PPP) link up last, once the firewall and shaping are in
# place.  This is the final command, so its exit status is the script's.
printf '%s\n' "Enabling ADSL"
adsl-start
##########################################################
每個人的linux安裝的不一樣,netfilter模組載入的也不一樣,在模組載入處估計各位要進行微調,將需要載入的模組前帶#的去掉幾個估計就可以了,tc處可根據自己的實際情況進行微調。
本配置已經實際執行了3年,沒出現什麼問題(配置上),但要是某個高手盯上你了,估計。。。。嘿嘿,技術就是這樣,沒有絕對的,反正我的配置(p3賽陽600,128mpc100,10g硬碟,810e主機板,雙8139d百兆網路卡,debian woody 2.4.32核心)不關機除了每兩個月的正常清潔外沒出現過什麼異常(因為對內網是沒有限制的,故清理內鬼是比較重要的[@more@]

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/7507082/viewspace-850788/,如需轉載,請註明出處,否則將追究法律責任。
