我的iptables+tc配置
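# Enabling IP Forwarding
# (in the pasted original the echo below had been fused into this comment line)
echo "Enabling IP Forwarding........"
# Make the kernel route between eth1 (LAN) and ppp0.  Needs root; report a
# failed write instead of silently continuing with forwarding still off.
# NOTE(review): forwarding is switched on here, before the FORWARD policy is
# set to DROP further down.  On a fresh boot (kernel default policy ACCEPT)
# the box forwards unfiltered during that interval — confirm this is
# acceptable, or move this write after the policy block.
echo "1" > /proc/sys/net/ipv4/ip_forward || printf 'cannot enable ip_forward\n' >&2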
# Path of the iptables binary used by the rule sections below.
IPTABLES=/sbin/iptables

# Well-known service ports.  Kept for documentation / future "trusted port"
# rules; not every one of them is referenced by an active rule.
HTTP=80
HTTPS=443
FTP=21
FTP_DATA=20
SMTP=25
POP3=110
IMAP=143
SSH=22
TELNET=23
PCAW_TCP=5631
PCAW_UDP=5632
WEBMIN=10000
WAM=12000
DNS=53

# Interfaces.
INET_IF=ppp0                 # PPPoE session: the Internet-facing interface
EXT_IF=eth0                  # physical NIC carrying the PPPoE session
LAN_IF=eth1                  # NIC facing the LAN
LAN_IP=192.168.0.1           # this router's LAN address
LAN_IP_RANGE=192.168.0.0/24  # the trusted LAN
# Ports to open from the Internet — disabled.  Note that TRUSTED_UDP_PORT,
# which the (also disabled) loop further down iterates over, is never defined.
#TRUSTED_TCP_PORT="22 25 53 80 110 143 443 3128 6000 6001 6002 7100"

# Loopback.
LO_IF=lo
LO_IP=127.0.0.1
# Module loading.
# Rebuild the module dependency map first so the modprobe calls can resolve
# their dependencies.
printf '%s\n' "modprobe modules"
/sbin/depmod -a
# Netfilter modules this script relies on.  They are left commented out
# because module names and autoloading differ between installs; the post
# says to uncomment the ones a given kernel needs.
# Required modules
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp
# Non-required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc
#############################################################################
##########################TC begin##########################################
############################################################################
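echo "Enabling uplink limit"
# Uplink shaping: egress of eth0, the NIC carrying the PPPoE session, so this
# limits LAN -> Internet traffic.  NOTE(review): the packets actually leave
# through ppp0; whether the fw mark set in the mangle section survives the
# PPPoE encapsulation on this kernel should be confirmed with
# "tc -s class show dev eth0" (non-zero counters on 10:40..10:60).
# Units: in tc, "kbps" means kilo*bytes* per second (64kbps = 512 kbit/s).
# Remove any previous tree so the script can be re-run; "no tree yet" is not
# an error, hence the silenced stderr.
tc qdisc del dev "$EXT_IF" root 2>/dev/null
# Root HTB qdisc; traffic that matches no fw filter lands in leaf 10:70.
tc qdisc add dev "$EXT_IF" root handle 10: htb default 70
# Top class = the whole uplink.  The original read "parent 10:classid 10:1"
# (space missing, probably a paste artifact); tc does not parse "10:classid"
# as a class id, so the root class — and every child below it — failed.
tc class add dev "$EXT_IF" parent 10: classid 10:1 htb rate 64kbps ceil 64kbps
# Leaf classes: guaranteed rate / ceiling / priority (prio 0 is served first).
# 10:10..10:30 belong to the layer7 (dns/smtp/http) marks, disabled here and
# in the mangle section.
#tc class add dev "$EXT_IF" parent 10:1 classid 10:10 htb rate 2kbps ceil 4kbps prio 2
#tc class add dev "$EXT_IF" parent 10:1 classid 10:20 htb rate 2kbps ceil 4kbps prio 2
#tc class add dev "$EXT_IF" parent 10:1 classid 10:30 htb rate 32kbps ceil 40kbps prio 3
tc class add dev "$EXT_IF" parent 10:1 classid 10:40 htb rate 3kbps ceil 13kbps prio 0
tc class add dev "$EXT_IF" parent 10:1 classid 10:50 htb rate 1kbps ceil 11kbps prio 1
tc class add dev "$EXT_IF" parent 10:1 classid 10:60 htb rate 1kbps ceil 11kbps prio 1
tc class add dev "$EXT_IF" parent 10:1 classid 10:70 htb rate 2kbps ceil 5kbps prio 1
# One SFQ per leaf so a single flow cannot starve the others inside a class.
# (pfifo was the earlier per-leaf alternative; those lines are dropped here.)
#tc qdisc add dev "$EXT_IF" parent 10:10 handle 101: sfq perturb 10
#tc qdisc add dev "$EXT_IF" parent 10:20 handle 102: sfq perturb 10
#tc qdisc add dev "$EXT_IF" parent 10:30 handle 103: sfq perturb 10
tc qdisc add dev "$EXT_IF" parent 10:40 handle 104: sfq perturb 5
tc qdisc add dev "$EXT_IF" parent 10:50 handle 105: sfq perturb 10
tc qdisc add dev "$EXT_IF" parent 10:60 handle 106: sfq perturb 10
tc qdisc add dev "$EXT_IF" parent 10:70 handle 107: sfq perturb 10
# fw filters: packet mark N (set by iptables MARK in the mangle section)
# steers the packet into class 10:N.
#tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 10 fw classid 10:10
#tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 20 fw classid 10:20
#tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 40 fw classid 10:40
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 60 fw classid 10:60
tc filter add dev "$EXT_IF" parent 10: protocol ip prio 100 handle 70 fw classid 10:70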
###################################################################################
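echo "Enabling downlink limit"
# Downlink shaping: egress of eth1 (towards the LAN), i.e. Internet -> LAN
# traffic is queued here after it has already crossed the ADSL link.
# Units: in tc, "kbps" means kilo*bytes* per second (128kbps = 1 Mbit/s).
# Remove any previous tree so the script can be re-run; "no tree yet" is not
# an error, hence the silenced stderr.
tc qdisc del dev "$LAN_IF" root 2>/dev/null
# Root HTB qdisc; traffic that matches no fw filter lands in leaf 10:70.
tc qdisc add dev "$LAN_IF" root handle 10: htb default 70
# Top class = the whole downlink.  The original read "parent 10:classid 10:1"
# (space missing, probably a paste artifact); tc does not parse "10:classid"
# as a class id, so the root class — and every child below it — failed.
tc class add dev "$LAN_IF" parent 10: classid 10:1 htb rate 128kbps ceil 128kbps
# Leaf classes: guaranteed rate / ceiling / priority (prio 0 is served first).
# 10:10..10:30 belong to the layer7 (dns/smtp/http) marks, disabled here and
# in the mangle section.
#tc class add dev "$LAN_IF" parent 10:1 classid 10:10 htb rate 2kbps ceil 32kbps prio 2
#tc class add dev "$LAN_IF" parent 10:1 classid 10:20 htb rate 2kbps ceil 32kbps prio 2
#tc class add dev "$LAN_IF" parent 10:1 classid 10:30 htb rate 32kbps ceil 212kbps prio 3
tc class add dev "$LAN_IF" parent 10:1 classid 10:40 htb rate 5kbps ceil 20kbps prio 0
tc class add dev "$LAN_IF" parent 10:1 classid 10:50 htb rate 2kbps ceil 17kbps prio 1
tc class add dev "$LAN_IF" parent 10:1 classid 10:60 htb rate 2kbps ceil 17kbps prio 1
tc class add dev "$LAN_IF" parent 10:1 classid 10:70 htb rate 3kbps ceil 5kbps prio 1
# One SFQ per leaf so a single flow cannot starve the others inside a class.
# (pfifo was the earlier per-leaf alternative; those lines are dropped here.)
#tc qdisc add dev "$LAN_IF" parent 10:10 handle 101: sfq perturb 10
#tc qdisc add dev "$LAN_IF" parent 10:20 handle 102: sfq perturb 10
#tc qdisc add dev "$LAN_IF" parent 10:30 handle 103: sfq perturb 10
tc qdisc add dev "$LAN_IF" parent 10:40 handle 104: sfq perturb 5
tc qdisc add dev "$LAN_IF" parent 10:50 handle 105: sfq perturb 10
tc qdisc add dev "$LAN_IF" parent 10:60 handle 106: sfq perturb 10
tc qdisc add dev "$LAN_IF" parent 10:70 handle 107: sfq perturb 10
# fw filters: packet mark N -> class 10:N.  The original had "fwclassid"
# (space missing) on every one of these lines; tc would then look for a
# filter type named "fwclassid" and fail, leaving every packet in 10:70.
#tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 10 fw classid 10:10
#tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 20 fw classid 10:20
#tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 30 fw classid 10:30
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 40 fw classid 10:40
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 50 fw classid 10:50
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 60 fw classid 10:60
tc filter add dev "$LAN_IF" parent 10: protocol ip prio 100 handle 70 fw classid 10:70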
#############################################################################
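echo "Enabling iptables rules"
# Start from a known state so the script can be re-run.
# Fail closed while reloading: put the filter policies at DROP *before*
# flushing.  The original reset them to ACCEPT, flushed, and only then set
# DROP, which left the box fully open for the interval in between.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
# Flush every rule and delete every user-defined chain in each table this
# script populates (a chain can only be deleted once it is empty and
# unreferenced, hence -F before -X within the same table).
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done
# nat and mangle only rewrite/mark, so their built-in chains stay at ACCEPT.
# Only the chains the original script set are touched; the remaining mangle
# chains keep the kernel default (ACCEPT).
"$IPTABLES" -t nat -P PREROUTING ACCEPT
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT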
############################################################################
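# ---- Host traffic (INPUT / OUTPUT) -----------------------------------------
# Loopback: only ICMP is opened on lo (original comment: "allow ping
# localhost").  Every other protocol over 127.0.0.1 falls through to the
# DROP policy.  NOTE(review): local daemons that talk over loopback are
# blocked by this; confirm whether "-i lo -j ACCEPT" for all protocols was
# intended.
"$IPTABLES" -A INPUT -p icmp -i "$LO_IF" -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp -o "$LO_IF" -j ACCEPT
# The LAN side is fully trusted: anything from/to 192.168.0.0/24 on eth1.
"$IPTABLES" -A INPUT -p ALL -i "$LAN_IF" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -o "$LAN_IF" -d "$LAN_IP_RANGE" -j ACCEPT
# Anti-spoofing on the Internet side: private and loopback source addresses
# can never legitimately arrive on ppp0.  Placed BEFORE the state and ICMP
# accepts below — in the original they came after, so a spoofed packet that
# matched a tracked connection or the ICMP chain was accepted first.
"$IPTABLES" -A INPUT -i "$INET_IF" -s 192.168.0.0/16 -j DROP
"$IPTABLES" -A INPUT -i "$INET_IF" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT -i "$INET_IF" -s 172.16.0.0/12 -j DROP
"$IPTABLES" -A INPUT -i "$INET_IF" -s 127.0.0.0/8 -j DROP
# Internet side: the router may send anything out on ppp0; only replies to
# its own connections come back in.
"$IPTABLES" -A INPUT -p ALL -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -o "$INET_IF" -j ACCEPT

# ---- User-defined chains ---------------------------------------------------
"$IPTABLES" -N allowed
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N bad_tcp_packets
"$IPTABLES" -N icmp_packets
"$IPTABLES" -N limited_packets
# bad_tcp_packets: TCP that conntrack sees as NEW but is not a plain SYN.
# A SYN+ACK with no tracked connection is answered with a RST; any other
# non-SYN NEW packet is logged and dropped.  NOTE(review): this LOG has no
# -m limit, unlike the INPUT/FORWARD catch-alls — a burst of stray ACKs
# from the Internet fills the log at line rate.
"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allowed: target for ports opened to the Internet — accept the opening SYN
# and established traffic, drop anything else.
"$IPTABLES" -A allowed -p tcp --syn -j ACCEPT
"$IPTABLES" -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p tcp -j DROP
# icmp_packets: echo-request (type 8) and time-exceeded (type 11) from anywhere.
"$IPTABLES" -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
# limited_packets and tcp_packets are created but left EMPTY: a jump into
# them returns to the caller without effect.  In particular, no TCP port is
# reachable from the Internet until rules are added to tcp_packets.
#"$IPTABLES" -A limited_packets -p tcp ! --syn -m state --state NEW -j DROP
#"$IPTABLES" -A INPUT -i "$INET_IF" -s 192.168.0.0/16 -j DROP
#"$IPTABLES" -A INPUT -p udp -i "$LAN_IF" --dport 67 --sport 68 -j ACCEPT

# ---- INPUT chain -----------------------------------------------------------
# First filter: malformed TCP.
"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
# Second filter: ICMP from the Internet.
"$IPTABLES" -A INPUT -p icmp -i "$INET_IF" -j icmp_packets
# Trusted ports (disabled).  If re-enabled: the UDP loop jumps to the
# TCP-only "allowed" chain, and TRUSTED_UDP_PORT is never defined above.
#echo "Open trusted ports....."
#"$IPTABLES" -N services
#for PORT in $TRUSTED_TCP_PORT; do
#  "$IPTABLES" -A tcp_packets -s 0/0 -p tcp --dport "$PORT" -j allowed
#done
#for PORT in $TRUSTED_UDP_PORT; do
#  "$IPTABLES" -A tcp_packets -s 0/0 -p udp --dport "$PORT" -j allowed
#done
# TCP from the Internet goes through the (currently empty) trusted-port chain.
"$IPTABLES" -A INPUT -p tcp -i "$INET_IF" -j tcp_packets
# DHCP from the LAN (disabled; the LAN is already fully accepted above).
#"$IPTABLES" -A INPUT -p udp -i "$LAN_IF" --dport 67 --sport 68 -j ACCEPT
# Whatever reaches the end of INPUT is logged (rate-limited) and then dropped
# by the chain policy.
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"

# ---- FORWARD chain ---------------------------------------------------------
# Malformed TCP first; then the (empty) limited_packets chain.
"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
"$IPTABLES" -A FORWARD -p tcp -j limited_packets
# LAN -> anywhere is allowed unconditionally.
"$IPTABLES" -A FORWARD -o "$INET_IF" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$LAN_IF" -s "$LAN_IP_RANGE" -j ACCEPT
# Internet -> LAN only for replies to connections the LAN opened.
"$IPTABLES" -A FORWARD -i "$INET_IF" -d "$LAN_IP_RANGE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what is left (rate-limited; DEBUG level here vs INFO on INPUT).  LOG is
# non-terminating, so the three ACCEPTs below still apply afterwards — and
# every packet they admit has already been logged as "died".
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packets died:"
# Rate-limited ACCEPTs for fragments, ICMP and RST-only segments.  The
# original comments called these "deny ... attack", but they are limits, not
# denials, and they are not bound to an interface: they admit NEW Internet ->
# LAN fragments (100/s), ICMP (1/s) and bare RSTs (1/s) that the state rule
# above did not accept.  NOTE(review): consider restricting them with
# -i "$LAN_IF" or removing them; kept as-is here.
"$IPTABLES" -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
"$IPTABLES" -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# UDP into the LAN (disabled).
#"$IPTABLES" -A FORWARD -p udp -d "$LAN_IP_RANGE" -i "$EXT_IF" -j ACCEPT

# ---- NAT -------------------------------------------------------------------
# Transparent Squid proxy for LAN web traffic (disabled).
#"$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Masquerade the LAN behind the dynamic ppp0 address.
"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IF" -j MASQUERADE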
############mark for mangle filter############
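echo "Enabling mangle "
# Packet marks steer traffic into the HTB leaves: the fw filters above map
# mark N to class 10:N on both eth0 (uploads) and eth1 (downloads).
# Only the /24 catch-all is active.  Its mark, 70, is also the "htb default"
# leaf, so at present the mark does not change where anything is queued.
# MARK is non-terminating and the LAST matching rule wins, so the catch-all
# is listed FIRST and any per-host rule re-enabled below it takes effect.
# (In the original the 192.168.0.52 line sat above the /24 line and would
# have been overridden by it.)  The layer7 lines need the l7-filter patch.
# uploads: classified by source as the packet enters from the LAN
"$IPTABLES" -t mangle -A PREROUTING -s "$LAN_IP_RANGE" -j MARK --set-mark 70
#"$IPTABLES" -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#"$IPTABLES" -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#"$IPTABLES" -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
#"$IPTABLES" -t mangle -A PREROUTING -s 192.168.0.52 -j MARK --set-mark 40
#"$IPTABLES" -t mangle -A PREROUTING -s 192.168.0.3 -j MARK --set-mark 60
# downloads: classified by destination on the way out to the LAN
"$IPTABLES" -t mangle -A POSTROUTING -d "$LAN_IP_RANGE" -j MARK --set-mark 70
#"$IPTABLES" -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#"$IPTABLES" -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#"$IPTABLES" -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
#"$IPTABLES" -t mangle -A POSTROUTING -d 192.168.0.52 -j MARK --set-mark 40
#"$IPTABLES" -t mangle -A POSTROUTING -d 192.168.0.3 -j MARK --set-mark 60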
################################### iptables END########################################
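echo "iptables END"
# Squid (disabled).
#echo "Enabling Squid"
#/usr/local/squid/sbin/squid
echo "Enabling ADSL"
# Bring up the PPPoE link last, once the policies and the rules that govern
# ppp0 are already in place.  Report a failure instead of ignoring its status.
adsl-start || printf 'adsl-start failed with status %d\n' "$?" >&2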
##########################################################
每个人的linux安装的不一样,netfilter模块加载的也不一样,在模块加载处估计各位要进行微调,将需要加载的模块前带#的去掉几个估计就可以了,tc处可根据自己的实际情况进行微调。
本配置已经实际运行了3年,没出现什么问题(配置上),但要是某个高手盯上你了,估计……嘿嘿,技术就是这样,没有绝对的。反正我的配置(p3赛阳600,128m pc100,10g硬盘,810e主板)除了每两个月的正常清洁外没出现过什么异常(因为对内网是没有限制的,故清理内鬼是比较重要的),欢迎大家多多指教。学以致用,linux学习更应如此。
感谢了,学习中
回复 #1 jackblan 的帖子
由于论坛设置了超过200分钟不能再编辑的功能,故没办法修改(加注释),有兴趣的朋友可以到 www.linuxsir.org 去看看,那里有中文说明的版本。具体地址: http://www.linuxsir.org/bbs/showthread.php?t=256760
henhao
楼主威武,值得我们好好学习下
直接用linux做路由的技术好像失传了:L