心想事成 发表于 2003-11-11 14:27:21

DMZ部分尚不完善,其中难免有疏漏,希望大家跟我一块改进,使它功能越来越强大。使用时请将 firewall-dev copy 到 /etc/rc.d/init.d 下,将 firewall.conf copy 到 /etc/ 下,你只需修改 firewall.conf 文件就可以了。可以用 firewall-dev start|stop 启动和关闭防火墙。功能增加中,如你有任何改动请发一份给我:arlenecc@263.net

本着GPL的原则希望有志之士跟我一块完善它,如有改动请通知我!!!!


firewall-dev

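#!/bin/bash
#
# firewall-dev - stateful packet-filtering firewall built on iptables, with
# a LAN, a DMZ and an uplink interface.  Usage: firewall-dev start|stop
#
# Every site-specific value is read from a KEY=value file.  The script reads
# /root/firewall.conf by default (the accompanying post says to install the
# file under /etc/; set the FIREWALL_CONF environment variable to point at
# the file you actually installed).
#
# Keys (lists are separated by single spaces):
#   UPLINK        external (Internet-facing) interface
#   UPIP          static public address on UPLINK (static NAT only)
#   ROUTER        "yes" enables ip_forward and the NAT rules
#   NAT           "dynamic" for a dial-up/DHCP address; any other non-empty
#                 value selects static SNAT to UPIP
#   INTERFACES    every interface on the host (rp_filter is enabled on each)
#   SERVICES      TCP ports / service names reachable from UPLINK
#   DENYPORTS     TCP ports logged and dropped on UPLINK
#   DENYUDPPORT   UDP ports logged and dropped on UPLINK
#   LAN_IF/LAN_NET, DMZ_IF/DMZ_NET
#                 internal and DMZ interface and network
#   DMZ_TCP_PORT, DMZ_UDP_PORT
#                 read, but not used by any rule yet
#   WEB_IP/FTP_IP DMZ hosts that ports 80 and 20/21 are DNAT'd to
#   H323, H323_PORT, H323HOST
#                 optional H.323 port forwarding to H323HOST
#   SELF_SET      "yes" reserved for user-defined rules (not implemented)
#
##############################################################################
#    Copyright (c) 2002 arlenecc          arlenecc@netease.com
#    All rights reserved
##############################################################################

FIREWALL_CONF=${FIREWALL_CONF:-/root/firewall.conf}

#######################################
# Print the value of one configuration key.
# Only lines of the form KEY=value match (leading blanks allowed), so a key
# that is a prefix of another one (H323 vs H323_PORT) or a comment that
# mentions a key name no longer ends up in the value, which the former
# "less | grep KEY | cut" pipeline did.  The value is everything after the
# first "=", whitespace kept; when a key appears more than once the last
# line wins.
# Arguments: $1 - key name; $2 - file (default: $FIREWALL_CONF)
# Outputs:   the value (possibly empty) followed by a newline
# Returns:   0, or 1 when the file cannot be read (nothing is printed)
#######################################
conf_value() {
  local key=$1
  local file=${2:-$FIREWALL_CONF}
  local line value=
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
    case "$line" in
      "${key}="*) value=${line#*=} ;;
    esac
  done < "$file"
  printf '%s\n' "$value"
}

if [ ! -r "$FIREWALL_CONF" ]; then
  echo "firewall: cannot read configuration file $FIREWALL_CONF" >&2
fi

UPLINK=$(conf_value UPLINK)
UPIP=$(conf_value UPIP)
ROUTER=$(conf_value ROUTER)
NAT=$(conf_value NAT)
INTERFACES=$(conf_value INTERFACES)
SERVICES=$(conf_value SERVICES)
DENYPORTS=$(conf_value DENYPORTS)
DENYUDPPORT=$(conf_value DENYUDPPORT)
LAN_IF=$(conf_value LAN_IF)
LAN_NET=$(conf_value LAN_NET)
DMZ_NET=$(conf_value DMZ_NET)
DMZ_IF=$(conf_value DMZ_IF)
DMZ_TCP_PORT=$(conf_value DMZ_TCP_PORT)
DMZ_UDP_PORT=$(conf_value DMZ_UDP_PORT)
WEB_IP=$(conf_value WEB_IP)
FTP_IP=$(conf_value FTP_IP)
H323_PORT=$(conf_value H323_PORT)
H323=$(conf_value H323)
# H323HOST is used by the DNAT rules but was never read from the file before.
H323HOST=$(conf_value H323HOST)
SELF_SET=$(conf_value SELF_SET)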

   
   


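    # ---- firewall-dev actions -----------------------------------------------
# The original body was a single "if start ... elif stop" statement whose
# inner "if SELF_SET" was never closed, so the "elif stop" branch belonged to
# the wrong if and the outer one was never terminated (bash refused to run
# the file at all).  The work is now split into functions and dispatched at
# the bottom.  Configuration lists (INTERFACES, SERVICES, DENYPORTS, ...)
# are space separated and are word-split on purpose wherever they are
# expanded unquoted.

CONNTRACK_MAX=${CONNTRACK_MAX:-4096}   # written to ip_conntrack_max

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print $1 with every space removed, so that values such as " yes " coming
# from a padded configuration line compare equal to "yes".
#######################################
trimmed() {
  printf '%s\n' "${1// /}"
}

#######################################
# Write $2 to the /proc/sys file $1 when it exists, announcing $3 first.
# Files the running kernel does not provide are skipped, as the original
# per-file "-e" checks did.
#######################################
set_sysctl() {
  local path=$1 value=$2 label=$3
  [ -e "$path" ] || return 0
  echo "$label"
  echo "$value" > "$path"
  echo "    OK !!!!"
}

#######################################
# Abort before touching the ruleset when a setting every rule depends on is
# empty: an empty interface name makes each "-i" rule fail, which would
# leave the host with DROP policies and no rules.
# Globals: UPLINK LAN_IF LAN_NET DMZ_IF DMZ_NET (read)
#######################################
require_conf() {
  local name
  for name in UPLINK LAN_IF LAN_NET DMZ_IF DMZ_NET; do
    [ -n "$(trimmed "${!name}")" ] \
      || die "$name is not set in ${FIREWALL_CONF:-the configuration file}"
  done
}

#######################################
# Apply the kernel settings the ruleset relies on (syncookies, rp_filter,
# no redirects / source routing, ...).
# Globals: NAT INTERFACES CONNTRACK_MAX (read)
#######################################
tune_kernel() {
  local x f
  echo "NOW prepareing kernel for use,please wait....."
  # The original compared "$NAT" with " dynamic " (with spaces), which never
  # matched a value read from the file.
  if [ "$(trimmed "$NAT")" = "dynamic" ]; then
    set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1 "Enable dynamic ip support...."
  fi
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1 "Enable the syn cook flood protection"
  # ip_conntrack_max is the old (ip_conntrack) name; kernels that expose
  # only nf_conntrack_max are skipped here.
  set_sysctl /proc/sys/net/ipv4/ip_conntrack_max "$CONNTRACK_MAX" \
    "Setting the maximum number of connections to track.... "
  # The original wrote "32768t61000" (a lost "\t"), which the kernel rejects.
  set_sysctl /proc/sys/net/ipv4/ip_local_port_range "32768 61000" \
    " Setting local port range for TCP/UDP connection...."
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1 \
    "Enable bad error message protection......."
  set_sysctl /proc/sys/net/ipv4/tcp_ecn 0 "Disabling tcp_ecn,please wait..."
  for x in $INTERFACES; do
    # rp_filter drops packets whose source address is not routed via the
    # interface they arrived on; interfaces the kernel does not know are
    # skipped instead of failing on the redirect.
    set_sysctl "/proc/sys/net/ipv4/conf/${x}/rp_filter" 1 \
      " Enabling rp_filter on ${x} ,please wait...."
  done
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0 \
    "Disabing ICMP redirects,please wait...."
  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "Disabling source routing of packets,please wait...."
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > "$f"
      echo "   $f    OK !!!!       "
    done
  fi
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1 \
    "Ignore any broadcast icmp echo requests......"
  depmod -a
}

#######################################
# Set DROP policies, flush every table and (re)create the user chains.
# Policies are set first so the host stays closed while the rules are
# being rebuilt.
#######################################
reset_tables() {
  local chain
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -Z
  iptables -X
  for chain in CHECK_FLAGS tcpHandler udpHandler icmpHandler DROP-AND-LOG; do
    iptables -N "$chain" 2>/dev/null || iptables -F "$chain"
  done
}

#######################################
# DROP-AND-LOG: log the packet, then drop it.
#######################################
build_drop_chain() {
  echo "Creating a drop chain....."
  iptables -A DROP-AND-LOG -j LOG --log-level 5
  iptables -A DROP-AND-LOG -j DROP
}

#######################################
# One CHECK_FLAGS entry: rate-limited log, then drop, for TCP packets whose
# flags masked by $1 equal $2.  $3 is the log prefix.
#######################################
check_flags_rule() {
  local mask=$1 comp=$2 prefix=$3
  iptables -A CHECK_FLAGS -p tcp --tcp-flags "$mask" "$comp" -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "$prefix"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags "$mask" "$comp" -j DROP
}

#######################################
# Same as check_flags_rule, for packets carrying TCP option number $1.
#######################################
check_option_rule() {
  local opt=$1 prefix=$2
  iptables -A CHECK_FLAGS -p tcp --tcp-option "$opt" -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "$prefix"
  iptables -A CHECK_FLAGS -p tcp --tcp-option "$opt" -j DROP
}

#######################################
# CHECK_FLAGS: flag combinations no legitimate TCP stack sends (scan
# probes).  INPUT and FORWARD jump here; the original built the chain but
# never referenced it, so none of these rules ever ran.
#######################################
build_check_flags() {
  echo "Now starting the check_flag rules,please wait...."
  check_flags_rule ALL FIN,URG,PSH " INVAILD NMAP SCAN "
  check_flags_rule SYN,RST SYN,RST " SYN/RST "
  check_flags_rule SYN,FIN SYN,FIN " SYN/FIN SCAN "
  check_option_rule 64 " Bogus TCP FLAG 64 "
  check_option_rule 128 " Bogus TCP FLAG 128 "
  check_flags_rule ALL ALL "Merry Xmas Tree:"
  check_flags_rule ALL SYN,RST,ACK,FIN,URG "XMAS-PSH:"
  check_flags_rule ALL NONE "NULL_SCAN"
}

#######################################
# INPUT chain: traffic addressed to the firewall host itself.
# Globals: UPLINK LAN_IF LAN_NET DMZ_IF DMZ_NET SERVICES DENYPORTS
#          DENYUDPPORT (read)
#######################################
build_input() {
  local x net
  echo "Now starting the input rules,please wait......."
  # Loopback was only accepted on OUTPUT before, so every local client of
  # a local service was dropped by the INPUT policy.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p tcp -j CHECK_FLAGS
  # Anti-spoofing: source addresses that can never legitimately arrive on
  # the uplink.  This now runs before the SERVICES accepts (it used to run
  # after them) and includes loopback and the two internal networks.  The
  # original's 172.12.0.0/16 is a public range; the private one is
  # 172.16.0.0/12.  192.168.0.0/24 is kept as written because widening it
  # to /16 would cut off a site whose uplink itself sits in 192.168.x.y,
  # like the sample configuration.
  for net in 127.0.0.0/8 "$LAN_NET" "$DMZ_NET" 192.168.0.0/24 10.0.0.0/8 \
             172.16.0.0/12 224.0.0.0/4 240.0.0.0/5; do
    iptables -A INPUT -i "$UPLINK" -s "$net" -j DROP-AND-LOG
  done
  for x in $DENYPORTS; do
    iptables -A INPUT -i "$UPLINK" -p tcp --dport "$x" -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"
    iptables -A INPUT -i "$UPLINK" -p tcp --dport "$x" -m state --state NEW -j DROP
    iptables -A INPUT -i "$UPLINK" -p tcp --syn --dport "$x" -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"
    iptables -A INPUT -i "$UPLINK" -p tcp --syn --dport "$x" -j DROP
  done
  for x in $DENYUDPPORT; do
    iptables -A INPUT -i "$UPLINK" -p udp --dport "$x" -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
    iptables -A INPUT -i "$UPLINK" -p udp --dport "$x" -m state --state NEW -j DROP
    iptables -A INPUT -i "$UPLINK" -p udp --dport "$x" -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
    iptables -A INPUT -i "$UPLINK" -p udp --dport "$x" -j DROP
  done
  for x in $SERVICES; do
    # NEW,ESTABLISHED,RELATED also covers the original's separate
    # ESTABLISHED,RELATED rule.
    iptables -A INPUT -i "$UPLINK" -p tcp --dport "$x" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # A NEW connection must start with SYN.
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # Only TCP is accepted from the LAN and the DMZ to the firewall itself;
  # new UDP/ICMP from them falls through to the DROP policy.
  iptables -A INPUT -i "$LAN_IF" -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "$DMZ_IF" -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
  # Packets claiming a DMZ source that arrive on the LAN interface.
  iptables -A INPUT -p tcp -i "$LAN_IF" -d "$LAN_NET" -s "$DMZ_NET" -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
  iptables -A INPUT -p tcp -i "$LAN_IF" -d "$LAN_NET" -s "$DMZ_NET" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -i "$LAN_IF" -d "$LAN_NET" -s "$DMZ_NET" -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
  iptables -A INPUT -p udp -i "$LAN_IF" -d "$LAN_NET" -s "$DMZ_NET" -j DROP
  iptables -A INPUT -p icmp -i "$LAN_IF" -d "$LAN_NET" -s "$DMZ_NET" -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"
  iptables -A INPUT -p icmp -i "$LAN_IF" -d "$LAN_NET" -s "$DMZ_NET" -j DROP
  # Everything else from the uplink is logged and refused.
  iptables -A INPUT -p tcp -i "$UPLINK" --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
  iptables -A INPUT -p tcp -i "$UPLINK" --syn -j DROP
  iptables -A INPUT -p icmp -i "$UPLINK" -j LOG --log-prefix "INVAILD ICMP IN:"
  iptables -A INPUT -p icmp -i "$UPLINK" -j REJECT --reject-with icmp-net-unreachable
  iptables -A INPUT -p udp -i "$UPLINK" -j LOG --log-prefix "INVAILD UDP IN:"
  iptables -A INPUT -i "$UPLINK" -p udp -j REJECT --reject-with icmp-port-unreachable
  iptables -A INPUT -i "$UPLINK" -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
  iptables -A INPUT -i "$UPLINK" -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -i "$UPLINK" -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
  iptables -A INPUT -i "$UPLINK" -m state --state NEW,INVALID -j DROP
  # Non-first fragments on every interface.
  iptables -A INPUT -i "$UPLINK" -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
  iptables -A INPUT -i "$UPLINK" -f -j DROP
  iptables -A INPUT -i "$LAN_IF" -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"
  iptables -A INPUT -i "$LAN_IF" -f -j DROP
  iptables -A INPUT -i "$DMZ_IF" -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"
  iptables -A INPUT -i "$DMZ_IF" -f -j DROP
  iptables -A INPUT -i "$UPLINK" -j DROP
}

#######################################
# tcpHandler/udpHandler/icmpHandler: NEW connections from the uplink RETURN
# to FORWARD while under 5 per minute (burst 10); the excess is logged and
# dropped.  The limit also applies to the DNAT'd DMZ services.
#######################################
build_rate_limit_chains() {
  iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
  iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
  iptables -A tcpHandler -p tcp -j DROP
  iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
  iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
  iptables -A udpHandler -p udp -j DROP
  iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
  iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
  iptables -A icmpHandler -p icmp -j DROP
}

#######################################
# FORWARD chain: traffic routed between uplink, LAN and DMZ.
# Globals: UPLINK LAN_IF LAN_NET DMZ_IF DMZ_NET (read)
#######################################
build_forward() {
  echo " Now starting FORWARD rules ,please wait ....."
  build_rate_limit_chains
  # Flag-sanity checks for routed traffic (replaces the six inline
  # --tcp-flags drops the original had here and adds their logging).
  iptables -A FORWARD -p tcp -j CHECK_FLAGS
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): the original opened this chain with interface-agnostic
  # "-m limit --limit 1/s -j ACCEPT" rules for fragments, ICMP, RST, SYN and
  # echo-request.  A limit match does not restrict direction, so those rules
  # let a DMZ host open connections into the LAN (and any uplink packet
  # reach either network) at the limited rate, ahead of the DMZ->LAN
  # rejection below.  They are gone; rate limiting happens only in the
  # *Handler chains, which drop the excess instead of accepting the rest.
  iptables -A FORWARD -i "$LAN_IF" -o "$UPLINK" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$DMZ_IF" -o "$UPLINK" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # NEW connections arriving from the uplink: log (rate limited) and hand
  # them to the per-protocol limiter; packets under the limit RETURN here.
  iptables -A FORWARD -i "$UPLINK" -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
  iptables -A FORWARD -i "$UPLINK" -p tcp -m state --state NEW -j tcpHandler
  iptables -A FORWARD -i "$UPLINK" -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
  iptables -A FORWARD -i "$UPLINK" -p udp -m state --state NEW -j udpHandler
  iptables -A FORWARD -i "$UPLINK" -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
  iptables -A FORWARD -i "$UPLINK" -p icmp -m state --state NEW -j icmpHandler
  iptables -A FORWARD -i "$UPLINK" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$UPLINK" -o "$DMZ_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$LAN_IF" -o "$UPLINK" -j ACCEPT
  iptables -A FORWARD -i "$DMZ_IF" -o "$UPLINK" -j ACCEPT
  # The DMZ never initiates traffic towards the LAN (replies to LAN-started
  # connections were accepted as ESTABLISHED above).
  iptables -A FORWARD -o "$LAN_IF" -i "$DMZ_IF" -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
  iptables -A FORWARD -o "$LAN_IF" -i "$DMZ_IF" -p tcp -j REJECT --reject-with tcp-reset
  iptables -A FORWARD -o "$LAN_IF" -i "$DMZ_IF" -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
  iptables -A FORWARD -o "$LAN_IF" -i "$DMZ_IF" -p udp -j DROP
  iptables -A FORWARD -o "$LAN_IF" -i "$DMZ_IF" -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
  iptables -A FORWARD -o "$LAN_IF" -i "$DMZ_IF" -p icmp -j DROP
  # LAN -> DMZ is open.
  iptables -A FORWARD -p icmp -s "$LAN_NET" -d "$DMZ_NET" -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  iptables -A FORWARD -s "$LAN_NET" -d "$DMZ_NET" -i "$LAN_IF" -j ACCEPT
  iptables -A FORWARD -p tcp -d "$LAN_NET" -s "$DMZ_NET" -i "$DMZ_IF" ! --syn -j ACCEPT
  iptables -A FORWARD -p icmp --icmp-type 0 -s "$DMZ_NET" -d "$LAN_NET" -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  iptables -A FORWARD -p tcp -s "$DMZ_NET" -d "$LAN_NET" -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
  iptables -A FORWARD -p tcp -s "$DMZ_NET" -d "$LAN_NET" -j DROP
  iptables -A FORWARD -p udp -s "$DMZ_NET" -d "$LAN_NET" -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
  iptables -A FORWARD -p udp -s "$DMZ_NET" -d "$LAN_NET" -j DROP
  iptables -A FORWARD -p icmp -s "$DMZ_NET" -d "$LAN_NET" -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
  iptables -A FORWARD -p icmp -s "$DMZ_NET" -d "$LAN_NET" -j DROP
  # No trailing "-j DROP" here: the chain policy set in reset_tables is
  # already DROP, and forward_ports appends the accepts for the DNAT'd DMZ
  # services after this point (an accept appended behind an unconditional
  # drop would never be reached).
}

#######################################
# OUTPUT chain: traffic generated by the firewall host itself.
# Globals: UPLINK LAN_IF LAN_NET DMZ_IF DMZ_NET (read)
#######################################
build_output() {
  echo " Now applying output rules,please wait ...."
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NOTE: no rule below accepts a NEW connection unless its source address
  # lies in LAN_NET or DMZ_NET, so the host itself can only answer
  # connections, not originate them through UPLINK (DNS lookups, updates).
  # That is the original policy; add an explicit rule here if you need it.
  iptables -A OUTPUT -s "$LAN_NET" -o "$UPLINK" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "$DMZ_NET" -o "$UPLINK" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "$LAN_NET" -o "$DMZ_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "$DMZ_NET" -o "$LAN_IF" -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
  iptables -A OUTPUT -s "$DMZ_NET" -o "$LAN_IF" -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -s "$DMZ_NET" -o "$LAN_IF" -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
  iptables -A OUTPUT -s "$DMZ_NET" -o "$LAN_IF" -p udp -j DROP
  iptables -A OUTPUT -s "$DMZ_NET" -o "$LAN_IF" -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"
  iptables -A OUTPUT -s "$DMZ_NET" -o "$LAN_IF" -p icmp -j DROP
  iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
  iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"
  iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
  iptables -A OUTPUT -j DROP
}

#######################################
# Print the IPv4 address currently assigned to UPLINK.  Prefers iproute2
# and falls back to the classic "inet addr:" ifconfig line the original
# parsed (from a hard-coded ppp0).
# Returns: 1 when no address is found (nothing printed)
#######################################
uplink_address() {
  local addr=
  if command -v ip >/dev/null 2>&1; then
    addr=$(ip -4 -o addr show dev "$UPLINK" 2>/dev/null | awk '{print $4}' | cut -d / -f 1 | head -n 1)
  fi
  if [ -z "$addr" ]; then
    addr=$(ifconfig "$UPLINK" 2>/dev/null | grep inet | head -n 1 | cut -d : -f 2 | cut -d " " -f 1)
  fi
  [ -n "$addr" ] || return 1
  printf '%s\n' "$addr"
}

#######################################
# One DNAT rule for $1/$2 ($1 = tcp|udp, $2 = port) arriving on UPLINK for
# public address $4, redirected to DMZ host $3, plus the FORWARD accept the
# translated connection needs: FORWARD lets no NEW connection in from the
# uplink otherwise, so the DNAT alone only worked through the blanket
# 1/s "--syn ACCEPT" the original carried (and only at that rate).
# The original dynamic-IP rules also lacked "-p", which iptables rejects.
#######################################
dnat_rule() {
  local proto=$1 port=$2 target=$3 public=$4
  iptables -t nat -A PREROUTING -i "$UPLINK" -p "$proto" -d "$public" --dport "$port" -j DNAT --to "${target}:${port}"
  iptables -A FORWARD -i "$UPLINK" -o "$DMZ_IF" -p "$proto" -d "$target" --dport "$port" -m state --state NEW -j ACCEPT
}

#######################################
# Port forwarding to the DMZ servers for public address $1: 80 -> WEB_IP,
# 20/21 -> FTP_IP and, when H323=yes, every H323_PORT (tcp and udp) ->
# H323HOST.  Shared by the dynamic and the static NAT branch, which used to
# carry two diverging copies of these rules.
# Globals: WEB_IP FTP_IP H323 H323_PORT H323HOST (read)
#######################################
forward_ports() {
  local public=$1 port
  dnat_rule tcp 80 "$WEB_IP" "$public"
  dnat_rule tcp 21 "$FTP_IP" "$public"
  dnat_rule tcp 20 "$FTP_IP" "$public"
  if [ "$(trimmed "$H323")" = "yes" ]; then
    # H323HOST is not defined by the original configuration reader; refuse
    # to emit "--to :port" rules when it is empty.
    if [ -z "$(trimmed "${H323HOST:-}")" ]; then
      echo "firewall: H323=yes but H323HOST is not set, skipping H.323 forwarding" >&2
    else
      echo "Startting H323 NAT setting......"
      for port in $H323_PORT; do
        dnat_rule tcp "$port" "$H323HOST" "$public"
        dnat_rule udp "$port" "$H323HOST" "$public"
      done
    fi
  fi
  echo "      OK,NAT setting start succecc.."
}

#######################################
# nat table: protect the internal networks, then (ROUTER=yes) enable
# forwarding and set up MASQUERADE/SNAT and the DMZ port forwards.
# Globals: UPLINK UPIP ROUTER NAT LAN_NET DMZ_NET (read)
#######################################
build_nat() {
  local public
  echo " Now applying nat rules ,please wait ...."
  # nat PREROUTING sees the first packet of every connection: anything from
  # the uplink addressed straight to an internal network is dropped here, so
  # only DNAT'd connections can ever be forwarded inside.
  iptables -t nat -A PREROUTING -d "$LAN_NET" -i "$UPLINK" -j DROP
  iptables -t nat -A PREROUTING -d "$DMZ_NET" -i "$UPLINK" -j DROP
  [ "$(trimmed "$ROUTER")" = "yes" ] || return 0
  echo " enabing ip_forward,please wait..."
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo "OK"
  if [ "$(trimmed "$NAT")" = "dynamic" ]; then
    echo "Enableing MASQUERADING (dynamic ip ..."
    echo "Dynamic PPP connection,Now getting the dynamic ip address"
    public=$(uplink_address) || die "cannot determine the address of $UPLINK"
    echo " Now you IP ADDRESS is : ${public} "
    iptables -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
    iptables -t nat -A POSTROUTING -o "$UPLINK" -s "$DMZ_NET" -j SNAT --to "$public"
  elif [ -n "$(trimmed "$NAT")" ]; then
    echo "Enableing SNAT (static ip)..."
    [ -n "$(trimmed "$UPIP")" ] || die "NAT is static but UPIP is not set"
    public=$UPIP
    iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$UPLINK" -j SNAT --to "$public"
    iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$UPLINK" -j SNAT --to "$public"
  else
    return 0
  fi
  forward_ports "$public"
  echo "    OK !!!!"
}

#######################################
# Placeholder for the user-defined rules (SELF_SET=yes).  The BLOCK_TYPE,
# PROTO, INTE_IF, SRC, DST, DPORT, ACTION and ICMP_* keys of firewall.conf
# are not read or applied by anything yet.
# Globals: SELF_SET (read)
#######################################
self_rules() {
  [ "$(trimmed "${SELF_SET:-}")" = "yes" ] || return 0
  echo "Starting the rules you set yourself......"
  # TODO(arlenecc): implement the user-defined block rules.
  echo "   OK !!!!"
}

#######################################
# "start": build the complete ruleset.
#######################################
start_firewall() {
  echo "Starting firewall......"
  require_conf
  tune_kernel
  reset_tables
  echo "OK,the kernel is now prepared to use for building a firewall!!!"
  echo "Waitting ........................"
  build_drop_chain
  echo "   OK !!!!"
  build_check_flags
  echo "OK !!!! Finished check_flags rules...."
  build_input
  echo "OK !!!! The input rules has been successful applied ,continure......"
  build_forward
  echo "   OK !!!! The forward rules has been successful applied,conniture......"
  build_output
  echo "    OK !!!! The OUTPUT rules has been successful applied,conniture......."
  build_nat
  self_rules
  echo " All rules has been successful applied,enjoy it...."
}

#######################################
# "stop": open the policies and remove every rule.  The original flushed
# only nat POSTROUTING, so the DNAT rules in PREROUTING survived a stop;
# the filter, nat and mangle tables are now flushed completely.
#######################################
stop_firewall() {
  echo "Stoping Firewall...."
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X
  echo "The firewall has successful shuted down,be careful!!!"
}

case "${1:-}" in
  start) start_firewall ;;
  stop) stop_firewall ;;
  *)
    printf 'Usage: %s {start|stop}\n' "${0##*/}" >&2
    exit 1
    ;;
esac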



firewall.conf

   UPLINK=eth1
   UPIP=192.168.2.188
   ROUTER=yes
   NAT=192.168.2.188
   INTERFACES=lo eth0 eth1 eth2
   SERVICES=http ftp
   DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 313378000 14333389 7007 2223 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369

   LAN_IF=eth0
   LAN_NET=192.168.1.0/24
   DMZ_NET=192.168.3.0/24
   DMZ_IF=eth2
   DMZ_TCP_PORT=20 21 25 53 80 110
   DMZ_UDP_PORT=53
   WEB_IP=192.168.3.1
   FTP_IP=192.168.3.2
   H323_PORT=
   H323=no

#here you can add the block rules yourself ,but be sure you do all these setting otherwise ,it will not work at all !!!!
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
#here you can add the icmp block rules yourself,Be sure you do all these setting otherwise ,it will not work at all !!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=

心想事成 发表于 2003-11-11 14:27:57

就是一个基于iptables的基于状态检测的包过滤防火墙,对客户机和服务器同样适用,用本脚本可以直接启动和关闭防火墙。防火墙开始先对系统内核做一些适用于防火墙的改进,然后针对一些常见的扫描方式进行探测,如有扫描发生就阻止并记入日志;然后是非法外部SYN连接请求阻止并记入日志,外部ip碎片攻击检查阻止并记录;用户自行设定的开放的端口和禁止的端口,当然是基于状态检测的;还有半连接的阻止,SYN连接请求的限速,防止各种洪水攻击,IP欺骗攻击的防范;还有DMZ功能,和针对拨号的动态ip地址的获取和双向的地址映射,还有基于固定ip的专线方式的双向地址映射,在设定文件里面都可以设定的。如果是动态ip它会帮你获得拨号后的动态ip,可选路由和伪装两种方式……等等了,也说不了那么明白,大家自己看吧。不过有一点,如果有什么建议或改动请一定告诉我,我会不断完善的  arlenecc@263.net