心想事成 发表于 2003-11-21 16:42:34

iptables防火墙脚本

CODE
# NOTE(review): the listing below was pasted through a forum and is badly
# damaged: the whole script is collapsed onto a few lines, the backslashes of
# "\n"/"\t"/"\033" escapes are gone (hence "n", "tttt" and "33 33"), and the
# recurring `echo -e "tttt 33 33 then` residue appears to be a coloured
# "[ OK ]" echo followed by an `if [ ... ]` whose test expression was stripped
# as bbcode. The control flow cannot be recovered from this page; treat the
# text as a reference, not as something to run.
# Defects that are visible even in this form:
#  - FAILURE="you cann`t run this command ..." as shown: a backtick inside
#    double quotes opens a command substitution; the message needs a plain "'".
#  - `exit_failure` and the module loader `mp` are called but defined nowhere
#    on this page (presumably lost with the rest); `mp ipt_MASQURADE` is a
#    typo for ipt_MASQUERADE.
#  - every config value is read with an unanchored
#    `grep "KEY" /etc/firewall/firewall.conf | cut -d = -f 2`: "OPEN_TCP" and
#    "OPEN_UDP" also match OPEN_TCP_QUOTA/OPEN_UDP_QUOTA, "QUOTA" matches both
#    of those, "H323" matches H323_PORT and H323HOST, so such variables receive
#    several newline-joined values. Anchor the key: `grep "^KEY=" ...`.
#  - `grep " DMZ_IF"` (leading space) and `grep "MALFORED_PACKET_LOG"` (typo)
#    never match a "KEY=value" line, so DMZ_IF and MALFORMED_PACKET_LOG stay
#    empty and the log_martians line for $DMZ_IF writes to a bogus path.
#  - the config is read into WEB_M_IP, but the DNAT rules for port 4867 use
#    ${WEBMAIL_IP}, which is never set (`--to :4867`).
#  - the static-IP branch tests `[ "$H323 " = " yes " ]` (no leading space on
#    the left side) and so can never be true; the dynamic-IP branch above it
#    uses `[ " $H323 " = " yes " ]`.
#  - the default firewall.conf is written with one `echo -e "... n ..."` whose
#    newline escapes were lost, so the generated file would be a single line
#    that none of the greps could parse.
#  - "stop"/"flush"/"clear" set the INPUT/OUTPUT/FORWARD policies to ACCEPT
#    and flush the filter chains, i.e. stopping the firewall leaves the host
#    fully open (fail-open). Only nat/POSTROUTING is flushed, so the DNAT
#    rules in nat/PREROUTING survive a stop.
#  - the addresses in the generated default config (211.167.105.15,
#    61.129.112.46, 172.16.3.x, ...) are the original author's; they must be
#    replaced before the script is used anywhere.
#!/bin/bash echo -e " tt 33 33 then echo -e "nt OK ! you are root,continue....n" echo -e "a" else echo -e " Sorry,you are not root and not permitted to do this option...n" echo -e "a" FAILURE="you cann`t run this command ,you must be root to do this" exit_failure fi if ((`iptables -V 2>&1 | grep -c "Command not found"` )); then FAILURE="cann`t find iptables command ,you must install iptables" exit_failure fi #now reading the configure file FW_LOCATE=/etc/firewall if [ ! -e "$FW_LOCATE" ] then mkdir $FW_LOCATE fi if [ ! -f /etc/firewall/firewall.conf ] then echo "can not find firewall.conf,creating one with default setting..." echo -e " UPLINK=eth2 n UPIP=211.167.105.15 n ROUTER=yes n NAT=211.167.105.15 n INTERFACES=lo eth0 eth1 eth2 n LOAD_MODULES=no n SERVICES= n QUOTA=2097152 n OPEN_TCP_QUOTA=80 21 20 25 110 n OPEN_UDP_QUOTA= n LOG_ILLEGAL_FLAGS=yes n DENYIP=10.0.0.1 10.0.0.255 n DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369 n TCP_PORT_LOG=135 137 138 139 443 1433 3306 8080 8000 515 513 n OPEN_TCP= n OPEN_UDP= n LAN_IF=eth0 n LAN_NET=192.168.1.0/24 n DMZ_NET=172.16.3.0/24 n DMZ_IF=eth1 n DMZ_TCP_PORT=20 21 25 53 80 110 n DMZ_UDP_PORT=53 n WEB_IP=172.16.3.1 n FTP_IP=172.16.3.8 n DNS_IP=172.16.3.3 n MAIL_IP=172.16.3.10 n H323_PORT= n H323=no n H323HOST=172.16.3.18 n MALFORMED_PACKET_LOG=no n TUNNEL=yes n TUNNEL_TYPE=gre n TUNNEL_NAME=netx n LOCAL=61.129.112.46 n LOCAL_LANIP=10.0.2.1 n REMOTE_LANIP=192.168.1.199 n GATEWAY=211.167.105.15 n REMOTE_SUBNET=192.168.1.0/24 n MANAGE_IP=192.168.1.188 n " > /etc/firewall/firewall.conf fi echo -e "ttt Loading the firewall configuration.......n" UPLINK=`grep "UPLINK" /etc/firewall/firewall.conf | cut -d = -f 2 ` UPIP=`grep "UPIP" /etc/firewall/firewall.conf | cut -d = -f 2` ROUTER=`grep "ROUTER" /etc/firewall/firewall.conf | cut -d = -f 2` NAT=`grep "NAT" /etc/firewall/firewall.conf | cut -d = -f 2` INTERFACES=`grep "INTERFACES" /etc/firewall/firewall.conf | cut -d = -f 2` LOAD_MODULES=`grep "LOAD_MODULES" 
/etc/firewall/firewall.conf | cut -d = -f 2` LOG_ILLEGAL_FLAGS=`grep "LOG_ILLEGAL_FLAGS" /etc/firewall/firewall.conf | cut -d = -f 2` OPEN_TCP=`grep "OPEN_TCP" /etc/firewall/firewall.conf | cut -d = -f 2` OPEN_UDP=`grep "OPEN_UDP" /etc/firewall/firewall.conf | cut -d = -f 2` TCP_PORT_LOG=`grep "TCP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2` DENYIP=`grep "DENYIP" /etc/firewall/firewall.conf | cut -d = -f 2` DENYUDPPORT=`grep "DENYUDPPORT" /etc/firewall/firewall.conf | cut -d = -f 2` LAN_IF=`grep "LAN_IF" /etc/firewall/firewall.conf | cut -d = -f 2` LAN_NET=`grep "LAN_NET" /etc/firewall/firewall.conf | cut -d = -f 2` DMZ_NET=`grep "DMZ_NET" /etc/firewall/firewall.conf | cut -d = -f 2` DMZ_IF=`grep " DMZ_IF" /etc/firewall/firewall.conf | cut -d = -f 2` DMZ_TCP_PORT=`grep "DMZ_TCP_PORT" /etc/firewall/firewall.conf | cut -d = -f 2` DMZ_UDP_PORT=` grep "DMZ_UDP_PORT" /etc/firewall/firewall.conf | cut -d = -f 2` WEB_IP=` grep "WEB_IP" /etc/firewall/firewall.conf | cut -d = -f 2` FTP_IP=` grep "FTP_IP" /etc/firewall/firewall.conf | cut -d = -f 2` SSH_IP=`grep "SSH_IP" /etc/firewall/firewall.conf | cut -d = -f 2` TELNET_IP=`grep "TELNET_IP" /etc/firewall/firewall.conf | cut -d = -f 2` WEB_M_IP=`grep "WEB_M_IP" /etc/firewall/firewall.conf | cut -d = -f 2` H323_PORT=` grep "H323_PORT" /etc/firewall/firewall.conf | cut -d = -f 2` H323=` grep "H323" /etc/firewall/firewall.conf | cut -d = -f 2` DNS_IP=` grep "DNS_IP" /etc/firewall/firewall.conf | cut -d = -f 2` H323HOST=` grep "H323HOST" /etc/firewall/firewall.conf | cut -d = -f 2` MALFORMED_PACKET_LOG=` grep "MALFORED_PACKET_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 ` QUOTA=` grep "QUOTA" /etc/firewall/firewall.conf | cut -d = -f 2 ` OPEN_TCP_QUOTA=` grep "OPEN_TCP_QUOTA" /etc/firewall/firewall.conf | cut -d = -f 2 ` OPEN_UDP_QUOTA=`grep "OPEN_UDP_QUOTA" /etc/firewall/firewall.conf | cut -d = -f 2 ` MANAGE_IP=` grep "MANAGE_IP" /etc/firewall/firewall.conf | cut -d = -f 2 ` MAIL_IP=` grep "MAIL_IP" 
/etc/firewall/firewall.conf | cut -d = -f 2 ` if [ "$NAT" == "DHCP" ]; then if [ -z "$UPIP" ]; then echo " [ WAIT ]" echo -n "-> $UPLINK has no IP address. Waiting for DHCP" for COUNT in 1 2 3 4 5 6 7 8 9 10; do sleep 1 echo -n "*#" UPIP=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1` if [ -n "$UPIP" ]; then echo " [ FOUND ]" break else if [ "$COUNT" == "10" ]; then echo " [ MISSING ]" echo "-> WARNING: IP address for $UPLINK not found. " fi fi done fi fi if !(( `which modprobe 2>&1 | grep -c "which: no modprobe in"` )) && ( [ -a /proc/modules ] || ! [ -a /proc/version ] ); then if (( `lsmod | grep -c "ipchains"` )); then rmmod ipchains > /dev/null 2>&1 fi fi #define the iptables function iptables() { /sbin/iptables "$@" } if [ "$1" = "start" ] then echo "Starting firewall......" echo -e "Now prepareing the kernel to use for a firewall ,please wait....." if [ -e /proc/sys/net/ipv4/ip_forward ] then echo -e "enable ip_forward.please wait...." echo 1 >/proc/sys/net/ipv4/ip_forward echo -e "tttt 33 33 then echo -e "ntEnable dynamic ip support...." echo 1 > /proc/sys/net/ipv4/ip_dynaddr echo -e "tttt33 33 then echo -e "ntEnable the syncookies flood protection" echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo -e "tttt 33 33 then echo -e "ntSetting the maximum number of connections to track.... " echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max echo -e "tttt 33 33 then echo -e " ntSetting local port range for TCP/UDP connection...." echo -e "32768t61000" > /proc/sys/net/ipv4/ip_local_port_range echo -e "tttt 33 33 then echo -e "ntEnable bad error message protection......." echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo -e "tttt 33 33 then echo -e "ntDisabling tcp_ecn,please wait..." echo 0 >/proc/sys/net/ipv4/tcp_ecn echo -e "tttt 33 33 33 then echo -e "ntDisabing ICMP redirects,please wait...." 
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo -e "tttt 33 33 then echo -e "ntDisabling source routing of packets,please wait...." for i in /proc/sys/net/ipv4/conf/*/accept_source_route do echo 0 > $i done echo -e "tttt 33 33 then echo -e "ntIgnore any broadcast icmp echo requests......" echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo -e "tttt 33 33 then echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.." echo 5 > /proc/sys/net/ipv4/icmp_destunreach_rate echo 5 > /proc/sys/net/ipv4/icmp_echoreply_rate echo -e "tttt 33 33 then echo -e "ntDisable the tcp_timestamps......" echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo -e "tttt 33 33 then echo -e "ntSetting up tcp_fin_timeout...." echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo -e "tttt 33 33 then echo -e "ntSetting up the tcp_keepalive_time...." echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo -e "tttt 33 33 then echo -e "ntDisabling tcp_window_scaling...." echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo -e "tttt 33 33 then echo -e "ntDisabling tcp_sack...." echo 0 > /proc/sys/net/ipv4/tcp_sack echo -e "tttt 33 33 then echo -e "ntSetting up the ipfrag_time...." echo 20 > /proc/sys/net/ipv4/ipfrag_time echo -e "tttt 33 33 then echo -e "ntSetting up the tcp_max_syn_backlog...." echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo -e "tttt 33 33 then echo -e "nt Enabling tcp_abort_on_overflow" echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow echo -e "tttt 33 33 then echo -e "ntLOG packets with impossible addresses to kernel log...." echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 0 > /proc/sys/net/ipv4/conf/$LAN_IF/log_martians echo 0 > /proc/sys/net/ipv4/conf/$DMZ_IF/log_martians echo -e "tttt 33 33 then echo -e "ntenable secure_redirects...." echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects echo -e "tttt 33 33 then if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ] then echo -e "ntLoading iptables modules please wait...." 
mp ip_tables mp ipt_LOG mp ipt_owner mp ipt_MASQURADE mp ipt_REJECT mp ipt_conntrack_ftp mp ipt_conntrack_irc mp iptable_filter mp iptable_nat mp iptable_mangle mp ip_conntrack mp ipt_limit mp ipt_state mp ipt_unclean mp ipt_TCPMSS mp ipt_TOS mp ipt_TTL mp ipt_quota mp ipt_iplimit mp ipt_pkttype mp ipt_ipv4options mp ipt_MARK echo -e "tttt 33 33 33 33 then echo -e "tNow logging malformed packages" iptables -A INPUT -i ${UPLINK} -m unclean -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP malformed packet:" # iptables -A INPUT -i ${UPLINK} -m unclean -j DROP echo -e "tttt 33 33 then iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ALL FIN :" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,FIN FIN :" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,PSH PSH:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,URG URG:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m -j LOG --log-level 6 
--log-prefix " SYN/RST SCAN" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "XMAS-PSH:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "NULL_SCAN" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID SCAN:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP else iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP iptables -A 
CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP echo -e "tttt 33 33 33 33 33 33 then echo -e "t enabing ip_forward,please wait..." echo 1 >/proc/sys/net/ipv4/ip_forward echo -e "tttt 33 33 then echo -e "tEnableing MASQUERADING (dynamic ip )..." 
echo -e "tDynamic PPP connection,Now getting the dynamic ip address" IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1` echo -e "t Now you IP ADDRESS is : ${IP_ADDR} " iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR} iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} -p tcp --dport 80 -j DNAT --to ${WEB_IP}:80 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 22 -j DNAT --to ${SSH_IP}:22 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 14867 -j DNAT --to ${TELNET_IP}:14867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 4867 -j DNAT --to ${WEBMAIL_IP}:4867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 25 -j DNAT --to ${MAIL_IP}:25 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 110 -j DNAT --to ${MAIL_IP}:110 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 53 -j DNAT --to ${DNS_IP}:53 iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport 53 -j DNAT --to ${DNS_IP}:53 if [ " $H323 " = " yes " ] then echo -e "tStartting H323 NAT setting......" for port in ${H323_PORT} do iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} done fi echo -e "t OK,NAT setting start succecc.." elif [ " $NAT " != " " ] then echo -e "tEnableing SNAT (static ip)..." 
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP} iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP} iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP} iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 22 -j DNAT --to ${SSH_IP}:22 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 14867 -j DNAT --to ${TELNET_IP}:14867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 4867 -j DNAT --to ${WEBMAIL_IP}:4867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 25 -j DNAT --to ${MAIL_IP}:25 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 110 -j DNAT --to ${MAIL_IP}:110 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 53 -j DNAT --to ${DNS_IP}:53 iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport 53 -j DNAT --to ${DNS_IP}:53 if [ "$H323 " = " yes " ] then echo -e "tStartting H323 NAT setting........" for port in ${H323_PORT} do iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} done fi echo -e "tttt 33 33 then echo -e "ntStarting the rules you set yourself......" # selfset echo -e "tttt 33 33 33 || [ "$1" = "flush" ] || [ "$1" = "clear" ] then echo -e "tStoping Firewall...." 
iptables -F INPUT > /dev/null 2>&1 iptables -P INPUT ACCEPT > /dev/null 2>&1 iptables -P OUTPUT ACCEPT > /dev/null 2>&1 iptables -P FORWARD ACCEPT > /dev/null 2>&1 iptables -F FORWARD > /dev/null 2>&1 iptables -F OUTPUT > /dev/null 2>&1 iptables -t nat -F POSTROUTING > /dev/null 2>&1 iptables -F tcpHandler > /dev/null 2>&1 iptables -F udpHandler > /dev/null 2>&1 iptables -F icmpHandler > /dev/null 2>&1 iptables -F CHECK_FLAGS > /dev/null 2>&1 iptables -F DROP-AND-LOG > /dev/null 2>&1 iptables -F syn-flood > /dev/null 2>&1 iptables -F lan-input > /dev/null 2>&1 iptables -F dmz-input > /dev/null 2>&1 iptables -X tcpHandler > /dev/null 2>&1 iptables -X udpHandler > /dev/null 2>&1 iptables -X icmpHandler > /dev/null 2>&1 iptables -X CHECK_FLAGS > /dev/null 2>&1 iptables -X DROP-AND-LOG > /dev/null 2>&1 iptables -X syn-flood > /dev/null 2>&1 iptables -X lan-input > /dev/null 2>&1 iptables -X dmz-input > /dev/null 2>&1 echo -e "a" echo -e "tttt 33 33 UPIP=211.167.105.15 # means if you want to use this firewall as a router ROUTER=yes #If you use adsl set this to "dynamic",if you use DDN or any kinds of fixed IP you set it to " " and set upip ,if you use DHCP,you just set it to "DHCP" NAT=211.167.105.15 # means the interface you have INTERFACES=lo eth0 eth1 eth2 #means if you want to load all modules needed for this program LOAD_MODULES=no # means what kind of services you want to provide SERVICES= # Open ports/services to the WWW, with a quota limit of incoming "n"Megs, when the quota is reached, the rule doesnt match anymore. Ex; 1Meg=1048576, 2Megs=echo $, etc... 
QUOTA=2097152 OPEN_TCP_QUOTA=80 21 20 25 110 OPEN_UDP_QUOTA= #means if you want to log the illegal tcp flags LOG_ILLEGAL_FLAGS=yes # means the IP address you want to DENY DENYIP=10.0.0.1 10.0.0.255 # means the UDP port you want to filter DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369 #means the tcp port you want to log if some one try to come in TCP_PORT_LOG=135 137 138 139 443 1433 3306 8080 8000 515 513 #means tcp ports you want to open,please only use this if you are provide services on firewall,dangerous OPEN_TCP= #means udp ports you want to open,please only use this if you are provide services on firewall,dangerous OPEN_UDP= # # means the interface you connected to LAN LAN_IF=eth0 # means the LAN net LAN_NET=192.168.1.0/24 # means the DMZ net DMZ_NET=172.16.3.0/24 # means the DMZ interfaces DMZ_IF=eth1 # means the tcp port you want to provide in DMZ DMZ_TCP_PORT= 21 25 53 80 110 # means the udp port you want to open in DMZ DMZ_UDP_PORT=53 #means the ipaddress of telnet server in DMZ net TELNET_IP=172.16.3.8 TELNET_PORT=14867 #means the ipaddress of ssh server in DMZ net SSH_IP=172.16.3.18 SSH_PORT=22 WEB_M_IP=172.16.3.20 WEB_M_PORT=4867 #means the ipaddress of www server in DMZ net WEB_IP=172.16.3.8 WEB_PORT=80 # means the ip address of ftp server in DMZ net FTP_IP=172.16.3.8 FTP_PORT=21 FTP_DATA=20 # means the ip address of DNS server in DMZ net DNS_IP=172.16.3.3 DNS_PORT=53 #means the ip address of mail server in DMZ net MAIL_IP=172.16.3.20 SMTP_PORT=25 POP_PORT=110 # means the H323 port you want to open if you use video device in DMZ H323_PORT= # if you use video device in DMZ you can set it to yes H323=no # means the h323 services you used in DMZ H323HOST=172.16.3.18 #means if you will log malformed packets MALFORMED_PACKET_LOG=no #The bellow is the setting of a ipi tunnel or GRE tunnel #means if you will bulid a tunnel with somewhere else TUNNEL=yes # Type of tunnel (gre or ipip) TUNNEL_TYPE=gre # Name of the tunnel TUNNEL_NAME=netx # Address of your 
External Interface (only required for gre tunnels) LOCAL=61.129.112.46 # Address of the local system -- this is the address of one of your # local interfaces (or for a mobile host, the address that this system has # when attached to the local network). # LOCAL_LANIP=10.0.2.1 # Address of the Remote system -- this is the address of one of the # remote systems local interfaces (or if the remote system is a mobile host, # the address that it uses when attached to the local network). REMOTE_LANIP=192.168.1.199 # Internet address of the Remote system # GATEWAY=211.167.105.15 # Remote sub-network -- if the remote system is a gateway for a # private subnetwork that you wish to # access, enter it here. If the remote # system is a stand-alone/mobile host, leave this # empty REMOTE_SUBNET=192.168.1.0/24 #means the ipaddress you want to manage the firewall MANAGE_IP=192.168.1.188 #here you can add the block rules yourself ,but be sure you do all these setting# otherwise ,it will not work at all !!!! SELF_SET= BLOCK_TYPE= PROTO= INTE_IF= SRC= DST= DPORT= ACTION= ACTION_TYPE= #here you can add the icmp block rules yourself,Be sure you do all these setting otherwise ,it will not work at all !!!! 
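ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
--------------------------------------------------------------------------------------------
#!/bin/sh
RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or GRE/ipip tunnel -- RainLow Firewall
#
# Modified - arlenecc
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL
#
# Usage:  $0 {start|stop|restart}
# Reads TUNNEL_TYPE (gre|ipip), TUNNEL_NAME, LOCAL, LOCAL_LANIP, REMOTE_LANIP,
# GATEWAY and REMOTE_SUBNET from /etc/firewall/firewall.conf.  TUNNEL is read
# as well but never consulted; whether this script runs at all is left to the
# init system (see RCDLINKS / chkconfig above).
#
# Plain GRE/IPIP encapsulation neither encrypts nor authenticates the traffic
# it carries; put IPsec (or equivalent) on top if the link crosses untrusted
# networks.
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 26 89
# description: GRE/IP Tunnel
#
################################################################################

CONF=/etc/firewall/firewall.conf

# Print the value of KEY ($1) from $CONF: first "KEY=value" line, key anchored
# at the start of the line.  The original unanchored `grep "KEY"` also matched
# TUNNEL_TYPE/TUNNEL_NAME for "TUNNEL" and LOCAL_LANIP for "LOCAL", so those
# variables received several newline-joined values.  `-f 2-` keeps values that
# themselves contain '='.
conf_get() {
  grep "^$1=" "$CONF" | head -n 1 | cut -d = -f 2-
}

TUNNEL=$(conf_get TUNNEL)
TUNNEL_TYPE=$(conf_get TUNNEL_TYPE)
TUNNEL_NAME=$(conf_get TUNNEL_NAME)
LOCAL=$(conf_get LOCAL)
LOCAL_LANIP=$(conf_get LOCAL_LANIP)
REMOTE_LANIP=$(conf_get REMOTE_LANIP)
GATEWAY=$(conf_get GATEWAY)
REMOTE_SUBNET=$(conf_get REMOTE_SUBNET)
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin

# Abort unless TUNNEL_NAME is set.  With an empty name the ip(8) calls below
# either fail with a confusing message or (for `ip link show`) list every
# interface, which would make do_stop try to bring down a device called "".
require_tunnel_name() {
  if [ -z "$TUNNEL_NAME" ]; then
    echo "$0: TUNNEL_NAME must be set in $CONF" >&2
    exit 1
  fi
}

# Load the kernel module for the configured tunnel type (ipip or gre).
# Any other TUNNEL_TYPE loads nothing.
load_modules () {
  case "$TUNNEL_TYPE" in
    ipip)
      echo "Loading IP-ENCAP Module"
      modprobe ipip
      ;;
    gre)
      echo "Loading GRE Module"
      modprobe ip_gre
      ;;
  esac
}

# Bring the tunnel interface down and delete it, each step only if the
# interface currently exists.
do_stop() {
  require_tunnel_name
  if [ -n "$(ip link show "$TUNNEL_NAME" 2>/dev/null)" ]; then
    echo "Stopping $TUNNEL_NAME"
    # was `ip link set dev $TUNNELNAME down`: the misspelt variable is
    # undefined, so the device name was missing and the interface was never
    # brought down.
    ip link set dev "$TUNNEL_NAME" down
  fi
  if [ -n "$(ip addr show "$TUNNEL_NAME" 2>/dev/null)" ]; then
    echo "Deleting $TUNNEL_NAME"
    ip tunnel del "$TUNNEL_NAME"
  fi
}

# Create the tunnel (re-creating it if it already exists), bring it up,
# assign LOCAL_LANIP and, when REMOTE_SUBNET is set, route that subnet
# through it.  Exits 1 when TUNNEL_NAME or GATEWAY is not configured.
do_start() {
  require_tunnel_name
  if [ -z "$GATEWAY" ]; then
    echo "$0: GATEWAY must be set in $CONF" >&2
    exit 1
  fi
  #NOTE: Comment out the next line if you have built gre/ipip into your kernel
  load_modules
  if [ -n "$(ip link show "$TUNNEL_NAME" 2>/dev/null)" ]; then
    do_stop
  fi
  echo "Adding $TUNNEL_NAME"
  case "$TUNNEL_TYPE" in
    gre)
      ip tunnel add "$TUNNEL_NAME" mode gre remote "$GATEWAY" local "$LOCAL" ttl 255
      ;;
    *)
      ip tunnel add "$TUNNEL_NAME" mode ipip remote "$GATEWAY"
      ;;
  esac
  echo "Starting $TUNNEL_NAME"
  ip link set dev "$TUNNEL_NAME" up
  case "$TUNNEL_TYPE" in
    gre)
      ip addr add "$LOCAL_LANIP" dev "$TUNNEL_NAME"
      ;;
    *)
      ip addr add "$LOCAL_LANIP" peer "$REMOTE_LANIP" dev "$TUNNEL_NAME"
      ;;
  esac
  #
  # As with all interfaces, the 2.4 kernels will add the obvious host
  # route for this point-to-point interface
  #
  if [ -n "$REMOTE_SUBNET" ]; then
    echo "Adding Routes"
    case "$TUNNEL_TYPE" in
      gre)
        ip route add "$REMOTE_SUBNET" dev "$TUNNEL_NAME"
        ;;
      ipip)
        ip route add "$REMOTE_SUBNET" via "$GATEWAY" dev "$TUNNEL_NAME" onlink
        ;;
    esac
  fi
}

case "$1" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart)
    do_stop
    sleep 1
    do_start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0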

外来人 发表于 2003-11-21 17:15:17

太复杂了,看不懂:(要有人解说还差不多。
俺自己找了个简单的,然后自己写了个用在网吧。虽然不怎么的,也够用。

心想事成 发表于 2003-11-21 17:20:26

是比较复杂

janlyqiu 发表于 2003-11-21 20:06:27

QUOTE
太复杂了,看不懂:(要有人解说还差不多。
俺自己找了个简单的,然后自己写了个用在网吧。虽然不怎么的,也够用。
可不可以拿出来给大家分享一下,我也是在网吧做了个coyote的软路由,正好要一些防火墙!自己不会写。。

fuleru 发表于 2005-4-7 18:26:00

楼主转的脚本很复杂,看起来也很费劲,估计作者写起来也很费劲。

abc_123 发表于 2007-12-16 14:55:30

:) :) :) :) :)

cchzh2008 发表于 2008-1-12 15:45:43

内容被屏蔽了:o

bg4ali 发表于 2008-2-11 23:15:17

ddddddddddddddddddddddd

longyan333 发表于 2008-8-18 14:02:50

顶。。。。。。。。。。。。。

lqh311 发表于 2008-8-23 12:44:44

看看..!