/sbin/iptables -F/sbin/iptables -X/sbin/iptables -P INPUT DROP/sbin/iptables -P FORWARD DROP/sbin/iptables -P OUTPUT ACCEPT# IP blocker/sbin/iptables -N ipblock/sbin/iptables -A INPUT -i ppp0 -j ipblock/sbin/iptables -A INPUT -i ippp0 -j ipblockif [ "$RED_DEV" != "" ]; then/sbin/iptables -A INPUT -i $RED_DEV -j ipblockfi/sbin/iptables -A FORWARD -i ppp0 -j ipblock/sbin/iptables -A FORWARD -i ippp0 -j ipblockif [ "$RED_DEV" != "" ]; then/sbin/iptables -A FORWARD -i $RED_DEV -j ipblockfi# For IGMP and multicast/sbin/iptables -N advnet/sbin/iptables -A INPUT -i ppp0 -j advnet/sbin/iptables -A INPUT -i ippp0 -j advnetif [ "$RED_DEV" != "" ]; then/sbin/iptables -A INPUT -i $RED_DEV -j advnetfi# Spoof protection for RED (rp_filter does not work with FreeS/WAN)/sbin/iptables -N spoof/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROPif [ "$ORANGE_DEV" != "" ]; then/sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROPfi/sbin/iptables -A INPUT -i ppp0 -j spoof/sbin/iptables -A INPUT -i ippp0 -j spoofif [ "$RED_DEV" != "" ]; then/sbin/iptables -A INPUT -i $RED_DEV -j spooffi# localhost and ethernet./sbin/iptables -A INPUT -i lo -j ACCEPT/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT# IPSEC/sbin/iptables -N secin/sbin/iptables -A secin -i ipsec0 -j ACCEPT/sbin/iptables -A INPUT -j secin/sbin/iptables -N secout/sbin/iptables -A secout -i ipsec0 -j ACCEPT/sbin/iptables -A FORWARD -j secout/sbin/iptables -N block# Let em through./sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT/sbin/iptables -A block -i $GREEN_DEV -j ACCEPT/sbin/iptables -N xtaccess/sbin/iptables -A block -j xtaccess# IPSEC/sbin/iptables -N ipsec/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT/sbin/iptables -A ipsec -p 47 -j ACCEPT/sbin/iptables -A ipsec -p 50 -j ACCEPT/sbin/iptables -A block -i ppp0 -j ipsec/sbin/iptables -A block -i ippp0 -j ipsecif [ "$RED_DEV" != "" ]; then/sbin/iptables -A block -i $RED_DEV -j ipsecfi# last rule in INPUT chain is for logging./sbin/iptables -A INPUT -j LOG/sbin/iptables -A INPUT -j REJECT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ppp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state NEW -o ppp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ippp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state NEW -o ippp0 -j ACCEPTif [ "$RED_DEV" != "" ]; then/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o $RED_DEV -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -j ACCEPT/sbin/iptables -A FORWARD -m state --state NEW -o $RED_DEV -j ACCEPTfi# Port forwarding/sbin/iptables -N portfwf/sbin/iptables -A FORWARD -j portfwf/sbin/iptables -N dmzholes# Allow GREEN to talk to ORANGE.if [ "$ORANGE_DEV" != "" ]; then/sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \--state ESTABLISHED,RELATED -j ACCEPT/sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \--state NEW,ESTABLISHED,RELATED -j ACCEPT# dmz pinhole chain. setdmzholes setuid prog adds rules here to allow# ORANGE to talk to GREEN./sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholesfi# VPN/sbin/iptables -A FORWARD -i $GREEN_DEV -o ipsec0 -j ACCEPT/sbin/iptables -A FORWARD -i ipsec0 -o $GREEN_DEV -j ACCEPT/sbin/iptables -A FORWARD -j LOG/sbin/iptables -A FORWARD -j REJECT# NAT table/sbin/iptables -t nat -F/sbin/iptables -t nat -X# squid/sbin/iptables -t nat -N squid/sbin/iptables -t nat -N jmpsquid/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN/sbin/iptables -t nat -A jmpsquid -j squid/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid# Masqurade/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADEif [ "$RED_DEV" != "" ]; then/sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADEfi# Port forwarding/sbin/iptables -t nat -N portfw/sbin/iptables -t nat -A PREROUTING -j portfw ippp0是什么东东?脚本里面看不了,也没有见过。。 QUOTE (fuleru @ Apr 10 2005, 01:37 AM)
ippp0是什么东东?脚本里面看不了,也没有见过。。
不是 ippp0 是 ppp0。 哈啤猫,你转的这个脚本小弟有些地方不懂啊,给加人注释啥的吧! 你先看看 IPTABLES的 资料,然后再看这个哦。此外少了些东西。。。。能理解结构就可以了,只是个参考。太长了,我就转了防火墙这部分,这个站点用SQUID做的反向代理。 呵呵,希望把整个防火墙都发出来看看,用文件传上来 对强烈建议!!!..... ppp0 应该是自定义的接口名称吧 $RED_DEV$ORANGE_DEV$GREEN_DEV
这几个变量的值是什么? 才发现这是个老贴.... 呵呵~ 喜欢老贴。 linux下IPTABALES的
ROS不合适用的
页:
[1]