
[iptables] [转贴]iptables防火墙脚本

发表于 2003-11-21 16:42:34 | 显示全部楼层
iptables防火墙脚本

CODE
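#!/bin/bash
#
# RainLow firewall 1.0rc1 -- start-up section.
#
# Prints the banner, verifies that the caller is root and that iptables is
# installed, creates /etc/firewall/firewall.conf with default settings when it
# is missing, loads the settings into shell variables and, for NAT=DHCP, waits
# for the uplink interface to obtain an address.
#
# Security notes for operators:
#   * Every value read from firewall.conf is later expanded, unquoted, into
#     iptables commands that run as root. The file must be writable by root
#     only; a newly created file is set to mode 600.
#   * Keys are matched exactly (see conf_get). A substring match would let
#     OPEN_TCP pick up the OPEN_TCP_QUOTA port list, which the INPUT section
#     then opens on the uplink, and would make H323 and QUOTA multi-line.
#   * NOTE(review): the rule sections further down read LAN, UPLINL,
#     WEBMAIL_IP, DENY_USER and SELF_SET, none of which is assigned here
#     (WEB_M_IP is loaded, WEBMAIL_IP is used). They expand to nothing, so the
#     rules that use them do not do what they appear to do.
#   * NOTE(review): some later tests compare against padded literals such as
#     [ "$NAT" = " dynamic " ] and [ "$H323 " = " yes " ]; the values loaded
#     here are trimmed, so those tests need checking.

echo -e " \t\t\033[1;31m RainLow firewall \033[m version 1.0rc1 -- 24/11/2002 \n"
echo -e "############################################################"
echo -e " This software may be used and distributed according to "
echo -e "the terms of the GNU General Public License (GPL) provided"
echo -e "credit is given to the original author. "
echo -e "\t\t\t\033[1;31m Copyright (C) 2002 rainlow \033[m \n"
echo -e "\t\t\t\t All rights reserved \n\n\n"
echo -e "############################################################"

# now begins the firewall
echo -e "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"
echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"

#######################################
# Report a fatal error and abort the firewall configuration.
# Globals:   FAILURE (read) - reason for the abort
# Outputs:   the failure report, on stderr
# Returns:   does not return; exits with status 1
#######################################
exit_failure() {
  {
    echo -e " \t \033[3;031m [ FAILED ] \033[0m \n"
    echo "-> FATAL: $FAILURE"
    echo "-> Firewall configuration ** ABORTED **."
  } >&2
  exit 1
}

# check if you are root
ROOT_ID=0
echo "Now check if you are root...."
if [ "$UID" = "$ROOT_ID" ]; then
  echo -e "\n\t OK ! you are root,continue....\n"
  echo -e "\a"
else
  echo -e " Sorry,you are not root and not permitted to do this option...\n"
  echo -e "\a"
  # An apostrophe, not a backtick: a backtick inside double quotes starts a
  # command substitution and breaks the parsing of everything after it.
  FAILURE="you can't run this command, you must be root to do this"
  exit_failure
fi

# The iptables wrapper defined later in this script calls /sbin/iptables, so
# test that exact binary rather than parsing the shell's error message.
if [ ! -x /sbin/iptables ]; then
  FAILURE="can't find iptables command, you must install iptables"
  exit_failure
fi

# now reading the configure file
FW_LOCATE=/etc/firewall
FW_CONF=$FW_LOCATE/firewall.conf

if [ ! -d "$FW_LOCATE" ]; then
  if ! mkdir -p -- "$FW_LOCATE"; then
    FAILURE="cannot create directory $FW_LOCATE"
    exit_failure
  fi
fi

if [ ! -f "$FW_CONF" ]; then
  echo "can not find firewall.conf,creating one with default setting..."
  # Quoted delimiter: the defaults are written literally, one KEY=VALUE per
  # line. These addresses are examples and must be edited for the local site.
  if ! cat > "$FW_CONF" <<'EOF'
UPLINK=eth2
UPIP=211.167.105.15
ROUTER=yes
NAT=211.167.105.15
INTERFACES=lo eth0 eth1 eth2
LOAD_MODULES=no
SERVICES=
QUOTA=2097152
OPEN_TCP_QUOTA=80 21 20 25 110
OPEN_UDP_QUOTA=
LOG_ILLEGAL_FLAGS=yes
DENYIP=10.0.0.1 10.0.0.255
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
TCP_PORT_LOG=135 137 138 139 443 1433 3306 8080 8000 515 513
OPEN_TCP=
OPEN_UDP=
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=172.16.3.0/24
DMZ_IF=eth1
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=172.16.3.1
FTP_IP=172.16.3.8
DNS_IP=172.16.3.3
MAIL_IP=172.16.3.10
H323_PORT=
H323=no
H323HOST=172.16.3.18
MALFORMED_PACKET_LOG=no
TUNNEL=yes
TUNNEL_TYPE=gre
TUNNEL_NAME=netx
LOCAL=61.129.112.46
LOCAL_LANIP=10.0.2.1
REMOTE_LANIP=192.168.1.199
GATEWAY=211.167.105.15
REMOTE_SUBNET=192.168.1.0/24
MANAGE_IP=192.168.1.188
EOF
  then
    FAILURE="cannot write $FW_CONF"
    exit_failure
  fi
  chmod 600 "$FW_CONF"
fi

# -O is true when the file is owned by the effective user, which is root here.
if [ ! -O "$FW_CONF" ]; then
  echo "-> WARNING: $FW_CONF is not owned by root; its values are used in iptables commands run as root." >&2
fi

#######################################
# Print the value stored under one key of the configuration file.
# The key must match the whole name left of the first '='; blanks around the
# name and around the value are dropped. Only the first matching line is used.
# Globals:   FW_CONF (read)
# Arguments: $1 - exact key name
# Outputs:   the value on stdout; nothing when the key is absent
#######################################
conf_get() {
  awk -v key="$1" '
    {
      eq = index($0, "=")
      if (eq == 0) next
      name = substr($0, 1, eq - 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (name != key) next
      value = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", value)
      print value
      exit
    }
  ' "$FW_CONF"
}

echo -e "\t\t\t Loading the firewall configuration.......\n"
# One shell variable per key, named after the key. MALFORMED_PACKET_LOG is
# looked up under its real name, so the setting in the file takes effect.
for key in UPLINK UPIP ROUTER NAT INTERFACES LOAD_MODULES LOG_ILLEGAL_FLAGS \
  OPEN_TCP OPEN_UDP TCP_PORT_LOG DENYIP DENYUDPPORT LAN_IF LAN_NET DMZ_NET \
  DMZ_IF DMZ_TCP_PORT DMZ_UDP_PORT WEB_IP FTP_IP SSH_IP TELNET_IP WEB_M_IP \
  H323_PORT H323 DNS_IP H323HOST MALFORMED_PACKET_LOG QUOTA OPEN_TCP_QUOTA \
  OPEN_UDP_QUOTA MANAGE_IP MAIL_IP; do
  printf -v "$key" '%s' "$(conf_get "$key")"
done
unset key

# With NAT=DHCP and no UPIP configured, poll the uplink for up to ten seconds
# until it has an address.
if [ "$NAT" == "DHCP" ]; then
  if [ -z "$UPIP" ]; then
    echo " [ WAIT ]"
    echo -n "-> $UPLINK has no IP address. Waiting for DHCP"
    for COUNT in 1 2 3 4 5 6 7 8 9 10; do
      sleep 1
      echo -n "*#"
      UPIP=$(ifconfig "${UPLINK}" | grep inet | cut -d : -f 2 | cut -d " " -f 1)
      if [ -n "$UPIP" ]; then
        echo " [ FOUND ]"
        break
      elif [ "$COUNT" == "10" ]; then
        echo " [ MISSING ]"
        echo "-> WARNING: IP address for $UPLINK not found. "
      fi
    done
  fi
fi

# ipchains check: this statement is left unchanged and is completed on the
# next line of the script.
if !(( `which modprobe 2>&1 | grep -c "which: no modprobe in"` )) && ( [ -a /proc/modules ] || ! 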
[ -a /proc/version ] ); then if (( `lsmod | grep -c "ipchains"` )); then rmmod ipchains > /dev/null 2>&1 fi fi #define the iptables function iptables() { /sbin/iptables "$@" } if [ "$1" = "start" ] then echo "Starting firewall......" echo -e "Now prepareing the kernel to use for a firewall ,please wait....." if [ -e /proc/sys/net/ipv4/ip_forward ] then echo -e "enable ip_forward.please wait...." echo 1 >/proc/sys/net/ipv4/ip_forward echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ "$NAT" = " dynamic " ] then echo -e "ntEnable dynamic ip support...." echo 1 > /proc/sys/net/ipv4/ip_dynaddr echo -e "tttt33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_syncookies ] then echo -e "ntEnable the syncookies flood protection" echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/ip_conntrack_max ] then echo -e "ntSetting the maximum number of connections to track.... " echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/ip_local_port_range ] then echo -e " ntSetting local port range for TCP/UDP connection...." echo -e "32768t61000" > /proc/sys/net/ipv4/ip_local_port_range echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] then echo -e "ntEnable bad error message protection......." echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_ecn ] then echo -e "ntDisabling tcp_ecn,please wait..." echo 0 >/proc/sys/net/ipv4/tcp_ecn echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi for x in ${INTERFACES} do echo -e " ntEnabling rp_filter on ${x} ,please wait...." echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter echo -e "tttt 33[3;032m [ OK ] 33[0mn" done if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ] then echo -e "ntDisabing ICMP redirects,please wait...." 
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] then echo -e "ntDisabling source routing of packets,please wait...." for i in /proc/sys/net/ipv4/conf/*/accept_source_route do echo 0 > $i done echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] then echo -e "ntIgnore any broadcast icmp echo requests......" echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/icmp_destunreach_rate ] then echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.." echo 5 > /proc/sys/net/ipv4/icmp_destunreach_rate echo 5 > /proc/sys/net/ipv4/icmp_echoreply_rate echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi #echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay if [ -e /proc/sys/net/ipv4/tcp_timestamps ] then echo -e "ntDisable the tcp_timestamps......" echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ] then echo -e "ntSetting up tcp_fin_timeout...." echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ] then echo -e "ntSetting up the tcp_keepalive_time...." echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_window_scaling ] then echo -e "ntDisabling tcp_window_scaling...." echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_sack ] then echo -e "ntDisabling tcp_sack...." echo 0 > /proc/sys/net/ipv4/tcp_sack echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/ipfrag_time ] then echo -e "ntSetting up the ipfrag_time...." 
echo 20 > /proc/sys/net/ipv4/ipfrag_time echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ] then echo -e "ntSetting up the tcp_max_syn_backlog...." echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/tcp_abort_on_overflowe ] then echo -e "nt Enabling tcp_abort_on_overflow" echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/config/all/log_martians ] then echo -e "ntLOG packets with impossible addresses to kernel log...." echo 1 > /proc/sys/net/ipv4/conf/all/log_martians echo 0 > /proc/sys/net/ipv4/conf/$LAN_IF/log_martians echo 0 > /proc/sys/net/ipv4/conf/$DMZ_IF/log_martians echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ] then echo -e "ntenable secure_redirects...." echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all #including all needed modules #depmod -a #define the load modules function mp() { /sbin/modprobe "$@" } if [ "$LOAD_MODULES" = "yes" ] then if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ] then echo -e "ntLoading iptables modules please wait...." mp ip_tables mp ipt_LOG mp ipt_owner mp ipt_MASQURADE mp ipt_REJECT mp ipt_conntrack_ftp mp ipt_conntrack_irc mp iptable_filter mp iptable_nat mp iptable_mangle mp ip_conntrack mp ipt_limit mp ipt_state mp ipt_unclean mp ipt_TCPMSS mp ipt_TOS mp ipt_TTL mp ipt_quota mp ipt_iplimit mp ipt_pkttype mp ipt_ipv4options mp ipt_MARK echo -e "tttt 33[3;032m [ OK ] 33[0mn" else echo -e "tSorry,no iptables modules found !!" 
fi fi #prepare the firewall tables for use iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP iptables -F INPUT iptables -F FORWARD iptables -F OUTPUT iptables -F -t nat iptables -F -t mangle iptables -Z iptables -X iptables -N CHECK_FLAGS iptables -F CHECK_FLAGS iptables -N tcpHandler iptables -F tcpHandler iptables -N udpHandler iptables -F udpHandler iptables -N icmpHandler iptables -F icmpHandler iptables -N DROP-AND-LOG iptables -F DROP-AND-LOG iptables -N syn-flood iptables -F syn-flood iptables -N lan-input iptables -F lan-input iptables -N dmz-input iptables -F dmz-input echo -e "tOK,the kernel is now prepared to use for building a firewall!!!" echo -e "nt starting firewall ,Waitting ........................" echo -e "ntCreating a drop and log chain....." iptables -A DROP-AND-LOG -j LOG --log-level 6 iptables -A DROP-AND-LOG -j DROP echo -e "tttt 33[3;032m [ OK ] 33[0mn" #design a chain for syn-flood protect #echo -e "t define a chain for syn-flood pretect.." #iptables -A INPUT -i ${UPLINK} -p tcp --syn -j syn-flood #iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN #iptables -A syn-flood -j DROP #echo -e "tttt 33[3;032m [ OK ] 33[0mn" #define a chain for log malformed packages if [ "$MALFORMED_PACKET_LOG" = "yes" ] then echo -e "tNow logging malformed packages" iptables -A INPUT -i ${UPLINK} -m unclean -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP malformed packet:" # iptables -A INPUT -i ${UPLINK} -m unclean -j DROP echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi # drop malformed packages iptables -A INPUT -i ${UPLINK} -m unclean -j DROP echo -e "tNow starting the check_flag rules,please wait...." echo -e "tLogging illegal TCP flags...." 
if [ " $LOG_ILLEGAL_FLAGS " = " yes " ] then iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ALL FIN :" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,FIN FIN :" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,PSH PSH:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,URG URG:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/RST SCAN" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 " --log-tcp-options 
--log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 " --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 128 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "XMAS-PSH:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "NULL_SCAN" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID SCAN:" --log-tcp-options --log-ip-options iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP else iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} 
-p tcp --tcp-option 128 -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -j DROP iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP echo -e "tttt 33[3;032m [ OK ] 33[0m" fi echo -e "tttt 33[3;032m [ OK ] 33[0m ntFinished check_flags rules...." echo -e "tNow starting the input rules,please wait......." #for i in $OPEN_TCP_QUOTA; do # printf " firewall ->port $i tcp open with quota $QUOTA..." #iptables -A INPUT -i $UPLINK -p tcp --syn -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT #iptables -A INPUT -i $UPLINK -p tcp --dport $i -j DROP #done #for i in $OPEN_UDP_QUOTA; do # echo " firewall ->port $i udp open with quota $QUOTA..." #iptables -A INPUT -i $UPLINK -p udp -m state --state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT #iptables -A INPUT -i $UPLINK -p udp --dport $i -j DROP #done #build a chain for deny ip or ip range for x in ${DENYIP} do iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j LOG --log-prefix "INVAILD:${x} TCP IN:" iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j DROP # iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j LOG --log-prefix "INVAILD:${x} SYN IN:" iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j DROP iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} -m limit --limit 6/m -j LOG --log-level 6 --log-prefix "DENYED IP ${x} IN:" iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} -j DROP done #build a chain for the tcp port or port range you want to log for x in ${TCP_PORT_LOG} do iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j LOG --log-prefix "INVALID:${x} SYN IN:" iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j DROP 
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD${x}PORT IN:" iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "PORT:${x} attempt:" --log-tcp-options --log-ip-options --log-tcp-sequence iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -j DROP done #bulid a chain for the udp port or port range you want to deny for x in ${DENYUDPPORT} do iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:" iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP done #iptables -A INPUT -i ! ${UPLINK} -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i ${LAN} -s ${MANAGE_IP} -j ACCEPT #build a chain for the tcp port or port range you want to open on this firewll for x in ${OPEN_TCP} do iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j ACCEPT iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT done #build a chain for the udp port or port range you want to open on this firewall for x in ${OPEN_UDP} do iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT done #build a chain to drop and log IGMP iptables -A INPUT -i ${UPLINK} -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP packages:" iptables -A INPUT -i ${UPLINK} -p igmp -j DROP #drop and log invalid ip range iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 169.254.0.0/16 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 192.0.2.0/24 -j DROP-AND-LOG 
iptables -A INPUT -i ${UPLINK} -p ! udp -d 224.0.0.0/4 DROP iptables -A INPUT -i ${UPLINK} -p udp -d 224.0.0.0/4 ACCEPT iptables -A INPUT -i ${UPLINK} -d 127.0.0.1 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 127.0.0.1 -j DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 0.0.0.0 DROP-AND-LOG iptables -A INPUT -i ${UPLINK} -s 255.255.255.255 -j DROP-AND-LOG #drop and log invalid manage ip in #iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANAGE_IP} -j LOG --log-level 6 --log-prefix " INVALID MANAGE_IP IN:" #iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANGLE_IP} -j DROP #build a chain for ipsec vpn iptables -A INPUT -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT iptables -A INPUT -p 50 -i ${UPLINK} -j ACCEPT iptables -A INPUT -p 51 -i ${UPLINK} -j ACCEPT iptables -A INPUT -p 47 -i ${UPLINK} -j ACCEPT iptables -A INPUT -i ${UPLINK} -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID NEW packages" iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP iptables -A INPUT -i ${UPLINK} -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:" iptables -A INPUT -i ${UPLINK} -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:" iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP echo -e "t Logging INVALID ICMP packages:" iptables -A INPUT -i ${UPLINL} -p icmp ! 
--icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:" iptables -A INPUT -i ${UPLINL} -f -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: " iptables -A INPUT -i ${UPLINL} -f -p icmp -j DROP iptables -A INPUT -p icmp --icmp-type source-quench -d $UPIP -j ACCEPT iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT iptables -A INPUT -i ${UPLINK} -p icmp -j REJECT --reject-with icmp-net-unreachable iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:" iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:" iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -i ${UPLINK} -s 0/0 -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENTS ${UPLINK}:" iptables -A INPUT -i ${UPLINK} -s 0/0 -f -j DROP iptables -A INPUT -i ${UPLINK} -j DROP echo -e "tttt 33[3;032m [ OK ] 33[0m ntThe input rules has been successful applied ,continure..." echo -e "t Now starting FORWARD rules ,please wait ....." 
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT iptables -A FORWARD --fragment -p icmp -j LOG --log-prefix "Fragmented forwarded ICMP: " iptables -A FORWARD --fragment -p icmp -j DROP iptables -A FORWARD -o ${UPLINK} -p icmp --icmp-type echo-request -s $LAN_NET -m state --state NEW -j ACCEPT iptables -A FORWARD -o ${UPLINK} -p icmp --icmp-type echo-request -s $DMZ_NET -m state --state NEW -j ACCEPT iptables -A FORWARD -o $LAN_IF -p icmp --icmp-type time-exceeded -d $LAN_NET -j ACCEPT iptables -A FORWARD -o $DMZ_IF -p icmp --icmp-type time-exceeded -d $DMZ_NET -j ACCEPT iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID forward: " iptables -A FORWARD -m state --state INVALID -j DROP iptables -A FORWARD -i lo -j ACCEPT iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 
5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: " iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:" iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: " iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections " iptables -A tcpHandler -p tcp -j DROP iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections" iptables -A udpHandler -p udp -j DROP iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections" iptables -A icmpHandler -p icmp -j DROP iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -d ${LAN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -d ${DMZ_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT #iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:" iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p tcp -j REJECT --reject-with tcp-reset iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p udp -j LOG --log-prefix 
"INVAILD UDP FORWARD FROM DMZ:" iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p udp -j DROP iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:" iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p icmp -j DROP iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -i ${DMZ_IF} --sport 53 -j ACCEPT #iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} ! --syn -i ${DMZ_IF} -j ACCEPT iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA" iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA" iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA" iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP iptables -A FORWARD -m state --state NEW,INVALID -j DROP iptables -A FORWARD -j DROP echo -e "tttt 33[3;032m [ OK ] 33[0m ntThe forward rules has been successful applied,conniture..." echo -e "tNow applying output rules,please wait ...." 
for i in ${DENY_USER} do echo -e "tNo world wide visit for user:${i} " iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:" iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP done iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: " iptables -A OUTPUT --fragment -p icmp -j DROP iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: " iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT iptables -A OUTPUT -p icmp -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -s ${DMZ_NET} -d ! 
${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -s ${DMZ_NET} -o ${DMZ_IF} -d ${LAN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -s ${DMZ_NET} -o ${DMZ_IF} -d ${LAN_NET} -m state --state NEW -j DROP iptables -A OUTPUT -s ${LAN_NET} -d ${DMZ_NET} -o ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:" iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p tcp -j REJECT --reject-with tcp-reset iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:" iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p udp -j DROP iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:" iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p icmp -j DROP iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:" iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW:" iptables -A OUTPUT -m state --state NEW,INVALID -j DROP iptables -A OUTPUT -j DROP echo -e "tttt 33[3;032m [ OK ] 33[0m nt The OUTPUT rules has been successful applied,conniture..." echo -e "t Now applying nat rules ,please wait ...." #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP if [ " $ROUTER " = " yes " ] then echo -e "t enabing ip_forward,please wait..." echo 1 >/proc/sys/net/ipv4/ip_forward echo -e "tttt 33[3;032m [ OK ] 33[0mn" if [ " $NAT " = " dynamic " ] then echo -e "tEnableing MASQUERADING (dynamic ip )..." 
echo -e "tDynamic PPP connection,Now getting the dynamic ip address" IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1` echo -e "t Now you IP ADDRESS is : ${IP_ADDR} " iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR} iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} -p tcp --dport 80 -j DNAT --to ${WEB_IP}:80 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 22 -j DNAT --to ${SSH_IP}:22 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 14867 -j DNAT --to ${TELNET_IP}:14867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 4867 -j DNAT --to ${WEBMAIL_IP}:4867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 25 -j DNAT --to ${MAIL_IP}:25 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 110 -j DNAT --to ${MAIL_IP}:110 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 53 -j DNAT --to ${DNS_IP}:53 iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport 53 -j DNAT --to ${DNS_IP}:53 if [ " $H323 " = " yes " ] then echo -e "tStartting H323 NAT setting......" for port in ${H323_PORT} do iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} done fi echo -e "t OK,NAT setting start succecc.." elif [ " $NAT " != " " ] then echo -e "tEnableing SNAT (static ip)..." 
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP} iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP} iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP} iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 22 -j DNAT --to ${SSH_IP}:22 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 14867 -j DNAT --to ${TELNET_IP}:14867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 4867 -j DNAT --to ${WEBMAIL_IP}:4867 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 25 -j DNAT --to ${MAIL_IP}:25 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 110 -j DNAT --to ${MAIL_IP}:110 iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 53 -j DNAT --to ${DNS_IP}:53 iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport 53 -j DNAT --to ${DNS_IP}:53 if [ "$H323 " = " yes " ] then echo -e "tStartting H323 NAT setting........" for port in ${H323_PORT} do iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port} done fi echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi fi if [ " $SELF_SET " = " yes " ] then echo -e "ntStarting the rules you set yourself......" 
# selfset echo -e "tttt 33[3;032m [ OK ] 33[0mn" fi echo -e "a" echo -e "tttt 33[3;032m [ OK ] 33[0mn" echo -e "tAll rules has been successful applied,enjoy it...." elif [ "$1" = "stop" ] || [ "$1" = "flush" ] || [ "$1" = "clear" ] then echo -e "tStoping Firewall...." iptables -F INPUT > /dev/null 2>&1 iptables -P INPUT ACCEPT > /dev/null 2>&1 iptables -P OUTPUT ACCEPT > /dev/null 2>&1 iptables -P FORWARD ACCEPT > /dev/null 2>&1 iptables -F FORWARD > /dev/null 2>&1 iptables -F OUTPUT > /dev/null 2>&1 iptables -t nat -F POSTROUTING > /dev/null 2>&1 iptables -F tcpHandler > /dev/null 2>&1 iptables -F udpHandler > /dev/null 2>&1 iptables -F icmpHandler > /dev/null 2>&1 iptables -F CHECK_FLAGS > /dev/null 2>&1 iptables -F DROP-AND-LOG > /dev/null 2>&1 iptables -F syn-flood > /dev/null 2>&1 iptables -F lan-input > /dev/null 2>&1 iptables -F dmz-input > /dev/null 2>&1 iptables -X tcpHandler > /dev/null 2>&1 iptables -X udpHandler > /dev/null 2>&1 iptables -X icmpHandler > /dev/null 2>&1 iptables -X CHECK_FLAGS > /dev/null 2>&1 iptables -X DROP-AND-LOG > /dev/null 2>&1 iptables -X syn-flood > /dev/null 2>&1 iptables -X lan-input > /dev/null 2>&1 iptables -X dmz-input > /dev/null 2>&1 echo -e "a" echo -e "tttt 33[3;032m [ OK ] 33[0mn" echo -e "ttThe firewall has successful shuted down,be careful !" fi ---------------------------------------------------------------------------------------- # RainLow firewall version 1.0rc1 -- 24/11/2002 # This software may be used and distributed according to #the terms of the GNU General Public License (GPL) provided #credit is given to the original author. 
# Copyright (C) 2002 rainlow
# All rights reserved
############################################################
#
# NOTE(review): the scripts on this page read each setting with an unanchored
# `grep "<name>" <this file> | cut -d = -f 2`. Any line that contains a
# setting's name in capitals is therefore picked up too, comments included,
# so keep the setting names out of the comments in this file.
#
# NOTE(review): the escape sequences in the next two lines look damaged by the
# page (backslashes missing); they are left exactly as found.
echo -e "nttt Welcome to 33[3;031m RainLow Security Group 33[0mnn"
echo -e " tttt 33[1;32m http://www.rainlow.com 33[m n"

# Interface connected to the internet; use ppp0 for an ADSL link.
UPLINK=eth2

# Fixed public address, if you have one. The addresses in this sample belong
# to the original author's site; replace them with your own.
UPIP=211.167.105.15

# Set to yes to use this firewall as a router.
ROUTER=yes

# Address translation mode: "dynamic" for ADSL, "DHCP" for a DHCP uplink. For
# DDN or any other fixed address the author says to leave it blank and set the
# fixed address above.
# NOTE(review): the script shown on this page appears to apply its static
# translation rules for any value other than "dynamic" - check how a blank
# value is handled before relying on it.
NAT=211.167.105.15

# Interfaces present on this machine.
INTERFACES=lo eth0 eth1 eth2

# Set to yes to load all kernel modules this program needs.
LOAD_MODULES=no

# Kinds of service you want to provide.
SERVICES=

# Ports/services opened to the internet with a quota limit of incoming "n"
# megabytes; once the quota is reached the rule no longer matches.
# Ex: 1Meg=1048576, 2Megs=echo $[1048576 * 2], etc...
QUOTA=2097152
OPEN_TCP_QUOTA=80 21 20 25 110
OPEN_UDP_QUOTA=

# Set to yes to log illegal tcp flag combinations.
LOG_ILLEGAL_FLAGS=yes

# Addresses to deny.
DENYIP=10.0.0.1 10.0.0.255

# udp ports to filter.
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369

# tcp ports to log when someone tries to connect to them.
TCP_PORT_LOG=135 137 138 139 443 1433 3306 8080 8000 515 513

# tcp ports to open. Only use this if the firewall host itself provides
# services - dangerous.
OPEN_TCP=

# udp ports to open. Only use this if the firewall host itself provides
# services - dangerous.
OPEN_UDP=

# Interface connected to the LAN.
LAN_IF=eth0

# The LAN network.
LAN_NET=192.168.1.0/24

# The DMZ network.
DMZ_NET=172.16.3.0/24

# The DMZ interface.
DMZ_IF=eth1

# tcp ports offered by hosts in the DMZ.
DMZ_TCP_PORT= 21 25 53 80 110

# udp ports opened for hosts in the DMZ.
DMZ_UDP_PORT=53

# Address and port of the telnet server in the DMZ.
# NOTE(review): the translation rules in the script forward this port from the
# uplink to this host. Telnet sends credentials unencrypted, so confirm the
# forward is still needed or limit which sources may reach it.
TELNET_IP=172.16.3.8
TELNET_PORT=14867

# Address and port of the ssh server in the DMZ.
SSH_IP=172.16.3.18
SSH_PORT=22

# (No description in the original.)
# NOTE(review): the translation rules in the script forward port 4867 to a
# webmail address variable; confirm that variable is filled from this setting.
WEB_M_IP=172.16.3.20
WEB_M_PORT=4867

# Address and port of the www server in the DMZ.
WEB_IP=172.16.3.8
WEB_PORT=80

# Address and ports of the ftp server in the DMZ.
FTP_IP=172.16.3.8
FTP_PORT=21
FTP_DATA=20

# Address and port of the dns server in the DMZ.
DNS_IP=172.16.3.3
DNS_PORT=53

# Address and ports of the mail server in the DMZ.
MAIL_IP=172.16.3.20
SMTP_PORT=25
POP_PORT=110

# H.323 ports to open if you use a video device in the DMZ.
H323_PORT=

# Set to yes if you use a video device in the DMZ.
H323=no

# Host in the DMZ that provides the H.323 service.
H323HOST=172.16.3.18

# Set to yes to log malformed packets.
MALFORMED_PACKET_LOG=no

# The settings below configure an ipip or GRE tunnel.

# Set to yes to build a tunnel to a remote site.
TUNNEL=yes

# Type of tunnel (gre or ipip)
TUNNEL_TYPE=gre

# Name of the tunnel
TUNNEL_NAME=netx

# Address of your External Interface (only required for gre tunnels)
LOCAL=61.129.112.46

# Address of the local system -- this is the address of one of your
# local interfaces (or for a mobile host, the address that this system has
# when attached to the local network).
#
LOCAL_LANIP=10.0.2.1

# Address of the Remote system -- this is the address of one of the
# remote systems local interfaces (or if the remote system is a mobile host,
# the address that it uses when attached to the local network).
REMOTE_LANIP=192.168.1.199

# Internet address of the Remote system
#
GATEWAY=211.167.105.15

# Remote sub-network -- if the remote system is a gateway for a
# private subnetwork that you wish to
# access, enter it here. If the remote
# system is a stand-alone/mobile host, leave this
# empty
REMOTE_SUBNET=192.168.1.0/24

# Address from which you want to manage the firewall.
MANAGE_IP=192.168.1.188

# Add your own block rules here. Every one of these settings must be filled
# in, otherwise the rule will not work at all.
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=

# Add your own icmp block rules here. Every one of these settings must be
# filled in, otherwise the rule will not work at all.
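ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
--------------------------------------------------------------------------------------------
#!/bin/sh

RCDLINKS="2,S45 3,S45 6,K45"
################################################################################
# Script to create a gre or GRE/ipip tunnel -- RainLow Firewall
#
# Modified - arlenecc
#     Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 26 89
# description: GRE/IP Tunnel
#
# Usage: <this script> {start|stop|restart}
# All tunnel settings are read from /etc/firewall/firewall.conf.
#
# gre and ipip only encapsulate traffic: they add neither encryption nor
# authentication of the remote end. Traffic that needs protection has to be
# secured separately (for example with IPsec between the two endpoints).
################################################################################

CONF_FILE=/etc/firewall/firewall.conf

# Print the value of one "name=value" setting from $CONF_FILE.
# Arguments: $1 - exact setting name
# Outputs:   the text between the first and second "=" of the last matching
#            line, with surrounding blanks removed; an empty line if absent.
# The name is compared as a whole field. A bare `grep "LOCAL"` also matches
# the LOCAL_LANIP line and hands two addresses to `ip tunnel add ... local`,
# and it matches comment lines that merely mention the name.
conf_get() {
    awk -F= -v key="$1" '
        {
            name = $1
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", name)
        }
        name == key {
            value = $2
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", value)
            found = value
        }
        END { print found }
    ' "$CONF_FILE"
}

if [ ! -r "$CONF_FILE" ]; then
    echo "Cannot read $CONF_FILE" >&2
    exit 1
fi

TUNNEL=$(conf_get TUNNEL)
TUNNEL_TYPE=$(conf_get TUNNEL_TYPE)
TUNNEL_NAME=$(conf_get TUNNEL_NAME)
LOCAL=$(conf_get LOCAL)
LOCAL_LANIP=$(conf_get LOCAL_LANIP)
REMOTE_LANIP=$(conf_get REMOTE_LANIP)
GATEWAY=$(conf_get GATEWAY)
REMOTE_SUBNET=$(conf_get REMOTE_SUBNET)

PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin

# Without a name, `ip link show` would list every interface and the stop path
# would act on whatever happens to come back, so refuse to continue.
if [ -z "$TUNNEL_NAME" ]; then
    echo "TUNNEL_NAME is not set in $CONF_FILE" >&2
    exit 1
fi

# Load the kernel module that matches TUNNEL_TYPE (ipip or gre).
load_modules() {
    case "$TUNNEL_TYPE" in
        ipip)
            echo "Loading IP-ENCAP Module"
            modprobe ipip
            ;;
        gre)
            echo "Loading GRE Module"
            modprobe ip_gre
            ;;
    esac
}

# Bring the tunnel link down and delete the tunnel, if it exists.
do_stop() {
    if [ -n "$(ip link show "$TUNNEL_NAME" 2>/dev/null)" ]; then
        echo "Stopping $TUNNEL_NAME"
        # Must be TUNNEL_NAME: a misspelt variable expands to nothing and the
        # link is never brought down before the tunnel is deleted.
        ip link set dev "$TUNNEL_NAME" down
    fi

    if [ -n "$(ip addr show "$TUNNEL_NAME" 2>/dev/null)" ]; then
        echo "Deleting $TUNNEL_NAME"
        ip tunnel del "$TUNNEL_NAME"
    fi
}

# Create the tunnel, bring it up, assign its address and add the route to the
# remote subnet. An existing tunnel of the same name is removed first.
do_start() {
    #NOTE: Comment out the next line if you have built gre/ipip into your kernel
    load_modules

    if [ -n "$(ip link show "$TUNNEL_NAME" 2>/dev/null)" ]; then
        do_stop
    fi

    echo "Adding $TUNNEL_NAME"
    case "$TUNNEL_TYPE" in
        gre)
            ip tunnel add "$TUNNEL_NAME" mode gre remote "$GATEWAY" local "$LOCAL" ttl 255
            ;;
        *)
            ip tunnel add "$TUNNEL_NAME" mode ipip remote "$GATEWAY"
            ;;
    esac

    echo "Starting $TUNNEL_NAME"
    ip link set dev "$TUNNEL_NAME" up

    case "$TUNNEL_TYPE" in
        gre)
            ip addr add "$LOCAL_LANIP" dev "$TUNNEL_NAME"
            ;;
        *)
            ip addr add "$LOCAL_LANIP" peer "$REMOTE_LANIP" dev "$TUNNEL_NAME"
            ;;
    esac

    #
    # As with all interfaces, the 2.4 kernels will add the obvious host
    # route for this point-to-point interface
    #
    if [ -n "$REMOTE_SUBNET" ]; then
        echo "Adding Routes"
        case "$TUNNEL_TYPE" in
            gre)
                ip route add "$REMOTE_SUBNET" dev "$TUNNEL_NAME"
                ;;
            ipip)
                ip route add "$REMOTE_SUBNET" via "$GATEWAY" dev "$TUNNEL_NAME" onlink
                ;;
        esac
    fi
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart)
        do_stop
        sleep 1
        do_start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac

exit 0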
发表于 2003-11-21 17:15:17 | 显示全部楼层
太复杂了,看不懂:(要有人 解说还差不多。
俺自己找了个简单的,然后自己写了个用在网吧。虽然不怎么的,也够用。
发表于 2003-11-21 17:20:26 | 显示全部楼层
是比较复杂
发表于 2003-11-21 20:06:27 | 显示全部楼层
QUOTE
太复杂了,看不懂:(要有人 解说还差不多。
俺自己找了个简单的,然后自己写了个用在网吧。虽然不怎么的,也够用。
可不可以拿出来给大家分享一下,我也是在网吧做了个coyote的软路由,正好要一些防火墙!自己不会写。。
发表于 2005-4-7 18:26:00 | 显示全部楼层
楼主转的脚本很复杂,看起来也很费劲,估计作者写起来也很费劲。
发表于 2007-12-16 14:55:30 | 显示全部楼层
:) :)
发表于 2008-1-12 15:45:43 | 显示全部楼层
内容被屏蔽了
发表于 2008-2-11 23:15:17 | 显示全部楼层
ddddddddddddddddddddddd
发表于 2008-8-18 14:02:50 | 显示全部楼层
顶。。。。。。。。。。。。。
发表于 2008-8-23 12:44:44 | 显示全部楼层
看看..!