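# Firewall rule build-out (IPCop/Smoothwall-style rc.firewall fragment).
#
# Rebuilds the filter and nat tables from scratch: every chain is flushed and
# deleted, default policies become DROP for INPUT/FORWARD and ACCEPT for OUTPUT,
# then the per-zone chains are created and attached.
#
# Variables expected from the caller (sourced from the box's network settings
# before this fragment runs; not visible here):
#   GREEN_DEV, GREEN_NETADDRESS, GREEN_NETMASK    - trusted LAN (required)
#   ORANGE_DEV, ORANGE_NETADDRESS, ORANGE_NETMASK - DMZ (optional; empty = no DMZ)
#   RED_DEV                                       - ethernet RED interface (optional);
#                                                   ppp0 and ippp0 are always RED
#
# Several chains are deliberately created empty (ipblock, advnet, xtaccess,
# squid, portfw, portfwf, dmzholes): they are hook points that other tools
# populate at run time. Because this fragment starts with -F/-X, re-running it
# discards whatever those tools had added.
#
# The idiom ${RED_DEV:+"$RED_DEV"} expands to no word at all when RED_DEV is
# empty or unset, which reproduces the original `if [ "$RED_DEV" != "" ]` guards
# while keeping the interface name a single quoted word.

IPT=/sbin/iptables
readonly IPT

# --- filter table -----------------------------------------------------------
"$IPT" -F
"$IPT" -X
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT        # traffic originating on the box itself is unrestricted

# IP blocker: hook chain, consulted first for everything arriving on RED.
"$IPT" -N ipblock
for red in ppp0 ippp0 ${RED_DEV:+"$RED_DEV"}; do
  "$IPT" -A INPUT -i "$red" -j ipblock
  "$IPT" -A FORWARD -i "$red" -j ipblock
done

# For IGMP and multicast: hook chain, RED input only.
"$IPT" -N advnet
for red in ppp0 ippp0 ${RED_DEV:+"$RED_DEV"}; do
  "$IPT" -A INPUT -i "$red" -j advnet
done

# Spoof protection for RED (rp_filter does not work with FreeS/WAN):
# drop anything arriving on RED that claims a GREEN or ORANGE source address.
# Only attached to INPUT here; forwarded traffic from RED is limited below to
# ESTABLISHED,RELATED, so this chain is not re-used for FORWARD.
"$IPT" -N spoof
"$IPT" -A spoof -s "$GREEN_NETADDRESS/$GREEN_NETMASK" -j DROP
if [ -n "$ORANGE_DEV" ]; then
  "$IPT" -A spoof -s "$ORANGE_NETADDRESS/$ORANGE_NETMASK" -j DROP
fi
for red in ppp0 ippp0 ${RED_DEV:+"$RED_DEV"}; do
  "$IPT" -A INPUT -i "$red" -j spoof
done

# localhost and the trusted LAN may always reach the box.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -i "$GREEN_DEV" -j ACCEPT

# IPSEC: decrypted traffic arriving on ipsec0 is accepted, both to the box
# (secin) and through it (secout).
"$IPT" -N secin
"$IPT" -A secin -i ipsec0 -j ACCEPT
"$IPT" -A INPUT -j secin
"$IPT" -N secout
"$IPT" -A secout -i ipsec0 -j ACCEPT
"$IPT" -A FORWARD -j secout

# "block" collects the access rules for the box itself: replies to existing
# connections, anything from GREEN, then the external-access hook chain
# (xtaccess) and the IPsec protocol rules.
# NOTE(review): in this listing no rule jumps into block (no `-A INPUT -j block`
# before the LOG rule), so xtaccess and ipsec rules are never evaluated and all
# unsolicited RED input is rejected. Verify against the full script whether that
# jump was lost in the paste before relying on xtaccess entries.
"$IPT" -N block
# Let em through.
"$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A block -i "$GREEN_DEV" -j ACCEPT
"$IPT" -N xtaccess
"$IPT" -A block -j xtaccess

# IPSEC: IKE (udp/500), GRE (47) and ESP (50) from any RED peer. Nothing here
# restricts the peer address; the key exchange itself is the authentication.
"$IPT" -N ipsec
"$IPT" -A ipsec -p udp --destination-port 500 -j ACCEPT
"$IPT" -A ipsec -p 47 -j ACCEPT
"$IPT" -A ipsec -p 50 -j ACCEPT
for red in ppp0 ippp0 ${RED_DEV:+"$RED_DEV"}; do
  "$IPT" -A block -i "$red" -j ipsec
done

# last rule in INPUT chain is for logging.
# NOTE(review): LOG is unrated, so a scan or flood against the box fills the
# syslog at line rate; the original had no `-m limit`, so none is added here.
"$IPT" -A INPUT -j LOG
"$IPT" -A INPUT -j REJECT

# Routed traffic: new connections may leave towards RED; only replies come
# back in from RED.
for red in ppp0 ippp0 ${RED_DEV:+"$RED_DEV"}; do
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -o "$red" -j ACCEPT
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -i "$red" -j ACCEPT
  "$IPT" -A FORWARD -m state --state NEW -o "$red" -j ACCEPT
done

# Port forwarding: filter-side hook chain (its nat twin is portfw below).
"$IPT" -N portfwf
"$IPT" -A FORWARD -j portfwf

"$IPT" -N dmzholes
# Allow GREEN to talk to ORANGE.
if [ -n "$ORANGE_DEV" ]; then
  "$IPT" -A FORWARD -i "$ORANGE_DEV" -o "$GREEN_DEV" -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -i "$GREEN_DEV" -o "$ORANGE_DEV" -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
  # ORANGE to talk to GREEN.
  "$IPT" -A FORWARD -i "$ORANGE_DEV" -o "$GREEN_DEV" -j dmzholes
fi

# VPN: GREEN and the IPsec tunnel may route to each other freely.
"$IPT" -A FORWARD -i "$GREEN_DEV" -o ipsec0 -j ACCEPT
"$IPT" -A FORWARD -i ipsec0 -o "$GREEN_DEV" -j ACCEPT

# Everything else that would be routed is logged (unrated, see INPUT above)
# and rejected.
"$IPT" -A FORWARD -j LOG
"$IPT" -A FORWARD -j REJECT

# --- nat table --------------------------------------------------------------
"$IPT" -t nat -F
"$IPT" -t nat -X

# squid: GREEN traffic is handed to the squid hook chain unless it is bound for
# a private (RFC 1918) or link-local destination, which bypasses the proxy.
"$IPT" -t nat -N squid
"$IPT" -t nat -N jmpsquid
"$IPT" -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
"$IPT" -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
"$IPT" -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
"$IPT" -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
"$IPT" -t nat -A jmpsquid -j squid
"$IPT" -t nat -A PREROUTING -i "$GREEN_DEV" -j jmpsquid

# Masquerade everything leaving on a RED interface.
for red in ppp0 ippp0 ${RED_DEV:+"$RED_DEV"}; do
  "$IPT" -t nat -A POSTROUTING -o "$red" -j MASQUERADE
done

# Port forwarding: nat-side hook chain.
"$IPT" -t nat -N portfw
"$IPT" -t nat -A PREROUTING -j portfw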