某个网站的防火墙设置，嘿嘿

DreamCat · 发表于 2005-4-8 15:44:48

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？注册

×

QUOTE
/sbin/iptables -F/sbin/iptables -X/sbin/iptables -P INPUT DROP/sbin/iptables -P FORWARD DROP/sbin/iptables -P OUTPUT ACCEPT# IP blocker/sbin/iptables -N ipblock/sbin/iptables -A INPUT -i ppp0 -j ipblock/sbin/iptables -A INPUT -i ippp0 -j ipblockif [ "$RED_DEV" != "" ]; then/sbin/iptables -A INPUT -i $RED_DEV -j ipblockfi/sbin/iptables -A FORWARD -i ppp0 -j ipblock/sbin/iptables -A FORWARD -i ippp0 -j ipblockif [ "$RED_DEV" != "" ]; then/sbin/iptables -A FORWARD -i $RED_DEV -j ipblockfi# For IGMP and multicast/sbin/iptables -N advnet/sbin/iptables -A INPUT -i ppp0 -j advnet/sbin/iptables -A INPUT -i ippp0 -j advnetif [ "$RED_DEV" != "" ]; then/sbin/iptables -A INPUT -i $RED_DEV -j advnetfi# Spoof protection for RED (rp_filter does not work with FreeS/WAN)/sbin/iptables -N spoof/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROPif [ "$ORANGE_DEV" != "" ]; then/sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROPfi/sbin/iptables -A INPUT -i ppp0 -j spoof/sbin/iptables -A INPUT -i ippp0 -j spoofif [ "$RED_DEV" != "" ]; then/sbin/iptables -A INPUT -i $RED_DEV -j spooffi# localhost and ethernet./sbin/iptables -A INPUT -i lo -j ACCEPT/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT# IPSEC/sbin/iptables -N secin/sbin/iptables -A secin -i ipsec0 -j ACCEPT/sbin/iptables -A INPUT -j secin/sbin/iptables -N secout/sbin/iptables -A secout -i ipsec0 -j ACCEPT/sbin/iptables -A FORWARD -j secout/sbin/iptables -N block# Let em through./sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT/sbin/iptables -A block -i $GREEN_DEV -j ACCEPT/sbin/iptables -N xtaccess/sbin/iptables -A block -j xtaccess# IPSEC/sbin/iptables -N ipsec/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT/sbin/iptables -A ipsec -p 47 -j ACCEPT/sbin/iptables -A ipsec -p 50 -j ACCEPT/sbin/iptables -A block -i ppp0 -j ipsec/sbin/iptables -A block -i ippp0 -j ipsecif [ "$RED_DEV" != "" ]; then/sbin/iptables -A block -i $RED_DEV -j ipsecfi# last rule in INPUT chain is for logging./sbin/iptables -A INPUT -j LOG/sbin/iptables -A INPUT -j REJECT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ppp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state NEW -o ppp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ippp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -j ACCEPT/sbin/iptables -A FORWARD -m state --state NEW -o ippp0 -j ACCEPTif [ "$RED_DEV" != "" ]; then/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o $RED_DEV -j ACCEPT/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -j ACCEPT/sbin/iptables -A FORWARD -m state --state NEW -o $RED_DEV -j ACCEPTfi# Port forwarding/sbin/iptables -N portfwf/sbin/iptables -A FORWARD -j portfwf/sbin/iptables -N dmzholes# Allow GREEN to talk to ORANGE.if [ "$ORANGE_DEV" != "" ]; then/sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \--state ESTABLISHED,RELATED -j ACCEPT/sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \--state NEW,ESTABLISHED,RELATED -j ACCEPT# dmz pinhole chain. setdmzholes setuid prog adds rules here to allow# ORANGE to talk to GREEN./sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholesfi# VPN/sbin/iptables -A FORWARD -i $GREEN_DEV -o ipsec0 -j ACCEPT/sbin/iptables -A FORWARD -i ipsec0 -o $GREEN_DEV -j ACCEPT/sbin/iptables -A FORWARD -j LOG/sbin/iptables -A FORWARD -j REJECT# NAT table/sbin/iptables -t nat -F/sbin/iptables -t nat -X# squid/sbin/iptables -t nat -N squid/sbin/iptables -t nat -N jmpsquid/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN/sbin/iptables -t nat -A jmpsquid -j squid/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid# Masqurade/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADEif [ "$RED_DEV" != "" ]; then/sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADEfi# Port forwarding/sbin/iptables -t nat -N portfw/sbin/iptables -t nat -A PREROUTING -j portfw

fuleru · 发表于 2005-4-10 01:37:11

ippp0是什么东东？脚本里面看不了，也没有见过。。

DreamCat · 发表于 2005-4-11 22:48:04

QUOTE (fuleru @ Apr 10 2005, 01:37 AM)
ippp0是什么东东？脚本里面看不了，也没有见过。。
不是 ippp0 是 ppp0。

gsling2003 · 发表于 2005-4-27 09:30:00

哈啤猫，你转的这个脚本小弟有些地方不懂啊，给加人注释啥的吧！

DreamCat · 发表于 2005-4-27 09:41:19

你先看看 IPTABLES的资料，然后再看这个哦。此外少了些东西。。。。能理解结构就可以了，只是个参考。太长了，我就转了防火墙这部分，这个站点用SQUID做的反向代理。

zhangweizj · 发表于 2006-1-15 11:43:16

呵呵,希望把整个防火墙都发出来看看,用文件传上来

火凌幻影 · 发表于 2006-7-29 18:02:33

对强烈建议!!!.....

火凌幻影 · 发表于 2006-7-29 18:03:14

ppp0 应该是自定义的接口名称吧

superg · 发表于 2006-8-10 15:03:07

$RED_DEV $ORANGE_DEV $GREEN_DEV

这几个变量的值是什么?

superg · 发表于 2006-8-10 15:04:58

才发现这是个老贴....

qd_router · 发表于 2006-8-21 19:20:06

呵呵~ 喜欢老贴。

george_young · 发表于 2006-9-12 14:27:12

linux下IPTABALES的
ROS不合适用的

账号		自动登录	找回密码
密码			注册