很一个很不错的防火墙脚本 [复制链接]

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
发表于 2007-01-07 13:03 |只看该作者 |倒序浏览
#!/bin/bash
########################
#   name: firewall.sh
# author: folkert
#   date: dec2k3
#######################################
#
# sets up the netfilter facility for use with the hotspot authorization
# scheme and offers a frontend for other scripts to authorize/deauthorize
# access for hosts with a given IP/MAC combination.
#
###############################################################################

# Deployment constants for this hotspot unit; adjust to match the hardware.
IPTABLES="/share/hotspot/sbin/iptables"   # netfilter userspace tool used below

# Client side: the wireless interface, the unit's own address on it and the
# subnet the clients live in (matched with -s on FORWARD).
WIFI_DEV="wlan0"
WIFI_SELF="10.11.12.13"
WIFI_NET="10.11.12.0/24"

# Uplink side: the wired interface and the unit's address on it (used as the
# SNAT source).  INET_NET is declared for completeness; nothing in this
# script reads it.
INET_DEV="eth0"
INET_SELF="172.23.5.12"
INET_NET="172.23.5.0/27"

# Upstream DNS servers that wireless clients are allowed to reach directly.
NS1="213.148.129.10"
NS2="213.148.130.10"

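#######################################
# Print the command synopsis and exit non-zero.
# Globals:   $0 (read) - the script name as invoked
# Outputs:   synopsis on stderr (it is a diagnostic, not data; the original
#            wrote it to stdout where callers capturing output would see it)
# Returns:   exits 1
#######################################
usage()
{
  local cmd
  echo "usage:" >&2
  for cmd in reset show "show auth" "addClient IP MAC" "delClient IP MAC" \
             "addServer IP" "delServer IP"; do
    # printf rather than echo: $0 is not ours to trust for echo's option parsing
    printf '%s %s\n' "$0" "$cmd" >&2
  done
  exit 1
}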
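#######################################
# Report a failed iptables invocation and exit with its status.
# Arguments: $1 - exit status of the failed iptables command (callers pass $?)
# Outputs:   message on stderr
# Returns:   exits with $1, or 1 when $1 is missing/empty (a bare `exit ""`
#            would otherwise fail with "numeric argument required")
#######################################
fferror()
{
  local rc=${1:-1}
  echo "^_^'" >&2
  printf 'error setting netfilter: %s\n' "$rc" >&2
  exit "$rc"
}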
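###############################################################################
# Argument validation.  The IP/MAC arguments end up on the iptables command
# line, so every expansion below is quoted (an unquoted $2 containing
# whitespace would be split into additional iptables arguments) and the values
# are shape-checked first.  Only dotted-quad IPv4 (optionally with /prefix) and
# colon-separated MACs are accepted; hostnames are rejected on purpose, which
# is what the usage text ("IP", "MAC") documents.
###############################################################################

#######################################
# Test whether $1 is an IPv4 address in dotted-quad form, optionally followed
# by a CIDR prefix (a.b.c.d or a.b.c.d/n).
# Arguments: $1 - candidate address
# Returns:   0 if well-formed, 1 otherwise
#######################################
_valid_ipv4()
{
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  [[ "$1" =~ $re ]] || return 1
  local addr=${1%%/*} prefix=${1#*/} octet a b c d
  IFS=. read -r a b c d <<<"$addr"
  for octet in "$a" "$b" "$c" "$d"; do
    # 10# forces base ten so an octet like "08" is not read as a bad octal
    (( 10#$octet <= 255 )) || return 1
  done
  # ${1#*/} leaves $1 unchanged when there is no prefix at all
  if [ "$prefix" != "$1" ]; then
    (( 10#$prefix <= 32 )) || return 1
  fi
  return 0
}

#######################################
# Test whether $1 is a MAC address of the form xx:xx:xx:xx:xx:xx (hex digits,
# either case), the shape the mac match's --mac-source takes.
# Arguments: $1 - candidate address
# Returns:   0 if well-formed, 1 otherwise
#######################################
_valid_mac()
{
  local re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
  [[ "$1" =~ $re ]]
}

#######################################
# Reject an argument that failed validation: name it on stderr, then fall
# through to usage (which exits 1).
# Arguments: $1 - what was expected ("IP" or "MAC"), $2 - the offending value
#######################################
_bad_arg()
{
  printf 'invalid %s: %s\n' "$1" "$2" >&2
  usage
}

###############################################################################
# Command dispatch on $1.  Note that iptables failures inside `reset` are not
# checked (unlike the add*/del* branches, which stop at the first failure via
# fferror).
###############################################################################
case "$1" in
reset)
  # Set the default filter policies to DROP *first*, so the unit stays closed
  # for the whole rebuild -- including the window between flushing and the
  # rules being re-added.  (-F/-X/-Z below do not touch built-in policies.)
  for CHAIN in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -t filter -P "$CHAIN" DROP
  done

  #flush rules (F), delete user chains (X) and zero counters (Z) in all tables
  for TABLE in filter nat mangle; do
    for SWITCH in F X Z; do
      "$IPTABLES" -t "$TABLE" "-$SWITCH"
    done
  done

  #create filter chain for accepting authenticated clients
  "$IPTABLES" -t filter -N FCLIENT
  #create filter chain for accepting allowed destination websites
  "$IPTABLES" -t filter -N FSERVER
  #create nat chain for not rerouting authenticated clients
  "$IPTABLES" -t nat -N DCLIENT
  #create nat chain for not rerouting allowed servers
  "$IPTABLES" -t nat -N DSERVER
  #create nat chain for routing from authenticated clients
  "$IPTABLES" -t nat -N SCLIENT
  #create nat chain for routing to allowed servers
  "$IPTABLES" -t nat -N SSERVER

  #allow all local traffic
  # NOTE(review): on Linux the loopback interface is "lo"; "lo0" is the BSD
  # name.  Kept as written -- confirm the interface name on this unit, since
  # with a non-matching -i/-o the loopback traffic would fall through to the
  # trailing REJECT rules.
  "$IPTABLES" -t filter -A  INPUT -i lo0 -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o lo0 -j ACCEPT

  #allow all icmp traffic selfwifi
  "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p icmp -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p icmp -j ACCEPT
  #allow dhcp traffic selfwifi (requests arrive from 0.0.0.0 to the broadcast address)
  "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 67:68 -j ACCEPT
  #allow all web traffic selfwifi (the captive portal itself)
  for PORT in 80 443; do
    "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p tcp --dport "$PORT" -j ACCEPT
    "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p tcp --sport "$PORT" -j ACCEPT
  done

### ENABLE IF USING OWN DNS FSERVER ###
#
#  #allow dns traffic selfwifi
#  "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p udp --dport 53 -j ACCEPT
#  "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
#  #allow dns traffic selfdns
#  for NS in "$NS1" "$NS2"; do
#    "$IPTABLES" -t filter -A OUTPUT -o "$INET_DEV" -s "$INET_SELF" -d "$NS" -p udp --dport 53 -j ACCEPT
#    "$IPTABLES" -t filter -A  INPUT -i "$INET_DEV" -s "$NS" -d "$INET_SELF" -p udp --sport 53 -j ACCEPT
#  done
#
### /ENABLE ###########################

### DISABLE IF USING OWN DNS FSERVER ###
#
  # Unauthenticated clients may resolve names via the two upstream resolvers
  # only; everything else from WIFI_NET is handled by the FORWARD rules below.
  for NS in "$NS1" "$NS2"; do
    #allow wifi->dns
    "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -d "$NS" -p udp --dport 53 -j ACCEPT
    "$IPTABLES" -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -s "$NS" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
    #enable source network address translation for dns
    "$IPTABLES" -t nat -A POSTROUTING -s "$WIFI_NET" -p udp --dport 53 -d "$NS" -o "$INET_DEV" -j SNAT --to "$INET_SELF"
  done
#
### /DISABLE ##########################

### DISABLE THE FOLLOWING BEFORE DEPLOYING THE UNIT IN THE FIELD ###
#
  #allow all telnet and smb traffic to/from self
  # NOTE: no -i/-s restriction, so these ports are reachable from the wifi
  # side as well -- hence the banner above.
  for PORT in 23 139; do
    "$IPTABLES" -t filter -A  INPUT -p tcp --dport "$PORT" -j ACCEPT
    "$IPTABLES" -t filter -A OUTPUT -p tcp --sport "$PORT" -j ACCEPT
  done
#
### /DISABLE #######################################################

  #check for wifi->allowed servers
  "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FSERVER
  #check for allowed clients -> inet
  "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FCLIENT
  #reject all other clients
  "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j REJECT --reject-with icmp-net-prohibited
  #allow established connections wifiinet (replies only; ESTABLISHED, not RELATED)
  "$IPTABLES" -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -d "$WIFI_NET" -m state --state ESTABLISHED -j ACCEPT

  # `-d ! net` is the legacy inverted-match spelling; newer iptables builds
  # want `! -d net`.  Kept for the iptables this unit ships with.
  #snat traffic from authenticated clients
  "$IPTABLES" -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SCLIENT
  #snat traffic to allowed servers
  "$IPTABLES" -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SSERVER

  #do not dnat traffic from authenticated clients
  "$IPTABLES" -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DCLIENT
  #do not dnat web traffic allowed servers
  "$IPTABLES" -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DSERVER
  #enable dnat to self for all web traffic (captive-portal redirect)
  for PORT in 80 443; do
    "$IPTABLES" -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -p tcp --dport "$PORT" -j DNAT --to "$WIFI_SELF"
  done

### DISABLE THE FOLLOWING BEFORE DEPLOYING THE UNIT IN THE FIELD ###
#
  #log all other packets
  #"$IPTABLES" -t filter -A INPUT -j LOG --log-level warning   --log-prefix "  >>INPUT> "
  #"$IPTABLES" -t filter -A FORWARD -j LOG --log-level warning --log-prefix ">>FORWARD>> "
#
### /DISABLE #######################################################

  #add default REJECT rule (just more polite than DROP)
  for CHAIN in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -t filter -A "$CHAIN" -j REJECT
  done
  ;;

addClient)
  [ -n "$2" ] || usage
  [ -n "$3" ] || usage
  _valid_ipv4 "$2" || _bad_arg IP "$2"
  _valid_mac "$3" || _bad_arg MAC "$3"
  # Three rules per client and no rollback: if the second or third insert
  # fails, the earlier rule(s) stay in place until delClient is run.
  "$IPTABLES" -t filter -A FCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A DCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A SCLIENT -s "$2" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "added Client: IP $2 MAC $3"
  ;;

delClient)
  [ -n "$2" ] || usage
  [ -n "$3" ] || usage
  _valid_ipv4 "$2" || _bad_arg IP "$2"
  _valid_mac "$3" || _bad_arg MAC "$3"
  # Same rules as addClient, deleted by exact match (-D).
  "$IPTABLES" -t filter -D FCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D DCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D SCLIENT -s "$2" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "removed Client: IP $2 MAC $3"
  ;;

addServer)
  [ -n "$2" ] || usage
  _valid_ipv4 "$2" || _bad_arg IP "$2"
  # Servers are whitelisted for the whole wifi subnet, authenticated or not.
  "$IPTABLES" -t filter -A FSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A DSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A SSERVER -s "$WIFI_NET" -d "$2" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "added Server: IP $2"
  ;;

delServer)
  [ -n "$2" ] || usage
  _valid_ipv4 "$2" || _bad_arg IP "$2"
  "$IPTABLES" -t filter -D FSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D DSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D SSERVER -s "$WIFI_NET" -d "$2" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "removed Server: IP $2"
  ;;

show)
  # Optional $2 selects one table (mangle/nat/filter) or the auth chains;
  # anything else dumps all three tables.
  case "$2" in
   mangle)
    echo "___mangle_______________________________________"
    "$IPTABLES" -t mangle --list -n
    echo; echo
    ;;
   nat)
    echo "___nat__________________________________________"
    "$IPTABLES" -t nat --list -n
    echo; echo
    ;;
   filter)
    echo "___filter_______________________________________"
    "$IPTABLES" -t filter --list -n
    echo; echo
    ;;
   auth)
    echo "___clients______________________________________"
    "$IPTABLES" -t filter --list FCLIENT -n
    "$IPTABLES" -t nat --list DCLIENT -n
    "$IPTABLES" -t nat --list SCLIENT -n
    echo "___servers______________________________________"
    "$IPTABLES" -t filter --list FSERVER -n
    "$IPTABLES" -t nat --list DSERVER -n
    "$IPTABLES" -t nat --list SSERVER -n
    ;;
   *)
    echo "___mangle_______________________________________"
    "$IPTABLES" -t mangle --list -n
    echo; echo
    echo "___nat__________________________________________"
    "$IPTABLES" -t nat --list -n
    echo; echo
    echo "___filter_______________________________________"
    "$IPTABLES" -t filter --list -n
    echo; echo
    ;;
  esac
  ;;

*)
  usage
  ;;
esac
exit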



本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/5591/showart_227690.html