LINUX#vi /etc/init.d/iptablesvc
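#!/bin/bash
# iptables based masquerading (PAT-style NAT) and firewalling.
# modified by atom 12/31/2003
#
# Interface roles assumed by the rule set below: eth0 = external side,
# eth1 = internal LAN (192.168.0.0/24).  Must run as root.

# Set default PATH so modprobe/iptables resolve regardless of the caller's env.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Load NAT modules (the ftp/irc helpers track the secondary data connections).
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc

# Load connection-tracking modules.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Other filter-table modules used by the rules (log, limit, state matches).
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_log
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# Kernel hardening knobs.  The posted copy had every '>' rendered as '>;',
# which is a bash syntax error; the plain redirections are restored here.
# Disable response to broadcasts (smurf-style amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed, source routed and redirect packets ("martians").
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Turn on IP forwarding: this box routes between eth1 and eth0.
echo 1 > /proc/sys/net/ipv4/ip_forward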
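start () {
  # Build the rule set from scratch.  Interface roles: eth0 = external
  # (public address 222.20.xxx.xxx, a placeholder in the original post that
  # must be replaced before use), eth1 = internal LAN 192.168.0.0/24 with the
  # forwarded services on 192.168.0.10.  All option dashes are plain ASCII;
  # the posted copy had en dashes in several lines, which iptables rejects
  # as unknown arguments.
  local ext_if=eth0
  local int_if=eth1
  local lan=192.168.0.0/24
  local srv=192.168.0.10
  local pub_ip=222.20.xxx.xxx

  # Clean old rules in both the filter and the nat table, so that running
  # "start" twice (or "restart") does not append duplicate NAT rules.
  iptables -F
  iptables -X
  iptables -Z
  iptables -t nat -F
  iptables -t nat -X

  # 1. Default policies: drop everything that is not explicitly allowed.
  #    NOTE(review): OUTPUT is DROP and only loopback is opened below, so the
  #    firewall host itself cannot originate traffic (for example the DNS
  #    queries whose replies rule 3.3 admits).  Add OUTPUT rules if the host
  #    must reach the network on its own.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # 5. Access control: internal hosts may reach 222.20.16.254 only on port 80.
  #    Placed BEFORE the blanket FORWARD accepts of section 2: appended after
  #    "-i eth1 -j ACCEPT" it was never evaluated for LAN traffic.  "DENY" is
  #    an ipchains target; the iptables equivalent is DROP, and the negation
  #    is written "! --dport 80".
  iptables -A FORWARD -o "$ext_if" -p tcp -d 222.20.16.254 ! --dport 80 -j DROP

  # 2. Allow forwarding from/to the internal interface and all
  #    ESTABLISHED/RELATED traffic.  "-o eth1 -j ACCEPT" is what lets the
  #    DNAT'ed connections of section 6 through; note it also forwards any
  #    other packet routed towards the LAN regardless of connection state.
  iptables -A FORWARD -i "$int_if" -j ACCEPT
  iptables -A FORWARD -o "$int_if" -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 3. Firewall rules for traffic addressed to the host itself.
  # 3.1 Loopback: unlimited traffic.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  # 3.2 Return traffic on unprivileged ports from the external interface.
  iptables -A INPUT -i "$ext_if" -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3.3 DNS: replies from nameservers (UDP 53).
  iptables -A INPUT -i "$ext_if" -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
  # 3.4 HTTP/HTTPS return traffic (TCP 80, 443).
  iptables -A INPUT -i "$ext_if" -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "$ext_if" -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3.5 Active-mode FTP data connections (TCP 20).
  iptables -A INPUT -i "$ext_if" -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3.6 ICMP related to existing connections.
  iptables -A INPUT -i "$ext_if" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3.7 SMTP/POP3 return traffic.  Chain names are case-sensitive; the
  #     original used "input", which iptables does not know.
  iptables -A INPUT -i "$ext_if" -p tcp -s 0/0 --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "$ext_if" -p tcp -s 0/0 --sport 110 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 4. NAT: rewrite the LAN source address to the public address.
  iptables -t nat -A POSTROUTING -s "$lan" -o "$ext_if" -j SNAT --to-source "$pub_ip"
  # Alternative: masquerade (PAT) through eth0, same effect for a static address.
  ##iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  # 6. Static port forwarding: map public ports to the internal server.
  #    PREROUTING DNAT rewrites the destination before the routing decision,
  #    so the forwarded flows traverse FORWARD (accepted by "-o eth1" above),
  #    not INPUT.  The INPUT accepts below therefore only open those ports on
  #    the firewall host itself; keep them only if it runs those services.
  ##iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.100.2:22
  # telnet (23) -> 192.168.0.10:23 (a plaintext protocol exposed on the public address).
  iptables -A INPUT -i "$ext_if" -p tcp --dport 23 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 23 -j DNAT --to-destination "$srv"
  # FTP (20,21) -> 192.168.0.10.  --dport takes one port or a range; a comma
  # list needs the multiport match.
  iptables -A INPUT -i "$ext_if" -p tcp -m multiport --dports 20,21 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -m multiport --dports 20,21 -j DNAT --to-destination "$srv"
  # www (80) -> 192.168.0.10:80
  iptables -A INPUT -i "$ext_if" -p tcp --dport 80 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 80 -j DNAT --to-destination "$srv"
  # HTTP on 8080 -> 192.168.0.10:80.  The original DNAT'ed 8080 to the server
  # without changing the port and then added a REDIRECT for the same match,
  # which could never run because the first nat rule already terminated the
  # chain; one DNAT with an explicit port does what the comment intended.
  iptables -A INPUT -i "$ext_if" -p tcp --dport 8080 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 8080 -j DNAT --to-destination "$srv":80
  # smtp (25) -> 192.168.0.10:25
  iptables -A INPUT -i "$ext_if" -p tcp --dport 25 -j ACCEPT
  iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 25 -j DNAT --to-destination "$srv"
}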
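stop() {
  # Tear the firewall down: flush and delete every chain, then set all
  # policies to ACCEPT.  After "stop" the host accepts and (ip_forward stays
  # on) forwards everything, so this state should not be left in place.
  #
  # The original called "$IPTABLES", which is never assigned anywhere in
  # this script; each line expanded to a bare "-F"/"-X" and failed with
  # "command not found".  Honour an IPTABLES override if a caller exports
  # one, otherwise use the same "iptables" on PATH that start() uses.
  local ipt=${IPTABLES:-iptables}
  "$ipt" -F
  "$ipt" -X
  "$ipt" -P INPUT ACCEPT
  "$ipt" -P FORWARD ACCEPT
  "$ipt" -P OUTPUT ACCEPT
  "$ipt" -t nat -F
  # Also drop user-defined nat chains, matching the filter-table cleanup.
  "$ipt" -t nat -X
  "$ipt" -t nat -P PREROUTING ACCEPT
  "$ipt" -t nat -P POSTROUTING ACCEPT
}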
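# Dispatch on the init action.  "restart" runs stop then start, so there is
# a short window in which every policy is ACCEPT before the new rules land.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    # Name the accepted actions and exit non-zero so init/service tooling
    # notices the bad invocation (the original printed "usage wrong!" and
    # exited 0).
    printf 'Usage: %s {start|stop|restart}\n' "${0##*/}" >&2
    exit 1
    ;;
esac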