- 论坛徽章:
- 0
|
file:///C:/DOCUME%7E1/ADMINI%7E1/LOCALS%7E1/Temp/moz-screenshot.jpg
DMZ部分尚不完善,其中难免有疏漏,希望大家跟我一块改进,使他功能越来越强大,使用时请将firewall-dev copy
到/etc/rc.d/init.d将 firewall.conf copy
/etc/下,你只需修改firewall.conf文件就可以了。可以用firewall-dev
start|stop起动和关闭防火墙,功能增加中,如你有任何改动请发一份给我,
arlenecc@263.net
本着GPL的原则希望有志之士跟我一块完善它,如有改动请通知我!!!!
firewall-dev
#!/bin/bash
# This is a firewall script with the function of stateful and
# ip filter, (这是一个防火墙脚本的功能状态和ip过滤)
# you can change it to meet you need, (你可以修改它满足你的需要)
# in a words:(在这里文件中)
# uplink means the output interface ,(uplink是指输出的接口)
# router means if you neet it to be a router or not,(需要或者不需要路由功能)
# nat means if you are useing a dynamic ip address if you do , (如果你使用动态IP那么你可以使用nat)
# then you can change it to "dynamic",(然后你可以改动这个动态接口)
# interfaces means all the interface in you server ,services means all the services
# you server providing ,(接口是指你服务器所提供服务的接口)
# enjoy it !!! ----- write by arlenecc script Translation :YDY
##############################################################################
# #
# Copyright (c) 2002 arlenecc
arlenecc@netease.com
#
# All rights reserved #
# #
##############################################################################
#
# now begins the firewall
UPLINK=`less /root/firewall.conf | grep "UPLINK" | cut -d = -f 2 `
UPIP=`less /root/firewall.conf | grep "UPIP" | cut -d = -f 2`
ROUTER=`less /root/firewall.conf | grep "ROUTER" | cut -d = -f 2`
NAT=`less /root/firewall.conf | grep "NAT" | cut -d = -f 2`
INTERFACES=`less /root/firewall.conf | grep "INTERFACES" | cut -d = -f 2`
SERVICES=`less /root/firewall.conf | grep "SERVICES" | cut -d = -f 2`
DENYPORTS=`less /root/firewall.conf | grep "DENYPORTS" | cut -d = -f 2`
DENYUDPPORT=`less /root/firewall.conf | grep "DENYUDPPORT" | cut -d = -f 2`
LAN_IF=`less /root/firewall.conf | grep "LAN_IF" | cut -d = -f 2`
LAN_NET=`less /root/firewall.conf | grep "LAN_NET" | cut -d = -f 2`
DMZ_NET=`less /root/firewall.conf | grep "DMZ_NET" | cut -d = -f 2`
DMZ_IF=`less /root/firewall.conf | grep "DMZ_IF" | cut -d = -f 2`
DMZ_TCP_PORT=`less /root/firewall.conf | grep "DMZ_TCP_PORT" | cut -d = -f 2`
DMZ_UDP_PORT=`less /root/firewall.conf | grep "DMZ_UDP_PORT" | cut -d = -f 2`
WEB_IP=`less /root/firewall.conf | grep "WEB_IP" | cut -d = -f 2`
FTP_IP=`less /root/firewall.conf | grep "FTP_IP" | cut -d = -f 2`
H323_PORT=`less /root/firewall.conf | grep "H323_PORT" | cut -d = -f 2`
H323=`less /root/firewall.conf | grep "H323" | cut -d = -f 2`
#上边的这些语句:
#前边的如 UPLINK 等等 这些都是 定义的变量将要赋的值是 后边语句的结果,这里``这样表示 #是先执行的意思less 查看,/root/firewall.conf文件中的 查找对应的UPLINK等于前边对应的
#字段grep来查找对应的,然后cut -d 是区域分隔符,这里以=为分割,显示第2个区域 -f 2
if [ "$1" = "start" ] #if 判断语句,这里$1指的是我们命令的第一个参数,如果是START的时候,
then
echo "Starting firewall......" #echo输出"starting firewall....."提示正在驱动防火墙。
echo "NOW prepareing kernel for use,please wait....." #echo 出提示,正在启动你准备试用的ketnel程序,
fi
# if [ -e /proc/sys/net/ipv4/ip_forward ] #if判断语句,这里用TEST测试参数-e 来测试 /proc/sys/net/ipv4/ip_forward是否
# #是文件,如果是则echo 参数 1 写入到该文件中,这个IP_FPRWARD文件被写入1以后会
# then #执行转发功能,做路由或者NAT的时候要打开这里。
# echo 1 >/proc/sys/net/ipv4/ip_forward
# fi
if [ "$NAT" = " dynamic " ] #if判断,如果上边定义的NAT等于动态地址那么就要echo写入数据1到下边这个文件开启
then
echo "Enable dynamic ip support...." #这个动态的服务,1是开启 0是关闭。
echo 1 >/proc/sys/net/ipv4/ip_dynaddr
echo " OK !!!!" #echo 提示,OK表示成功。
fi
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] #if 判断
这个目录下的文件,是否存在,如果存在,执行echo 写入
数据开启
#SYNCOOKIES过滤功能,防止SYN-FLOOD DDOS的攻击。
then
echo "Enable the syn cook flood protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ] #if判断是否在这个文件目录下有这个文件,如果有写入数值,降低链接时间。
then #ip_conntrack_max:Linux NAT 的
ip_conntrack 模組會記錄 tcp
通訊協定的 #established
connection 記錄, 而且預設 timeout 時間長達五天 (432,000 秒),
echo "Setting the maximum number of connections to track.... "
echo "4096" >/proc/sys/net/ipv4/ip_conntrack_max
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
#ip_local_port_range”参数
ip_local_port_range”文件中有两个参数分别定义
#了用作TCP和UDP本地端口的端口范围。第一个参数是第一个端口号。第二个参数
#是最后一个本地端口号。对于使用率很高的系统,可以修改为:32768到61000。
then
echo " Setting local port range for TCP/UDP connection...."
echo -e "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] #禁止广播和ping入
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
then
echo "Enable bad error message protection......."
echo 1 >/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses #这里只是定义错误的PING包
echo " OK !!!! "
fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
#Debian的ENC增强位,Debian默认设置/proc/sys/net/ipv4/tcp_ecn=1,这样在TCP握手时发的
#syn包ecn置位,对于一些严格的防火墙来说这不是syn包,所以拒绝和你建立连接。只需置零
#就可以了:
then
echo "Disabling tcp_ecn,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_ecn
echo " OK !!!! "
fi
for x in ${INTERFACES}
do #for语句,判断循环,这里的interfaces是在上边定义出来的,X在这些值里边,至于这个
#rp_filter是防止IP 欺骗。就是我上边定义的网卡接口全部启用防止IP欺骗。
echo " Enabling rp_filter on ${x} ,please wait...."
echo 1 >/proc/sys/net/ipv4/conf/${x}/rp_filter
echo " ${x} OK !!!! "
done
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
echo "Disabing ICMP redirects,please wait...."
echo 0 >; /proc/sys/net/ipv4/conf/all/accept_redirects
echo " OK !!!! "
fi
#/proc/sys/net/ipv4/conf/*/accept_redirects
#如果主机所在的网段中有两个路由器,你将其中一个设置成了缺省网关,但是该网关
#在收到你的ip包时发现该ip包必须经过另外一个路由器,这时这个路由器就会给你
#发一个所谓的“重定向”icmp包,告诉将ip包转发到另外一个路由器。参数值为布尔
#值,1表示接收这类重定向icmp 信息,0表示忽略。在充当路由器的linux主机上缺
#省值为0,在一般的linux主机上缺省值为1。建议将其改为0以消除安全性隐患。
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
then
echo "Disabling source routing of packets,please wait...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 >; $i
echo " $i OK !!!! "
done
fi
#/proc/sys/net/ipv4/*/accept_source_route
#是否接受含有源路由信息的ip包。参数值为布尔值,1表示接受,0表示不接受。在
#充当网关的linux主机上缺省值为1,在一般的linux主机上缺省值为0。从安全性角
#度出发,建议关闭该功能。
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo "Ignore any broadcast icmp echo requests......"
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " OK !!!! "
fi
# if [ -e /proc/sys/net/ipv4/config/all/log_martians ]
#
# then
# echo "LOG packets with impossible addresses to kernel log...."
# echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
# echo " OK !!!! "
# fi
#如果您想要看看封包是否真的會被丟棄﹐那可以透過同一目錄的log_martians 檔案﹐告訴核心將之記錄到syslog 上面去
#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all #该文件表示内核是否忽略所有的ICMP ECHO请求
#modprobe ip_tables
depmod -a
#加载模块
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT #拒绝和清空3条链默认规则
iptables -F -t nat
iptables -F -t mangle
iptables -Z #计数器清零
iptables -X #清除自建链规则
iptables -N CHECK_FLAGS #新建 链 check-flags
iptables -F CHECK_FLAGS # 清自建链规则。
iptables -N tcpHandler #新建tcpHandler 链
iptables -F tcpHandler #同上 -F
iptables -N udpHandler #新建
iptables -F udpHandler #同上-F
iptables -N icmpHandler
iptables -F icmpHandler
iptables -N DROP-AND-LOG
iptables -F DROP-AND-LOG
echo "OK,the kernel is now prepared to use for building a firewall!!!"
echo "Waitting ........................"
echo "Creating a drop chain....." #创建拒绝链。
iptables -A DROP-AND-LOG -j LOG --log-level 5
#日志对应等级:
0:系统瘫痪 emerg 或者 panic
1:必须要修复的错误 alert
2:临界点,必须处理 crit
3: 错误信息 error或err
4: 警告信息 waring 或 warn
5:一般的需要留意的信息 notice
6: 提示一些数据信息 info
7:特殊等级,debug消息
iptables -A DROP-AND-LOG -j DROP #新建立的DROP-AND-LOG 链的默认策略是拒绝 DROP
echo " OK !!!!"
echo "Now starting the check_flag rules,please wait...."
TCP 6个FLAG 位:
URG 紧急指针
PSH 这个标记为1时是为了加快处理
RST 为1时从新创建TCP链接
SYN 同步序列位 主动链接
FIN 发送结束位,断开链接位1
ACK 等ACK=1时确认序列号字段才有效果
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL
FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix
" INVAILD NMAP SCAN "
#定制CHECK_FLAGS 的TCP FLAGS 位,检测状态,如果没分钟收到5个 上边定义的FLAGS位的数据,则记录等级为6 并且记录到 定义的路径。
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #如果出现上边的 FLAGS 位则DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
定制状态检测FLAGS位,如果出现SYN,RST等 状态 ,每分钟出现5个的话,那么记录等级为6 并且指定记录路径。
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #出现以后拒绝。
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
--limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
#同上
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #同上
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit
5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
检测FLAG 64 匹配。 如果这个状态 如果状态匹配则记录日志到定义的位置。
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit
5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 " #同上
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit
5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
#所有的TCP状态,如果匹配这个时间内定义的这个值那么就要记录
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP #如果匹配则拒绝。
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m
limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
#所有的SYN,RST,ACK,FIN,URG
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit
5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN" #ALL NONE
所有的BIT都检测。
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
echo " OK !!!! Finished check_flags rules...."
echo "Now starting the input rules,please wait......."
for x in ${DENYPORTS} #for语句范围循环,X取值范围是上边定义的DENYPORTS里边的值,满足取值条件的时候做
do
iptables -A INPUT -i ${UPLINK} -p tcp
--dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT{x}
TCP IN:" #定制进入网卡,TCP协议到目标端口状态检测,NEW(新状态)记录日志,--log-prefix 路径。
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
#定制进入网卡,TCP协议到目标端口的状态检测,为新状态的时候DROP。
iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVAILD PORT{x} SYN IN:"
#定制进入网卡,TCP协议主动链接到目标端口的记录日志,指定日志位置
iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP
#定制进入网卡 TCP协议主动链接的到目标端口,全部DROP。
done
for x in ${DENYUDPPORT} #for语句范围循环,X取值范围是上边定义的DENYUDPPORT的值,满足条件的时候做
do
iptables -A INPUT -i ${UPLINK} -p udp
--dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT{x}
UDP IN:" #同上翻译
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT{x} UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
done
#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
#开启NAT功能
for x in ${SERVICES} #for循环语句,X值在上边定义的SERVICES里边。那么做下边的 iptables 做定义的事情,
do # ESTABLISHED 工作状态。RELATED 目前仅指错误ICMP包错误。
# NEW 新建的TCP SYN请求或第一个UDP数据包, #INVALID 不是响应当前会话的ICMP错误。
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
#DROP-AND-LOG 新建的链,从上边定义的UPLINK进入的数据 源地址是 下边数据的 全部转到 DROP-AND-LOG 来检测。
iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG
#定义数据状态上边定义的局域网来的数据状态如果符合定义,那么允许通过。
#iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#从UPLINK进入的数据全部记录数据。
#iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
#TCP 非主动链接状态的 NEW DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#LAN_IF为eth0 如果从eth0 接受到的TCP数据 为主动链接状态为NEW,ESTABLISHED,RELATED的全部通过。
iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#DMZ区域为eth2 在这里接受的数据状态为主动链接, NEW,ESTABLISHED,RELATED全部允许。
iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#input为TCP FLAGS 所有的syn和ack 都拒绝,驳回。
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"
iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVAILD ICMP IN:"
iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable
iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
iptables -A INPUT -i ${UPLINK} -f -j DROP
iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"
iptables -A INPUT -i ${LAN_IF} -f -j DROP
iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"
iptables -A INPUT -i ${DMZ_IF} -f -j DROP
iptables -A INPUT -i ${UPLINK} -j DROP
echo " OK !!!! The input rules has been successful applied ,continure......"
echo " Now starting FORWARD rules ,please wait ....."
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables
-A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit
5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
iptables
-A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit
5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
iptables
-A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit
5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP
iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP
iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP
iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP
iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -j DROP
echo " OK !!!! The forward rules has been successful applied,conniture......"
echo " Now applying output rules,please wait ...."
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
iptables -A OUTPUT -j DROP
echo " OK !!!! The OUTPUT rules has been successful applied,conniture......."
echo " Now applying nat rules ,please wait ...."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867
iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP
if [ " $ROUTER " = " yes " ] #判断如果route 等于YES 那么打开IP转发,
then
echo " enabing ip_forward,please wait..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "OK"
if [ " $NAT " = " dynamic " ] #再判断NAT是否等于动态,如果是动态IP则运用下边IP_ADDR语句来抓取IP赋值。
then
echo "Enableing MASQUERADING (dynamic ip )..."
echo "Dynamic PPP connection,Now getting the dynamic ip address"
IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
echo " Now you IP ADDRESS is : ${IP_ADDR} "
iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE #路由以后的从UPLINK出去的全部伪装成这个接口的IP。
iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
#从UPLINK出去,来自源地址为DMZ区域的,全部转到上边获取的IP来处理
iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80
#从UPLINK进入,在路由器前确定如果是访问上边目标端口80的,全部转到WEB服务器的80端口。
iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21
iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20
#同上!
if [ " $H323 " = " yes " ] #IF判断如果H323等于YES,那么,FOR循环做Port取值范围。
then
echo "Startting H323 NAT setting......"
for port in ${H323_PORT}
do
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport
${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to
${H323HOST}{port}
#nat路由前,检测从UPLINK进入的数据,协议尾TCP的到目标IP(IP_ADDR)和端口的(port)
检测状态为
#NEW,ESTABLISHED,RELATED的,全部转到目标H323的主机和端口来处理。
iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport
${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to
${H323HOST}{port}
done
fi
echo " OK,NAT setting start succecc.."
elif [ " $NAT " != " " ] #再条件,ELIF 判断 如果NAT=空,那么开启SNAT
then
echo "Enableing SNAT (static ip)..."
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
#路由以后全部转换为SNAT的UPIP来处理。
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
#转接为WEB服务器的IP 去处理
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21
if [ "$H323 " = " yes " ]
then
echo "Startting H323 NAT setting........"
for port in ${H323_PORT}
do
iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport
${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to
${H323HOST}{port} #同上
iptables -t nat
-A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state
--state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}{port}
done
fi
echo " OK !!!!"
fi
fi
if [ " $SELF_SET " = " yes " ]
then
echo "Starting the rules you set yourself......"
# firewall
echo " OK !!!!"
echo " All rules has been successful applied,enjoy it...."
elif [ "$1" = "stop" ]
then
echo "Stoping Firewall...."
iptables -F INPUT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F POSTROUTING
iptables -F tcpHandler
iptables -F udpHandler
iptables -F icmpHandler
iptables -F CHECK_FLAGS
iptables -F DROP-AND-LOG
iptables -X tcpHandler
iptables -X udpHandler
iptables -X icmpHandler
iptables -X CHECK_FLAGS
iptables -X DROP-AND-LOG
echo "The firewall has successful shuted down,be careful !!!"
fi
firewall.conf
UPLINK=eth1
UPIP=192.168.2.188
ROUTER=yes
NAT=192.168.2.188
INTERFACES=lo eth0 eth1 eth2
SERVICES=http ftp
DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080
3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335
31337 8000 1433 3389 7007 22 23 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.3.0/24
DMZ_IF=eth2
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=192.168.3.1
FTP_IP=192.168.3.2
H323_PORT=
H323=no
#here you can add the block rules yourself ,but be sure you do all these setting otherwise ,it will not work at all !!!!
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
#here you can add the icmp block rules yourself,Be sure you do all these setting otherwise ,it will not work at all !!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u1/42005/showart_387510.html |
|
免费注册
发表于 2007-09-22 10:26