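#!/bin/sh
#
# Small router/NAT firewall.
#
# What it does, in order:
#   1. disables IP forwarding and wipes the filter and nat tables,
#   2. sets DROP policies on INPUT/FORWARD (OUTPUT stays ACCEPT),
#   3. allows loopback, selected ICMP, and established/related traffic,
#   4. opens the TCP/UDP ports listed in TPORTS/UPORTS on the host and
#      for forwarded traffic,
#   5. re-enables forwarding and installs a static 1:1 SNAT/DNAT mapping
#      for one internal host.
#
# Must be run as root.  Safe to re-run: every table it writes to is
# flushed first, so rules are not duplicated on a second invocation.
#
# POSIX sh only (no bash-isms), so it can stay under #!/bin/sh.
#
# Abort on the first failing command and on any unset variable.  A rule
# that fails to load is a misconfiguration, not something to skip over;
# if that happens the default policies are already DROP, so the box
# fails closed rather than open.
set -eu
PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
##tcp allow ports (space-separated list)
#
TPORTS="80 22 21 20"
#
##udp allow ports (space-separated list)
#
UPORTS="53 123"
#
##config out_eth interface (external side)
# NOTE: OUT_ETH is not referenced by any rule below; the external-side
# rules only match on OUT_ETH_IP.  Kept so rules can be bound to it later.
OUT_ETH="eth1"
OUT_ETH_IP="192.168.10.1"
##set out_eth_ip(firewall out ip) ports reachable from anywhere
OUT_ETH_IP_PORTS="22"
##config in_eth interface (internal side)
IN_ETH="eth0"
# NOTE: IN_ETH_IP is not referenced by any rule below.
IN_ETH_IP="172.18.10.37"
##internal ip range
SERVER_IP="172.18.10.0/24"
##the one internal host that is published on the external side
NAT_INT_IP="172.18.10.10"
NAT_INT_NETMASK="255.255.255.128"
NAT_EXT_IP="192.168.10.10"
#
##disable forwarding while the rule set is being rebuilt, so nothing is
##forwarded through a half-built chain
#
echo 0 > /proc/sys/net/ipv4/ip_forward
#
##reset default policies to ACCEPT before flushing, so the flush itself
##cannot lock us out of an in-progress session
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
##del all iptables rules -- filter AND nat.  The nat table must be
##flushed too, otherwise every run appends another SNAT/DNAT pair.
#
iptables -F
iptables -t nat -F
#
##clean all non-default chains
#
iptables -X
iptables -t nat -X
#
##iptables default rules: deny inbound and forwarded traffic unless a
##rule below allows it; outbound from the firewall itself is unrestricted
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
##allow loopback -- first, so nothing below can interfere with local IPC
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
##drop INVALID packets immediately -- placed before any ACCEPT rule so
##that the plain port-based ACCEPTs further down cannot match them first
#
iptables -A INPUT -m state --state INVALID -j DROP
#
##allow ping and the ICMP control messages needed for path MTU / errors:
##  0 echo-reply, 3 destination-unreachable, 5 redirect, 8 echo-request,
##  11 time-exceeded
##NOTE(review): accepting type 5 (redirect) from any source lets a
##neighbour on the external side rewrite this host's routes; consider
##dropping it on OUT_ETH and relying on
##/proc/sys/net/ipv4/conf/*/accept_redirects instead.
#
for ITYPE in 0 3 5 8 11
do
  iptables -A INPUT -p icmp --icmp-type "$ITYPE" -j ACCEPT
done
#to rate-limit a type instead of accepting it unconditionally, e.g.:
#iptables -A INPUT -p icmp --icmp-type 11 -m limit --limit 5/s -j ACCEPT
#
##NOTE: no -i/-o here, so ICMP is forwarded in both directions
iptables -A FORWARD -p icmp -j ACCEPT
#
##STATE RELATED/ESTABLISHED for the router itself and for forwarded flows
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
##accept internal packets on the internal i/f (any TCP port)
#
iptables -A INPUT -i "$IN_ETH" -s "$SERVER_IP" -p tcp -j ACCEPT
#
##accept firewall out eth ip ports (management access from outside)
#
# shellcheck disable=SC2086 # intentional word-split of the port list
for OEP in $OUT_ETH_IP_PORTS
do
  iptables -A INPUT -d "$OUT_ETH_IP" -p tcp --dport "$OEP" -j ACCEPT
done
#
##open ports on router for server/services
##NOTE: the FORWARD rules carry no -i/-o, so these ports are forwarded in
##both directions (internal->external and external->internal)
#
#TCP PORTS
# shellcheck disable=SC2086 # intentional word-split of the port list
for ATP in $TPORTS
do
  # external sources reaching an address in the internal range on the
  # firewall itself (e.g. the NAT_INT_IP alias configured below)
  iptables -A INPUT ! -s "$SERVER_IP" -d "$SERVER_IP" -p tcp --dport "$ATP" -j ACCEPT
  iptables -A FORWARD -p tcp --dport "$ATP" -j ACCEPT
done
#UDP PORTS
# shellcheck disable=SC2086 # intentional word-split of the port list
for AUP in $UPORTS
do
  iptables -A INPUT -p udp --dport "$AUP" -j ACCEPT
  iptables -A FORWARD -p udp --dport "$AUP" -j ACCEPT
done
#
##limit SYN flood (disabled; kept as in the original for reference)
#
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
##deny all ICMP packets on the external interface (disabled)
#iptables -A INPUT -i "$OUT_ETH" -p icmp -j DROP
#
##enable forwarding -- the rule set is complete at this point
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
##config net-eth ip address: alias on the internal interface that
##receives the DNAT'ed traffic below.  Under set -e a failure here stops
##the script before the NAT rules are added.
#
ifconfig "${IN_ETH}:1" "$NAT_INT_IP" netmask "$NAT_INT_NETMASK"
#
##set static IP nat rule, POSTROUTING/PREROUTING
##(snat)iptables -t nat -A POSTROUTING -j SNAT --to <external-ip>
##(dnat)iptables -t nat -A PREROUTING -j DNAT --to <internal-ip>
#
iptables -t nat -A POSTROUTING -s "$NAT_INT_IP" -j SNAT --to "$NAT_EXT_IP"
iptables -t nat -A PREROUTING -d "$NAT_EXT_IP" -j DNAT --to "$NAT_INT_IP"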
以上代码请高手指点一二啊,是否还有不妥的地方啊。
跪求各位大哥的见解!!!