A question about route

1 | Posted 2004-02-02 12:48
I am using RH7.0 as a firewall. After every boot I find an extra route:
211.20.XXX.0    *           255.255.255.0   U  0    0     0  eth1
Every time I have to run route del -net 211.20.XXX.0  netmask 255.255.255.0 dev eth1 to remove it. I heard RH7.0 has a route table with a user interface; could you please tell me how to stop this route from appearing after boot!
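What the poster does by hand after every boot, as an added shell example that is not from the thread: compare the kernel routing table with an allowlist of expected routes and print the route del command for anything that should not be there. The route table, the allowlist and the addresses are constructed for the example; the input format is that of route -n.

```shell
#!/bin/bash
# Added example, not code from the thread: audit the kernel routing table against
# an allowlist of expected routes and show how each unexpected one would be removed.
# Input is `route -n` style output (Destination Gateway Genmask Flags Metric Ref Use Iface).

# Expected routes as "destination/genmask iface", one per line. Constructed for this
# example; on a real firewall list the routes the interface configuration should create.
EXPECTED_ROUTES='192.168.2.0/255.255.255.0 eth1
0.0.0.0/0.0.0.0 eth0'

# Constructed sample of `route -n` output with one route on eth1 that is not expected.
# Addresses are from the RFC 5737 documentation ranges, not the poster's network.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth0'

# unexpected_routes ROUTE_TABLE EXPECTED_LIST
# Prints "destination/genmask iface" for every route in ROUTE_TABLE missing from EXPECTED_LIST.
unexpected_routes() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) if (lines[i] != "") ok[lines[i]] = 1
        }
        # Header lines are skipped: a route entry starts with a dotted-quad destination.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            key = $1 "/" $3 " " $NF
            if (!(key in ok)) print key
        }'
}

# route_del_command "destination/genmask iface"
# Builds the route(8) command to remove that network route, in the form used in the post.
route_del_command() {
    dest=${1%%/*}
    rest=${1#*/}
    printf 'route del -net %s netmask %s dev %s\n' "$dest" "${rest%% *}" "${rest##* }"
}

# Report. On a live system replace "$SAMPLE_ROUTE_TABLE" with "$(route -n)".
unexpected_routes "$SAMPLE_ROUTE_TABLE" "$EXPECTED_ROUTES" | while read -r r; do
    echo "unexpected route: $r"
    echo "  remove with: $(route_del_command "$r")"
done
```

Run from a boot script after the interfaces are up, the output tells you which route the interface configuration added that you did not expect.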

2 | Posted 2004-02-02 13:41

Nobody knows? Bumping my own thread.

3 | Posted 2004-02-02 14:14

Is it written somewhere in your script?

Otherwise it would not get added by itself.

4 | Posted 2004-02-02 14:33

There is just an ipchains rules script, but it does not add this route.

5 | Posted 2004-02-02 14:34

There is just an ipchains rules script, but it does not add this route. Here it is:
#!/bin/bash
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin
netinfo ()
{
IP=""
MASK=""
NET=""

for NIC in "$@" ; do
        {
        IP=`ifconfig $NIC |grep 'inet addr' |awk '{print $2}'|sed -e "s/addr\://"`
        MASK=`ifconfig $NIC |grep 'inet addr' |awk '{print $4}'|sed -e "s/Mask\://"`
        IP1=`echo $IP |awk -F'.' '{print $1}'`
        if [ "$IP1" = "" ]; then
                echo ""
                echo "Warning: there is no IP found on $NIC."
                echo "Action is aborted."
                echo "Please make sure the interface is setup properly, then try again."
                echo ""
                exit 1
        else
        IP2=`echo $IP |awk -F'.' '{print $2}'`
        IP3=`echo $IP |awk -F'.' '{print $3}'`
        IP4=`echo $IP |awk -F'.' '{print $4}'`
        MASK1=`echo $MASK |awk -F'.' '{print $1}'`
        MASK2=`echo $MASK |awk -F'.' '{print $2}'`
        MASK3=`echo $MASK |awk -F'.' '{print $3}'`
        MASK4=`echo $MASK |awk -F'.' '{print $4}'`
        let NET1="$IP1 & $MASK1"
        let NET2="$IP2 & $MASK2"
        let NET3="$IP3 & $MASK3"
        let NET4="$IP4 & $MASK4"
        NET="$NET1.$NET2.$NET3.$NET4"
        fi
        }
done
}

# --- Define interfaces ---
HI="1024:65535"
ALL="0.0.0.0/0"
LO="127.0.0.1"
INT_IF="eth1"
DMZ_IF="eth1"
EXT_IF="eth0"


# --- determine network information ---
netinfo "$INT_IF"
INT_IP="$IP"
INT_NET="$NET"/"$MASK"

netinfo "$DMZ_IF"
DMZ_IP="$IP"
DMZ_NET="$NET"/"$MASK"

netinfo "$EXT_IF"
EXT_IP="$IP"
EXT_NET="$NET"/"$MASK"

#
# --- Define Service IPs ---

DMZ_SSH_IP="192.168.2.2"

DMZ_WWW_IP="192.168.2.2"
DMZ_DNS_IP="192.168.2.2"
#DMZ_FTP_IP="192.168.2.1"
DMZ_SMTP_IP="192.168.2.1"
DMZ_POP_IP="192.168.2.1"
DMZ_IMAP_IP="192.168.2.1"

EXT_SSH_IP="$EXT_IP"

EXT_WWW_IP="$EXT_IP"
EXT_DNS_IP="$EXT_IP"
#EXT_FTP_IP="$EXT_IP"
EXT_SMTP_IP="$EXT_IP"
EXT_POP_IP="$EXT_IP"
EXT_IMAP_IP="$EXT_IP"

#
#
echo "Starting NAT script..."
#
echo '-------------------------------'
echo "Configuring ipmasqadm..."
#
ipmasqadm portfw -f
ipmasqadm autofw -F
#
#
echo "Forwarding SSH requests..."
ipmasqadm portfw -a -P tcp -L $EXT_SSH_IP 22 -R $DMZ_SSH_IP 22
ipmasqadm portfw -a -P udp -L $EXT_SSH_IP 22 -R $DMZ_SSH_IP 22
#
echo "Forwarding DNS requests..."
ipmasqadm portfw -a -P tcp -L $EXT_DNS_IP 53 -R $DMZ_DNS_IP 53
ipmasqadm portfw -a -P udp -L $EXT_DNS_IP 53 -R $DMZ_DNS_IP 53
ipmasqadm portfw -a -P tcp -L $EXT_DNS_IP 42 -R $DMZ_DNS_IP 42
#
echo "Forwarding WWW requests..."
ipmasqadm portfw -a -P tcp -L $EXT_WWW_IP 80 -R $DMZ_WWW_IP 80
ipmasqadm portfw -a -P udp -L $EXT_WWW_IP 80 -R $DMZ_WWW_IP 80
ipmasqadm portfw -a -P tcp -L $EXT_WWW_IP 443 -R $DMZ_WWW_IP 443
ipmasqadm portfw -a -P udp -L $EXT_WWW_IP 443 -R $DMZ_WWW_IP 443
#
#echo "Forwarding FTP requests..."
#ipmasqadm portfw -a -P tcp -L $EXT_FTP_IP 20 -R $DMZ_FTP_IP 20
#ipmasqadm portfw -a -P tcp -L $EXT_FTP_IP 21 -R $DMZ_FTP_IP 21
#
echo "Forwarding MAIL requests..."
ipmasqadm portfw -a -P tcp -L $EXT_SMTP_IP 25 -R $DMZ_SMTP_IP 25
ipmasqadm portfw -a -P tcp -L $EXT_POP_IP 109 -R $DMZ_POP_IP 109
ipmasqadm portfw -a -P udp -L $EXT_POP_IP 109 -R $DMZ_POP_IP 109
ipmasqadm portfw -a -P tcp -L $EXT_POP_IP 110 -R $DMZ_POP_IP 110
ipmasqadm portfw -a -P udp -L $EXT_POP_IP 110 -R $DMZ_POP_IP 110
ipmasqadm portfw -a -P tcp -L $EXT_IMAP_IP 143 -R $DMZ_IMAP_IP 143
ipmasqadm portfw -a -P udp -L $EXT_IMAP_IP 143 -R $DMZ_IMAP_IP 143
ipmasqadm portfw -a -P tcp -L $EXT_IMAP_IP 220 -R $DMZ_IMAP_IP 220
ipmasqadm portfw -a -P udp -L $EXT_IMAP_IP 220 -R $DMZ_IMAP_IP 220
#
#
#
echo '-------------------------------'
echo "Turning on IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
#
echo "Cleaning up rules..."
ipchains -F
ipchains -X
#
echo "Deny all..."
ipchains -P input   DENY
ipchains -P output  DENY
ipchains -P forward DENY
#
echo "Allow local network..."
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i $INT_IF -j ACCEPT
ipchains -A output -i $INT_IF -j ACCEPT
ipchains -A input -i $DMZ_IF -j ACCEPT
ipchains -A output -i $DMZ_IF -j ACCEPT
#
echo "Turning on anti-spoofing..."
ipchains -A input  -i $EXT_IF -s $EXT_IP -d $ALL -j DENY
ipchains -A input  -i $EXT_IF -s $DMZ_NET -d $ALL -j DENY
ipchains -A output -i $EXT_IF -s $DMZ_NET -d $ALL -j DENY
ipchains -A input  -i $EXT_IF -s $INT_NET -d $ALL -j DENY
ipchains -A output -i $EXT_IF -s $INT_NET -d $ALL -j DENY
#
echo "Accept outbound requests only..."
ipchains -A input -p TCP -i $EXT_IF ! -y -s $ALL -j ACCEPT
#
echo "Allow ICMP..."
ipchains -A output -i $EXT_IF -p ICMP -d $ALL -j ACCEPT
ipchains -A input -i $EXT_IF -p ICMP -s $ALL -j ACCEPT
ipchains -A forward -p ICMP -s $DMZ_NET -j MASQ
ipchains -A forward -p ICMP -d $DMZ_NET -j DENY
#
echo "Accept SSH..."
ipchains -A input -i $EXT_IF -p UDP -s $ALL --sport $HI -d $EXT_SSH_IP/32 ssh -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_SSH_IP/32 ssh -d $ALL --dport $HI -j ACCEPT
ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_SSH_IP/32 ssh -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_SSH_IP/32 ssh -d $ALL --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_SSH_IP/32 --sport $HI -d $ALL ssh -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL ssh -d $EXT_SSH_IP/32 --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_SSH_IP/32 --sport $HI -d $ALL ssh -j ACCEPT
ipchains -A input -i $EXT_IF -p TCP -s $ALL ssh -d $EXT_SSH_IP/32 --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_SSH_IP/32 ssh -d $ALL ssh -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL SSH -d $EXT_SSH_IP/32 ssh -j ACCEPT
ipchains -A forward -s $DMZ_SSH_IP/32 -d $ALL -j MASQ
#
echo "Accept DNS..."
ipchains -A input -i $EXT_IF -p UDP -s $ALL --sport $HI -d $EXT_DNS_IP/32 domain -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_DNS_IP/32 domain -d $ALL --dport $HI -j ACCEPT
ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_DNS_IP/32 domain -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_DNS_IP/32 domain -d $ALL --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_DNS_IP/32 --sport $HI -d $ALL domain -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL domain -d $EXT_DNS_IP/32 --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_DNS_IP/32 --sport $HI -d $ALL domain -j ACCEPT
ipchains -A input -i $EXT_IF -p TCP -s $ALL domain -d $EXT_DNS_IP/32 --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_DNS_IP/32 domain -d $ALL domain -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL domain -d $EXT_DNS_IP/32 domain -j ACCEPT
ipchains -A forward -s $DMZ_DNS_IP/32 -d $ALL -j MASQ
#
echo "Accept HTTP..."
ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_WWW_IP/32 www -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_WWW_IP/32 www -d $ALL --dport $HI -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL --sport $HI -d $EXT_WWW_IP/32 www -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_WWW_IP/32 www -d $ALL --dport $HI -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_WWW_IP/32 --sport $HI -d $ALL www -j ACCEPT
ipchains -A input -i $EXT_IF -p TCP -s $ALL www -d $EXT_WWW_IP/32 --dport $HI ! -y -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_WWW_IP/32 --sport $HI -d $ALL www -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL www -d $EXT_WWW_IP/32 --dport $HI -j ACCEPT
ipchains -A forward -s $DMZ_WWW_IP/32 -d $ALL -j MASQ
#
#echo "Accept FTP..."
#ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_FTP_IP/32 ftp -j ACCEPT
#ipchains -A output -i $EXT_IF -p TCP -s $EXT_FTP_IP/32 ftp -d $ALL --dport $HI -j ACCEPT
#ipchains -A output -i $EXT_IF -p TCP -s $EXT_FTP_IP/32 ftp-data -d $ALL $HI -j ACCEPT
#ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_FTP_IP/32 ftp-data -j ACCEPT
#ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_FTP_IP/32 --dport 6000:6003 -j DENY
#ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_FTP_IP/32 --dport $HI -j ACCEPT
#ipchains -A output -i $EXT_IF -p TCP -s $EXT_FTP_IP/32 --sport $HI -d $ALL --dport $HI -j ACCEPT
#ipchains -A forward -s $DMZ_FTP_IP/32 -d $ALL -j MASQ
#
echo "Accept MAIL ..."
#--- smtp ---
ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_SMTP_IP/32 smtp -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_SMTP_IP/32 smtp -d $ALL --dport $HI ! -y -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_SMTP_IP/32 --sport $HI -d $ALL smtp -j ACCEPT
ipchains -A input -i $EXT_IF -p TCP -s $ALL smtp -d $EXT_SMTP_IP/32 --dport $HI ! -y -j ACCEPT
ipchains -A forward -p TCP -s $DMZ_SMTP_IP/32 -d $ALL -j MASQ
#-- pop3 --
ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_POP_IP/32 pop-3 -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_POP_IP/32 pop-3 -d $ALL --dport $HI ! -y -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL --sport $HI -d $EXT_POP_IP/32 pop-3 -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_POP_IP/32 pop-3 -d $ALL --dport $HI -j ACCEPT
ipchains -A forward -p TCP -s $DMZ_POP_IP/32 -d $ALL -j MASQ
#-- imap3 --
ipchains -A input -i $EXT_IF -p TCP -s $ALL --sport $HI -d $EXT_IMAP_IP/32 imap3 -j ACCEPT
ipchains -A output -i $EXT_IF -p TCP -s $EXT_IMAP_IP/32 imap3 -d $ALL --dport $HI -j ACCEPT
ipchains -A input -i $EXT_IF -p UDP -s $ALL --sport $HI -d $EXT_IMAP_IP/32 imap3 -j ACCEPT
ipchains -A output -i $EXT_IF -p UDP -s $EXT_IMAP_IP/32 imap3 -d $ALL --dport $HI -j ACCEPT
ipchains -A forward -p TCP -s $DMZ_IMAP_IP/32 -d $ALL -j MASQ
#
#
echo '-------------------------------'
echo "Masquerading internal network..."
#
echo "Turning on MASQ modules..."
KVERSION="2.2.16-22"
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_ftp.o ]; then
        modprobe ip_masq_ftp
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_raudio.o ]; then
        modprobe ip_masq_raudio
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_irc.o ]; then
        modprobe ip_masq_irc
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_autofw.o ]; then
        modprobe ip_masq_autofw
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_cuseeme.o ]; then
        modprobe ip_masq_cuseeme
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_portfw.o ]; then
        modprobe ip_masq_portfw
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_quake.o ]; then
        modprobe ip_masq_quake
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_vdolive.o ]; then
        modprobe ip_masq_vdolive
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_user.o ]; then
        modprobe ip_masq_user
fi
if [ -f /lib/modules/$KVERSION/ipv4/ip_masq_mfw.o ]; then
        modprobe ip_masq_mfw
fi
#
echo "Allow common protocols and optimizing..."
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL telnet -t 0x01 0x10
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL www -t 0x01 0x10
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL https -t 0x01 0x10
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL ftp -t 0x01 0x10
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL ftp-data -t 0x01 0x08
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL nntp  -t 0x01 0x02
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL pop-3  -t 0x01 0x02
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL imap  -t 0x01 0x02
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL smtp  -t 0x01 0x02
#
echo "Allow SSH..."
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL ssh -t 0x01 0x10
ipchains -A output -p UDP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL ssh -t 0x01 0x10
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF ! -y -s $ALL ssh -d $EXT_IP -t 0x01 0x10
ipchains -A input -p UDP -j ACCEPT -i $EXT_IF -s $ALL ssh -d $EXT_IP -t 0x01 0x10
#
echo "Accept turn-back only..."
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF ! -y -s $ALL -d $EXT_IP
#
echo "Allow DNS..."
ipchains -A output -p UDP -j ACCEPT -i $EXT_IF -s $EXT_IP --sport $HI -d $ALL domain
ipchains -A input -p UDP -j ACCEPT -i $EXT_IF -s $ALL domain -d $EXT_IP --dport $HI
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP --sport $HI -d $ALL domain
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF ! -y -s $ALL domain -d $EXT_IP --dport $HI
ipchains -A output -p UDP -j ACCEPT -i $EXT_IF -s $EXT_IP domain -d $ALL domain
ipchains -A input -p UDP -j ACCEPT -i $EXT_IF -s $ALL domain -d $EXT_IP domain
#
echo "Allow ICMP..."
ipchains -A output -p ICMP -j ACCEPT -i $EXT_IF -s $EXT_IP -d $ALL
ipchains -A input -p ICMP -j ACCEPT -i $EXT_IF -s $ALL -d $EXT_IP
ipchains -A forward -p ICMP -j MASQ -s $INT_NET
ipchains -A forward -p ICMP -j MASQ -s $DMZ_NET
ipchains -A forward -p ICMP -j DENY -d $INT_NET
ipchains -A forward -p ICMP -j DENY -d $DMZ_NET
#
echo "Allow FTP..."
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP --sport $HI -d $ALL ftp
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF -s $ALL ftp -d $EXT_IP --dport $HI
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF -s $ALL ftp-data -d $EXT_IP --dport $HI
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -s $EXT_IP --sport $HI -d $ALL --dport $HI
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF ! -y -s $ALL --sport $HI -d $EXT_IP --dport $HI
#
# auth protocol may be needed for both FTP and NNTP
ipchains -A output -p TCP -j ACCEPT -i $EXT_IF -b -s $EXT_IP -d $ALL auth
ipchains -A input -p TCP -j ACCEPT -i $EXT_IF -b -s $ALL auth -d $EXT_IP
ipchains -A output -p TCP -j ACCEPT -b -i $EXT_IF -d $ALL auth
ipchains -A input -p TCP -j ACCEPT -b -i $EXT_IF -s $ALL auth
#
echo "Turning on MASQ..."
ipchains -A forward -j MASQ -s $INT_NET -d $ALL
ipchains -A forward -j MASQ -s $DMZ_NET -d $ALL
#
#echo "Allow high ports..."
#ipchains -A input -p UDP -i $EXT_IF -b -s $ALL -d $EXT_IP --dport $HI -j ACCEPT
#ipchains -A output -p UDP -i $EXT_IF -b -s $EXT_IP -d $ALL --dport $HI -j ACCEPT
#
echo "Current firewall status:"
echo -n "/proc/sys/net/ipv4/ip_forward: "
cat /proc/sys/net/ipv4/ip_forward
echo INT_NET is "$INT_NET" on "$INT_IF" with "$INT_IP"
echo DMZ_NET is "$DMZ_NET" on "$DMZ_IF" with "$DMZ_IP"
echo EXT_NET is "$EXT_NET" on "$EXT_IF" with "$EXT_IP"
#