向大家求教一个redhat linux 问题
我的脚本,大家帮我看看有什么问题
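#!/bin/sh
#
# Stateful iptables firewall for a gateway with one Internet-facing
# interface (INET_IFACE) and three LAN-facing interfaces (bond0, eth1, eth2).
# The filter table defaults to DROP; LAN and loopback traffic is accepted,
# replies to established flows are accepted, and LAN clients are NAT'd out
# through INET_IFACE. Must be run as root.
#
# Note: the nat table policies are also DROP, so any NEW flow that matches no
# nat rule is discarded before the filter table ever sees it (see the nat
# section below before adding rules that depend on filter-table matches).

INET_IP="x.x.x.x"          # public address of INET_IFACE - fill in before use
INET_IFACE="eth0"
INET_BROADCAST="x.x.x.x"   # broadcast address of INET_IFACE - fill in before use
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACEA="bond0"
LAN_IFACEB="eth1"
LAN_IFACEC="eth2"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPT="/sbin/iptables"

# Refuse to run with the address placeholders still in place: iptables would
# reject those rules, and because this script does not stop on errors it would
# otherwise finish with a partial rule set and forwarding switched on.
case "$INET_IP$INET_BROADCAST" in
  *x.x.x.x*)
    echo "set INET_IP and INET_BROADCAST before running this script" >&2
    exit 1
    ;;
esac

# Netfilter modules used by the rules below (filter and nat tables, connection
# tracking, LOG / limit / state extensions).
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# Kernel hardening: ignore broadcast pings, refuse source-routed packets and
# ICMP redirects, enable reverse-path filtering on every interface.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
for interface in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 1 > "$interface"
done

# Keep forwarding off while the rule set is rebuilt so nothing is routed
# through a half-configured firewall; it is re-enabled as the last step.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Start from a clean slate in every table: flush rules, delete user chains,
# zero the counters.
for TABLE in filter nat mangle ; do
  "$IPT" -t "$TABLE" -F
  "$IPT" -t "$TABLE" -X
  "$IPT" -t "$TABLE" -Z
done

# Default deny everywhere.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -t nat -P PREROUTING DROP
"$IPT" -t nat -P POSTROUTING DROP

# User chains. NOTE: "allowed" and "tcp_packets" are created but nothing
# below jumps to them, so no TCP from the Internet is ever accepted into
# INPUT; that is the current (restrictive) behaviour, not an accident of
# ordering - hook them into INPUT deliberately if services must be exposed.
"$IPT" -N bad_tcp_packets
"$IPT" -N allowed
"$IPT" -N tcp_packets
"$IPT" -N udp_packets
"$IPT" -N icmp_packets

# bad_tcp_packets: reject NEW connections that arrive as SYN,ACK (stray
# replies) with a reset, and drop any other NEW packet that is not a SYN.
"$IPT" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed: accept a fresh SYN or anything belonging to a tracked flow.
"$IPT" -A allowed -p tcp --syn -j ACCEPT
"$IPT" -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A allowed -p tcp -j DROP

# udp_packets: silently drop NetBIOS broadcasts and DHCP noise from the
# Internet side so they do not reach the (logging-free) default policy.
"$IPT" -A udp_packets -p udp -i "$INET_IFACE" -d "$INET_BROADCAST" --destination-port 135:139 -j DROP
"$IPT" -A udp_packets -p udp -i "$INET_IFACE" -d 255.255.255.255 --destination-port 67:68 -j DROP

# icmp_packets: the first rule drops every ICMP packet from INET_IFACE, and
# INPUT only enters this chain for INET_IFACE, so the two ACCEPT rules for
# echo-request (8) and time-exceeded (11) are never reached. They are kept
# as-is; move them above the DROP if inbound ping / traceroute replies are
# meant to be allowed.
"$IPT" -A icmp_packets -i "$INET_IFACE" -p icmp -j DROP
"$IPT" -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
"$IPT" -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT: sanity-check TCP, then trust the LAN interfaces and loopback.
"$IPT" -A INPUT -p tcp -j bad_tcp_packets
"$IPT" -A INPUT -p all -i "$LAN_IFACEA" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPT" -A INPUT -p all -i "$LAN_IFACEB" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPT" -A INPUT -p all -i "$LAN_IFACEC" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPT" -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPT" -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPT" -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT

# Resolver addresses from /etc/resolv.conf, read once and reused for the
# INPUT and nat rules below. Word splitting on the unquoted value is intended:
# one address per word.
DNS_SERVERS=$(awk '/^nameserver/ {print $2}' /etc/resolv.conf)
for DNS in $DNS_SERVERS ; do
  "$IPT" -A INPUT -p udp -s "$DNS" --sport domain -j ACCEPT
done

# Replies to connections the firewall itself opened, then the Internet-side
# UDP/ICMP clean-up chains and multicast.
"$IPT" -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
"$IPT" -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
"$IPT" -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP

# FORWARD: the three rate-limited ACCEPTs (fragments, ICMP, TCP SYN) are not
# restricted to a LAN input interface. Today only the nat PREROUTING DROP
# policy keeps Internet-originated NEW flows from reaching them; if that
# policy is ever relaxed, add "-i <LAN iface>" to these rules.
"$IPT" -A FORWARD -p tcp -j bad_tcp_packets
"$IPT" -A FORWARD -f -m limit --limit 100/second --limit-burst 100 -j ACCEPT
"$IPT" -A FORWARD -p icmp -m limit --limit 1/second --limit-burst 10 -j ACCEPT
"$IPT" -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IFACEA" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IFACEB" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPT" -A FORWARD -i "$LAN_IFACEC" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT: anything sourced from one of the firewall's own addresses.
"$IPT" -A OUTPUT -p tcp -j bad_tcp_packets
"$IPT" -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
"$IPT" -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
"$IPT" -A OUTPUT -p all -s "$INET_IP" -j ACCEPT

# nat table. Only the first packet of each connection passes through here,
# and with the DROP policies above any NEW flow not matched below is lost
# before filtering. Loopback is accepted explicitly: the host's own
# 127.0.0.1 connections match neither the SNAT rule nor the LAN range and
# would otherwise be dropped by the POSTROUTING policy.
"$IPT" -t nat -A PREROUTING -i "$LO_IFACE" -j ACCEPT
"$IPT" -t nat -A PREROUTING -s "$LAN_IP_RANGE" -j ACCEPT
for DNSA in $DNS_SERVERS ; do
  "$IPT" -t nat -A PREROUTING -d "$DNSA" -j ACCEPT
done

# Outbound NAT for the LAN: MASQUERADE when the uplink has a dynamic address
# (ppp0), otherwise a fixed SNAT to the public address.
if [ "$INET_IFACE" = "ppp0" ] ; then
  "$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
else
  "$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
fi
"$IPT" -t nat -A POSTROUTING -o "$LO_IFACE" -j ACCEPT
"$IPT" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -j ACCEPT

# Rule set is complete: turn routing back on.
echo 1 > /proc/sys/net/ipv4/ip_forward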