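#!/bin/sh
#
# Firewall setup: builds the iptables ruleset and the kernel (ipsysctl)
# settings for a two-interface (inside / outside) masquerading router.
#
# Reads:   /etc/config, then /etc/outside.info and /etc/inside.info, which
#          are expected to define INSIDE_DEV/OUTSIDE_DEV, INSIDE_DEVICE/
#          OUTSIDE_DEVICE, *_NETWORK, *_IP, *_NETMASK, *_BROADCAST,
#          OUTSIDE_GATEWAY and optionally FAKEIDENT.
# Writes:  the filter, nat and mangle tables and /proc/sys/net/ipv4/*.
# Must run as root.  Safe to re-run while the system is up: forwarding is
# switched off first and only switched back on once every rule is in place.
# POSIX sh only (no bash-isms) so it keeps working on a busybox /bin/sh.
#

. /etc/config

#
# Do you want to do port forwarding to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
SERVER_IP=10.0.0.254

#
# Stop forwarding while the rules are rebuilt (this script may be run during
# normal uptime because of a DHCP re-lease or demand dialing / PPPoE).
#
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# Override /etc/config and add additional information.
#
. /etc/outside.info
. /etc/inside.info

#
# Print the configuration we are about to apply.
#
echo "Starting firewall with the following config:"
echo
echo "                    Inside                Outside"
echo "  Physical device:  ${INSIDE_DEV}          ${OUTSIDE_DEV}"
echo "  Logical device:   ${INSIDE_DEVICE}       ${OUTSIDE_DEVICE}"
echo "  Network:          ${INSIDE_NETWORK}      ${OUTSIDE_NETWORK}"
echo "  IP Address:       ${INSIDE_IP}           ${OUTSIDE_IP}"
echo "  Netmask:          ${INSIDE_NETMASK}      ${OUTSIDE_NETMASK}"
echo "  Broadcast:        ${INSIDE_BROADCAST}    ${OUTSIDE_BROADCAST}"
echo "  Gateway:          [None Set]             ${OUTSIDE_GATEWAY}"
echo

#
# Default policy DROP for every chain.  This is set *before* flushing: on a
# fresh boot the policies are ACCEPT, so flushing first would leave a short
# window with an empty, accept-everything filter table.
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Flush every table the kernel knows about, delete user chains, zero counters.
#
iptables -F
while read -r table; do
  iptables -F -t "${table}"
done < /proc/net/ip_tables_names
iptables -X
iptables -Z   # zero all counters

#
# SYN-flood rate limiting.
# Nicked from a firewall script mentioned on floppyfw.something; the original
# author noted it didn't work that well.
# NOTE(review): the chain is attached to ${INSIDE_DEVICE}, i.e. it limits SYNs
# arriving from the LAN rather than from the outside -- confirm that is intended.
#
iptables -N syn-flood
iptables -A INPUT -i "${INSIDE_DEVICE}" -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure NEW tcp connections are SYN packets.
iptables -A INPUT -i "${INSIDE_DEVICE}" -p tcp ! --syn -m state --state NEW -j DROP

#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -o "${OUTSIDE_DEVICE}" -j MASQUERADE

#
# Forwarding outside ports to an internal server (${SERVER_IP}).
# This used to be the ipchains / ipmasqadm portfw command.
# Uncomment the pair of rules for each service you want to expose.
#
# SSH:
#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 22 -j DNAT --to "${SERVER_IP}:22"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 22 -o "${INSIDE_DEVICE}" -j ACCEPT

# Web:
#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 80 -j DNAT --to "${SERVER_IP}:80"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 80 -o "${INSIDE_DEVICE}" -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d "${SERVER_IP}" --dport 80 -s "${INSIDE_NETWORK}/${INSIDE_NETMASK}" -j SNAT --to "${OUTSIDE_IP}"

# FTP:
#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 21 -j DNAT --to "${SERVER_IP}:21"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 21 -o "${INSIDE_DEVICE}" -j ACCEPT

# SMTP (internal mail server):
#iptables -A PREROUTING -t nat -p tcp -d "${OUTSIDE_IP}" --dport 25 -j DNAT --to "${SERVER_IP}:25"
#iptables -A FORWARD -p tcp -d "${SERVER_IP}" --dport 25 -o "${INSIDE_DEVICE}" -j ACCEPT
# This rule helps the "I can't reach my server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d "${SERVER_IP}" --dport 25 -s "${INSIDE_NETWORK}" -j SNAT --to "${OUTSIDE_IP}"

#
# Keep state: new connections may only be opened from the inside; replies and
# related traffic pass both ways; anything new or invalid from outside is dropped.
#
iptables -A FORWARD -m state --state NEW -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i "${OUTSIDE_DEVICE}" -j DROP

#
# MSS clamping.  Mainly for PPPoE usage but it won't hurt anyway, so we keep it.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# We don't like NetBIOS and Samba leaking out of the LAN.
#
iptables -t nat -A PREROUTING -p TCP -i "${INSIDE_DEVICE}" --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i "${INSIDE_DEVICE}" --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP -i "${INSIDE_DEVICE}" --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP -i "${INSIDE_DEVICE}" --dport 445 -j DROP

#
# Traffic to / from the firewall box itself: replies in, anything out
# (we would like to ask for names from our floppyfw box).
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends, to both sides.
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# And also DHCP -- but we can basically accept anything from the inside.
iptables -A INPUT -i "${INSIDE_DEVICE}" -j ACCEPT
iptables -A OUTPUT -o "${INSIDE_DEVICE}" -j ACCEPT

#
# If the user wants the fake identd running, it has to be able to answer.
# Otherwise reject ident probes with a reset so remote servers don't hang
# waiting for a timeout.
#
if [ -n "${FAKEIDENT}" ]; then
  iptables -A INPUT -p TCP --dport 113 -i "${OUTSIDE_DEVICE}" -j ACCEPT
else
  iptables -A INPUT -p TCP --dport 113 -i "${OUTSIDE_DEVICE}" -j REJECT --reject-with tcp-reset
fi

#
# Some attempt to keep interactive sessions a bit more interactive under load.
#
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
# iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

#
# Finally, list what we have (disabled by default: -L does reverse lookups).
#
# iptables -L

# If broken DNS:
#iptables -L -n

#
# The "insert stuff into the kernel" (ipsysctl) section.
# Some of these go under the "better safe than sorry" banner.
#

#
# This enables dynamic IP address following.
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# Trying to stop some smurf attacks.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#
# Don't accept source routed packets.
#
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#
# Syncookies (if they are really needed any more?)
#
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#
# We don't like IP spoofing: enable reverse-path filtering on every interface.
#
if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > "${interface}"
  done
else
  echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
fi

#
# Nor ICMP redirects.  (The original tested the rp_filter file here by
# mistake, so a kernel without accept_redirects would have failed the loop.)
#
if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
  for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo "0" > "${interface}"
  done
else
  echo "ICMP redirect protection is not available in this kernel."
fi

#
# Enable bad error message protection.
#
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#
# Log martians (packets with impossible source addresses).
# The original note said this would become a "LOG_STUFF" config option;
# it is enabled unconditionally here.
#
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward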
我顶!希望以后这位大哥教教我LINUX |
http://www.neweasier.com/article.html?class=12 |