来源:网络
网吧使用的Nat+Iptables+Squid的脚本
#!/bin/bash
# 飘飘的风于2003年7月26日修改,端口影射成功。
###--------------------------------------------------------------------###
#以下是定义变数
###--------------------------------------------------------------------###
PATH=/sbin:/usr/sbin:/bin:/usr/bin
RC_SQUID=/etc/rc.d/init.d/squid
EXT_IF=eth1
#外网接口,确定网卡,如果是拨号就用ppp0
INT_IF=eth0
LAN_IP_RANGE="192.168.0.0/24"
STATIC_IP="80.234.71.88"
TRUSTED_TCP_PORT="22 25 53 80 110 143 443 993 995 3389"
TRUSTED_UDP_PORT="53 3389"
ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"
###--------------------------------------------------------------------###
#确定iptables安装情况
###--------------------------------------------------------------------###
which iptables &>/dev/null || {
echo
echo "$(basename $0): iptables程序没有找到"
echo "请先安装好这个程序."
echo
exit 1
}
###--------------------------------------------------------------------###
#废掉ipchains,这是针对redhat以前的版本,新版已经把iptables嵌到内核里了
###--------------------------------------------------------------------###
lsmod | grep ipchains &>/dev/null && {
echo "正在废掉ipchains服务........."
rmmod ipchains
}
###--------------------------------------------------------------------###
#装载模块modules
###--------------------------------------------------------------------###
echo "模块正在载人......"
modprobe ip_tables &>/dev/null || {
echo -n "$(basename $0): ip_tables模块载人失败"
echo "请检查"
exit 3
}
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
module=$(basename $file)
modprobe ${module%.*} &>/dev/null
done
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o
do
module=$(basename $file)
modprobe ${module%.*} &>/dev/null
done
# ------------- 端口开启 ------------
echo "开启所要的端口...."
iptables -N services
for PORT in $TRUSTED_TCP_PORT; do
iptables -A services -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TRUSTED_UDP_PORT; do
iptables -A services -i $EXT_IF -p udp --dport $PORT -j ACCEPT
done
#----ipforwarding--------
echo "打开foward功能"
echo "1" > /proc/sys/net/ipv4/ip_forward
#动态ip使用
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#这里是动态ip实现nat共享必改之处
###---------------------------------------------------###
#清除先前的设定
###---------------------------------------------------###
echo "正在清除先前的设定......."
#清除预定表filter中,所有规则链中的规则
iptables -F
#清除预定表filter中,使用者自定链中的规则
iptables -X
#清除预定表mangle中,所有规则链中的规则
iptables -F -t mangle
#清除预定表mangle中,使用者自定链中的规则
iptables -X -t mangle
#清除nat表中的规则
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
###---------------------------------------------------###
#设定预设规则
###---------------------------------------------------###
#预设规则要么为全部丢弃,要么为全部接受
#本列为全部丢弃,然后逐步开放,这是安全系数很高的设法
#若目标为DROP,则policy设为ACCEPT;若目标为ACCEPT,则policy设为DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#TCP的设定
#
#我们丢弃坏的TCP包
#
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
#局域网共享的实现
#iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_IP_RANGE -j SNAT --to-source $STATIC_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
echo "局域网共享的已实现,请试用局域网机器"
#这一步实现局域网内部机对外部网开放
#凡对$STATIC_IP:80连线者,则转址到192.168.0.100:80
iptables -t nat -A PREROUTING -d 80.234.71.88 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -d 192.168.0.100 --dport 80 -j SNAT --to 192.168.0.1
#192.168.0.250装有win2003,提供远程桌面服务
iptables -t nat -A PREROUTING -d 80.234.71.88 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.250:3389
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 3389 -j ACCEPT
#允许内网机使用外网机的IP访问内网机,把内网机的IP转换成网关IP
iptables -t nat -I POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -d 192.168.0.250 --dport 3389 -j SNAT --to 192.168.0.1
#允许要转向的包
iptables -A FORWARD -i $INT_IF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#对于不管来自哪里的ip碎片都进行控制,允许每秒通过100个碎片
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#icmp包通过的控制,防止icmp黑客攻击
iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
#这一条是针对oicq等使用udp服务而接收所有的udp包
#开放主机的ssh port 22,使内部机以ssh连至外部
iptables -A OUTPUT -o $EXT_IF -p tcp -s $STATIC_IP --sport 1024:65535 -d any/0 --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s any/0 --sport 22 -d $STATIC_IP --dport 1024:65535 -j ACCEPT
#防止外网用内网ip欺骗
iptables -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP
#-----------透明代理------------
$RC_SQUID status | grep pid &>/dev/null && {
echo "透明代理实现"
INT_IP=$(ifconfig | grep $INT_IF -A 1 | awk '/inet/ {print $2}' | sed -e s/addr\://)
if [ -z "$INT_IP" ]; then
echo
echo "$(basename $0): $INT_IF没有IP存在"
echo "请检查$INT_IF是否正确配置了"
echo
exit 3
fi
}
exit 0
## EOS
适用于中小型公司有内网服务器发布的IPTABLES脚本
网络环境如下:
1.网通5M共享带宽线路,一个独立公网IP.
2.内部网络有邮件服务器一台,OA服务器一台,FTP服务器一台,都需要对内和对外发布.
3.局域网络内部总共有40台客户机.
本人考虑到安全性及稳定性,易用性方面的因素,决定采用Red Hat AS4 Kernel 2.6.9-22.EL + iptables 的方案来架设一台代理服务器,并能发布内网服务器并实现NAT,透明防火墙的功能,实在是企业经济选择的最佳方案.
以下是iptables脚本:
eth0: 192.168.1.1 #内网卡地址
eth1: 210.22.25.X #外网卡地址
邮件服务器:192.168.1.84
OA服务器: 192.168.1.85
FTP服务器: 192.168.1.86
在/etc/rc.d 里面 touch fw.sh
并且chmod u+x 改为可执行,然后 vi fw.sh 进入编辑,加入以下脚本.
#!/bin/sh
echo "Enable IP Forwarding..."
echo "1">/proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#Refresh all chains
/sbin/iptables -F -t nat
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -Z
#Presetup
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
#Public 3389 发布OA的3389端口
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.85:3389
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.85 --dport 3389 -j ACCEPT
#Public WEB
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.85:80
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.85 --dport 80 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -p tcp -d 192.168.1.85 --dport 80 -j SNAT --to 192.168.1.1
#Public FTP
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.84:21
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.86 --dport 21 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -d 192.168.1.86 --dport 21 SNAT --to 192.168.1.1
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3000:3020 -d 210.22.25.38 -j DNAT --to 192.168.1.86:3000-3020 #被动FTP PSAV端口
#Public MAIL
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.84:25
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.84 --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 110 -j DNAT --to-destination 192.168.1.84:110
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.84 --dport 110 -j ACCEPT
#deny need close port and hacker
/sbin/iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p ICMP -j DROP
/sbin/iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p TCP -port ! 80 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 135 -j DROP
/sbin/iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
/sbin/iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP
/sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold
#MY COMPUTER
/sbin/iptables -I INPUT -s 192.168.1.35 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.1.35 -j ACCEPT
/sbin/iptables -I OUTPUT -s 192.168.1.35 -j ACCEPT
#我的电脑当然全部放行拉 :D
注:该脚本我已经在公司里面运行稳定超过半年,而且效果相当令人满意,基本上是免维护了,开机就能用.OUTPUT链鉴于公司领导的要求,我全放行,没办法.由于INPUT链默认是 DROP, 只开放需要开放的端口,一般的黑客攻击是很难成功地:D
Copyright 2006 by 孤零飘客
iptables脚本主要实现了过滤数据包,端口转发,代理服务等功能
#!/bin/sh
echo "Starting Firewall...."
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -t nat -F
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j ACCEPT
iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j ACCEPT
iptables -A INPUT -p tcp --dport 8005 -j ACCEPT
iptables -A INPUT -p tcp --dport 6802 -j ACCEPT
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -p tcp --dport 22121 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 7890 -j ACCEPT
iptables -A INPUT -p tcp --sport 7910 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 168.168.20.220 -j ACCEPT
iptables -A INPUT -s 211.94.188.183 -j ACCEPT
iptables -A INPUT -s 211.94.188.140 -j ACCEPT
iptables -A INPUT -s 211.136.85.72/29 -j ACCEPT
iptables -A INPUT -s 211.136.83.80/29 -j ACCEPT
iptables -A INPUT -s 210.21.206.72/29 -j ACCEPT
iptables -A INPUT -s 211.137.43.213 -j ACCEPT
iptables -A INPUT -s 211.137.43.214 -j ACCEPT
iptables -A INPUT -s 202.104.139.254 -j ACCEPT
iptables -A INPUT -s 61.144.222.118 -j ACCEPT
iptables -A INPUT -s 168.168.0.1/16 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -j ACCEPT
#iptables -A INPUT -p tcp -j DROP
#iptables -A INPUT -p udp -j DROP
iptables -A FORWARD -p tcp -d 168.168.30.172 -j ACCEPT
iptables -A FORWARD -d 168.168.10.127 -j ACCEPT
iptables -A FORWARD -s 202.104.139.254 -d 168.168.11.11 -j ACCEPT
iptables -A FORWARD -s 218.206.71.36/28 -d 168.168.11.11 -j ACCEPT
iptables -A FORWARD -d 168.168.11.11 -j DROP
iptables -A FORWARD -d 168.168.20.250 -j DROP
iptables -A FORWARD -p tcp --sport 4662 -j DROP
iptables -A FORWARD -p udp --sport 4672 -j DROP
iptables -A FORWARD -p tcp --sport 4682 -j DROP
iptables -A FORWARD -p tcp --sport 6881:6890 -j DROP
iptables -A FORWARD -p tcp --sport 6969 -j DROP
iptables -A FORWARD -s 211.148.218.7 -j DROP
iptables -A FORWARD -d 61.152.145.70 -j DROP
iptables -A FORWARD -d 61.152.145.70 -j DROP
iptables -A FORWARD -d 217.75.120.114 -j DROP
iptables -A FORWARD -s 217.75.120.114 -j DROP
iptables -A FORWARD -s 220.170.79.24 -j DROP
#iptables -A FORWARD -d 168.168.10.158 -j DROP
#iptables -A FORWARD -d 168.168.10.172 -j DROP
#iptables -A FORWARD -d 168.168.10.159 -j DROP
#iptables -A FORWARD -d 168.168.10.170 -j DROP
#iptables -I FORWARD -p tcp -m mac --mac-source 00:11:25:86:CD:02 -j DROP
#iptables -A FORWARD -j ACCEPT
iptables -A FORWARD -s 168.168.0.0/16 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 168.168.0.0/16 -o eth0 -j SNAT --to 210.21.206.75
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 22121 -j DNAT --to 168.168.20.221:21
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 3398 -j DNAT --to 168.168.10.127:3389
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 8500 -j DNAT --to 168.168.10.127:5800
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 9500 -j DNAT --to 168.168.10.127:5900
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 4662 -j DNAT --to 168.168.10.127:4662
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 4672 -j DNAT --to 168.168.10.127:4672
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 443 -j DNAT --to 168.168.10.127:443
#iptables -t nat -A POSTROUTING -s 168.168.0.0/16 -o eth0 -j LOG --log-prefix "DROP_AAA__ " --log-level info
iptables脚本
大家帮我看看,哪个该注释,哪个不该注释,谢谢?
如果有出错的地方请帮忙修改一下,谢谢了?
#!/bin/sh
echo "0" > /proc/sys/net/ipv4/ip_forward
#If you config you device
OUTSIDE_DEVICE=eth0
INSIDE_DEVICE=eth1
LO_DEVICE=lo
#If you config you IP address
OUTSIDE_IP=222.90.69.26
INSIDE_IP=192.168.1.254
LO_IP=127.0.0.1
#CS_IP=192.168.1.250
#FTP_IP=192.168.1.253
#WEB_IP=192.168.1.253
#WIN2000_IP=192.168.1.250
#MIR_IP=192.168.1.250
#MAIL_IP=192.168.1.253
#SERVER_IP=xxx.xxx.xxx.xxx
#OUTSIDE_IP_GW=
#SERVER_IP_GW=
#If you have PC more than 255,Please use 3 C Class address
#ifconfig eth1:1 10.10.0.1 netmask 255.255.255.0 broadcast 10.10.0.255
#ifconfig eth1:2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
#ifconfig eth1:3 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
#If you have OTHER IP ADDRESS
#ifconfig eth0:1 xxx.xxx.xxx.xxx netmask 255.255.255.x broadcast xxx.xxx.xxx.xxx
#route del -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route del -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1
#route add -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route add -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1
#
# We like ues FTP server
#/sbin/modprobe -a
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_nat
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_REJRCT
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_MASQUERADE
IPTABLES="/sbin/iptables"
# Flushing the chains.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -Z # zero all counters
# Policy for chains DROP everything
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N bad_tcp_packets
#$IPTABLES -N lan_forward
$IPTABLES -N icmp_packets
#bad_tcp_packets rules
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-level 5 --log-prefix "dai li ru qin bad man:"
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#iptables -A bad_tcp_packets -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j LOG --log-level 5 --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#FORWARD NEW rules
#$IPTABLES -A lan_forward -p tcp -j bad_tcp_packets
#$IPTABLES -A lan_forward -p ALL -j ACCEPT
# icmp_packets
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
# icmp-type 5 wang luo chong ding xiang
#$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 -j DROP
# Good old masquerading.
#$IPTABLES -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j SNAT --to-source ${OUTSIDE_IP}
# DNS Forward to ISP Dns Server
#$IPTABLES -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.9:53
#$IPTABLES -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.4:53
#$IPTABLES -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.4.15:53
#forward rules
$IPTABLES -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
#INPUT chain
$IPTABLES -A INPUT -p tcp -m state --state NEW -s 0/0 -j bad_tcp_packets
# squid
#$IPTABLES -A INPUT -p ALL -i ${INSIDE_DEVICE} --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 3200 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i ${INSIDE_DEVICE} -j icmp_packets
$IPTABLES -A INPUT -p ALL -s 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "IPT INPUT packet died:"
#squid
#$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# output chain
#IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s ${LO_IP} -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s ${INSIDE_IP} -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s ${OUTSIDE_IP} -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
#WINDOWS 2000 SERVER TSC
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 3389 -j DNAT --to ${WIN2000_IP}:3389
#$IPTABLES -I FORWARD 3 -p tcp -d ${WIN2000_IP} --dport 3389 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${WIN2000_IP} -j SNAT --to-source ${INSIDE_IP}
# Web:
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${WEB_IP}:80
#$IPTABLES -I FORWARD 3 -p tcp -d ${WEB_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${WEB_IP} -j SNAT --to-source ${OUTSIDE_IP}
#mir
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 7000 -j DNAT --to ${MIR_IP}:7000
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP} --dport 7000 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} -j SNAT --to-source ${INSIDE_IP}
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 7100 -j DNAT --to ${MIR_IP}:7100
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP} --dport 7100 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} -j SNAT --to ${INSIDE_IP}
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 7200 -j DNAT --to ${MIR_IP1}:7200
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP1} --dport 7200 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} -j SNAT --to ${INSIDE_IP}
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 63000 -j DNAT --to ${MIR_IP}:63000
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP} --dport 63000 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} --dport 63000 -j SNAT --to ${INSIDE_IP}
# FTP:
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 1200 -j DNAT --to ${FTP_IP}:21
#$IPTABLES -I FORWARD 3 -p tcp -d ${FTP_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${FTP_IP} -j SNAT --to ${INSIDE_IP}
# 5800
#$IPTABLES -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 5800 -j DNAT --to ${SERVER_IP}:5800
#$IPTABLES -I FORWARD 3 -p tcp -d ${SERVER_IP} --dport 5800 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 5800 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}
# CS
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 27017 -j DNAT --to ${CS_IP}:27017
#$IPTABLES -I FORWARD 3 -p tcp -d ${CS_IP} --dport 27017 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${CS_IP} -j SNAT --to ${INSIDE_IP}
# MAIL:
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${MAIL_IP}:25
#$IPTABLES -I FORWARD 3 -p tcp -d ${MAIL_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 143 -j DNAT --to ${MAIL_IP}:110
#$IPTABLES -I FORWARD 3 -p tcp -d ${MAIL_IP} --dport 110 -o ${INSIDE_DEVICE} -j ACCEPT
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# We don't like the NetBIOS and Samba leaking..
$IPTABLES -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 135:139 -j DROP
$IPTABLES -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 137:139 -j DROP
# Finally, list what we have
#$IPTABLES -L
# If broken DNS:
$IPTABLES -L -n
# This enables dynamic IP address following (ADSL)
#echo 7 > /proc/sys/net/ipv4/ip_dynaddr
# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
阅读(1642) | 评论(0) | 转发(0) |
<script type=text/javascript charset=utf-8 src="http://static.bshare.cn/b/buttonLite.js#style=-1&uuid=&pophcol=3&lang=zh"></script> <script type=text/javascript charset=utf-8 src="http://static.bshare.cn/b/bshareC0.js"></script>
网吧使用的Nat+Iptables+Squid的脚本
#!/bin/bash
# 飘飘的风于2003年7月26日修改,端口影射成功。
###--------------------------------------------------------------------###
#以下是定义变数
###--------------------------------------------------------------------###
PATH=/sbin:/usr/sbin:/bin:/usr/bin
RC_SQUID=/etc/rc.d/init.d/squid
EXT_IF=eth1
#外网接口,确定网卡,如果是拨号就用ppp0
INT_IF=eth0
LAN_IP_RANGE="192.168.0.0/24"
STATIC_IP="80.234.71.88"
TRUSTED_TCP_PORT="22 25 53 80 110 143 443 993 995 3389"
TRUSTED_UDP_PORT="53 3389"
ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"
###--------------------------------------------------------------------###
#确定iptables安装情况
###--------------------------------------------------------------------###
which iptables &>/dev/null || {
echo
echo "$(basename $0): iptables程序没有找到"
echo "请先安装好这个程序."
echo
exit 1
}
###--------------------------------------------------------------------###
#废掉ipchains,这是针对redhat以前的版本,新版已经把iptables嵌到内核里了
###--------------------------------------------------------------------###
lsmod | grep ipchains &>/dev/null && {
echo "正在废掉ipchains服务........."
rmmod ipchains
}
###--------------------------------------------------------------------###
#装载模块modules
###--------------------------------------------------------------------###
echo "模块正在载人......"
modprobe ip_tables &>/dev/null || {
echo -n "$(basename $0): ip_tables模块载人失败"
echo "请检查"
exit 3
}
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
module=$(basename $file)
modprobe ${module%.*} &>/dev/null
done
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o
do
module=$(basename $file)
modprobe ${module%.*} &>/dev/null
done
# ------------- 端口开启 ------------
echo "开启所要的端口...."
iptables -N services
for PORT in $TRUSTED_TCP_PORT; do
iptables -A services -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TRUSTED_UDP_PORT; do
iptables -A services -i $EXT_IF -p udp --dport $PORT -j ACCEPT
done
#----ipforwarding--------
echo "打开foward功能"
echo "1" > /proc/sys/net/ipv4/ip_forward
#动态ip使用
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#这里是动态ip实现nat共享必改之处
###---------------------------------------------------###
#清除先前的设定
###---------------------------------------------------###
echo "正在清除先前的设定......."
#清除预定表filter中,所有规则链中的规则
iptables -F
#清除预定表filter中,使用者自定链中的规则
iptables -X
#清除预定表mangle中,所有规则链中的规则
iptables -F -t mangle
#清除预定表mangle中,使用者自定链中的规则
iptables -X -t mangle
#清除nat表中的规则
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
###---------------------------------------------------###
#设定预设规则
###---------------------------------------------------###
#预设规则要么为全部丢弃,要么为全部接受
#本列为全部丢弃,然后逐步开放,这是安全系数很高的设法
#若目标为DROP,则policy设为ACCEPT;若目标为ACCEPT,则policy设为DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#TCP的设定
#
#我们丢弃坏的TCP包
#
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
#局域网共享的实现
#iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_IP_RANGE -j SNAT --to-source $STATIC_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
echo "局域网共享的已实现,请试用局域网机器"
#这一步实现局域网内部机对外部网开放
#凡对$STATIC_IP:80连线者,则转址到192.168.0.100:80
iptables -t nat -A PREROUTING -d 80.234.71.88 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -d 192.168.0.100 --dport 80 -j SNAT --to 192.168.0.1
#192.168.0.250装有win2003,提供远程桌面服务
iptables -t nat -A PREROUTING -d 80.234.71.88 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.250:3389
iptables -A FORWARD -p tcp -d 192.168.0.250 --dport 3389 -j ACCEPT
#允许内网机使用外网机的IP访问内网机,把内网机的IP转换成网关IP
iptables -t nat -I POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -d 192.168.0.250 --dport 3389 -j SNAT --to 192.168.0.1
#允许要转向的包
iptables -A FORWARD -i $INT_IF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#对于不管来自哪里的ip碎片都进行控制,允许每秒通过100个碎片
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
#icmp包通过的控制,防止icmp黑客攻击
iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
#这一条是针对oicq等使用udp服务而接收所有的udp包
#开放主机的ssh port 22,使内部机以ssh连至外部
iptables -A OUTPUT -o $EXT_IF -p tcp -s $STATIC_IP --sport 1024:65535 -d any/0 --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s any/0 --sport 22 -d $STATIC_IP --dport 1024:65535 -j ACCEPT
#防止外网用内网ip欺骗
iptables -t nat -A PREROUTING -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXT_IF -s 172.16.0.0/12 -j DROP
#-----------透明代理------------
$RC_SQUID status | grep pid &>/dev/null && {
echo "透明代理实现"
INT_IP=$(ifconfig | grep $INT_IF -A 1 | awk '/inet/ {print $2}' | sed -e s/addr\://)
if [ -z "$INT_IP" ]; then
echo
echo "$(basename $0): $INT_IF没有IP存在"
echo "请检查$INT_IF是否正确配置了"
echo
exit 3
fi
}
exit 0
## EOS
适用于中小型公司有内网服务器发布的IPTABLES脚本
网络环境如下:
1.网通5M共享带宽线路,一个独立公网IP.
2.内部网络有邮件服务器一台,OA服务器一台,FTP服务器一台,都需要对内和对外发布.
3.局域网络内部总共有40台客户机.
本人考虑到安全性及稳定性,易用性方面的因素,决定采用Red Hat AS4 Kernel 2.6.9-22.EL + iptables 的方案来架设一台代理服务器,并能发布内网服务器并实现NAT,透明防火墙的功能,实在是企业经济选择的最佳方案.
以下是iptables脚本:
eth0: 192.168.1.1 #内网卡地址
eth1: 210.22.25.X #外网卡地址
邮件服务器:192.168.1.84
OA服务器: 192.168.1.85
FTP服务器: 192.168.1.86
在/etc/rc.d 里面 touch fw.sh
并且chmod u+x 改为可执行,然后 vi fw.sh 进入编辑,加入以下脚本.
#!/bin/sh
echo "Enable IP Forwarding..."
echo "1">/proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#Refresh all chains
/sbin/iptables -F -t nat
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -Z
#Presetup
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
#Public 3389 发布OA的3389端口
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.85:3389
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.85 --dport 3389 -j ACCEPT
#Public WEB
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.85:80
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.85 --dport 80 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -p tcp -d 192.168.1.85 --dport 80 -j SNAT --to 192.168.1.1
#Public FTP
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.84:21
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.86 --dport 21 -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s 192.168.0.0/255.255.255.0 -p tcp -d 192.168.1.86 --dport 21 SNAT --to 192.168.1.1
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3000:3020 -d 210.22.25.38 -j DNAT --to 192.168.1.86:3000-3020 #被动FTP PSAV端口
#Public MAIL
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.84:25
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.84 --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 210.22.25.38 -p tcp --dport 110 -j DNAT --to-destination 192.168.1.84:110
/sbin/iptables -A FORWARD -p tcp -d 192.168.1.84 --dport 110 -j ACCEPT
#deny need close port and hacker
/sbin/iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p ICMP -j DROP
/sbin/iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p TCP -port ! 80 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 135 -j DROP
/sbin/iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
/sbin/iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP
/sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold
#MY COMPUTER
/sbin/iptables -I INPUT -s 192.168.1.35 -j ACCEPT
/sbin/iptables -I FORWARD -s 192.168.1.35 -j ACCEPT
/sbin/iptables -I OUTPUT -s 192.168.1.35 -j ACCEPT
#我的电脑当然全部放行拉 :D
注:该脚本我已经在公司里面运行稳定超过半年,而且效果相当令人满意,基本上是免维护了,开机就能用.OUTPUT链鉴于公司领导的要求,我全放行,没办法.由于INPUT链默认是 DROP, 只开放需要开放的端口,一般的黑客攻击是很难成功地:D
Copyright 2006 by 孤零飘客
iptables脚本主要实现了过滤数据包,端口转发,代理服务等功能
#!/bin/sh
echo "Starting Firewall...."
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -t nat -F
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j ACCEPT
iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j ACCEPT
iptables -A INPUT -p tcp --dport 8005 -j ACCEPT
iptables -A INPUT -p tcp --dport 6802 -j ACCEPT
iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
iptables -A INPUT -p tcp --dport 22121 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 7890 -j ACCEPT
iptables -A INPUT -p tcp --sport 7910 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 168.168.20.220 -j ACCEPT
iptables -A INPUT -s 211.94.188.183 -j ACCEPT
iptables -A INPUT -s 211.94.188.140 -j ACCEPT
iptables -A INPUT -s 211.136.85.72/29 -j ACCEPT
iptables -A INPUT -s 211.136.83.80/29 -j ACCEPT
iptables -A INPUT -s 210.21.206.72/29 -j ACCEPT
iptables -A INPUT -s 211.137.43.213 -j ACCEPT
iptables -A INPUT -s 211.137.43.214 -j ACCEPT
iptables -A INPUT -s 202.104.139.254 -j ACCEPT
iptables -A INPUT -s 61.144.222.118 -j ACCEPT
iptables -A INPUT -s 168.168.0.1/16 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -j ACCEPT
#iptables -A INPUT -p tcp -j DROP
#iptables -A INPUT -p udp -j DROP
iptables -A FORWARD -p tcp -d 168.168.30.172 -j ACCEPT
iptables -A FORWARD -d 168.168.10.127 -j ACCEPT
iptables -A FORWARD -s 202.104.139.254 -d 168.168.11.11 -j ACCEPT
iptables -A FORWARD -s 218.206.71.36/28 -d 168.168.11.11 -j ACCEPT
iptables -A FORWARD -d 168.168.11.11 -j DROP
iptables -A FORWARD -d 168.168.20.250 -j DROP
iptables -A FORWARD -p tcp --sport 4662 -j DROP
iptables -A FORWARD -p udp --sport 4672 -j DROP
iptables -A FORWARD -p tcp --sport 4682 -j DROP
iptables -A FORWARD -p tcp --sport 6881:6890 -j DROP
iptables -A FORWARD -p tcp --sport 6969 -j DROP
iptables -A FORWARD -s 211.148.218.7 -j DROP
iptables -A FORWARD -d 61.152.145.70 -j DROP
iptables -A FORWARD -d 61.152.145.70 -j DROP
iptables -A FORWARD -d 217.75.120.114 -j DROP
iptables -A FORWARD -s 217.75.120.114 -j DROP
iptables -A FORWARD -s 220.170.79.24 -j DROP
#iptables -A FORWARD -d 168.168.10.158 -j DROP
#iptables -A FORWARD -d 168.168.10.172 -j DROP
#iptables -A FORWARD -d 168.168.10.159 -j DROP
#iptables -A FORWARD -d 168.168.10.170 -j DROP
#iptables -I FORWARD -p tcp -m mac --mac-source 00:11:25:86:CD:02 -j DROP
#iptables -A FORWARD -j ACCEPT
iptables -A FORWARD -s 168.168.0.0/16 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 168.168.0.0/16 -o eth0 -j SNAT --to 210.21.206.75
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 22121 -j DNAT --to 168.168.20.221:21
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 3398 -j DNAT --to 168.168.10.127:3389
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 8500 -j DNAT --to 168.168.10.127:5800
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 9500 -j DNAT --to 168.168.10.127:5900
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 4662 -j DNAT --to 168.168.10.127:4662
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 4672 -j DNAT --to 168.168.10.127:4672
iptables -t nat -A PREROUTING -p tcp -d 210.21.206.75 --dport 443 -j DNAT --to 168.168.10.127:443
#iptables -t nat -A POSTROUTING -s 168.168.0.0/16 -o eth0 -j LOG --log-prefix "DROP_AAA__ " --log-level info
iptables脚本
大家帮我看看,哪个该注释,哪个不该注释,谢谢?
如果有出错的地方请帮忙修改一下,谢谢了?
#!/bin/sh
echo "0" > /proc/sys/net/ipv4/ip_forward
#If you config you device
OUTSIDE_DEVICE=eth0
INSIDE_DEVICE=eth1
LO_DEVICE=lo
#If you config you IP address
OUTSIDE_IP=222.90.69.26
INSIDE_IP=192.168.1.254
LO_IP=127.0.0.1
#CS_IP=192.168.1.250
#FTP_IP=192.168.1.253
#WEB_IP=192.168.1.253
#WIN2000_IP=192.168.1.250
#MIR_IP=192.168.1.250
#MAIL_IP=192.168.1.253
#SERVER_IP=xxx.xxx.xxx.xxx
#OUTSIDE_IP_GW=
#SERVER_IP_GW=
#If you have PC more than 255,Please use 3 C Class address
#ifconfig eth1:1 10.10.0.1 netmask 255.255.255.0 broadcast 10.10.0.255
#ifconfig eth1:2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
#ifconfig eth1:3 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
#If you have OTHER IP ADDRESS
#ifconfig eth0:1 xxx.xxx.xxx.xxx netmask 255.255.255.x broadcast xxx.xxx.xxx.xxx
#route del -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route del -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1
#route add -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route add -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1
#
# We like ues FTP server
#/sbin/modprobe -a
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_nat
#/sbin/modprobe iptable_mangle
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ipt_REJRCT
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_MASQUERADE
IPTABLES="/sbin/iptables"
# Flushing the chains.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -Z # zero all counters
# Policy for chains DROP everything
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N bad_tcp_packets
#$IPTABLES -N lan_forward
$IPTABLES -N icmp_packets
#bad_tcp_packets rules
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-level 5 --log-prefix "dai li ru qin bad man:"
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#iptables -A bad_tcp_packets -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j LOG --log-level 5 --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#FORWARD NEW rules
#$IPTABLES -A lan_forward -p tcp -j bad_tcp_packets
#$IPTABLES -A lan_forward -p ALL -j ACCEPT
# icmp_packets
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
# icmp-type 5 wang luo chong ding xiang
#$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 -j DROP
# Good old masquerading.
#$IPTABLES -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j SNAT --to-source ${OUTSIDE_IP}
# DNS Forward to ISP Dns Server
#$IPTABLES -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.9:53
#$IPTABLES -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.4:53
#$IPTABLES -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.4.15:53
#forward rules
$IPTABLES -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
#INPUT chain
$IPTABLES -A INPUT -p tcp -m state --state NEW -s 0/0 -j bad_tcp_packets
# squid
#$IPTABLES -A INPUT -p ALL -i ${INSIDE_DEVICE} --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 --dport 3200 -j ACCEPT
$IPTABLES -A INPUT -p icmp -i ${INSIDE_DEVICE} -j icmp_packets
$IPTABLES -A INPUT -p ALL -s 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 5 --log-prefix "IPT INPUT packet died:"
#squid
#$IPTABLES -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# output chain
#IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s ${LO_IP} -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s ${INSIDE_IP} -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s ${OUTSIDE_IP} -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
#WINDOWS 2000 SERVER TSC
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 3389 -j DNAT --to ${WIN2000_IP}:3389
#$IPTABLES -I FORWARD 3 -p tcp -d ${WIN2000_IP} --dport 3389 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${WIN2000_IP} -j SNAT --to-source ${INSIDE_IP}
# Web:
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${WEB_IP}:80
#$IPTABLES -I FORWARD 3 -p tcp -d ${WEB_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${WEB_IP} -j SNAT --to-source ${OUTSIDE_IP}
#mir
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 7000 -j DNAT --to ${MIR_IP}:7000
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP} --dport 7000 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} -j SNAT --to-source ${INSIDE_IP}
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 7100 -j DNAT --to ${MIR_IP}:7100
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP} --dport 7100 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} -j SNAT --to ${INSIDE_IP}
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 7200 -j DNAT --to ${MIR_IP1}:7200
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP1} --dport 7200 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} -j SNAT --to ${INSIDE_IP}
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 63000 -j DNAT --to ${MIR_IP}:63000
#$IPTABLES -I FORWARD 3 -p tcp -d ${MIR_IP} --dport 63000 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${MIR_IP} --dport 63000 -j SNAT --to ${INSIDE_IP}
# FTP:
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 1200 -j DNAT --to ${FTP_IP}:21
#$IPTABLES -I FORWARD 3 -p tcp -d ${FTP_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${FTP_IP} -j SNAT --to ${INSIDE_IP}
# 5800
#$IPTABLES -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 5800 -j DNAT --to ${SERVER_IP}:5800
#$IPTABLES -I FORWARD 3 -p tcp -d ${SERVER_IP} --dport 5800 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 5800 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}
# CS
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 27017 -j DNAT --to ${CS_IP}:27017
#$IPTABLES -I FORWARD 3 -p tcp -d ${CS_IP} --dport 27017 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -p tcp -d ${CS_IP} -j SNAT --to ${INSIDE_IP}
# MAIL:
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${MAIL_IP}:25
#$IPTABLES -I FORWARD 3 -p tcp -d ${MAIL_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -d ${OUTSIDE_IP} --dport 143 -j DNAT --to ${MAIL_IP}:110
#$IPTABLES -I FORWARD 3 -p tcp -d ${MAIL_IP} --dport 110 -o ${INSIDE_DEVICE} -j ACCEPT
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# We don't like the NetBIOS and Samba leaking..
$IPTABLES -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 135:139 -j DROP
$IPTABLES -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 137:139 -j DROP
# Finally, list what we have
#$IPTABLES -L
# If broken DNS:
$IPTABLES -L -n
# This enables dynamic IP address following (ADSL)
#echo 7 > /proc/sys/net/ipv4/ip_dynaddr
# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
相关热门文章
给主人留下些什么吧!~~
评论热议