All the firewall scripts out there are written by foreigners, so I wrote one myself. I hope everyone will work on it together with me.

  The DMZ part is not yet complete and there are bound to be omissions; I hope you will improve it with me and make it more and more powerful. To use it, copy firewall-dev to /etc/rc.d/init.d and copy firewall.conf to /etc/; you only need to edit the firewall.conf file. Use firewall-dev start|stop to start and stop the firewall. More features are being added; if you make any changes, please send me a copy: arlenecc@263.net

  In the spirit of the GPL I hope like-minded people will help me improve it; if you make changes, please let me know!!!!

  firewall-dev

#!/bin/bash
#
# This is a firewall script with stateful inspection and IP filtering;
# change it to meet your needs. In a few words:
#   UPLINK      the outgoing (uplink) interface
#   ROUTER      whether you need this box to be a router or not
#   NAT         "dynamic" if you are using a dynamic IP address,
#               otherwise the static uplink address
#   INTERFACES  all the interfaces in your server
#   SERVICES    all the services your server provides
# enjoy it !!!   ----- written by arlenecc
#
##############################################################################
#                                                                            #
#   Copyright (c) 2002 arlenecc arlenecc@netease.com                         #
#   All rights reserved                                                      #
#                                                                            #
##############################################################################
#
# now begins the firewall

# The installation notes say to copy firewall.conf to /etc, so read it from
# there (the original read /root/firewall.conf).
CONF=/etc/firewall.conf

# conf KEY: the value of the KEY=value line in the config file. The key is
# anchored at the start of the line and only the first match is used, so
# "H323" no longer also picks up "H323_PORT".
conf() {
    grep "^$1=" "${CONF}" | head -n 1 | cut -d = -f 2-
}

UPLINK=$(conf UPLINK)
UPIP=$(conf UPIP)
ROUTER=$(conf ROUTER)
NAT=$(conf NAT)
INTERFACES=$(conf INTERFACES)
SERVICES=$(conf SERVICES)
DENYPORTS=$(conf DENYPORTS)
DENYUDPPORT=$(conf DENYUDPPORT)
LAN_IF=$(conf LAN_IF)
LAN_NET=$(conf LAN_NET)
DMZ_NET=$(conf DMZ_NET)
DMZ_IF=$(conf DMZ_IF)
DMZ_TCP_PORT=$(conf DMZ_TCP_PORT)   # reserved for the DMZ rules, not used yet
DMZ_UDP_PORT=$(conf DMZ_UDP_PORT)   # reserved for the DMZ rules, not used yet
WEB_IP=$(conf WEB_IP)
FTP_IP=$(conf FTP_IP)
H323_PORT=$(conf H323_PORT)
H323=$(conf H323)
H323HOST=$(conf H323HOST)           # DMZ host that receives the H.323 ports
SELF_SET=$(conf SELF_SET)

if [ "$1" = "start" ]
then
    echo "Starting firewall......"
    echo "NOW preparing kernel for use, please wait....."
    # ip_forward is only enabled further down, when ROUTER=yes
    # if [ -e /proc/sys/net/ipv4/ip_forward ]
    # then
    #     echo 1 >/proc/sys/net/ipv4/ip_forward
    # fi
    if [ "$NAT" = "dynamic" ]
    then
        echo "Enable dynamic ip support...."
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
    then
        echo "Enable the SYN cookie flood protection"
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
    then
        echo "Setting the maximum number of connections to track.... "
        echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
    then
        echo " Setting local port range for TCP/UDP connections...."
        echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
        echo " OK !!!!"
    fi
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
    then
        echo "Enable bad error message protection......."
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo " OK !!!! "
    fi
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo "Disabling tcp_ecn, please wait..."
        echo 0 >/proc/sys/net/ipv4/tcp_ecn
        echo " OK !!!! "
    fi
    for x in ${INTERFACES}
    do
        # only interfaces that actually exist have an rp_filter entry
        if [ -e /proc/sys/net/ipv4/conf/${x}/rp_filter ]
        then
            echo " Enabling rp_filter on ${x}, please wait...."
            echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
            echo " ${x} OK !!!! "
        fi
    done
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
    then
        echo "Disabling ICMP redirects, please wait...."
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo " OK !!!! "
    fi
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
    then
        echo "Disabling source routing of packets, please wait...."
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route
        do
            echo 0 > $i
            echo " $i OK !!!! "
        done
    fi
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
    then
        echo "Ignore any broadcast icmp echo requests......"
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo " OK !!!! "
    fi
    # if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]
    # then
    #     echo "LOG packets with impossible addresses to kernel log...."
    #     echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    #     echo " OK !!!! "
    # fi
    #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
    #modprobe ip_tables
    depmod -a

    # default policies: drop everything that is not explicitly accepted
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -F -t nat
    iptables -F -t mangle
    iptables -Z
    iptables -X
    iptables -N CHECK_FLAGS
    iptables -F CHECK_FLAGS
    iptables -N tcpHandler
    iptables -F tcpHandler
    iptables -N udpHandler
    iptables -F udpHandler
    iptables -N icmpHandler
    iptables -F icmpHandler
    iptables -N DROP-AND-LOG
    iptables -F DROP-AND-LOG
    echo "OK, the kernel is now prepared for building a firewall!!!"
    echo "Waiting ........................"
    echo "Creating a drop chain....."
    iptables -A DROP-AND-LOG -j LOG --log-level 5
    iptables -A DROP-AND-LOG -j DROP
    echo " OK !!!!"

    # CHECK_FLAGS: log (rate limited) and drop TCP packets with illegal
    # flag combinations, as produced by scanners
    echo "Now starting the check_flag rules, please wait...."
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVALID NMAP SCAN "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
    iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
    iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
    iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
    iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
    echo " OK !!!! Finished check_flags rules...."

    echo "Now starting the input rules, please wait......."
    # loopback is never filtered; without this the DROP policy breaks local services
    iptables -A INPUT -i lo -j ACCEPT
    # run every incoming TCP packet through the flag checks built above
    iptables -A INPUT -p tcp -j CHECK_FLAGS
    for x in ${DENYPORTS}
    do
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVALID PORT:${x} TCP IN:"
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
        iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} SYN IN:"
        iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP
    done
    for x in ${DENYUDPPORT}
    do
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
        iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
    done
    #iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    # services this host offers to the outside
    for x in ${SERVICES}
    do
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # spoofed private, multicast and reserved sources arriving on the uplink
    # (the private block was written as 172.12.0.0/16; RFC 1918 is 172.16.0.0/12)
    iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 172.16.0.0/12 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
    iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG
    #iptables -A INPUT -i ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
    # nothing from the DMZ may reach the LAN side of this host
    iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID TCP FROM DMZ:"
    iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID UDP FROM DMZ:"
    iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
    iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVALID ICMP FROM DMZ:"
    iptables -A INPUT -p icmp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j DROP
    iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUEST:"
    iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
    iptables -A INPUT -p icmp -i ${UPLINK} -j LOG --log-prefix "INVALID ICMP IN:"
    iptables -A INPUT -p icmp -i ${UPLINK} -j REJECT --reject-with icmp-net-unreachable
    iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVALID UDP IN:"
    iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVALID TCP IN:"
    iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j LOG --log-prefix "NEW,INVALID state:"
    iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
    iptables -A INPUT -i ${UPLINK} -f -j LOG --log-prefix "INVALID FRAGMENTS ${UPLINK}:"
    iptables -A INPUT -i ${UPLINK} -f -j DROP
    iptables -A INPUT -i ${LAN_IF} -f -j LOG --log-prefix "INVALID FRAGMENT ${LAN_IF}:"
    iptables -A INPUT -i ${LAN_IF} -f -j DROP
    iptables -A INPUT -i ${DMZ_IF} -f -j LOG --log-prefix "INVALID FRAGMENT ${DMZ_IF}:"
    iptables -A INPUT -i ${DMZ_IF} -f -j DROP
    iptables -A INPUT -i ${UPLINK} -j DROP
    echo " OK !!!! The input rules have been applied successfully, continuing......"

    echo " Now starting FORWARD rules, please wait ....."
    iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # new connections from the uplink are rate limited per protocol by the handler chains
    iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
    iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
    iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
    iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
    iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
    iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
    iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP excess connections "
    iptables -A tcpHandler -p tcp -j DROP
    iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP excess connections"
    iptables -A udpHandler -p udp -j DROP
    iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
    iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP excess connections"
    iptables -A icmpHandler -p icmp -j DROP
    iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
    iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
    #iptables -A FORWARD -o ${UPLINK} -i ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #iptables -A FORWARD -o ${UPLINK} -i ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # the DMZ may never open connections towards the LAN
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j LOG --log-prefix "INVALID TCP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j LOG --log-prefix "INVALID UDP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p udp -j DROP
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j LOG --log-prefix "INVALID ICMP FORWARD FROM DMZ:"
    iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -p icmp -j DROP
    iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
    iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID TCP FORWARD DATA"
    iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID UDP FORWARD DATA"
    iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
    iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
    iptables -A FORWARD -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -j DROP
    echo " OK !!!! The forward rules have been applied successfully, continuing......"

    echo " Now applying output rules, please wait ...."
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${LAN_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${DMZ_NET} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j LOG --log-prefix "INVALID TCP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p tcp -j REJECT --reject-with tcp-reset
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j LOG --log-prefix "INVALID UDP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p udp -j DROP
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j LOG --log-prefix "INVALID ICMP OUTPUT FROM DMZ:"
    iptables -A OUTPUT -s ${DMZ_NET} -o ${LAN_IF} -p icmp -j DROP
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVALID ICMP STATE OUTPUT:"
    iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVALID NEW,INVALID STATE:"
    iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
    iptables -A OUTPUT -j DROP
    echo " OK !!!! The OUTPUT rules have been applied successfully, continuing......."

    echo " Now applying nat rules, please wait ...."
    #iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
    #iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 23 -j REDIRECT --to-port 14867
    # packets arriving on the uplink addressed to internal networks are spoofed
    iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
    iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP
    if [ "$ROUTER" = "yes" ]
    then
        echo " enabling ip_forward, please wait..."
        echo 1 >/proc/sys/net/ipv4/ip_forward
        echo "OK"
        if [ "$NAT" = "dynamic" ]
        then
            echo "Enabling MASQUERADING (dynamic ip)..."
            echo "Dynamic PPP connection, now getting the dynamic ip address"
            # parses the old net-tools ifconfig output ("inet addr:A.B.C.D ...")
            # on the uplink interface
            IP_ADDR=$(ifconfig ${UPLINK} | grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1)
            echo " Now your IP ADDRESS is : ${IP_ADDR} "
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
            iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
            # --dport needs -p tcp, otherwise iptables rejects the rule
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 80 -j DNAT --to ${WEB_IP}:80
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 21 -j DNAT --to ${FTP_IP}:21
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 20 -j DNAT --to ${FTP_IP}:20
            if [ "$H323" = "yes" ]
            then
                echo "Starting H323 NAT setting......"
                for port in ${H323_PORT}
                do
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${IP_ADDR} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                done
            fi
            echo " OK, NAT setting started successfully.."
        elif [ -n "$NAT" ]
        then
            echo "Enabling SNAT (static ip)..."
            # iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 20 -j DNAT --to ${FTP_IP}:20
            iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 21 -j DNAT --to ${FTP_IP}:21
            if [ "$H323" = "yes" ]
            then
                echo "Starting H323 NAT setting........"
                for port in ${H323_PORT}
                do
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                    iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${UPIP} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
                done
            fi
            echo " OK !!!!"
        fi
    fi
    if [ "$SELF_SET" = "yes" ]
    then
        echo "Starting the rules you set yourself......"
        # user-defined rules (SELF_SET, BLOCK_TYPE, ... in firewall.conf) are
        # not implemented in this version
        echo " OK !!!!"
    fi
    echo " All rules have been applied successfully, enjoy it...."
elif [ "$1" = "stop" ]
then
    echo "Stopping Firewall...."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    iptables -F tcpHandler
    iptables -F udpHandler
    iptables -F icmpHandler
    iptables -F CHECK_FLAGS
    iptables -F DROP-AND-LOG
    iptables -X tcpHandler
    iptables -X udpHandler
    iptables -X icmpHandler
    iptables -X CHECK_FLAGS
    iptables -X DROP-AND-LOG
    echo "The firewall has been shut down successfully, be careful !!!"
else
    echo "Usage: $0 start|stop"
fi

  firewall.conf

UPLINK=eth1
UPIP=192.168.2.188
ROUTER=yes
NAT=192.168.2.188
INTERFACES=lo eth0 eth1 eth2
SERVICES=http ftp
DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.3.0/24
DMZ_IF=eth2
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=192.168.3.1
FTP_IP=192.168.3.2
H323_PORT=
H323=no
#DMZ host that receives the H323 ports when H323=yes (the script uses it as ${H323HOST})
H323HOST=
#here you can add block rules yourself, but be sure you fill in all of these settings, otherwise it will not work at all !!!!
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
#here you can add icmp block rules yourself; be sure you fill in all of these settings, otherwise it will not work at all !!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=
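The script reads this file with an unanchored `grep "KEY"`, which makes `H323` also match `H323_PORT`, and nothing checks that the interfaces named in the rules are in INTERFACES (where rp_filter gets enabled) or that H323=yes comes with an H323HOST. The following is an added example, not part of firewall-dev, that reads the format with the key anchored and runs those checks over a constructed copy of the config; the file paths and function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original firewall-dev script: an anchored
# reader for the firewall.conf format above plus two sanity checks.

# Constructed sample, trimmed from the firewall.conf shipped with the script.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
UPLINK=eth1
ROUTER=yes
INTERFACES=lo eth0 eth1 eth2
LAN_IF=eth0
DMZ_IF=eth2
H323_PORT=1720
H323=no
EOF

# Second constructed config with two mistakes: DMZ_IF is not in INTERFACES
# (rp_filter never gets enabled on it) and H323=yes has no H323HOST (the
# DNAT --to target would be empty).
BAD_CONF=$(mktemp)
sed -e 's/^DMZ_IF=.*/DMZ_IF=eth3/' -e 's/^H323=.*/H323=yes/' "$SAMPLE_CONF" > "$BAD_CONF"

# conf_get FILE KEY: value of KEY=, matched only at line start and only the
# first hit, so "H323" no longer also matches "H323_PORT".
conf_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d = -f 2-
}

# conf_get_naive FILE KEY: the unanchored grep the original script used, kept
# only to make the collision visible (matches joined with spaces).
conf_get_naive() {
    grep "$2" "$1" | cut -d = -f 2 | tr '\n' ' '
}

# iface_known FILE IFACE: succeed when IFACE is listed in INTERFACES.
iface_known() {
    for i in $(conf_get "$1" INTERFACES); do
        [ "$i" = "$2" ] && return 0
    done
    return 1
}

# check_conf FILE: print each problem found and return how many there were.
check_conf() {
    f=$1; problems=0
    for key in UPLINK LAN_IF DMZ_IF; do
        v=$(conf_get "$f" "$key")
        if ! iface_known "$f" "$v"; then
            echo "$key=$v is not listed in INTERFACES"
            problems=$((problems + 1))
        fi
    done
    if [ "$(conf_get "$f" H323)" = yes ] && [ -z "$(conf_get "$f" H323HOST)" ]; then
        echo "H323=yes but H323HOST is empty: DNAT would have no target"
        problems=$((problems + 1))
    fi
    return $problems
}

check_conf "$SAMPLE_CONF" && echo "sample firewall.conf looks consistent"
```

Run it against the real /etc/firewall.conf by passing that path to check_conf before starting the firewall.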

  http://61.129.112.46/firewall-0.0.2.tar.gz

After unpacking, run install.sh; if you want to adapt it to your own needs, edit the relevant settings in /etc/firewall.conf.