# WARNING: half-finished firewall script, for testing only -- use with caution!
# (Note: the '#!/bin/sh' line below only acts as a shebang if it is the very first line of the file.)

#!/bin/sh
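# Wrapper commands. Every iptables call goes through sudo, so the script is
# meant to be run by an unprivileged user with sudo rights; the absolute path
# avoids picking up a different 'iptables' from $PATH.
IPT="sudo /usr/sbin/iptables"
SUDO="sudo"

# Interfaces.
#### wan is 3com ext if
#### lan is 8139 int if
WAN="eth0"
LAN="eth1"
DMZ="eth2"
# Address book. LAN_IP, DMZ, DMZ_SQUID, DMZ_SQUID_PORT, SAFE_IP and
# SAFE_PORTS_RANGE are not referenced by any active rule in this script
# (only by commented-out ones); kept so existing callers keep working.
LAN_IP="192.168.0.0/24"
DMZ_SQUID="10.0.0.3"
DMZ_SQUID_PORT="50401"

WAN_IP="192.168.1.222"
SAFE_IP="192.168.1.88"
# Source range that may reach SAFE_PORTS on this host (see start()).
SAFE_IP_RANGE="192.168.1.8-192.168.1.88"

# TCP ports on this host that start() opens towards the WAN side.
LAN_PORTS="8881,8882,8883,8888"
# 1:1 NAT pairs: traffic from LAN_IPx leaves as WAN_IPx and anything sent to
# WAN_IPx is translated back to LAN_IPx (see start()).
#--------A------
LAN_IPA="192.168.0.112"
WAN_IPA="192.168.1.112"
#--------B------
LAN_IPB="192.168.0.113"
WAN_IPB="192.168.1.113"
#--------C------   (this group was mislabelled "B" before)
LAN_IPC="192.168.0.114"
WAN_IPC="192.168.1.114"

#---------------
SSH_PORT="22"
# Public port on WAN_IP; start() DNATs it to LAN_IPA:LAN_WEB_PORT.
WAN_WEB_PORT="8080"
LAN_WEB_PORT="80"
RSYNC_PORT="600"
SAFE_PORTS="8001,8002"
SAFE_PORTS_RANGE="8001:8003"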

#---------------
start () {
# Build the complete ruleset from scratch.
# NOTE(review): start() does not flush anything itself; it relies on the
# dispatcher at the bottom running stop() first ("start)stop;start;;").
# Calling start() twice without stop() appends every rule a second time.
echo "start()"
# Connection-tracking and NAT helpers for protocols that open secondary
# connections (FTP data channel, IRC DCC, TFTP, amanda).
# NOTE(review): these are the legacy ip_conntrack_*/ip_nat_* module names;
# current kernels ship them as nf_conntrack_*/nf_nat_*, and a failing
# modprobe is silently ignored here -- confirm against the target kernel.
$SUDO modprobe ip_conntrack_amanda
$SUDO modprobe ip_conntrack_ftp
$SUDO modprobe ip_conntrack_tftp
$SUDO modprobe ip_conntrack_irc
$SUDO modprobe ip_nat_irc
$SUDO modprobe ip_nat_ftp
$SUDO modprobe ip_nat_amanda
$SUDO modprobe ip_nat_tftp

# Dynamic-address support (ip_dynaddr); left disabled.
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Turn the box into a router.
# NOTE(review): forwarding is switched on here while the FORWARD policy is
# still ACCEPT (stop() has just set it and flushed every rule), so until the
# -P lines below run everything is forwarded unfiltered. Move this sysctl
# after the policy lines to fail closed.
echo "sysctl net.ipv4.ip_forward=1"
$SUDO sysctl net.ipv4.ip_forward=1
# SYN cookies: basic SYN-flood protection for services on this host.
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "$SUDO sysctl net.ipv4.tcp_syncookies=1"
$SUDO sysctl net.ipv4.tcp_syncookies=1

# Do not log ICMP error replies that violate the RFC (some routers send them).
echo "echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
$SUDO sysctl net.ipv4.icmp_ignore_bogus_error_responses=1

# Default policies: fail closed for inbound and transit traffic, let the host
# itself talk freely.
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
#$IPT -P INPUT ACCEPT
#$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Earlier, cruder FORWARD variants kept for reference (disabled).
#$IPT -P FORWARD ACCEPT
#$IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
#$IPT -A FORWARD -i $WAN -o $LAN -j ACCEPT
#$IPT -A FORWARD -i $WAN -s 192.168.1.0/24 -o $LAN -j ACCEPT
#$IPT -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

# Stateful core: replies and related packets of already accepted flows pass
# in both chains, so every rule below only has to admit NEW connections.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Plain masquerading is not used; each host below gets its own public address.
#$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#--------------------A-------------------------------------
# 1:1 NAT for host A: LAN_IPA appears on the WAN as WAN_IPA, and anything
# addressed to WAN_IPA is rewritten to LAN_IPA.
# NOTE(review): the DNAT has no -p/--dport, so every port of WAN_IPA maps to
# LAN_IPA; what is then actually forwarded is decided by the FORWARD rules
# below (see the note on the 192.168.0.0/16 ACCEPT there).
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN_IPA -j SNAT --to-source $WAN_IPA
$IPT -t nat -A PREROUTING -i $WAN -d $WAN_IPA -j DNAT --to-destination $LAN_IPA

# Public web port on the firewall's own WAN_IP, forwarded to host A's web server.
#$IPT -t nat -A PREROUTING -i $WAN --dport $WAN_WEB_PORT -j DNAT --to $LAN_IPA:$LAN_WEB_PORT
#$IPT -t nat -A PREROUTING -i $WAN -d $WAN_IP --dport $WAN_WEB_PORT -j DNAT --to $LAN_IPA:$LAN_WEB_PORT
#echo "start == $IPT -t nat -A PREROUTING -i $WAN -d $WAN_IP --dport $WAN_WEB_PORT -j DNAT --to $LAN_IPA:$LAN_WEB_PORT"
$IPT -t nat -A PREROUTING -i $WAN -d $WAN_IP -p tcp --dport $WAN_WEB_PORT -j DNAT --to $LAN_IPA:$LAN_WEB_PORT
# NOTE(review): this debug echo is stale -- it omits the '-p tcp' that the
# rule above actually uses.
echo "end == $IPT -t nat -A PREROUTING -i $WAN -d $WAN_IP --dport $WAN_WEB_PORT -j DNAT --to $LAN_IPA:$LAN_WEB_PORT"
#--------------------B-------------------------------------
# 1:1 NAT for host B (same shape and same all-ports caveat as A).
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN_IPB -j SNAT --to-source $WAN_IPB
$IPT -t nat -A PREROUTING -i $WAN -d $WAN_IPB -j DNAT --to-destination $LAN_IPB
#--------------------C-------------------------------------
# 1:1 NAT for host C (same shape and same all-ports caveat as A).
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN_IPC -j SNAT --to-source $WAN_IPC
$IPT -t nat -A PREROUTING -i $WAN -d $WAN_IPC -j DNAT --to-destination $LAN_IPC
#----------------------------------------------------------

# Forwarded SSH arriving on the WAN side, inserted at the head of FORWARD
# (ahead of the SYN rate limit further down).
# NOTE(review): 192.168.1.0/255.255.0.0 and 192.168.0.0/255.255.0.0 are the
# same network, 192.168.0.0/16 -- the second rule duplicates the first, and
# the /16 also covers the LAN subnet itself. If only the WAN segment is
# meant, use a /24.
$IPT -I FORWARD -i ${WAN} -s 192.168.1.0/255.255.0.0 -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -I FORWARD -i ${WAN} -s 192.168.0.0/255.255.0.0 -p tcp --dport $SSH_PORT -j ACCEPT

#$IPT -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

#--------------------------for rsync --------------------------
# NOTE(review): the INPUT rule matches only RELATED,ESTABLISHED, which the
# generic state rule above already accepts, so no NEW inbound rsync
# connection is admitted here. Together with the OUTPUT rule this only lets
# the firewall itself initiate rsync over the WAN -- fine if that is the intent.
$IPT -A INPUT -p tcp --dport $RSYNC_PORT -i ${WAN} -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport $RSYNC_PORT -o ${WAN} -j ACCEPT
#--------------------------for rsync end--------------------------


#====================================================================
# Block ping: drop NEW echo-requests. The lo/LAN accepts further down are
# inserted at position 1 after this one, so they end up ahead of it and LAN
# pings are still answered; only pings from other interfaces are dropped.
$IPT -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j DROP
#------------- the TCP-flag scan filters below are said to be obsolete; kept disabled --------------------
# drop packets with exactly FIN,URG,PSH set (Xmas-scan signature)
# $IPT -A INPUT -i $WAN -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPT -A INPUT -i $WAN -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPT -A INPUT -i $WAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# $IPT -A INPUT -i $WAN -p tcp --tcp-flags ALL ALL -j DROP
# $IPT -A INPUT -i $WAN -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# $IPT -A INPUT -i $WAN -p tcp --tcp-flags ALL NONE -j DROP
#====================================================================
#disable ping (outbound variant and WAN allow-all-ICMP variant, both disabled)
#$IPT -A OUTPUT -p icmp --icmp-type echo-request -j DROP
#$IPT -I INPUT -i $WAN -p icmp -s 0/0 -d 0/0 -j ACCEPT


# Disabled experiments: per-port DNAT for host A and blanket INPUT accepts.
#$IPT -t nat -A PREROUTING -i $WAN -d $WAN_IPA -dport $LAN_PORTS -j DNAT --to-destination $LAN_IPA
#$IPT -t filter -A INPUT -i $WAN -j ACCEPT
#$IPT -t filter -A INPUT -i $LAN -j ACCEPT

# Trust the LAN interface and loopback completely; both are inserted at the
# very top of INPUT (lo ends up first, then LAN).
# NOTE(review): because everything from LAN is accepted here, the four
# REJECT/DROP rules right below can never match -- they are dead. If LAN
# hosts are meant to be kept off this box's DHCP/DNS and privileged ports,
# this rule has to come after them (or be narrowed).
$IPT -I INPUT 1 -i ${LAN} -j ACCEPT
$IPT -I INPUT 1 -i lo -j ACCEPT
echo "-------------"
# Intended: keep LAN clients off the firewall's bootps/domain and all
# privileged ports -- unreachable in the current rule order, see above.
$IPT -A INPUT -p UDP --dport bootps -i ${LAN} -j REJECT
$IPT -A INPUT -p UDP --dport domain -i ${LAN} -j REJECT
$IPT -A INPUT -p TCP -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
$IPT -A INPUT -p UDP -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Same filters for non-LAN interfaces, disabled (INPUT policy is DROP anyway).
# $IPT -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
# $IPT -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
# $IPT -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
# $IPT -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
echo "-------------"

# Services on this host that are reachable from the WAN side.
$IPT -t filter -A INPUT -i $WAN -p tcp -m multiport --dports $LAN_PORTS -j ACCEPT

#$IPT -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
# LAN may initiate anything outbound.
$IPT -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
# NOTE(review): 192.168.1.0/255.255.0.0 normalizes to 192.168.0.0/16, which
# includes the LAN 192.168.0.0/24. Any packet arriving on WAN whose
# destination is -- or, after the DNAT rules above, has become -- a
# 192.168.x.x address is therefore forwarded on every port: hosts A/B/C are
# exposed on all ports, and a WAN host that routes a LAN address via this
# box reaches it directly. Presumably only the DNAT targets were meant;
# restrict to those hosts and to -p/--dport, or at the very least to a /24.
$IPT -A FORWARD -i ${WAN} -d 192.168.1.0/255.255.0.0 -j ACCEPT

# Examples for blocking a single LAN host by IP or MAC, disabled.
#$IPT -A FORWARD -s 192.168.0.3 -j DROP
#$IPT -A FORWARD -m mac --mac-source 11:22:33:44:55:66 -j DROP

# SSH SYN rate limit (1/s, default burst of 5) for transit and local SSH.
# In FORWARD the two -I rules near the top already accept /16 sources before
# this is reached; in INPUT the ACCEPT here runs before the sshguard jump below.
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s --dport $SSH_PORT -j ACCEPT
$IPT -A FORWARD -p tcp --syn --dport $SSH_PORT -j DROP
$IPT -A INPUT -p tcp --syn -m limit --limit 1/s --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -p tcp --syn --dport $SSH_PORT -j DROP

# $IPT -t filter -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
# $IPT -t filter -A FORWARD -i $LAN -o $WAN -j ACCEPT

#----------iprange-----------------------
#$IPT -A FORWARD -m iprange --src-range $SAFE_IP_RANGE -j DROP
#---------------------------------
#$IPT -A INPUT -s 10.0.0.0/24 -p tcp --syn -m connlimit --connlimit-above 10 -j DROP
#---------------------------------
# User chain populated by sshguard with DROPs for brute-forcing sources.
# NOTE(review): the jump is appended after the SYN limit rules, so every new
# SSH SYN has already been ACCEPTed (or rate-dropped) before it could reach
# this chain; sshguard's DROP entries never see connection attempts. Insert
# the jump at the head of INPUT (e.g. -I INPUT ... -j sshguard) to make it bite.
$IPT -N sshguard
$IPT -A INPUT -p tcp --dport $SSH_PORT -j sshguard
# Operator notes: feed sshguard from the auth log; list, flush, or remove a
# single block from the chain.
#tail -n0 -f /var/log/auth.log | /usr/sbin/sshguard
#sudo iptables -L sshguard
#sudo iptables -F sshguard
#sudo iptables -D sshguard -s x.x.x.x -p tcp --dport $SSH_PORT -j DROP
#---------------------------------

# SAFE_IP_RANGE may reach SAFE_PORTS on this host. No -i, so it applies on
# every interface (LAN is already fully accepted above anyway).
$IPT -A INPUT -m iprange --src-range $SAFE_IP_RANGE -p tcp -m multiport --dports $SAFE_PORTS -j ACCEPT
#$IPT -A INPUT -s $SAFE_IP -p tcp --dport $SAFE_PORT -j ACCEPT
#$IPT -A FORWARD -m iprange --src-range $SAFE_IP_RANGE -j DROP

# Strict reverse-path filtering on every interface (the glob also covers the
# 'all' and 'default' entries). The write goes through 'sudo sh -c' because
# the redirection itself, not just echo, has to run as root.
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
#echo "echo 1 > $f"
$SUDO sh -c "echo 1 > $f"
done
}

stop() {
  echo "stop()"
  # Flush rules (-F), delete user-defined chains (-X) and zero counters (-Z),
  # first in the default filter table, then in nat and mangle.
  for op in -F -X -Z; do
    $IPT $op
  done
  for tbl in nat mangle; do
    for op in -F -X -Z; do
      $IPT $op -t $tbl
    done
  done
  # NOTE(review): from here on the host has no firewall at all -- every
  # built-in chain is set to ACCEPT and nothing restores the rules until
  # start() is run again.
  for chain in INPUT FORWARD OUTPUT; do
    $IPT -P $chain ACCEPT
  done
}

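meet () {
  # Allow forwarding to every destination listed in ./meet.txt, one IPv4
  # address, CIDR block or hostname per line. Blank lines and lines starting
  # with '#' are skipped. The file is read relative to the current directory,
  # as before.
  if [ ! -r meet.txt ]; then
    echo "meet: cannot read meet.txt" >&2
    return 1
  fi
  # IFS= and -r keep each line intact; the || [ -n ... ] also processes a
  # final line that has no trailing newline.
  while IFS= read -r dest || [ -n "$dest" ]; do
    case "$dest" in
      ''|'#'*)
        continue
        ;;
      -*|*[!A-Za-z0-9./_-]*)
        # Previously the value was unquoted, so a line like
        # "10.0.0.0/8 -j ACCEPT" or a leading '-' would be split into extra
        # iptables arguments (argument injection from the file). Reject
        # anything that is not a plain address/host token and quote the
        # value below so it is always a single -d operand.
        echo "meet: skipping invalid destination '$dest'" >&2
        continue
        ;;
    esac
    $IPT -A FORWARD -d "$dest" -j ACCEPT
  done < meet.txt
}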

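sometime () {
  # Interactively add a FORWARD rule that allows traffic to one host for the
  # next H hours via the xt_time match. Hostnames with a 192.* address in
  # /etc/hosts are listed first as a hint.
  grep 192 /etc/hosts | awk '{printf("%s\n",$2)}' | more
  # Prompts go to stderr, as bash's 'read -p' did. '-p' itself is not POSIX
  # and fails under dash, which is what #!/bin/sh usually resolves to.
  printf '%s' "Please input hostname:" >&2
  read -r IP
  printf '%s' "Please input allow hour:(1 to 8)" >&2
  read -r H
  # Enforce the advertised 1..8 range; anything else used to reach
  # 'date -d' and iptables unchecked.
  case "$H" in
    [1-8]) ;;
    *)
      echo "sometime: hour must be 1 to 8, got '$H'" >&2
      return 1
      ;;
  esac
  # Reject input that could be split into extra iptables arguments; the
  # variable is also quoted below so it is always a single -d operand.
  case "$IP" in
    ''|-*|*[!A-Za-z0-9./_-]*)
      echo "sometime: invalid hostname '$IP'" >&2
      return 1
      ;;
  esac
  # The original wrote date -d '$H hour' in single quotes, so $H was never
  # expanded, GNU date rejected the literal text and the rule got '-j' as
  # its --timestop value.
  tstart=$(date +%H:%M) || return 1
  tstop=$(date -d "$H hour" +%H:%M) || return 1
  # NOTE(review): 'date' prints local time, while the time match compares
  # against UTC unless --kerneltz is given (check the installed iptables'
  # man page); on a non-UTC box the window is shifted. The rule is never
  # deleted -- it simply stops matching after tstop.
  $IPT -A FORWARD -d "$IP" -m time --timestart "$tstart" --timestop "$tstop" -j ACCEPT
}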



# Command dispatcher. 'start' always tears the previous ruleset down first,
# because start() itself only appends rules.
cmd=$1
case "$cmd" in
  start)
    stop
    start
    ;;
  stop)
    stop
    ;;
  meet)
    meet
    ;;
  time)
    sometime
    ;;
  *)
    echo "$0 start|stop|meet|time"
    ;;
esac