QQ登录

只需一步,快速开始

 找回密码
 注册

QQ登录

只需一步,快速开始

查看: 659|回复: 0

高手指点一下!iptables问题!急~~~

[复制链接]
发表于 2003-4-4 01:09:57 | 显示全部楼层 |阅读模式
#!/bin/bash
IPTABLES="/usr/sbin/iptables"                        # set to your iptables location, must be set
TCP_ALLOW="22"                                        # TCP ports to allow (port<LOCIP)
UDP_ALLOW="68 6112 6119 4000"                        # UDP ports to allow (port<LOCIP)
INET_IFACE="eth1"                                # the interface your internet's on (one only), must be set
LAN_IFACE="eth0"                                # the interface(s) your LAN is on
INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24"        # The internal LAN (including DMZs but not censored hosts)
MASQ_LAN="192.168.0.0/24 192.168.1.0/24"        # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
SNAT_LAN=""                                        # Internal networks/hosts to use static NAT (format is <internal ip or network>:&lt;external ip&gt;) (this is overridden by MAC_SNAT)
DROP="TREJECT"                                        # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP), LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset), ULDROP (ULOG and DROP)
DENY_ALL=""                                        # Internet hosts to explicitly deny from accessing your system at all; format is "IP&lt;LOCIP"
DENY_HOSTWISE_TCP=""                                # Specific hosts to deny access to specific TCP ports; format is "IP&gt;PORT&lt;LOCIP"
DENY_HOSTWISE_UDP=""                                # Specific hosts to deny access to specific UDP ports; format is "IP&gt;PORT&lt;LOCIP"
BLACKHOLE=""                                        # People you don't want to have anything to do with (equivlent of my old TK_DROP).  This is a bidirectional drop.
BLACKHOLE_DROP="DROP"                                # What to do for the blackholes (same options as DROP directive above)
ALLOW_HOSTWISE_TCP=""                                # Specific hosts allowed access to specific TCP ports; format is "IP&gt;PORT&lt;LOCIP"
ALLOW_HOSTWISE_UDP=""                                # Specific hosts allowed access to specific UDP ports; format is "IP&gt;PORT&lt;LOCIP"
TCP_FW=""                                        # TCP port forwards, form is "SPORT:DPORT&gt;DESTIP&lt;LOCIP" &lt;LOCIP may be omitted
UDP_FW=""                                        # UDP port forwards, form is "SPORT:DPORT&gt;DESTIP&lt;LOCIP" &lt;LOCIP may be omitted
MANGLE_TOS_OPTIMIZE="FALSE"                        # TOS "optimizations" on or off (TRUE/FALSE toggle)
DHCP_SERVER="FALSE"                                # Set to true if you run a DHCP server. DHCP clients do not need this. This allows broadcasts to the server from potential clients on the LAN to succeede.
BAD_ICMP="5 9 10 15 16 17 18"                        # ICMP messages to NOT allow in from internet
ENABLE="N"                                        # Set to 'Y' when it's configured; this is for your own safety

# Flood Params.  You will still recieve the packets and the bandwidth will be used, but this will cause floods to be ignored (useful against SYNFLOODS especially)
LOG_FLOOD="2/s"                                        # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
SYN_FLOOD="20/s"                                # GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
PING_FLOOD="1/s"                                # GLOBAL limit on ICMP echo-requests to reply to

# Outbound filters
ALLOW_OUT_TCP=""                                # Internal hosts allowed to be forwarded out on TCP (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
PROXY=""                                        # Redirect for Squid or other TRANSPARENT proxy. Syntax to specify the proxy is "host:port".

# Below here is experimental (please report your successes/failures)
MAC_MASQ=""                                        # MAC addresses permitted to use masquerading, leave blank to not use
MAC_SNAT=""                                        # MAC addresses permitted to use static NAT, leave blank to not use (format is &lt;MAC Address&gt;:&lt;external ip&gt;)
TTL_SAFE=""                                        # How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
USE_SYNCOOKIES="FALSE"                                # TCP SynCookies on or off (TRUE/FALSE toggle)
RP_FILTER="TRUE"                                # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
ACCEPT_SOURCE_ROUTE="FALSE"                        # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
SUPER_EXEMPT=""                                        # Hosts which get to bypass the packet filter entirely (be REALLY careful with these)
BRAINDEAD_ISP="FALSE"                                # Force no fragments, useful if your ISP has a broken firewall or if you are on a tunneled connection (like PPPoE DSL)
ALLOW_HOSTWISE_PROTO=""                                # Specific hosts allowed access on specific IP protocols; format is "IP&gt;PROTO&lt;LOCIP"


# Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
DMZ_IFACE=""                                        # Interface your DMZ is on (leave blank if you don't have one)


# ----------------------------------------------------------------------|
# These control basic script behavior; there should be no need to        |
#        change any of these settings for normal use.                        |
# ----------------------------------------------------------------------|
FILTER_CHAINS="INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT"
UL_FILTER_CHAINS="ULDROP ULREJECT ULTREJECT"
LOOP_IFACE="lo"

# ----------------------------------------------------------------------|
# You shouldn't need to modify anything below here                        |
# Main Script Starts                                                        |
# ----------------------------------------------------------------------|

# Let's load it!
echo "Loading iptables firewall:"

# Configuration Sanity Checks
echo -n "Checking configuration..."

# It's hard to run an iptables script without iptables...
if ! [ -x $IPTABLES ] ; then
        echo
        echo "ERROR IN CONFIGURATION: ${IPTABLES} doesn't exist or isn't executable!"
        exit 4
fi

# Basic interface sanity
for dev in ${LAN_IFACE} ; do
        if [ "$dev" = "${DMZ_IFACE}" ] &amp;&amp; [ "$dev" != "" ]; then
                echo
                echo "ERROR IN CONFIGURATION: DMZ_IFACE and LAN_IFACE can't have a duplicate interface!"
                exit 1
        fi
done

# Create a test chain to work with for system ablilities testing
${IPTABLES} -N SYSTEST
if [ "$?" != "0" ] ; then
        echo
        echo "IPTABLES can't create new chains or the script was interrupted previously!"
        echo "Flush IPTABLES rulesets or delete chain SYSTEST and try again."
        exit 4
fi

# Check for ULOG support
${IPTABLES} -A SYSTEST -j ULOG &gt; /dev/null 2&gt;&amp;1
if [ "$?" = "0" ] ; then
        HAVE_ULOG="true"
else
        HAVE_ULOG="false"
fi

# Check for LOG support
${IPTABLES} -A SYSTEST -j LOG &gt; /dev/null 2&gt;&amp;1
if [ "$?" != "0" ] ; then
        echo
        echo "Your kernel lacks LOG support reqiored by this script. Aborting."
        exit 3
fi

# Check for stateful matching
${IPTABLES} -A SYSTEST -m state --state ESTABLISHED -j ACCEPT &gt; /dev/null 2&gt;&amp;1
if [ "$?" != "0" ] ; then
        echo
        echo "Your kernel lacks stateful matching, this would break this script. Aborting."
        exit 3
fi

# Check for the limit match
${IPTABLES} -A SYSTEST -m limit -j ACCEPT &gt; /dev/null 2&gt;&amp;1
if [ "$?" != "0" ] ; then
        echo
        echo "Support not found for limiting needed by this script. Aborting."
        exit 3
fi

# Check for REJECT
${IPTABLES} -A SYSTEST -j REJECT &gt; /dev/null 2&gt;&amp;1
if [ "$?" != "0" ] ; then
        echo
        echo "Support not found for the REJECT target needed by this script. Aborting."
        exit 3
fi

# Check DROP sanity
if [ "$DROP" = "" ] ; then
        echo
        echo "There needs to be a DROP policy (try TREJECT)!"
        exit 1
fi
if [ "$DROP" = "ACCEPT" ] ; then
        echo
        echo "The DROP policy is set to ACCEPT; there is no point in loading the firewall as there wouldn't be one."
        exit 2
fi
if [ "$DROP" = "ULDROP" ] || [ "$DROP" = "ULREJECT" ] || [ "$DROP" = "ULTREJECT" ] ; then
        if [ "$HAVE_ULOG" != "true" ] ; then
                echo
                echo "You have selected a ULOG policy, but your system lacks ULOG support."
                echo "Please choose a policy that your system has support for."
                exit 5
        fi
fi

# Problems with blackholes?
if [ "$BLACKHOLE" != "" ] &amp;&amp; [ "$BLACKHOLE_DROP" = "" ] ; then
        echo
        echo "You can't use blackholes and not have a policy for them!"
        exit 1
fi

# Has it been configured?
if ! [ "$ENABLE" = "Y" ] ; then
        echo
        echo "You need to *EDIT YOUR CONFIGURATION* and set ENABLE to Y!"
        exit 99
fi

# Flush and remove the chain SYSTEST
${IPTABLES} -F SYSTEST
${IPTABLES} -X SYSTEST

# Seems ok...
echo "passed"


# ===============================================
# ----------------Preprocessing------------------
# ===============================================

# Turn TCP_ALLOW and UDP_ALLOW into ALLOW_HOSTWISE
echo -n "Performing TCP_ALLOW and UDP_ALLOW alias preprocessing..."
if [ "$TCP_ALLOW" != "" ] ; then
        for rule in ${TCP_ALLOW} ; do
                ALLOW_HOSTWISE_TCP="${ALLOW_HOSTWISE_TCP} 0/0&gt;$rule"
        done
fi
if [ "$UDP_ALLOW" != "" ] ; then
        for rule in ${UDP_ALLOW} ; do
                ALLOW_HOSTWISE_UDP="${ALLOW_HOSTWISE_UDP} 0/0&gt;$rule"
        done
fi
echo "done"


# ===============================================
# -------Set some Kernel stuff via SysCTL--------
# ===============================================

# Turn on IP forwarding

if [ "$INTERNAL_LAN" != "" ] ; then
        echo -n "Checking IP Forwarding..."
        if [ -e /proc/sys/net/ipv4/ip_forward ] ; then
                echo 1 &gt; /proc/sys/net/ipv4/ip_forward
                echo "enabled."
        else
                echo "support not found! This will cause problems if you need to do any routing."
        fi
fi

# Enable TCP Syncookies
echo -n "Checking IP SynCookies..."
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
        if [ "$USE_SYNCOOKIES" = "TRUE" ] ; then
                echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
                echo "enabled."
        else
                echo 0 &gt; /proc/sys/net/ipv4/tcp_syncookies
                echo "disabled."
        fi
else
        echo "support not found, but that's OK."
fi

# Enable Route Verification to prevent martians and other such crud that
# seems to be commonplace on the internet today
echo -n "Checking Route Verification..."
if [ "$INET_IFACE" != "" ] ; then
        if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter ] ; then
                if [ "$RP_FILTER" = "TRUE" ] ; then
                        echo 1 &gt; /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter
                        echo -n "activated:${INET_IFACE} "
                else
                        echo 0 &gt; /proc/sys/net/ipv4/conf/$INET_IFACE/rp_filter
                        echo -n "disabled:${INET_IFACE} "
                fi
        else
                echo "not found:${INET_IFACE} "
        fi               
fi

if [ "$LAN_IFACE" != "" ] ; then
        for dev in ${LAN_IFACE} ; do
                if [ -e /proc/sys/net/ipv4/conf/$dev/rp_filter ] ; then
                        if [ "$RP_FILTER" = "TRUE" ] ; then
                                echo 1 &gt; /proc/sys/net/ipv4/conf/$dev/rp_filter
                                echo -n "activated:$dev "
                        else
                                echo 0 &gt; /proc/sys/net/ipv4/conf/$dev/rp_filter
                                echo -n "disabled:$dev "
                        fi
                else
                        echo "not found:$dev "
                fi
        done
fi

if [ "$DMZ_IFACE" != "" ] ; then
        if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter ] ; then
                if [ "$RP_FILTER" = "TRUE" ] ; then
                        echo 1 &gt; /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
                        echo -n "activated:${DMZ_IFACE} "
                else
                        echo 0 &gt; /proc/sys/net/ipv4/conf/$DMZ_IFACE/rp_filter
                        echo -n "disabled:${DMZ_IFACE} "
                fi
        else
                echo "not found:${DMZ_IFACE} "
        fi               
fi
echo

# Tell the Kernel to Ignore Source Routed Packets
echo -n "Refusing SSR Packets via SysCtl..."
if [ "$INET_IFACE" != "" ] ; then
        if [ -e /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route ] ; then
                if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
                        echo "1" &gt; /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route
                        echo -n "disabled:${INET_IFACE} "
                else
                        echo "0" &gt; /proc/sys/net/ipv4/conf/$INET_IFACE/accept_source_route
                        echo -n "activated:${INET_IFACE} "
                fi
        else
                echo "not found:${INET_IFACE} "
        fi               
fi

if [ "$LAN_IFACE" != "" ] ; then
        for dev in ${LAN_IFACE} ; do
                if [ -e /proc/sys/net/ipv4/conf/$dev/accept_source_route ] ; then
                        if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
                                echo "1" &gt; /proc/sys/net/ipv4/conf/$dev/accept_source_route
                                echo -n "disabled:$dev "
                        else
                                echo "0" &gt; /proc/sys/net/ipv4/conf/$dev/accept_source_route
                                echo -n "activated:$dev "
                        fi
                else
                        echo "not found:$dev "
                fi               
        done
fi

if [ "$DMZ_IFACE" != "" ] ; then
        if [ -e /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route ] ; then
                if [ "$ACCEPT_SOURCE_ROUTE" = "TRUE" ] ; then
                        echo "1" &gt; /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
                        echo -n "disabled:${DMZ_IFACE} "
                else
                        echo "0" &gt; /proc/sys/net/ipv4/conf/$DMZ_IFACE/accept_source_route
                        echo -n "activated:${DMZ_IFACE} "
                fi
        else
                echo "not found:${DMZ_IFACE} "
        fi               
fi
echo

# ===============================================
# --------Actual NetFilter Stuff Follows---------
# ===============================================

# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
echo -n "Flush: "
${IPTABLES} -t filter -F INPUT
echo -n "INPUT "
${IPTABLES} -t filter -F OUTPUT
echo -n "OUTPUT1 "
${IPTABLES} -t filter -F FORWARD
echo -n "FORWARD "
${IPTABLES} -t nat -F PREROUTING
echo -n "PREROUTING1 "
${IPTABLES} -t nat -F OUTPUT
echo -n "OUTPUT2 "
${IPTABLES} -t nat -F POSTROUTING
echo -n "POSTROUTING "
${IPTABLES} -t mangle -F PREROUTING
echo -n "PREROUTING2 "
${IPTABLES} -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they don't exist from a previous invocation
echo -n "Creating chains: "
for chain in ${FILTER_CHAINS} ; do
        ${IPTABLES} -t filter -F ${chain} &gt; /dev/null 2&gt;&amp;1
        ${IPTABLES} -t filter -X ${chain} &gt; /dev/null 2&gt;&amp;1
        ${IPTABLES} -t filter -N ${chain}
        echo -n "${chain} "
done
if [ ${HAVE_ULOG} = "true" ] ; then
        for chain in ${UL_FILTER_CHAINS} ; do
                ${IPTABLES} -t filter -F ${chain} &gt; /dev/null 2&gt;&amp;1
                ${IPTABLES} -t filter -X ${chain} &gt; /dev/null 2&gt;&amp;1
                ${IPTABLES} -t filter -N ${chain}
                echo -n "${chain} "
        done       
fi
echo

# Default Policies
# INPUT policy is drop as of 2.3.7-pre5
# Policy can't be reject because of kernel limitations
echo -n "Default Policies: "
${IPTABLES} -t filter -P INPUT DROP
echo -n "INPUT:DROP "
${IPTABLES} -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
${IPTABLES} -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

# ===============================================
# -------Chain setup before jumping to them------
# ===============================================

#These logging chains are valid to specify in DROP= above
#Set up LDROP
echo -n "Setting up drop chains chains: "
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Dropped "
${IPTABLES} -t filter -A LDROP -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
echo -n "LDROP "
        
#And LREJECT too
${IPTABLES} -t filter -A LREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected "
${IPTABLES} -t filter -A LREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LREJECT -j REJECT
echo -n "LREJECT "

#Don't forget TREJECT
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -p icmp -j DROP
${IPTABLES} -t filter -A TREJECT -j REJECT
echo -n "TREJECT "

#And LTREJECT
${IPTABLES} -t filter -A LTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "TCP Rejected "
${IPTABLES} -t filter -A LTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "UDP Rejected "
${IPTABLES} -t filter -A LTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j LOG --log-level 6 --log-prefix "ICMP Rejected "
${IPTABLES} -t filter -A LTREJECT -f -m limit --limit ${LOG_FLOOD} -j LOG --log-level 4 --log-prefix "FRAGMENT Rejected "
${IPTABLES} -t filter -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A LTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A LTREJECT -p icmp -j DROP
${IPTABLES} -t filter -A LTREJECT -j REJECT
echo -n "LTREJECT "

#And ULOG stuff, same as above but ULOG instead of LOG
if [ ${HAVE_ULOG} = "true" ] ; then
        ${IPTABLES} -t filter -A ULDROP -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_TCP
        ${IPTABLES} -t filter -A ULDROP -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_UDP
        ${IPTABLES} -t filter -A ULDROP -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_ICMP
        ${IPTABLES} -t filter -A ULDROP -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LDROP_FRAG
        ${IPTABLES} -t filter -A ULDROP -j DROP
        echo -n "ULDROP "

        ${IPTABLES} -t filter -A ULREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_TCP
        ${IPTABLES} -t filter -A ULREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP
        ${IPTABLES} -t filter -A ULREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_UDP
        ${IPTABLES} -t filter -A ULREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LREJECT_FRAG
        ${IPTABLES} -t filter -A ULREJECT -j REJECT
        echo -n "LREJECT "

        ${IPTABLES} -t filter -A ULTREJECT -p tcp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_TCP
        ${IPTABLES} -t filter -A ULTREJECT -p udp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_UDP
        ${IPTABLES} -t filter -A ULTREJECT -p icmp -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_ICMP
        ${IPTABLES} -t filter -A ULTREJECT -f -m limit --limit ${LOG_FLOOD} -j ULOG --ulog-nlgroup 1 --ulog-prefix LTREJECT_FRAG
        ${IPTABLES} -t filter -A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
        ${IPTABLES} -t filter -A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
        ${IPTABLES} -t filter -A ULTREJECT -p icmp -j DROP
        ${IPTABLES} -t filter -A ULTREJECT -j REJECT
        echo -n "ULTREJECT "
fi
#newline
echo


# Set up the per-proto ACCEPT chains
echo -n "Setting up per-proto ACCEPT: "

# TCPACCEPT
# SYN Flood "Protection"
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${SYN_FLOOD} -j ACCEPT
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Possible SynFlood "
${IPTABLES} -t filter -A TCPACCEPT -p tcp --syn -j ${DROP}
${IPTABLES} -t filter -A TCPACCEPT -p tcp ! --syn -j ACCEPT
# Log anything that hasn't matched yet and ${DROP} it since it isn't TCP and shouldn't be here
${IPTABLES} -t filter -A TCPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch in TCPACCEPT "
${IPTABLES} -t filter -A TCPACCEPT -j ${DROP}
echo -n "TCPACCEPT "

#UDPACCEPT
${IPTABLES} -t filter -A UDPACCEPT -p udp -j ACCEPT
# Log anything not UDP and ${DROP} it since it's not supposed to be here
${IPTABLES} -t filter -A UDPACCEPT -m limit --limit ${LOG_FLOOD} -j LOG --log-prefix "Mismatch on UDPACCEPT "
${IPTABLES} -t filter -A UDPACCEPT -j ${DROP}
echo -n "UDPACCEPT "

#Done
echo

# =================================================
# -------------------Exemptions--------------------
# =================================================
if [ "$SUPER_EXEMPT" != "" ] ; then
        echo -n "Super Exemptions: "
        for host in ${SUPER_EXEMPT} ; do
                ${IPTABLES} -t filter -A INPUT -s ${host} -j ACCEPT
                ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ACCEPT
                ${IPTABLES} -t filter -A FORWARD -s ${host} -j ACCEPT
                ${IPTABLES} -t filter -A FORWARD -d ${host} -j ACCEPT
                echo -n "${host} "
        done
        echo
fi


# =================================================
# ----------------Explicit Denies------------------
# =================================================

#Blackholes will not be overridden by hostwise allows
if [ "$BLACKHOLE" != "" ] ; then
        echo -n "Blackholes: "
        for host in ${BLACKHOLE} ; do
                ${IPTABLES} -t filter -A INPUT -s ${host} -j ${BLACKHOLE_DROP}
                ${IPTABLES} -t filter -A OUTPUT -d ${host} -j ${BLACKHOLE_DROP}
                ${IPTABLES} -t filter -A FORWARD -s ${host} -j ${BLACKHOLE_DROP}
                ${IPTABLES} -t filter -A FORWARD -d ${host} -j ${BLACKHOLE_DROP}
                echo -n "${host} "
        done
        echo
fi

if [ "$DENY_ALL" != "" ] ; then
        echo -n "Denying hosts: "
        for rule in ${DENY_ALL} ; do
                echo "$rule" | {
                        IFS='&lt;' read shost dhost
                                if [ "$dhost" == "" ] ; then
                                        ${IPTABLES} -t filter -A INPUT -s ${shost} -j ${DROP}
                                        ${IPTABLES} -t filter -A FORWARD -s ${shost} -j ${DROP}
                                else
                                        ${IPTABLES} -t filter -A INPUT -s ${shost} -d ${dhost} -j ${DROP}
                                        ${IPTABLES} -t filter -A FORWARD -s ${shost} -d ${dhost} -j ${DROP}
                                fi
                }
                echo -n "${rule} "                                       
        done
        echo
fi



if [ "$DENY_HOSTWISE_TCP" != "" ] ; then
        echo -n "Hostwise TCP Denies: "
        for rule in ${DENY_HOSTWISE_TCP} ; do
                echo "$rule" | {
                        IFS='&gt;&lt;' read shost port dhost
                                echo "$port" | {
                                        IFS='-' read fsp lsp
                                        if [ "$dhost" == "" ] ; then       
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
                                                else
                                                        ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} --dport ${port} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} --dport ${port} -j ${DROP}
                                                fi
                                        else
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
                                                else
                                                        ${IPTABLES} -t filter -A INPUT -p tcp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p tcp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
                                                fi
                                        fi
                                               echo -n "${rule} "
                                }
                }
        done
        echo
fi

if [ "$DENY_HOSTWISE_UDP" != "" ] ; then
        echo -n "Hostwise UDP Denies: "
        for rule in ${DENY_HOSTWISE_UDP} ; do
                echo "$rule" | {
                        IFS='&gt;&lt;' read shost port dhost
                                echo "$port" | {
                                        IFS='-' read fsp lsp
                                        if [ "$dhost" == "" ] ; then       
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} --dport ${fsp}:${lsp} -j ${DROP}
                                                else
                                                        ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} --dport ${port} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} --dport ${port} -j ${DROP}
                                                fi
                                        else
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j ${DROP}
                                                else
                                                        ${IPTABLES} -t filter -A INPUT -p udp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
                                                        ${IPTABLES} -t filter -A FORWARD -p udp -s ${shost} -d ${dhost} --dport ${port} -j ${DROP}
                                                fi
                                        fi
                                               echo -n "${rule} "
                                }
                }
        done
        echo
fi



#Invalid packets are always annoying
echo -n "${DROP}ing invalid packets..."
${IPTABLES} -t filter -A INETIN -m state --state INVALID -j ${DROP}
echo "done"


# ------------------------------------------------------------------------

# Internet jumps to INET chains and DMZ
# Set up INET chains
echo -n "Setting up INET chains: "
${IPTABLES} -t filter -A INPUT -i ${INET_IFACE} -j INETIN
for dev in ${LAN_IFACE} ; do
        ${IPTABLES} -t filter -A FORWARD -i ${INET_IFACE} -o $dev -j INETIN
done
echo -n "INETIN "

${IPTABLES} -t filter -A OUTPUT -o ${INET_IFACE} -j INETOUT
for dev in ${LAN_IFACE} ; do
        ${IPTABLES} -t filter -A FORWARD -o ${INET_IFACE} -i $dev -j INETOUT
done
echo -n "INETOUT "
echo

if [ "$BRAINDEAD_ISP" = "TRUE" ] ; then
        ${IPTABLES} -t filter -A INETOUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi

# For now we'll subject the DMZ to the same rules as the internet when going onto the trusted LAN
# And we'll let it go anywhere on the internet
if [ "$DMZ_IFACE" != "" ] ; then
        echo -n "Setting up DMZ Chains: "
        ${IPTABLES} -A OUTPUT -o ${DMZ_IFACE} -j DMZOUT
        ${IPTABLES} -A FORWARD -i ${LAN_IFACE} -o ${DMZ_IFACE} -j DMZOUT
        ${IPTABLES} -A FORWARD -i ${INET_IFACE} -o ${DMZ_IFACE} -j ACCEPT

        echo -n "DMZOUT "
        echo -n "DMZ for Internet Forwarding to INETOUT..."
        ${IPTABLES} -A DMZOUT -j INETOUT

        ${IPTABLES} -A INPUT -i ${DMZ_IFACE} -j DMZIN

        echo -n "DMZIN "
        echo
        echo -n "DMZ for LAN and localhost Forwarding to INETIN..."
        ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${LAN_IFACE} -j DMZOUT
        ${IPTABLES} -A FORWARD -i ${DMZ_IFACE} -o ${INET_IFACE} -j ACCEPT
        ${IPTABLES} -A DMZOUT -o ${LAN_IFACE} -j INETIN
        echo "done"
        echo -n "done"
fi

# ------------------------------------------------------------------------


# Local traffic to internet or crossing subnets
# This should cover what we need if we don't use masquerading
# Unfortunately, MAC address matching isn't bidirectional (for
#   obvious reasons), so IP based matching is done here
echo -n "Local Traffic Rules: "
if [ "$INTERNAL_LAN" != "" ] ; then
        for subnet in ${INTERNAL_LAN} ; do
                ${IPTABLES} -t filter -A INPUT -s ${subnet} -j ACCEPT
                ${IPTABLES} -t filter -A FORWARD -s ${subnet} -o ! ${INET_IFACE} -i ! ${INET_IFACE} -j ACCEPT
                echo -n "${subnet}:ACCEPT "
        done
fi

# 127.0.0.0/8 used to need an entry in INTERNAL_LAN, but routing of that isn't needed
# so an allow is placed on INPUT so that the computer can talk to itself
${IPTABLES} -t filter -A INPUT -i ${LOOP_IFACE} -j ACCEPT
echo -n "loopback:ACCEPT "

# DHCP server magic
# Allow broadcasts from LAN to UDP port 67 (DHCP server)
if [ "$DHCP_SERVER" = "TRUE" ] ; then
        for dev in ${LAN_IFACE} ; do
                ${IPTABLES} -t filter -A INPUT -i $dev -p udp --dport 67 -j ACCEPT
        done
        echo -n "dhcp:ACCEPT"
fi
echo #newline from local traffic rules



if [ "$PROXY" != "" ] ; then
        echo -n "Setting up Transparent Proxy to ${PROXY}: "
        for subnet in ${INTERNAL_LAN} ; do
                        echo "$PROXY" | {
                                IFS=':' read host port
                                if [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ] ; then
                                        ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j REDIRECT --to-port ${port}
                                        echo -n "${subnet}ROXY "
                                else
                                        ${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p tcp --dport 80 -j DNAT --to ${host}:${port}
                                        echo -n "${subnet}ROXY "
                                fi
                        }
        done
        echo
fi

if [ "$ALLOW_OUT_TCP" != "" ] ; then
        echo -n "Internet censorship TCP allows: "
        for rule in ${ALLOW_OUT_TCP} ; do
                echo "$rule" | {
                        IFS=':' read intip destip dport
                        ${IPTABLES} -t filter -A FORWARD -s ${intip} -d ${destip} -p tcp --dport ${dport} -o ${INET_IFACE} -j ACCEPT
                        echo -n "${intip}:${destip} "
                }
        done
        echo
fi

# Set up basic NAT if the user wants it
if [ "$MASQ_LAN" != "" ] ; then
        echo -n "Setting up masquerading: "
        if [ "$MAC_MASQ" = "" ] ; then
                for subnet in ${MASQ_LAN} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
                        echo -n "${subnet}:MASQUERADE "
                done
        else       
                for address in ${MAC_MASQ} ; do
                        ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
                        echo -n "${address}:MASQUERADE "
                done
        fi
        echo
fi
if [ "$SNAT_LAN" != "" ] ; then #Static NAT used
        echo -n "Setting up static NAT: "
        if [ "$MAC_SNAT" = "" ] ; then
                for rule in ${SNAT_LAN} ; do
                        echo "$rule" | {
                                IFS=':' read host destip
                                ${IPTABLES} -t nat -A POSTROUTING -s ${host} -o ${INET_IFACE} -j SNAT --to-source ${destip}
                                echo -n "${host}:SNAT "
                        }
                done
        else
                for rule in ${MAC_SNAT} ; do
                        echo "$rule" | {
                                IFS=':' read address destip       
                                ${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j SNAT --to-source ${destip}
                                echo -n "${address}:SNAT "
                        }
                done
        fi  
        echo
fi

#TCP Port-Forwards
if [ "$TCP_FW" != "" ] ; then
        echo -n "TCP Port Forwards: "
        for rule in ${TCP_FW} ; do
                echo "$rule" | {
                        IFS=':&gt;&lt;' read srcport destport host shost
                                echo "$srcport" | {
                                        IFS='-' read fsp lsp
                                        if [ "$shost" = "" ] ; then
                                                if [ "$lsp" != "" ] ; then
                                                        echo "$destport" | {
                                                                IFS='-' read fdp ldp
                                                                ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
                                                        }
                                                else
                                                        ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p tcp --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
                                                fi
                                        else
                                                if [ "$lsp" != "" ] ; then
                                                        echo "$destport" | {
                                                                IFS='-' read fdp ldp
                                                                ${IPTABLES} -t nat -A PREROUTING -p tcp -d ${shost} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
                                                        }
                                                else
                                                        ${IPTABLES} -t nat -A PREROUTING -p tcp -d ${shost} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
                                                fi
                                        fi
                                        echo -n "${rule} "
                                }
                }
        done
        echo
fi

#UDP Port Forwards
if [ "$UDP_FW" != "" ] ; then
        echo -n "UDP Port Forwards: "
        for rule in ${UDP_FW} ; do
                echo "$rule" | {
                        IFS=':&gt;&lt;' read srcport destport host shost
                                echo "$srcport" | {
                                        IFS='-' read fsp lsp
                                        if [ "$shost" = "" ] ; then
                                                if [ "$lsp" != "" ] ; then
                                                        echo "$destport" | {
                                                                IFS='-' read fdp ldp
                                                                ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
                                                        }
                                                else
                                                        ${IPTABLES} -t nat -A PREROUTING -i ${INET_IFACE} -p udp --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
                                                fi
                                        else
                                                if [ "$lsp" != "" ] ; then
                                                        echo "$destport" | {
                                                                IFS='-' read fdp ldp
                                                                ${IPTABLES} -t nat -A PREROUTING -p udp -d ${shost} --dport ${fsp}:${lsp} -j DNAT --to-destination ${host}:${destport}
                                                        }
                                                else
                                                        ${IPTABLES} -t nat -A PREROUTING -p udp -d ${shost} --dport ${srcport} -j DNAT --to-destination ${host}:${destport}
                                                fi
                                        fi
                                        echo -n "${rule} "
                                }
                }
        done
        echo
fi



# =================================================
# -------------------ICMP rules--------------------
# =================================================

if [ "$BAD_ICMP" != "" ] ; then
        echo -n "${DROP}ing ICMP messages specified in BAD_ICMP..."
        for message in ${BAD_ICMP} ; do
                ${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ${message} -j ${DROP}
                echo -n "${message} "
        done
        echo
fi

# Flood "security"
# You'll still respond to these if they comply with the limits (set in config)
# There is a more elegant way to set this using sysctl, however this has the
#         advantage that the kernel ICMP stack never has to process it, lessening
#        the chance of a very serious flood overloading your kernel.
# This is just a packet limit, you still get the packets on the interface and
#    still may experience lag if the flood is heavy enough
echo -n "Flood limiting: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit ${PING_FLOOD} -j ACCEPT
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -j ${DROP}
echo -n "ICMP-PING "
echo

echo -n "Allowing the rest of the ICMP messages in..."
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
echo "done"



# ================================================================
# ------------Allow stuff we have chosen to allow in--------------
# ================================================================


# Hostwise allows
if [ "$ALLOW_HOSTWISE_TCP" != "" ] ; then
        echo -n "Hostwise TCP Allows: "
        for rule in ${ALLOW_HOSTWISE_TCP} ; do
                echo "$rule" | {
                        IFS='&gt;&lt;' read shost port dhost
                                echo "$port" | {
                                        IFS='-' read fsp lsp
                                        if [ "$dhost" == "" ] ; then       
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} --dport ${fsp}:${lsp} -j TCPACCEPT
                                                else
                                                        ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} --dport ${port} -j TCPACCEPT
                                                fi
                                        else
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j TCPACCEPT
                                                else
                                                        ${IPTABLES} -t filter -A INETIN -p tcp -s ${shost} -d ${dhost} --dport ${port} -j TCPACCEPT
                                                fi
                                        fi
                                               echo -n "${rule} "
                                }
                }
        done
        echo
fi

if [ "$ALLOW_HOSTWISE_UDP" != "" ] ; then
        echo -n "Hostwise UDP Allows: "
        for rule in ${ALLOW_HOSTWISE_UDP} ; do
                echo "$rule" | {
                        IFS='&gt;&lt;' read shost port dhost
                                echo "$port" | {
                                        IFS='-' read fsp lsp
                                        if [ "$dhost" == "" ] ; then       
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} --dport ${fsp}:${lsp} -j UDPACCEPT
                                                else
                                                        ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} --dport ${port} -j UDPACCEPT
                                                fi
                                        else
                                                if [ "$lsp" != "" ] ; then
                                                        ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} -d ${dhost} --dport ${fsp}:${lsp} -j UDPACCEPT
                                                else
                                                        ${IPTABLES} -t filter -A INETIN -p udp -s ${shost} -d ${dhost} --dport ${port} -j UDPACCEPT
                                                fi
                                        fi
                                               echo -n "${rule} "
                                }
                }
        done
        echo
fi

if [ "$ALLOW_HOSTWISE_PROTO" != "" ] ; then
        echo -n "Hostwise IP Protocol Allows: "
        for rule in ${ALLOW_HOSTWISE_PROTO} ; do
                echo "$rule" | {
                        IFS='&gt;&lt;' read shost proto dhost
                                if [ "$dhost" == "" ] ; then       
                                        ${IPTABLES} -t filter -A INETIN -p ${proto} -s ${shost} -j ACCEPT
                                else
                                        ${IPTABLES} -t filter -A INETIN -p ${proto} -s ${shost} -d ${dhost} -j ACCEPT
                                fi
                                echo -n "${rule} "
                }
        done
        echo
fi

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
echo "done"

# RELATED on high ports only for security
echo -n "Allowing related inbound connections..."
${IPTABLES} -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
${IPTABLES} -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
echo "done"


# =================================================
# ----------------Packet Mangling------------------
# =================================================


# TTL mangling
# This is probably just for the paranoid, but hey, isn't that what
#        all security guys are?
if [ "$TTL_SAFE" != "" ] ; then
        ${IPTABLES} -t mangle -A PREROUTING -i ${INET_IFACE} -j TTL --ttl-set ${TTL_SAFE}
fi

# Type of Service mangle optimizations (the ACTIVE FTP one will only work for uploads)
# Most routers tend to ignore these, it's probably better to use
#        QoS.  A packet scheduler like HTB is much more efficient
#        at assuring bandwidth availability at the local end than
#        ToS is.
if [ "$MANGLE_TOS_OPTIMIZE" = "TRUE" ] ; then
        echo -n "Optimizing traffic: "
        ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
        echo -n "telnet "
        ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
        echo -n "ssh "
        ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
        echo -n "ftp-data "
        ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
        echo -n "ftp-control "
        ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
        echo -n "diablo2 "
        echo
fi

# What to do on those INET chains when we hit the end
echo -n "Setting up INET policies: "
# Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
# We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

# All done!
echo "Done loading the firewall!"

以上是我下载的一个Script.
可是我想把我内网的web ftp两个服务器的映射到外网,我应该修改哪里呀?
我看了半天,也不知道应该修改哪里.请高手指点?
web server IP: 192.168.1.2
ftp server IP: 192.168.1.3
[/code]
您需要登录后才可以回帖 登录 | 注册

本版积分规则

GMT+8, 2024-11-17 06:00 , Processed in 0.037001 second(s), 16 queries .

© 2021 Powered by Discuz! X3.5.

快速回复 返回顶部 返回列表