QQ登录

只需一步,快速开始

 找回密码
 注册

QQ登录

只需一步,快速开始

查看: 805|回复: 5

iptables 防火墙一款

[复制链接]
发表于 2004-4-14 14:45:02 | 显示全部楼层 |阅读模式
#!/bin/sh
clear
##########################################################################
# Copyright (c) 2001 Patrik Hildingsson [email protected]                       #
# Thanks goes to obsid & Christian Benvenuti for helping me out here     #
##########################################################################

## Variables
IRC="y"                                # y/n, Enable for DCC connection-track
EGG="n"                                # y/n, Enable for Eggdrop HUB-bot on your net
DMZ="y"
STATIC_IP="y"                                # y/n, Enable to use DMZ
IPTABLES="/sbin/iptables"
INTERNAL="eth0"                        # Internal Interface
EXTERNAL="eth1"                        # External Interface
EXT_IP="192.168.1.254"               # IP address of the External Interface.

LOOPBACK="lo"                               # Loopback Interface
DMZ_IF="eth2"                     ## DMZ Interface
DMZ_IP="192.168.0.254"       ##DMZ Ip
DMZ_HTTP_IP="192.168.0.2"    #DMZ HTTP IP
DMZ_FTP_IP="192.168.0.2"
DMZ_NET="192.168.0.0/24"         ## DMZ NET

INTERNAL_NET="192.168.2.0/24"         ## Internal Net
INTERNAL_IP="192.168.2.254"
PROXY_PORT="8080"                 ## Optional Proxyport
FTP_PORT="21"                        # FTP port/s (MAX that we want to track
                                # Separate with a comma. F.e. "21,6921,2121"
                                # Requires ipt_conntrack_ftp.o
MASQ_REDIRECT_HOST="192.168.1.21/32 192.168.1.22/32 192.168.1.23/32" ##Hosts that will be SNATed/Masqueraded AND redirected
TRUST_EXT="194.17.248.0/24"         ## External Hosts that we trust for (ICMP Echo Request AND ssh)
GATEWAY="192.168.1.1"                 ## Our Gateway
VERSION="4.2d-1SUPER"

#### Please review firewallsettings below for your depends and needs ####
#### EDIT BELOW SETTINGS ONLY IF YOU KNOW WHAT YOU'RE DOING #####

echo "Starting Firewall version" $VERSION
## Check if iptables and filter/nat/mangle-tables are compiled as module
## or direct into kernel. If module, then we load it.

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then
        /sbin/modprobe ip_tables
   else
        echo "Assuming IPTables compiled into kernel"
fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.o ]; then
        /sbin/modprobe iptable_filter
   else
        echo "Assuming IPtable_filter compiled into kernel"
fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_nat.o ]; then
        /sbin/modprobe iptable_nat
   else
        echo "Assuming IPtable_nat compiled into kernel"
fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_mangle.o ]; then
        /sbin/modprobe iptable_mangle
   else
        echo "Assuming IPtable_mangle compiled into kernel"
fi

## Check ip_conntrack_ftp exists
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then
   EXIST="`lsmod 2>&1 | grep 'ip_conntrack_ftp' | cut -d "(" -f1 | cut -d " " -f1`"
           if [ "$EXIST" = "ip_conntrack_ftp" ]; then
                echo "Reloading FTP connection-track on port/s $FTP_PORT"
                /sbin/rmmod ip_conntrack_ftp
                   /sbin/modprobe ip_conntrack_ftp ports=$FTP_PORT 2>&1
        else
                echo "Loading FTP connection-track on port/s $FTP_PORT"
                   /sbin/modprobe ip_conntrack_ftp ports=$FTP_PORT 2>&1
        fi
        else
                echo "Please compile ip_conntrack_ftp as module for multiple FTP port connection-track!"
                sleep 3
fi

## Check ip_conntrack_irc exists
if [ "$IRC" = "y" ]; then
  if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then
     EXIST="`lsmod 2>&1 | grep 'ip_conntrack_irc' | cut -d "(" -f1 | cut -d " " -f1`"
           if [ "$EXIST" = "ip_conntrack_irc" ]; then
                echo "Reloading IRC connection-track"
                /sbin/rmmod ip_conntrack_irc
                   /sbin/modprobe ip_conntrack_irc 2>&1
        else
                echo "Loading IRC connection-track"
                   /sbin/modprobe ip_conntrack_irc 2>&1
        fi
        else
                echo "Please compile ip_conntrack_irc as module for IRC DCC connection-track!"
                sleep 3
  fi
  else
        /sbin/rmmod ip_conntrack_irc 1>/dev/null 2>/dev/null
        #just to make sure there's no module left
fi

## Check ip_conntrack_egg exists
if [ "$EGG" = "y" ]; then
  if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_egg.o ]; then
     EXIST="`lsmod 2>&1 | grep 'ip_conntrack_egg' | cut -d "(" -f1 | cut -d " " -f1`"
           if [ "$EXIST" = "ip_conntrack_egg" ]; then
                echo "Reloading Eggdrop HUB-bot connection-track"
                /sbin/rmmod ip_conntrack_egg
                   /sbin/modprobe ip_conntrack_egg 2>&1
        else
                echo "Loading Eggdrop HUB-bot connection-track"
                   /sbin/modprobe ip_conntrack_egg 2>&1
        fi
        else
                echo "Please compile ip_conntrack_egg as module for Eggdrop HUB-bot connection-track!"
                sleep 3
   fi
   else
        /sbin/rmmod ip_conntrack_egg 1>/dev/null 2>/dev/null
        #just to make sure there's no module left
fi

## Check iptables compatible with kernel ##
ORIGPATH=$PATH
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
#FOO=`$IPTABLES -L -n 2>&1 | grep Incompatible`
FOO=`$IPTABLES --version 2>&1 | grep 'iptables v1.2'`
if [ ! "$FOO" = "iptables v1.2" ];
   then
    echo "IPtables v1.2 required OR kernel not configured for iptables. Aborting!"
    echo "Get IPtables 1.2 from hhtp://netfilter.kernelnotes.org and Linux Kernel 2.4.x from http://ftp.kernel.org"
    export PATH=$ORIGPATH
    exit
fi

## Attempt to Flush All Rules in Filter Table
$IPTABLES -F

## Flush Built-in Rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

## Flush Rules/Delete User Chains in Mangle Table
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X

## Delete all user-defined chains, reduces dumb warnings if you run
## this script more than once.
$IPTABLES -X

## Set Default Policies
$IPTABLES -P INPUT DROP                ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

## More variables further down near the NAT rules.

## NOTE: "Special Chains" First, Regular INPUT/OUTPUT chains will follow.

###############################################################################
## Special Chains
###############################################################################

###############################################################################
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.

        $IPTABLES -N KEEP_STATE
        $IPTABLES -F KEEP_STATE

   ## DROP packets associated with an "INVALID" connection.
        $IPTABLES -A KEEP_STATE -m state --state INVALID -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "INVALID STATE:"
        $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP

   ## UNCLEAN match target, somewhat experimental at this point. #
   ## Needs to be patched into standard kernels from development netfilter #
        $IPTABLES -A KEEP_STATE -m unclean -j DROP

   ## ACCEPT certain packets which are starting a new connection or are
   ## related to an established connection.
        $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

   ## ACCEPT packets whose input interface is anything but the external interface.
        $IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT

   ##------------------------------------------------------------------------##
   ## At this point ACCEPT packets trying to start a new connection whose
   ## input interface is the external interface and the destination is the DMZ.
   ## This suggests, of course, that you run services on your DMZ that you
   ## want to be accessible from the outside.
if [ "$DMZ" = "y" ]; then
        $IPTABLES -A KEEP_STATE -i $EXTERNAL -o $DMZ_IF -m state --state NEW -j ACCEPT
fi
   ##------------------------------------------------------------------------##

###############################################################################
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.

  ## We set some limits here to limit the amount of crap that gets sent to the logs.
  ## Keep in mind that these rules should never match normal traffic, they're
  ## are designed to capture obviously messed up packets... but there's alot of
  ## wierd shit out there, so who knows.

  ## Log facility/priority for these are kern.debug, please adjust for your taste.  See
  ## the iptables and syslog.conf man pages for logging details.

        $IPTABLES -N CHECK_FLAGS
        $IPTABLES -F CHECK_FLAGS

   ## NMAP FIN/URG/PSH
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "NMAP-XMAS:"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

   ## Xmas Tree
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "Merry XMAS:"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP

   ## Another Xmas Tree
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "XMAS-PSH:"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

   ## Null Scan(possibly)
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "NULL_SCAN:"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

   ## SYN/RST
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SYN/RST:"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

   ## SYN/FIN -- Scan(possibly)
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SYN/FIN:"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

##------------------------------------------------------------------------##
   ## TCP Option Check  
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix \
                        "Bogus TCP FLAG 64"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP


        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix \
                        "Bogus TCP FLAG 128"
        $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP

##------------------------------------------------------------------------##

   ## Make some types of port scans annoyingly slow, also provides some protection
   ## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
   ## INVALID state should catch most TCP packets with the RST or FIN bits set that
   ## aren't associate with an established connection.  Still, these will limit the
   ## amount of stuff that is accepted through our open ports(if any).  I suggest you
   ## test these for your configuration before you uncomment them, as they could cause
   ## problems.

#        $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
#        $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
#        $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT


###############################################################################
## Special Chain DENY_PORTS
## This chain will DROP/LOG packets based on port number

        $IPTABLES -N DENY_PORTS
        $IPTABLES -F DENY_PORTS

   ## NFS, X, VNC, SMB, blah blah
        $IPTABLES -A DENY_PORTS -p tcp --dport 137:139 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --sport 137:139 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --dport 1433 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --sport 1433 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --dport 5432 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --sport 5432 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --dport 5900:5910 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --sport 5900:5910 -j DROP

   ## (Possibly) Evil Stuff ##

     ## Possible rpc.statd exploit shell
        $IPTABLES -A DENY_PORTS -p tcp --dport 9704 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "rpc.statd(9704) Shell:"
        $IPTABLES -A DENY_PORTS -p tcp --dport 9704 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --sport 9704 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "rpc.statd(9704) Shell:"
        $IPTABLES -A DENY_PORTS -p tcp --sport 9704 -j DROP

     ## NetBus and NetBus Pro
        $IPTABLES -A DENY_PORTS -p tcp --dport 20034 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "NetBus Pro:"
        $IPTABLES -A DENY_PORTS -p tcp --dport 20034 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "NetBus:"
        $IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -j DROP

     ## Trinoo
        $IPTABLES -A DENY_PORTS -p tcp --sport 27665 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "Trinoo:"
        $IPTABLES -A DENY_PORTS -p tcp --dport 27665 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "Trinoo:"
        $IPTABLES -A DENY_PORTS -p tcp --sport 27665 -j DROP
        $IPTABLES -A DENY_PORTS -p tcp --dport 27665 -j DROP

        $IPTABLES -A DENY_PORTS -p udp --sport 27444 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "Trinoo:"
        $IPTABLES -A DENY_PORTS -p udp --dport 27444 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "Trinoo:"
        $IPTABLES -A DENY_PORTS -p udp --sport 27444 -j DROP
        $IPTABLES -A DENY_PORTS -p udp --dport 27444 -j DROP

        $IPTABLES -A DENY_PORTS -p udp --sport 31335 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "Trinoo:"
        $IPTABLES -A DENY_PORTS -p udp --dport 31335 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "Trinoo:"
        $IPTABLES -A DENY_PORTS -p udp --sport 31335 -j DROP
        $IPTABLES -A DENY_PORTS -p udp --dport 31335 -j DROP

     ## Back Orifice
        $IPTABLES -A DENY_PORTS -p tcp --dport 31337 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "BackOrifice-TCP:"
        $IPTABLES -A DENY_PORTS -p udp --dport 31337 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "BackOrifice-UDP:"

        $IPTABLES -A DENY_PORTS -p tcp --sport 31337 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "BackOrifice-TCP:"
        $IPTABLES -A DENY_PORTS -p udp --sport 31337 -m limit --limit 5/minute \
                -j LOG --log-level 7 --log-prefix "BackOrifice-UDP:"
        $IPTABLES -A DENY_PORTS -p tcp --dport 31337 -j DROP
        $IPTABLES -A DENY_PORTS -p udp --dport 31337 -j DROP

        $IPTABLES -A DENY_PORTS -p tcp --sport 31337 -j DROP
        $IPTABLES -A DENY_PORTS -p udp --sport 31337 -j DROP



###############################################################################
## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.

        $IPTABLES -N SRC_EGRESS
        $IPTABLES -F SRC_EGRESS

   ##------------------------------------------------------------------------##
   ## DROP all reserved private IP addresses.  Some of these may be legit
   ## for certain networks and configurations.  For connection problems,
   ## traceroute is your friend.

        ## Class A Reserved
        $IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
        $IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j DROP
       
        ## Class B Reserved
        $IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
        $IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP

        ## Class C Reserved
        $IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
        $IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP

        ## Class D Reserved
        $IPTABLES -A SRC_EGRESS -s 224.0.0.0/3 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
        $IPTABLES -A SRC_EGRESS -s 224.0.0.0/3 -j DROP

        ## Class E Reserved
        $IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
        $IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP
   
   ## Other Reserved Addresses ##
     ##  Refuse and log addresses defined as reserved by the IANA
     RESERVED_NET="
        0.0.0.0/8 \
        1.0.0.0/8 \
        2.0.0.0/8 \
        5.0.0.0/8 \
        7.0.0.0/8 \
        23.0.0.0/8 \
        27.0.0.0/8 \
        31.0.0.0/8 \
        36.0.0.0/8 \
        37.0.0.0/8 \
        39.0.0.0/8 \
        41.0.0.0/8 \
        42.0.0.0/8 \
        49.0.0.0/8 \
        50.0.0.0/8 \
        58.0.0.0/7 \
        60.0.0.0/8 \
        67.0.0.0/8 \
        68.0.0.0/6 \
        72.0.0.0/5 \
        80.0.0.0/4 \
        96.0.0.0/3 \
        127.0.0.0/8 \
        169.254.0.0/16 \
        192.0.2.0/24 \
        197.0.0.0/8 \
        218.0.0.0/7 \
        220.0.0.0/6"

        for NET in $RESERVED_NET; do
            $IPTABLES -A SRC_EGRESS -s $NET -j DROP
        done

   ##------------------------------------------------------------------------##


###############################################################################
## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.

        $IPTABLES -N DST_EGRESS
        $IPTABLES -F DST_EGRESS

   ##------------------------------------------------------------------------##
   ## DROP all reserved private IP addresses.  Some of these may be legit
   ## for certain networks and configurations.  For connection problems,
   ## traceroute is your friend.

        ## Class A Reserved
        $IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
        $IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP

        ## Class B Reserved
        $IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
        $IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP

        ## Class C Reserved
        $IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
        $IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP

        ## Class D Reserved
        $IPTABLES -A DST_EGRESS -d 224.0.0.0/3 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
        $IPTABLES -A DST_EGRESS -d 224.0.0.0/3 -j DROP

        ## Class E Reserved
        $IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
        $IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP
   
        for NET in $RESERVED_NET; do
            $IPTABLES -A DST_EGRESS -d $NET -j DROP
        done

   ##------------------------------------------------------------------------##


###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally.  Only TOS values are mangled right
## now.

   ## TOS stuff: (type: iptables -m tos -h)
   ## Minimize-Delay 16 (0x10)
   ## Maximize-Throughput 8 (0x0
   ## Maximize-Reliability 4 (0x04)
   ## Minimize-Cost 2 (0x02)
   ## Normal-Service 0 (0x00)

        $IPTABLES -t mangle -N MANGLE_OUTPUT
        $IPTABLES -t mangle -F MANGLE_OUTPUT

   ##------------------------------------------------------------------------------##
   ##   - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
   ##   - To view mangle table, type: iptables -L -t mangle

        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
   ##------------------------------------------------------------------------------##


###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall.  Only TOS
## values are mangled right now.

   ## TOS stuff: (type: iptables -m tos -h)
   ## Minimize-Delay 16 (0x10)
   ## Maximize-Throughput 8 (0x0
   ## Maximize-Reliability 4 (0x04)
   ## Minimize-Cost 2 (0x02)
   ## Normal-Service 0 (0x00)

        $IPTABLES -t mangle -N MANGLE_PREROUTING
        $IPTABLES -t mangle -F MANGLE_PREROUTING

   ##-------------------------------------------------------------------------------##
   ##   - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
   ##   - To view mangle table, type: iptables -L -t mangle

        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
        $IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
   ##-------------------------------------------------------------------------------##


###############################################################################
## Special Chain ALLOW_EXTERNAL_PORTS
## Rules to allow packets destined for the external interface based on port
## number.

        $IPTABLES -N ALLOW_PORTS-EXTERNAL
        $IPTABLES -F ALLOW_PORTS-EXTERNAL

   ##------------------------------------------------------------------------##
   ## ALLOW foreign machines to access certain services.(Examples)

        ## FTP
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 20 -j ACCEPT
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 21 -j ACCEPT

        ## SSH from trusted hosts (could be set to 0/0)
        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -s $TRUST_EXT -p tcp --dport 22 -j ACCEPT

        ## SMTP
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 25 -j ACCEPT

        ## DNS
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 53 -j ACCEPT
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p udp --dport 53 -j ACCEPT

        ## FINGER
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 79 -j ACCEPT

        ## WWW
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 80 -j ACCEPT

        ## POP3
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 110 -j ACCEPT

        ## AUTH
        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j ACCEPT

        ## NEWS
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 119 -j ACCEPT

        ## LDAP
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 389 -j ACCEPT
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p udp --dport 389 -j ACCEPT

        ## WWW-SSL
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 443 -j ACCEPT

        ## IRCD
#        $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 6667 -j ACCEPT
  ##------------------------------------------------------------------------##

###############################################################################
## Special Chain ALLOW_PORTS-DMZ
## Rules to allow packets destined for the DMZ interface based on port
## number.  
if [ "$DMZ" = "y" ]; then

        $IPTABLES -N ALLOW_PORTS-DMZ
        $IPTABLES -F ALLOW_PORTS-DMZ

  ##------------------------------------------------------------------------##
        ## ALLOW foreign machines to access certain services.(Examples)

        ## FTP
       $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 20 -j ACCEPT
       $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 21 -j ACCEPT

        ## SSH from trusted hosts (could be set to 0/0)
        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 22 -j ACCEPT

        ## SMTP
#       $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 25 -j ACCEPT

        ## DNS
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 53 -j ACCEPT
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p udp --dport 53 -j ACCEPT

        ## FINGER
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 79 -j ACCEPT

        ## WWW
        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 80 -j ACCEPT

        ## POP3
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 110 -j ACCEPT

        ## AUTH
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 113 -j ACCEPT

        ## NEWS
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 119 -j ACCEPT

        ## LDAP
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 389 -j ACCEPT
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p udp --dport 389 -j ACCEPT

        ## WWW-SSL
        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 443 -j ACCEPT

        ## IRCD
#        $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -p tcp --dport 6667 -j ACCEPT
  ##------------------------------------------------------------------------##
fi
###############################################################################
## Firewall Input Chains
###############################################################################

###############################################################################
## New chain for input to the external interface

        $IPTABLES -N EXTERNAL-input
        $IPTABLES -F EXTERNAL-input

   ##------------------------------------------------------------------------##
   ## Check TCP packets coming in on the external interface for wierd flags
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Filter incomming packets based on port number.
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j DENY_PORTS
   ##------------------------------------------------------------------------##

        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -j KEEP_STATE

   ##------------------------------------------------------------------------##
   ## Filter out Reserved/Private IP addresses.
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j SRC_EGRESS
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Allow Gateway to send IGMP broadcasts to you ##
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p igmp -s $GATEWAY \
                -d 224.0.0.1 -j ACCEPT
   ##------------------------------------------------------------------------##


   ##------------------------------------------------------------------------##
   ## Filter out Reserved/Private IP addresses.
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j DST_EGRESS
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Allow Packets On Certain External Ports
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -j ALLOW_PORTS-EXTERNAL
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## ICMP Stuff.  We're going to allow some ICMP.

     ## Echo Reply (pong)
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT

     ## Destination Unreachable (blah)
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT

     ## Echo Request (ping) -- Several Options:
        ## Accept Pings ##
#        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT

        ## Accept Pings at the rate of one per second. ##
        $IPTABLES -A EXTERNAL-input -i ! $EXTERNAL -p icmp --icmp-type 8 -m limit \
                --limit 1/second -j ACCEPT

        ## Accept Pings at the rate of one per second from external hosts ##
        for TRUST_EXT_PING in $TRUST_EXT; do
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $TRUST_EXT_PING -p icmp --icmp-type 8 -m limit \
                --limit 1/second -j ACCEPT
        done


        ## LOG all pings. ##
#       $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit \
#                --limit 5/minute -j LOG --log-level 1 --log-prefix "PING:"

    ## TTL Exceeded (traceroute)
        $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
   ##------------------------------------------------------------------------##

###############################################################################
## New chain for input to the internal interface

        $IPTABLES -N INTERNAL-input
        $IPTABLES -F INTERNAL-input

   ## ACCEPT internal to internal traffic
        $IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT

   ## ACCEPT internal dhcp traffic
        $IPTABLES -A INTERNAL-input -i $INTERNAL -p udp --sport 68 --dport 67 \
                -s 0/0 -d 255.255.255.255 -j ACCEPT

   ## DROP anything not coming from the internal network
        $IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "NOT INTERNAL:"

        $IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -j DROP

   ##------------------------------------------------------------------------##
   ## Check TCP packets coming in on the external interface for wierd flags
        $IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Filter out Reserved/Private IP addresses based on Destination IP address.
        $IPTABLES -A INTERNAL-input -i $INTERNAL -p all -j DST_EGRESS
   ##------------------------------------------------------------------------##

###############################################################################
## New chain for input to the DMZ interface
if [ "$DMZ" = "y" ]; then

        $IPTABLES -N DMZ-input
        $IPTABLES -F DMZ-input

##------------------------------------------------------------------------##
## Check TCP packets coming in on the external interface for wierd flags
        $IPTABLES -A DMZ-input -i $DMZ_IF -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
        $IPTABLES -A DMZ-input -i $DMZ_IF -p all -j DST_EGRESS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Allow Packets On Certain DMZ Interface Ports
        $IPTABLES -A DMZ-input -i $DMZ_IF -j ALLOW_PORTS-DMZ
##------------------------------------------------------------------------##

## ACCEPT internal to internal traffic
        $IPTABLES -A DMZ-input -i $DMZ_IF -s $DMZ_NET -d ! $INTERNAL_NET -j ACCEPT

        $IPTABLES -A DMZ-input -i $DMZ_IF -s $DMZ_NET -d $INTERNAL_NET \
                -m state --state RELATED,ESTABLISHED -j ACCEPT

## DROP all attempted NEW connections from the DMZ to the internal net
        $IPTABLES -A DMZ-input -i $DMZ_IF -s $DMZ_NET -d $INTERNAL_NET \
                -m state --state NEW,INVALID -j DROP

## DROP anything not coming from the DMZ network
        $IPTABLES -A DMZ-input -i $DMZ_IF -s ! $DMZ_NET -d 0/0 -j DROP

fi
###############################################################################
## New chain for input to the loopback interface

        $IPTABLES -N LO-input
        $IPTABLES -F LO-input

## Accept packets to the loopback interface
        $IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT


###############################################################################
## Firewall Output Chains
###############################################################################

###############################################################################
## New chain for output from the external interface

        $IPTABLES -N EXTERNAL-output
        $IPTABLES -F EXTERNAL-output

   ## ACCEPT outgoing packets on the external interface
        $IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT

   ##------------------------------------------------------------------------##
   ## Filter out Reserved/Private IP addresses.
        $IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j SRC_EGRESS
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Filter out Reserved/Private IP addresses.
        $IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j DST_EGRESS
   ##------------------------------------------------------------------------##

   ##------------------------------------------------------------------------##
   ## Filter outgoing packets based on port number.
        $IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j DENY_PORTS
   ##------------------------------------------------------------------------##


###############################################################################
## New chain for output across the internal interface

        $IPTABLES -N INTERNAL-output
        $IPTABLES -F INTERNAL-output

## ACCEPT all outbound traffic across the internal interfaces
        $IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
        $IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE


if [ "$DMZ" = "y" ]; then
        $IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET \
                -s ! $DMZ_NET -j ACCEPT

        $IPTABLES -A INTERNAL-output -o $INTERNAL -s $DMZ_NET -d $INTERNAL_NET \
                -m state --state RELATED,ESTABLISHED -j ACCEPT

        $IPTABLES -A INTERNAL-output -o $INTERNAL -s $DMZ_NET -d $INTERNAL_NET \
                -m state --state NEW -j DROP

   else
        $IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET \
                -j ACCEPT
fi
        $IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE
###############################################################################
## New chain for output across the DMZ interface
if [ "$DMZ" = "y" ]; then
        $IPTABLES -N DMZ-output
        $IPTABLES -F DMZ-output

## ACCEPT all outbound traffic across the internal interfaces
        $IPTABLES -A DMZ-output -o $DMZ_IF -d $DMZ_NET -j ACCEPT
        $IPTABLES -A DMZ-output -o $DMZ_IF -j KEEP_STATE
fi

###############################################################################
## New chain for output across the loopback device

        $IPTABLES -N LO-output
        $IPTABLES -F LO-output

## ACCEPT all traffic across loopback device
        $IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT


###############################################################################
## Main Stuff
###############################################################################

   ## Jumping to our INPUT chains.
        $IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
        $IPTABLES -A INPUT -i $LOOPBACK -j LO-input

        $IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
if [ "$DMZ" = "y" ]; then
        $IPTABLES -A INPUT -i $DMZ_IF -j DMZ-input
fi

        ## Sort of a Catch-all
        $IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -m limit \
                --limit 5/minute -j LOG --log-level 7 --log-prefix "INVALID-NEW:"
        $IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j DROP

   ## Jump to our OUTPUT chains.
        $IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
        $IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
        $IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
if [ "$DMZ" = "y" ]; then
        $IPTABLES -A OUTPUT -o $DMZ_IF -j DMZ-output
fi
        $IPTABLES -A OUTPUT -j KEEP_STATE

   ## Jump to our FORWARD chains.
        $IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-input
        $IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-output
        $IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL-input
        $IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL-output
if [ "$DMZ" = "y" ]; then
        $IPTABLES -A FORWARD -i $DMZ_IF -j DMZ-input
        $IPTABLES -A FORWARD -o $DMZ_IF -j DMZ-output
fi
#        $IPTABLES -A FORWARD -j KEEP_STATE

   ## Jump to mangle table rules
        $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
        $IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING


### END FIREWALL RULES ###



###############################################################################
## IPTABLES Network Address Translation(NAT) Rules
###############################################################################

#INTERNAL_NET="192.168.0.0/24"
EXT_IP="192.168.1.254"        # IP address of the External Interface.

## Flush the NAT table.
$IPTABLES -F -t nat


##------------------------------------------------------------------------##
## Destination NAT -- (DNAT)
##------------------------------------------------------------------------##

  ## "Redirect" packets headed for certain ports on our external interface to other
  ## machines on the network.
     ##FTP
       $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 20 \
                -j DNAT --to 192.168.0.2:20
        $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 21 \
                -j DNAT --to 192.168.0.2:21
     ## SSH
#        $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 22 \
#                -j DNAT --to 192.168.0.21:22

     ## WWW
        $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 80 \
                -j DNAT --to 192.168.0.2:80
     ## WWW-SSL
        $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 433 \
                -j DNAT --to 192.168.0.2:433

##------------------------------------------------------------------------##
## Redirecting
##------------------------------------------------------------------------##

#WWW
        for HOST in $MASQ_REDIRECT_HOST; do
             $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s $HOST \
                -d ! $INTERNAL_NET --dport 80 -j ACCEPT
        done

        $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp \
                -d ! $INTERNAL_NET --dport 80 -j REDIRECT --to-ports $PROXY_PORT

#        for HOST in $MASQ_REDIRECT_HOST; do
#            $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s $HOST \
#                --dport 80 -j REDIRECT --to-ports $PROXY_PORT
#        done

#HTTP-SSL
        for HOST in $MASQ_REDIRECT_HOST; do
             $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s $HOST \
                -d ! $INTERNAL_NET --dport 443 -j ACCEPT
        done

        $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp \
                -d ! $INTERNAL_NET --dport 443 -j REDIRECT --to-ports $PROXY_PORT


#        for HOST in $MASQ_REDIRECT_HOST; do
#            $IPTABLES -i $INTERNAL -t nat -A PREROUTING -p tcp -s $HOST \
#                --dport 443 -j REDIRECT --to-ports $PROXY_PORT
#       done

##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##

  ## Source NAT allows us to "masquerade" our internal machines behind our
  ## firewall.
if [ "$STATIC_IP" = "y" ]; then
     ## Static IP address ##
        ## Change source address of outgoing packets on external
        ## interface to our IP address.
        $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP
else
     ## Dynamic IP address ##
        for HOST in $MASQ_REDIRECT_HOST; do
            $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $HOST \
                -j MASQUERADE
        done
fi
### END NAT RULES ###


###############################################################################
## Additional Kernel Configuration
###############################################################################

  ## Adjust for your requirements/preferences.
  ## Please make sure you understand what these things are doing before you
  ## uncomment them. A good place to start would be some of the resources
  ## listed at the top of this script as well as the documentation that comes
  ## with the linux kernel source.
  ## For Example: linux/Documentation/filesystems/proc.txt
  ##              linux/Documentation/networking/ip-sysctl.txt

## - Disable source routing of packets
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
                echo 0 > $i;
        done
fi

## - Enable rp_filter
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
                echo 1 > $i;
        done
fi

## - Ignore any broadcast icmp echo requests
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

## - Ignore all icmp echo requests on all interfaces
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
        echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi

## - Local port range for TCP/UDP connections
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
        echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
fi

## - Log packets with impossible addresses to kernel log.
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
fi

## - Don't send ICMP redirects - needed for transparent proxy
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi

## - Don't accept ICMP redirects
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

## - Don't accept ICMP redirects
## (You may only want to disable on the external interface)
if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
fi

## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi

## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
else
        echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn't exist"
        echo "(That may be a problem)"
fi


## EOF
 楼主| 发表于 2004-4-14 14:54:49 | 显示全部楼层
配合squid使用绝对的没的说!
回复

使用道具 举报

 楼主| 发表于 2004-4-14 18:05:22 | 显示全部楼层
我使用这款防火墙发现了一个问题就是,外网的能访问内部的www服务。内网的不能(这个我可以在iptables的手册里找到答案)

但是有一个问题是,当我把外部的ftp 定向岛内网(server-u)之后,用户只能连上,但是不能登陆。这是什么问题呢!

请高人指点!!!
回复

使用道具 举报

 楼主| 发表于 2004-4-14 18:07:39 | 显示全部楼层
另外,这个dmz到底怎么个用法?
回复

使用道具 举报

发表于 2004-4-14 22:57:19 | 显示全部楼层
我试过只有满足下面三个条件才能访问ftp
1.客户端电脑不能在内网,用adsl的不能用路由
2.ftp 不能用被动模式,如要使用被动模式必须把主机防火墙1024以上端口全部开放(iptables中文howto上有介绍,公社有下)
3.主动模式下客户端电脑防火墙 ftp 端口及1024以上端口也必须开放,这是因为内网主机有一个20端口到客户端1024以上端口的连接,被动模式下未知,自己试吧
这是没有办法的办法,相信有高手可以解决这些问题,特别是内网访问
回复

使用道具 举报

 楼主| 发表于 2004-4-15 10:48:55 | 显示全部楼层
谢谢NightHK3,

等等看谁还有更好的办法?
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

GMT+8, 2024-11-8 20:32 , Processed in 0.051782 second(s), 16 queries .

© 2021 Powered by Discuz! X3.5.

快速回复 返回顶部 返回列表