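#!/bin/sh
## The interpreter line has to be the very first line of the file. The stray
## "|" that used to precede it was a shell syntax error on its own and also
## stopped the kernel from honouring "#!/bin/sh", so the script ran under
## whatever shell the caller happened to use.
clear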
##########################################################################
# Copyright (c) 2001 Patrik Hildingsson [email protected] #
# Thanks goes to obsid & Christian Benvenuti for helping me out here #
##########################################################################
## Variables
## NOTE(review): the addresses below are sample values. The SRC_EGRESS and
## DST_EGRESS chains further down drop anything sourced from or destined to
## 192.168.0.0/16 (and the other RFC 1918 blocks), so with EXT_IP and GATEWAY
## left in 192.168.1.0/24 the external side is treated as spoofed wherever
## those chains run before an ACCEPT. Put the real addresses here before use.
IRC="y" # y/n, Enable for DCC connection-track
EGG="n" # y/n, Enable for Eggdrop HUB-bot on your net
DMZ="y" # y/n, Enable the DMZ interface, its chains and the DMZ NAT rules
STATIC_IP="y" # y/n, Meant to accompany DMZ; not referenced by any rule in the part of the script shown here
IPTABLES="/sbin/iptables"
INTERNAL="eth0" # Internal Interface
EXTERNAL="eth1" # External Interface
EXT_IP="192.168.1.254" # IP address of the External Interface (sample value, see NOTE above)
LOOPBACK="lo" # Loopback Interface
DMZ_IF="eth2" ## DMZ Interface
DMZ_IP="192.168.0.254" ##DMZ Ip (the firewall's own address on the DMZ interface)
DMZ_HTTP_IP="192.168.0.2" #DMZ HTTP IP -- check that the DNAT rules near the end use this variable rather than a literal address
DMZ_FTP_IP="192.168.0.2" #DMZ FTP IP -- same remark
DMZ_NET="192.168.0.0/24" ## DMZ NET
INTERNAL_NET="192.168.2.0/24" ## Internal Net
INTERNAL_IP="192.168.2.254"
PROXY_PORT="8080" ## Optional Proxyport (internal port-80/443 traffic is REDIRECTed here; the proxy must listen on it)
FTP_PORT="21" # FTP port/s that ip_conntrack_ftp should track.
# Separate with a comma. F.e. "21,6921,2121"
# Requires ip_conntrack_ftp built as a module (it is passed as ports=... when loaded below)
MASQ_REDIRECT_HOST="192.168.1.21/32 192.168.1.22/32 192.168.1.23/32" ##Hosts that will be SNATed/Masqueraded AND redirected
## NOTE(review): in the nat rules visible in this file these hosts are matched
## with -i $INTERNAL and -s $HOST and then ACCEPTed, i.e. EXEMPTED from the
## proxy REDIRECT. As listed they are not even inside INTERNAL_NET
## (192.168.2.0/24), so those rules never match; keep the two consistent.
TRUST_EXT="194.17.248.0/24" ## External Hosts that we trust for (ICMP Echo Request AND ssh)
## (the ssh rule passes this as a single -s argument; the ping rules loop over it)
GATEWAY="192.168.1.1" ## Our Gateway (sample value, see NOTE above)
VERSION="4.2d-1SUPER"
#### Please review firewallsettings below for your depends and needs ####
#### EDIT BELOW SETTINGS ONLY IF YOU KNOW WHAT YOU'RE DOING #####
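echo "Starting Firewall version" $VERSION
## Where a 2.4 kernel keeps its netfilter modules. Evaluated once instead of
## running `uname -r` in every test below. The ".o" suffix is 2.4-specific:
## on a 2.6+ kernel (".ko") every test below silently takes the "not a
## module" branch, which is consistent with the 1.2/2.4 requirement enforced
## further down.
KMOD_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"

## Load table module $1 when it exists as a module, otherwise assume it was
## compiled into the kernel. $2 is the name printed in the "Assuming" message.
load_table_module() {
  if [ -e "$KMOD_DIR/$1.o" ]; then
    /sbin/modprobe "$1"
  else
    echo "Assuming $2 compiled into kernel"
  fi
}

## Succeed when module $1 appears as a loaded module in the lsmod output read
## from stdin. The pattern is anchored to the start of the line on purpose:
## lsmod also lists the helper's name on the "ip_conntrack ... [ip_conntrack_ftp]"
## dependency line, and the previous unanchored grep therefore produced two
## words, the equality test failed, and the rmmod/"Reloading" branch was never
## taken -- so a changed FTP_PORT did not take effect on a re-run.
lsmod_has_module() {
  grep -q "^$1[[:space:]]"
}

## (Re)load connection-tracking helper $1. $2 is the text used after
## "Loading "/"Reloading ", $3 the text used after "as module for " when the
## module is missing, and any further arguments are passed to modprobe.
## An already-loaded helper is rmmod'ed first so that new module parameters
## (e.g. ports=) take effect; rmmod fails (and says so) while conntrack still
## references the helper.
load_conntrack_helper() {
  CT_MOD="$1"; CT_WHAT="$2"; CT_NEED="$3"; shift 3
  if [ -e "$KMOD_DIR/$CT_MOD.o" ]; then
    if lsmod 2>&1 | lsmod_has_module "$CT_MOD"; then
      echo "Reloading $CT_WHAT"
      /sbin/rmmod "$CT_MOD"
    else
      echo "Loading $CT_WHAT"
    fi
    /sbin/modprobe "$CT_MOD" "$@" 2>&1
  else
    echo "Please compile $CT_MOD as module for $CT_NEED connection-track!"
    sleep 3
  fi
}

## Check if iptables and filter/nat/mangle-tables are compiled as module
## or direct into kernel. If module, then we load it.
load_table_module ip_tables IPTables
load_table_module iptable_filter IPtable_filter
load_table_module iptable_nat IPtable_nat
load_table_module iptable_mangle IPtable_mangle

## FTP connection-track; ports= takes the comma-separated FTP_PORT list.
load_conntrack_helper ip_conntrack_ftp \
  "FTP connection-track on port/s $FTP_PORT" "multiple FTP port" "ports=$FTP_PORT"

## IRC DCC connection-track, only when enabled; otherwise make sure no
## helper module is left behind from an earlier run.
if [ "$IRC" = "y" ]; then
  load_conntrack_helper ip_conntrack_irc "IRC connection-track" "IRC DCC"
else
  /sbin/rmmod ip_conntrack_irc 1>/dev/null 2>/dev/null
fi

## Eggdrop HUB-bot connection-track, same pattern.
if [ "$EGG" = "y" ]; then
  load_conntrack_helper ip_conntrack_egg "Eggdrop HUB-bot connection-track" "Eggdrop HUB-bot"
else
  /sbin/rmmod ip_conntrack_egg 1>/dev/null 2>/dev/null
fi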
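## Check iptables compatible with kernel ##
ORIGPATH=$PATH
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
#FOO=`$IPTABLES -L -n 2>&1 | grep Incompatible`
## Only whether grep matched matters. The previous test compared the whole
## version line against the literal "iptables v1.2", so every point release
## ("iptables v1.2.4") was rejected and the script aborted on the very
## versions it was written for. An empty result means an iptables older than
## 1.2 or a binary that could not run at all.
## NOTE(review): the 1.2 pin is deliberate -- the rules below use the old
## intrapositioned negation ("-i ! eth1", "-s ! net") and the experimental
## "-m unclean" match, which newer iptables may reject; porting means fixing
## those, not just widening this grep.
FOO=$($IPTABLES --version 2>&1 | grep 'iptables v1.2')
if [ -z "$FOO" ]; then
  echo "IPtables v1.2 required OR kernel not configured for iptables. Aborting!"
  echo "Get IPtables 1.2 from http://netfilter.kernelnotes.org and Linux Kernel 2.4.x from http://ftp.kernel.org"
  export PATH=$ORIGPATH
  ## Non-zero so an init script or caller can tell the firewall was NOT loaded.
  exit 1
fi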
## Attempt to Flush All Rules in Filter Table
$IPTABLES -F
## Flush Built-in Rules
## (already covered by the table-wide -F above; harmless repetition)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
## Flush Rules/Delete User Chains in Mangle Table
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
## Delete all user-defined chains, reduces dumb warnings if you run
## this script more than once.
$IPTABLES -X
## Set Default Policies
## NOTE(review): between the flush above and "-P INPUT DROP" below the box
## briefly runs with an empty INPUT chain under whatever policy was in force
## before (DROP on a re-run, possibly ACCEPT on a first run).
## OUTPUT and FORWARD stay ACCEPT: anything the per-interface chains used
## from FORWARD do not explicitly DROP is routed, so those chains act as
## deny lists rather than allow lists. The nat table is not flushed here;
## that happens in the NAT section near the end.
$IPTABLES -P INPUT DROP ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
## More variables further down near the NAT rules.
## NOTE: "Special Chains" First, Regular INPUT/OUTPUT chains will follow.
###############################################################################
## Special Chains
###############################################################################
###############################################################################
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## DROP packets associated with an "INVALID" connection.
$IPTABLES -A KEEP_STATE -m state --state INVALID -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "INVALID STATE:"
$IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
## UNCLEAN match target, somewhat experimental at this point. #
## Needs to be patched into standard kernels from development netfilter #
## NOTE(review): nothing checks that the match is available; if it is not,
## iptables prints an error and this one rule is simply missing.
$IPTABLES -A KEEP_STATE -m unclean -j DROP
## ACCEPT certain packets which are starting a new connection or are
## related to an established connection.
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
## ACCEPT packets whose input interface is anything but the external interface.
## (EXTERNAL-input only jumps here for -i $EXTERNAL, so this rule cannot
## match on that path; it is relevant for the INTERNAL/DMZ output chains.)
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT
##------------------------------------------------------------------------##
## At this point ACCEPT packets trying to start a new connection whose
## input interface is the external interface and the destination is the DMZ.
## This suggests, of course, that you run services on your DMZ that you
## want to be accessible from the outside.
## NOTE(review): this accepts NEW external->DMZ traffic on ANY port and any
## destination behind $DMZ_IF, and EXTERNAL-input reaches it before the
## SRC_EGRESS anti-spoof jump and before any port check, so the port list in
## ALLOW_PORTS-DMZ does not limit what the outside can reach on the DMZ.
## Tightening it to "-p tcp -d $DMZ_NET" plus the DNAT'ed ports is the
## change to consider.
if [ "$DMZ" = "y" ]; then
$IPTABLES -A KEEP_STATE -i $EXTERNAL -o $DMZ_IF -m state --state NEW -j ACCEPT
fi
##------------------------------------------------------------------------##
###############################################################################
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that these rules should never match normal traffic; they
## are designed to capture obviously malformed packets... but there is a lot of
## weird traffic out there, so who knows.
## Log facility/priority for these are kern.debug, please adjust for your taste. See
## the iptables and syslog.conf man pages for logging details.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
## Each scan signature becomes one rate-limited LOG rule followed by one DROP
## rule, in the order the calls below are made.
## drop_tcp_flags MASK COMP PREFIX: TCP packets whose flags, looked at under
## MASK, equal COMP are logged (kern.debug, 5/minute) and dropped.
drop_tcp_flags() {
  $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags "$1" "$2" -m limit \
    --limit 5/minute -j LOG --log-level 7 --log-prefix "$3"
  $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags "$1" "$2" -j DROP
}
## drop_tcp_option NUMBER PREFIX: same treatment for a bogus TCP option number.
drop_tcp_option() {
  $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option "$1" -m limit \
    --limit 5/minute -j LOG --log-level 7 --log-prefix "$2"
  $IPTABLES -A CHECK_FLAGS -p tcp --tcp-option "$1" -j DROP
}
## NMAP FIN/URG/PSH
drop_tcp_flags ALL FIN,URG,PSH "NMAP-XMAS:"
## Xmas Tree (every flag set)
drop_tcp_flags ALL ALL "Merry XMAS:"
## Another Xmas Tree (everything but PSH)
drop_tcp_flags ALL SYN,RST,ACK,FIN,URG "XMAS-PSH:"
## Null Scan(possibly) -- no flags at all
drop_tcp_flags ALL NONE "NULL_SCAN:"
## SYN/RST together
drop_tcp_flags SYN,RST SYN,RST "SYN/RST:"
## SYN/FIN together -- Scan(possibly)
drop_tcp_flags SYN,FIN SYN,FIN "SYN/FIN:"
##------------------------------------------------------------------------##
## TCP Option Check
drop_tcp_option 64 "Bogus TCP FLAG 64"
drop_tcp_option 128 "Bogus TCP FLAG 128"
##------------------------------------------------------------------------##
## Make some types of port scans annoyingly slow, also provides some protection
## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
## INVALID state should catch most TCP packets with the RST or FIN bits set that
## aren't associated with an established connection. Still, these will limit the
## amount of stuff that is accepted through our open ports(if any). I suggest you
## test these for your configuration before you uncomment them, as they could cause
## problems.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
###############################################################################
## Special Chain DENY_PORTS
## This chain will DROP/LOG packets based on port number
$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS
## Helpers. $1 = protocol, $2 = --dport or --sport, $3 = port or first:last.
## deny_port drops silently; log_port only logs (kern.debug, 5/minute) and
## must be followed by a matching deny_port to actually block anything.
## The calls below reproduce the original rule order exactly.
deny_port() {
  $IPTABLES -A DENY_PORTS -p "$1" "$2" "$3" -j DROP
}
log_port() {
  $IPTABLES -A DENY_PORTS -p "$1" "$2" "$3" -m limit --limit 5/minute \
    -j LOG --log-level 7 --log-prefix "$4"
}
## NFS, X, VNC, SMB, blah blah -- dropped in both directions, no logging.
## NOTE(review): the --sport variants are a weak signal: a remote peer whose
## ephemeral source port happens to fall in one of these ranges is dropped too.
for PORTS in 137:139 1433 2049 5432 5999:6063 5900:5910; do
  deny_port tcp --dport $PORTS
  deny_port tcp --sport $PORTS
done
## (Possibly) Evil Stuff ##
## Possible rpc.statd exploit shell
log_port tcp --dport 9704 "rpc.statd(9704) Shell:"
deny_port tcp --dport 9704
log_port tcp --sport 9704 "rpc.statd(9704) Shell:"
deny_port tcp --sport 9704
## NetBus and NetBus Pro
log_port tcp --dport 20034 "NetBus Pro:"
deny_port tcp --dport 20034
log_port tcp --dport 12345:12346 "NetBus:"
deny_port tcp --dport 12345:12346
## Trinoo -- tcp 27665, udp 27444 and 31335, logged in both directions
log_port tcp --sport 27665 "Trinoo:"
log_port tcp --dport 27665 "Trinoo:"
deny_port tcp --sport 27665
deny_port tcp --dport 27665
for PORT in 27444 31335; do
  log_port udp --sport $PORT "Trinoo:"
  log_port udp --dport $PORT "Trinoo:"
  deny_port udp --sport $PORT
  deny_port udp --dport $PORT
done
## Back Orifice -- all four LOG rules first, then the four DROPs
log_port tcp --dport 31337 "BackOrifice-TCP:"
log_port udp --dport 31337 "BackOrifice-UDP:"
log_port tcp --sport 31337 "BackOrifice-TCP:"
log_port udp --sport 31337 "BackOrifice-UDP:"
deny_port tcp --dport 31337
deny_port udp --dport 31337
deny_port tcp --sport 31337
deny_port udp --sport 31337
###############################################################################
## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.
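$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
## NOTE(review): with the sample EXT_IP/GATEWAY in 192.168.1.0/24 this chain
## drops the whole upstream LAN wherever it runs before an ACCEPT.
## Class A Reserved
$IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
$IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j DROP
## Class B Reserved
$IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
$IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP
## Class D Reserved (224.0.0.0/3 is 224-255, so this already covers class E)
$IPTABLES -A SRC_EGRESS -s 224.0.0.0/3 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
$IPTABLES -A SRC_EGRESS -s 224.0.0.0/3 -j DROP
## Class E Reserved
$IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "SRC_EGRESS:"
$IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP
## Other Reserved Addresses ##
## Special-purpose ranges (RFC 6890) that must never appear as a source on
## the outside and are not already covered above. The 2001 list that was here
## named whole /8s and larger ("1.0.0.0/8", "5.0.0.0/8", "68.0.0.0/6",
## "80.0.0.0/4", "96.0.0.0/3", ...) that IANA has since handed to the RIRs,
## so it silently dropped traffic from large parts of the public Internet --
## and, via DST_EGRESS, blocked our own traffic towards them. A hand-kept
## list rots; regenerate it from a maintained bogon feed instead.
## 100.64.0.0/10 is shared (CGNAT) space -- remove it if your upstream uses
## it and you legitimately see it as a source.
## These are dropped without logging (the list is shared with DST_EGRESS).
RESERVED_NET="
0.0.0.0/8 \
100.64.0.0/10 \
127.0.0.0/8 \
169.254.0.0/16 \
192.0.0.0/24 \
192.0.2.0/24 \
198.18.0.0/15 \
198.51.100.0/24 \
203.0.113.0/24"
for NET in $RESERVED_NET; do
$IPTABLES -A SRC_EGRESS -s $NET -j DROP
done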
##------------------------------------------------------------------------##
###############################################################################
## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.
$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
## NOTE(review): the 192.168.0.0/16 rule below covers DMZ_NET, INTERNAL_NET,
## DMZ_IP and the sample EXT_IP as defined at the top. Wherever this chain
## is jumped to before an ACCEPT (EXTERNAL-input, DMZ-input, ...) traffic to
## those addresses is dropped -- in DMZ-input that is what actually stops
## DMZ -> internal and DMZ -> firewall traffic, not the explicit rules that
## follow the jump.
## Class A Reserved
$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP
## Class B Reserved
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
$IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP
## Class D Reserved (224.0.0.0/3 is 224-255 and already includes class E)
$IPTABLES -A DST_EGRESS -d 224.0.0.0/3 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
$IPTABLES -A DST_EGRESS -d 224.0.0.0/3 -j DROP
## Class E Reserved
$IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "DST_EGRESS:"
$IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP
## Same list as SRC_EGRESS (RESERVED_NET is defined there); unlike the
## classes above these are dropped without logging.
for NET in $RESERVED_NET; do
$IPTABLES -A DST_EGRESS -d $NET -j DROP
done
##------------------------------------------------------------------------##
###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x0
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
## Append the TOS rules shared by both mangle chains to chain $1.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
## Interactive/control ports (ftp control, ssh, telnet, smtp, dns) get
## Minimize-Delay, bulk ports (ftp-data, http) get Maximize-Throughput.
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
set_tos_rules() {
  for TOS_SPEC in tcp:20:8 tcp:21:16 tcp:22:16 tcp:23:16 tcp:25:16 \
                  tcp:53:16 udp:53:16 tcp:80:8; do
    TOS_PROTO=${TOS_SPEC%%:*}
    TOS_REST=${TOS_SPEC#*:}
    TOS_PORT=${TOS_REST%%:*}
    TOS_VALUE=${TOS_REST#*:}
    $IPTABLES -t mangle -A "$1" -p "$TOS_PROTO" --dport "$TOS_PORT" -j TOS --set-tos "$TOS_VALUE"
  done
}
###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now.
$IPTABLES -t mangle -N MANGLE_OUTPUT
$IPTABLES -t mangle -F MANGLE_OUTPUT
set_tos_rules MANGLE_OUTPUT
###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall. Only TOS
## values are mangled right now.
$IPTABLES -t mangle -N MANGLE_PREROUTING
$IPTABLES -t mangle -F MANGLE_PREROUTING
set_tos_rules MANGLE_PREROUTING
##-------------------------------------------------------------------------------##
###############################################################################
## Special Chain ALLOW_PORTS-EXTERNAL
## Rules to allow packets arriving on the external interface based on port
## number.
$IPTABLES -N ALLOW_PORTS-EXTERNAL
$IPTABLES -F ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
## ALLOW foreign machines to access certain services.(Examples)
## NOTE(review): EXTERNAL-input jumps here only after DST_EGRESS, which drops
## every destination in 10/8, 172.16/12 and 192.168/16. With the sample
## EXT_IP (192.168.1.254) nothing in this chain can ever match; it works
## once EXT_IP is a public address.
## FTP
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 20 -j ACCEPT
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 21 -j ACCEPT
## SSH from trusted hosts only. Setting -s to 0/0 would expose the
## firewall's own sshd to the whole Internet -- keep it restricted.
## TRUST_EXT is passed as ONE argument here (unlike the ping loop in
## EXTERNAL-input), so it must contain a single network.
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -s $TRUST_EXT -p tcp --dport 22 -j ACCEPT
## SMTP
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 25 -j ACCEPT
## DNS
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 53 -j ACCEPT
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p udp --dport 53 -j ACCEPT
## FINGER
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 79 -j ACCEPT
## WWW
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 80 -j ACCEPT
## POP3
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 110 -j ACCEPT
## AUTH (ident) -- the only service open to everyone. Only keep it if an
## identd actually runs on the firewall; otherwise comment it out and let
## the INPUT catch-all drop it.
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j ACCEPT
## NEWS
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 119 -j ACCEPT
## LDAP
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 389 -j ACCEPT
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p udp --dport 389 -j ACCEPT
## WWW-SSL
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 443 -j ACCEPT
## IRCD
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 6667 -j ACCEPT
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
###############################################################################
## Special Chain ALLOW_PORTS-DMZ
## Rules to allow packets destined for the DMZ interface based on port
## number.
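if [ "$DMZ" = "y" ]; then
$IPTABLES -N ALLOW_PORTS-DMZ
$IPTABLES -F ALLOW_PORTS-DMZ
##------------------------------------------------------------------------##
## What this chain really matches: packets ARRIVING on the DMZ interface
## (-i $DMZ_IF), i.e. traffic that DMZ hosts send out, not traffic sent to
## them. The outside reaching DMZ services is accepted in KEEP_STATE
## ("-i $EXTERNAL -o $DMZ_IF --state NEW"), not here.
## Every rule now also requires -s $DMZ_NET. Without it a DMZ host could
## spoof a foreign source address and still have these ports accepted,
## because DMZ-input jumps here before its "not from DMZ_NET" DROP.
## FTP
$IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 20 -j ACCEPT
$IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 21 -j ACCEPT
## SSH
$IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 22 -j ACCEPT
## SMTP
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 25 -j ACCEPT
## DNS
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 53 -j ACCEPT
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p udp --dport 53 -j ACCEPT
## FINGER
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 79 -j ACCEPT
## WWW
$IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 80 -j ACCEPT
## POP3
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 110 -j ACCEPT
## AUTH
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 113 -j ACCEPT
## NEWS
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 119 -j ACCEPT
## LDAP
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 389 -j ACCEPT
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p udp --dport 389 -j ACCEPT
## WWW-SSL
$IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 443 -j ACCEPT
## IRCD
# $IPTABLES -A ALLOW_PORTS-DMZ -i $DMZ_IF -s $DMZ_NET -p tcp --dport 6667 -j ACCEPT
##------------------------------------------------------------------------##
fi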
###############################################################################
## Firewall Input Chains
###############################################################################
###############################################################################
## New chain for input to the external interface
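$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input
##------------------------------------------------------------------------##
## This chain is entered from INPUT and FORWARD only for -i $EXTERNAL, so
## every rule carries that match and a "-i ! $EXTERNAL" rule in here can
## never fire (one such dead ping rule was removed, see below).
## Check TCP packets coming in on the external interface for weird flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## Filter incoming packets based on port number.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##
## Stateful accept.
## NOTE(review): this runs BEFORE the SRC_EGRESS anti-spoof jump, so a
## packet with a private source that conntrack rates ESTABLISHED/RELATED
## (or NEW towards the DMZ, when DMZ=y) is accepted without the source
## check. Putting SRC_EGRESS first is the textbook order, but with the
## sample EXT_IP/GATEWAY in 192.168.1.0/24 that would also cut off the
## upstream LAN, so the order is kept and flagged here.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses (source).
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##
## Allow Gateway to send IGMP broadcasts to you ##
## (unreachable for a GATEWAY inside 192.168.0.0/16: SRC_EGRESS drops it first)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p igmp -s $GATEWAY \
-d 224.0.0.1 -j ACCEPT
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses (destination).
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
## Allow Packets On Certain External Ports
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
## ICMP Stuff. We're going to allow some ICMP.
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Several Options:
## Accept Pings from anyone ##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
## Accept Pings at the rate of one per second from trusted external hosts ##
## (The former "-i ! $EXTERNAL" rate-limited ping rule was dropped: it could
## never match in this chain, so only TRUST_EXT gets answered, as the
## variable's own comment says.)
for TRUST_EXT_PING in $TRUST_EXT; do
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -s $TRUST_EXT_PING -p icmp --icmp-type 8 -m limit \
--limit 1/second -j ACCEPT
done
## LOG all pings. ##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit \
# --limit 5/minute -j LOG --log-level 1 --log-prefix "PING:"
## TTL Exceeded (traceroute)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
##------------------------------------------------------------------------##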
##------------------------------------------------------------------------##
###############################################################################
## New chain for input to the internal interface
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input
## ACCEPT internal to internal traffic
## (in fact internal -> anywhere, "-d 0/0". Being the first rule it accepts
## every packet with an INTERNAL_NET source, so nothing from the internal
## net ever reaches the CHECK_FLAGS / DST_EGRESS jumps further down.)
$IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT
## ACCEPT internal dhcp traffic (client requests from 0.0.0.0 to broadcast)
$IPTABLES -A INTERNAL-input -i $INTERNAL -p udp --sport 68 --dport 67 \
-s 0/0 -d 255.255.255.255 -j ACCEPT
## DROP anything not coming from the internal network
$IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "NOT INTERNAL:"
$IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -j DROP
##------------------------------------------------------------------------##
## Check TCP packets coming in on the internal interface for weird flags
## NOTE(review): unreachable as ordered -- every packet has been ACCEPTed
## or DROPped above. Moving the CHECK_FLAGS jump above the blanket ACCEPT
## would make it effective for internal hosts. DST_EGRESS is a different
## matter: it drops all of 192.168.0.0/16, which would also cut
## internal -> DMZ and internal -> firewall, so it must stay where it is
## or get -d exceptions first.
$IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
$IPTABLES -A INTERNAL-input -i $INTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
###############################################################################
## New chain for input to the DMZ interface
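if [ "$DMZ" = "y" ]; then
$IPTABLES -N DMZ-input
$IPTABLES -F DMZ-input
## DROP anything not coming from the DMZ network.
## Moved to the top of the chain: it used to be the last rule, after
## ALLOW_PORTS-DMZ had already accepted packets on a handful of TCP ports
## regardless of source, so a DMZ host spoofing a foreign address slipped
## past the anti-spoof check on those ports. Nothing legitimate on $DMZ_IF
## carries a non-DMZ_NET source, so this is safe to do first.
$IPTABLES -A DMZ-input -i $DMZ_IF -s ! $DMZ_NET -d 0/0 -j DROP
##------------------------------------------------------------------------##
## Check TCP packets coming in on the DMZ interface for weird flags
$IPTABLES -A DMZ-input -i $DMZ_IF -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
## NOTE: DST_EGRESS drops every 192.168.0.0/16 destination, so with the
## addresses in this file it is this jump that blocks DMZ -> internal net
## (and DMZ -> the firewall's own DMZ_IP, replies included); the explicit
## internal-net rules below only see other destinations.
$IPTABLES -A DMZ-input -i $DMZ_IF -p all -j DST_EGRESS
##------------------------------------------------------------------------##
## Allow Packets On Certain DMZ Interface Ports (traffic sent BY DMZ hosts)
$IPTABLES -A DMZ-input -i $DMZ_IF -j ALLOW_PORTS-DMZ
##------------------------------------------------------------------------##
## ACCEPT DMZ traffic to anywhere except the internal net
$IPTABLES -A DMZ-input -i $DMZ_IF -s $DMZ_NET -d ! $INTERNAL_NET -j ACCEPT
$IPTABLES -A DMZ-input -i $DMZ_IF -s $DMZ_NET -d $INTERNAL_NET \
-m state --state RELATED,ESTABLISHED -j ACCEPT
## DROP all attempted NEW connections from the DMZ to the internal net
$IPTABLES -A DMZ-input -i $DMZ_IF -s $DMZ_NET -d $INTERNAL_NET \
-m state --state NEW,INVALID -j DROP
fi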
###############################################################################
## New chain for input to the loopback interface
$IPTABLES --new-chain LO-input
$IPTABLES --flush LO-input
## Everything that arrives on the loopback interface is trusted.
$IPTABLES --append LO-input --in-interface $LOOPBACK --jump ACCEPT
###############################################################################
## Firewall Output Chains
###############################################################################
###############################################################################
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## ACCEPT outgoing packets on the external interface
## NOTE(review): because this blanket ACCEPT comes first, the three jumps
## below (SRC_EGRESS, DST_EGRESS, DENY_PORTS) are never evaluated -- there is
## no outbound egress filtering on $EXTERNAL despite the comments. Do not
## just move the ACCEPT to the bottom, though: this chain also serves
## FORWARD, where packets from INTERNAL_NET/DMZ_NET still carry their
## private source (filtering happens before nat POSTROUTING), so SRC_EGRESS
## would then drop every forwarded packet. Real egress filtering here needs
## -s exceptions for the local private nets first.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses (source).
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses (destination).
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
## Filter outgoing packets based on port number.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
###############################################################################
## New chain for output across the internal interface
$IPTABLES -N INTERNAL-output
$IPTABLES -F INTERNAL-output
## ACCEPT all outbound traffic across the internal interfaces
## NOTE(review): this first rule accepts everything addressed to
## INTERNAL_NET from any source, so none of the DMZ-specific rules in the
## branch below can match -- the "DMZ -> internal NEW -> DROP" here is dead.
## The protection that actually applies is in DMZ-input, where DST_EGRESS
## drops 192.168.0.0/16 destinations before anything else.
$IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
$IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE
if [ "$DMZ" = "y" ]; then
$IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET \
-s ! $DMZ_NET -j ACCEPT
$IPTABLES -A INTERNAL-output -o $INTERNAL -s $DMZ_NET -d $INTERNAL_NET \
-m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INTERNAL-output -o $INTERNAL -s $DMZ_NET -d $INTERNAL_NET \
-m state --state NEW -j DROP
else
$IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET \
-j ACCEPT
fi
## Second KEEP_STATE jump: redundant -- a packet the chain did not accept
## above is evaluated against the very same rules again with the same result.
$IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE
###############################################################################
## New chain for output across the DMZ interface
if [ "$DMZ" = "y" ]; then
$IPTABLES --new-chain DMZ-output
$IPTABLES --flush DMZ-output
## Anything addressed to the DMZ network may leave through the DMZ
## interface; everything else leaving that way goes through the state checks.
$IPTABLES --append DMZ-output --out-interface $DMZ_IF --destination $DMZ_NET --jump ACCEPT
$IPTABLES --append DMZ-output --out-interface $DMZ_IF --jump KEEP_STATE
fi
###############################################################################
## New chain for output across the loopback device
$IPTABLES --new-chain LO-output
$IPTABLES --flush LO-output
## Everything leaving via the loopback interface is trusted.
$IPTABLES --append LO-output --out-interface $LOOPBACK --jump ACCEPT
###############################################################################
## Main Stuff
###############################################################################
## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
$IPTABLES -A INPUT -i $LOOPBACK -j LO-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
if [ "$DMZ" = "y" ]; then
$IPTABLES -A INPUT -i $DMZ_IF -j DMZ-input
fi
## Sort of a Catch-all
$IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -m limit \
--limit 5/minute -j LOG --log-level 7 --log-prefix "INVALID-NEW:"
$IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j DROP
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
if [ "$DMZ" = "y" ]; then
$IPTABLES -A OUTPUT -o $DMZ_IF -j DMZ-output
fi
$IPTABLES -A OUTPUT -j KEEP_STATE
## Jump to our FORWARD chains.
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL-input
$IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL-output
if [ "$DMZ" = "y" ]; then
$IPTABLES -A FORWARD -i $DMZ_IF -j DMZ-input
$IPTABLES -A FORWARD -o $DMZ_IF -j DMZ-output
fi
# $IPTABLES -A FORWARD -j KEEP_STATE
## Jump to mangle table rules
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
$IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING
### END FIREWALL RULES ###
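###############################################################################
## IPTABLES Network Address Translation(NAT) Rules
###############################################################################
## EXT_IP, DMZ_FTP_IP, DMZ_HTTP_IP, INTERNAL_NET, MASQ_REDIRECT_HOST and
## PROXY_PORT all come from the configuration block at the top of the script.
## EXT_IP used to be re-assigned right here, which silently overrode any edit
## made up top; the configuration block is now the single place to change it.
## Flush the NAT table.
"$IPTABLES" -F -t nat
##------------------------------------------------------------------------##
## Destination NAT -- (DNAT)
##------------------------------------------------------------------------##
## Forward selected ports arriving on the external address to DMZ hosts.
## Only the nat table is touched here; whether the translated packets are
## allowed through is decided by the FORWARD/DMZ filter chains above.
## The targets use the DMZ_*_IP variables instead of a literal address so the
## DNAT rules follow the configuration block.
## FTP: control connection on 21; 20 is kept for active-mode data as before.
"$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport 20 \
  -j DNAT --to "$DMZ_FTP_IP:20"
"$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport 21 \
  -j DNAT --to "$DMZ_FTP_IP:21"
## SSH (disabled; the target below is not one of the configured DMZ addresses)
# "$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport 22 \
#   -j DNAT --to 192.168.0.21:22
## WWW
"$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport 80 \
  -j DNAT --to "$DMZ_HTTP_IP:80"
## WWW-SSL: HTTPS is port 443. The previous rule used 433 on both sides, which
## is not the HTTPS port, so HTTPS to the external address was never forwarded.
"$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport 443 \
  -j DNAT --to "$DMZ_HTTP_IP:443"
##------------------------------------------------------------------------##
## Redirecting (transparent proxy)
##------------------------------------------------------------------------##
## Hosts listed in MASQ_REDIRECT_HOST are ACCEPTed in nat PREROUTING first, so
## they leave the nat table untouched and bypass the proxy; every other host
## on the internal interface talking to a non-internal web server on 80/443 is
## REDIRECTed to the local proxy on PROXY_PORT. To invert the policy (proxy
## only the listed hosts), turn the per-host ACCEPT into REDIRECT and drop the
## blanket REDIRECT rule.
## "-d ! net" is the intrapositioned negation of the iptables generation this
## script targets; newer releases expect "! -d net".
## NOTE(review): confirm the MASQ_REDIRECT_HOST entries lie inside INTERNAL_NET;
## a bypass host outside that net never matches these "-i $INTERNAL" rules.
for REDIR_PORT in 80 443; do
  for HOST in $MASQ_REDIRECT_HOST; do
    "$IPTABLES" -i "$INTERNAL" -t nat -A PREROUTING -p tcp -s "$HOST" \
      -d ! "$INTERNAL_NET" --dport "$REDIR_PORT" -j ACCEPT
  done
  "$IPTABLES" -i "$INTERNAL" -t nat -A PREROUTING -p tcp \
    -d ! "$INTERNAL_NET" --dport "$REDIR_PORT" -j REDIRECT --to-ports "$PROXY_PORT"
done
##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##
## Hide the internal machines behind the firewall's external address.
## NOTE(review): the static branch translates every source leaving EXTERNAL
## (DMZ hosts included), the dynamic branch only the listed hosts -- confirm
## that asymmetry is intended.
if [ "$STATIC_IP" = "y" ]; then
  ## Static IP address: rewrite the source of everything leaving EXTERNAL.
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL" -j SNAT --to "$EXT_IP"
else
  ## Dynamic IP address: MASQUERADE picks up the interface address itself,
  ## but only the hosts listed in MASQ_REDIRECT_HOST are translated.
  for HOST in $MASQ_REDIRECT_HOST; do
    "$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL" -s "$HOST" -j MASQUERADE
  done
fi
### END NAT RULES ###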
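###############################################################################
## Additional Kernel Configuration
###############################################################################
## Adjust for your requirements/preferences.
## Please make sure you understand what these things are doing before you
## change them. A good place to start would be some of the resources listed at
## the top of this script as well as the documentation that comes with the
## linux kernel source, for example:
##   linux/Documentation/filesystems/proc.txt
##   linux/Documentation/networking/ip-sysctl.txt
## Every write is guarded by an existence test so the script also runs on
## kernels that lack a given knob. The writes need root; a failed write prints
## the shell's own error and the script carries on (there is no "set -e").
## - Disable source routing of packets (all interfaces, including "default").
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$i"
  done
fi
## - Enable rp_filter (reverse-path check on the source address).
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
  done
fi
## - Ignore broadcast icmp echo requests.
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
## - icmp_echo_ignore_all = 0: unicast echo requests are still answered by the
##   kernel; which sources may ping us is left to the filter chains. Set to 1
##   to have the kernel drop every echo request regardless of the rules.
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi
## - Local (ephemeral) port range for outgoing TCP/UDP connections.
##   printf instead of "echo -e": this script runs under /bin/sh, and on
##   shells whose echo has no -e option (dash, for one) the literal "-e" ends
##   up in the data and the kernel rejects the write.
if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
  printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
fi
## - log_martians = 0: packets with impossible source addresses are dropped
##   without a log entry. Set to 1 to have them logged to the kernel log,
##   which is the usual choice when you want spoofing attempts to be visible.
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
  echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
fi
## - Don't send ICMP redirects - needed for transparent proxy
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
fi
## - Don't accept ICMP redirects: globally, and explicitly on the external
##   interface as well.
for i in /proc/sys/net/ipv4/conf/all/accept_redirects \
         "/proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects"; do
  if [ -e "$i" ]; then
    echo 0 > "$i"
  fi
done
## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
## - Enable IP Forwarding (without it nothing traverses the FORWARD chain).
##   Diagnostics go to stderr so they are not mixed into normal output.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
else
  echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn't exist" >&2
  echo "(That may be a problem)" >&2
fi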
## EOF