重慶分公司
NATiptables防火墻(script)(轉)
NAT iptables防火墻(script)(轉)[@more@]#!/bin/sh
當前標題:NATiptables防火墻(script)(轉)
當前網址:http://www.xueling.net.cn/article/ghgsci.html
創新新互聯,憑借10多年的成都做網站、網站建設、外貿營銷網站建設經驗,本著真心·誠心服務的企業理念服務于成都中小企業設計網站有數千家案例。做網站建設,選成都創新互聯公司。
# make me executable (chmod a+x rc.firewall ) and run me on boot## djweis@sjdjweis.com# iptables firewall script# this script is meant to be run once per boot# the rules will be double added if you try to run it twice# if you need to add another rule during runtime, change the# -A to a -I to add it to the top of the list of rules# if you use -A it will go at the end after the reject rule :-(## interface definitionsBAD_IFACE=eth0DMZ_IFACE=eth2DMZ_ADDR=x.x.x.96/28GOOD_IFACE=eth3GOOD_ADDR=192.168.1.0/24MASQ_SERVER=x.x.x.98FTP_SERVER=x.x.x.100MAIL_SERVER=x.x.x.99MAIL_SERVER_INTERNAL=192.168.1.3# testing#set -xip route del x.x.x.96/28 dev $BAD_IFACEip route del x.x.x.96/28 dev $DMZ_IFACEip route add x.x.x.97 dev $BAD_IFACEip route add x.x.x.96/28 dev $DMZ_IFACE# we need proxy arp for the dmz networkecho 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arpecho 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp# turn on ip forwardingecho 1 > /proc/sys/net/ipv4/ip_forward# turn on antispoofing protectionfor f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done# flush all rules in the filter table#iptables -F# flush built in rulesiptables -F INPUTiptables -F OUTPUTiptables -F FORWARD# deny everything for nowiptables -A INPUT -j DROPiptables -A FORWARD -j DROPiptables -A OUTPUT -j DROP# make the chains to define packet directions# bad is the internet, dmz is our dmz, good is our masqed networkiptables -N good-dmziptables -N bad-dmziptables -N good-badiptables -N dmz-goodiptables -N dmz-badiptables -N bad-goodiptables -N icmp-acc# accept related packetsiptables -A FORWARD -m state --state INVALID -j DROPiptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT# internal client masqingiptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER# mail server masqingiptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443# to allow the above to work you need something like# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT# set which addresses jump to which chainsiptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmziptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-badiptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-badiptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-goodiptables -A FORWARD -o $DMZ_IFACE -j bad-dmziptables -A FORWARD -o $GOOD_IFACE -j bad-good# drop anything that doesn't fit theseiptables -A FORWARD -j LOG --log-prefix "chain-jump "iptables -A FORWARD -j DROP# icmp acceptanceiptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPTiptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPTiptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPTiptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPTiptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "iptables -A icmp-acc -j DROP# from internal to dmziptables -A good-dmz -p tcp --dport smtp -j ACCEPTiptables -A good-dmz -p tcp --dport pop3 -j ACCEPTiptables -A good-dmz -p udp --dport domain -j ACCEPTiptables -A good-dmz -p tcp --dport domain -j ACCEPTiptables -A good-dmz -p tcp --dport www -j ACCEPTiptables -A good-dmz -p tcp --dport https -j ACCEPTiptables -A good-dmz -p tcp --dport ssh -j ACCEPTiptables -A good-dmz -p tcp --dport telnet -j ACCEPTiptables -A good-dmz -p tcp --dport auth -j ACCEPTiptables -A good-dmz -p tcp --dport ftp -j ACCEPTiptables -A good-dmz -p tcp --dport 1521 -j ACCEPTiptables -A good-dmz -p icmp -j icmp-acciptables -A good-dmz -j LOG --log-prefix "good-dmz "iptables -A good-dmz -j DROP# from external to dmziptables -A bad-dmz -p tcp --dport smtp -j ACCEPTiptables -A bad-dmz -p udp --dport domain -j ACCEPTiptables -A bad-dmz -p tcp --dport domain -j ACCEPTiptables -A bad-dmz -p udp --sport domain -j ACCEPTiptables -A bad-dmz -p tcp --sport domain -j ACCEPTiptables -A bad-dmz -p tcp --dport www -j ACCEPTiptables -A bad-dmz -p tcp --dport https -j ACCEPTiptables -A bad-dmz -p tcp --dport ssh -j ACCEPTiptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPTiptables -A bad-dmz -p icmp -j icmp-acciptables -A bad-dmz -j LOG --log-prefix "bad-dmz "iptables -A bad-dmz -j DROP# from internal to externaliptables -A good-bad -j ACCEPT# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER#iptables -A good-bad -p tcp -j MASQ#iptables -A good-bad -p udp -j MASQ#iptables -A good-bad -p icmp -j MASQ#ipchains -A good-bad -p tcp --dport www -j MASQ#ipchains -A good-bad -p tcp --dport ssh -j MASQ#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ#ipchains -A good-bad -p tcp --dport ftp -j MASQ#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ#ipchains -A good-bad -j REJECT -l# from dmz to internal# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPTiptables -A dmz-good -p tcp --dport smtp -j ACCEPTiptables -A dmz-good -p tcp --sport smtp -j ACCEPTiptables -A dmz-good -p udp --sport domain -j ACCEPTiptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPTiptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPTiptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPTiptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPTiptables -A dmz-good -p icmp -j icmp-acciptables -A dmz-good -j LOG --log-prefix "dmz-good "iptables -A dmz-good -j DROP# from dmz to externaliptables -A dmz-bad -p tcp --dport smtp -j ACCEPTiptables -A dmz-bad -p tcp --sport smtp -j ACCEPTiptables -A dmz-bad -p udp --dport domain -j ACCEPTiptables -A dmz-bad -p tcp --dport domain -j ACCEPTiptables -A dmz-bad -p tcp --dport www -j ACCEPTiptables -A dmz-bad -p tcp --dport https -j ACCEPTiptables -A dmz-bad -p tcp --dport ssh -j ACCEPTiptables -A dmz-bad -p tcp --dport ftp -j ACCEPTiptables -A dmz-bad -p tcp --dport whois -j ACCEPTiptables -A dmz-bad -p tcp --dport telnet -j ACCEPTiptables -A dmz-bad -p udp --dport ntp -j ACCEPT# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQiptables -A dmz-bad -p icmp -j icmp-acciptables -A dmz-bad -j LOG --log-prefix "dmz-bad "iptables -A dmz-bad -j DROP# from external to internaliptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPTiptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPTiptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPTiptables -A bad-good -j LOG --log-prefix "bad-good "iptables -A bad-good -j REJECT# rules for this machine itselfiptables -N bad-ifiptables -N dmz-ifiptables -N good-if# set up the jumps to each chainiptables -A INPUT -i $BAD_IFACE -j bad-ifiptables -A INPUT -i $DMZ_IFACE -j dmz-ifiptables -A INPUT -i $GOOD_IFACE -j good-if# external ifaceiptables -A bad-if -p icmp -j icmp-acciptables -A bad-if -j ACCEPT#ipchains -A bad-if -i ! ppp0 -j DENY -l#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT#ipchains -A bad-if -j icmp-acc#ipchains -A bad-if -j DENY# dmz ifaceiptables -A bad-if -p icmp -j icmp-acciptables -A dmz-if -j ACCEPT# internal ifaceiptables -A good-if -p tcp --dport ssh -j ACCEPTiptables -A good-if -p ICMP --icmp-type ping -j ACCEPTiptables -A good-if -p ICMP --icmp-type pong -j ACCEPTiptables -A good-if -j icmp-acciptables -A good-if -j DROP# remove the complete blocksiptables -D INPUT 1iptables -D FORWARD 1iptables -D OUTPUT當前標題:NATiptables防火墻(script)(轉)
當前網址:http://www.xueling.net.cn/article/ghgsci.html