防火墙脚本:
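#!/bin/sh
#
# Firewall version 1.0
#
# Mob.Server.Firewall - Initial SIMPLE IP Firewall script for Linux 2.6.x and iptables
#
# This script is only for the SuZhou Telcom.
#
# Copyright (C) 2008 By Steven.K.C Stevenchen8521@tom.com
#
# Usage: <script> start
#   The action is taken from $1 by the case statement that follows this
#   configuration section.
#
# The script runs as root (it loads kernel modules and rewrites the
# filter table), so every external command must resolve from system
# directories only.  Pin PATH here instead of trusting whatever the
# caller (init, cron, an interactive shell) happened to export; this
# also makes the bare "iptables" below consistent with the absolute
# /sbin/depmod and /sbin/modprobe paths used later in the script.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH
###########################################################################
# 1. Configuration options.
#
# All values are deployment constants and are marked readonly so a later
# typo or stray assignment cannot silently re-point a rule at a different
# address or interface.  The "x.x.x" octets look like redacted
# placeholders and are not valid addresses — substitute the real values
# before running the script.
#
# 1.1 Internet Configuration.
#
readonly INET_IP="58.x.x.x"
readonly INET_IFACE="eth0"
readonly INET_BROADCAST="58.x.x.x"
# 1.2 Local Area Network configuration.
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
readonly LAN_IP="192.168.8.99"
readonly LAN_IP_RANGE="192.168.8.0/24"
readonly LAN_IFACE="eth1"
# 1.3 Localhost Configuration.
#
readonly LO_IFACE="lo"
readonly LO_IP="127.0.0.1"
# 1.4 Our other networks
# BEI JING
readonly BJ_1="218.30.x.x/27"
# 1.5 IPTables Command configuration.
# Resolved through the pinned PATH above; change here if the binary
# lives elsewhere on the target host.
#
readonly IPTABLES="iptables"
# 1.6 Other Configuration.
#
# None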
- case "$1" in
- start)
- # Clear the Iptables
- $IPTABLES -P INPUT ACCEPT
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD ACCEPT
- $IPTABLES -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -F
- $IPTABLES -X
- $IPTABLES -t nat -X
- $IPTABLES -t mangle -X
- ###########################################################################
- # 2. Module loading.
- # Needed to initially load modules
- #
- /sbin/depmod -a
- # 2.1 Required modules
- #
- /sbin/modprobe ip_tables
- /sbin/modprobe ip_conntrack
- /sbin/modprobe iptable_filter
- /sbin/modprobe iptable_mangle
- #/sbin/modprobe iptable_nat
- /sbin/modprobe ipt_LOG
- /sbin/modprobe ipt_limit
- /sbin/modprobe ipt_state
- # 2.2 Non-Required modules
- #
- #/sbin/modprobe ipt_owner
- #/sbin/modprobe ipt_REJECT
- #/sbin/modprobe ipt_MASQUERADE
- #/sbin/modprobe ip_conntrack_ftp
- #/sbin/modprobe ip_conntrack_irc
- #/sbin/modprobe ip_nat_ftp
- #/sbin/modprobe ip_nat_irc
- ###########################################################################
- # 3. /proc set up.
- # 3.1 Required proc configuration
- #
- #echo "1" > /proc/sys/net/ipv4/ip_forward #open ip_forward
- #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
- #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
- #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
- ###########################################################################
- # 4. rules set up.
- # 4.1 Filter table
- # 4.1.1 Set policies
- #
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT DROP
- $IPTABLES -P FORWARD DROP
- # 4.1.2 Create userspecified chains
- # Create chain for bad tcp packets
- #
- $IPTABLES -N bad_tcp_packets
- # Create separate chains for ICMP, TCP and UDP to traverse
- #
- $IPTABLES -N allowed
- $IPTABLES -N tcp_packets
- $IPTABLES -N udp_packets
- $IPTABLES -N icmp_packets
- # 4.1.3 Create content in userspecified chains
- #
- ## bad_tcp_packets chain
- #
- $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
- $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
- $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
- #
- # allowed chain
- #
- $IPTABLES -A allowed -p TCP --syn -j ACCEPT
- $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A allowed -p TCP -j DROP
- #
- # TCP rules
- #
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
- $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
- $IPTABLES -A tcp_packets -p TCP -s 59.x.x.x/32 --dport 22-j allowed
- $IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE --dport 22 -j allowed
- #
- # UDP ports
- #
- $IPTABLES -A udp_packets -p UDP -s 125.x.x.x/32 --destination-port 161 -j ACCEPT
- #
- # In Microsoft Networks you will be swamped by broadcasts. These lines
- # will prevent them from showing up in the logs.
- #
- #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
- #--destination-port 135:139 -j DROP
- #
- # If we get DHCP requests from the Outside of our network, our logs will
- # be swamped as well. This rule will block them from getting logged.
- #
- #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
- #--destination-port 67:68 -j DROP
- #
- # ICMP rules
- #
- #$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
- #$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
- $IPTABLES -A icmp_packets -p ICMP -s 59.x.x.x/32 -j ACCEPT
- $IPTABLES -A icmp_packets -p ICMP -s $LAN_IP_RANGE -j ACCEPT
- $IPTABLES -A icmp_packets -p ICMP -s $BJ_1 -j ACCEPT