#!/bin/bash
#
#2005.7.20
#
#
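# Start-up banner: report the load time and identify the rule set.
echo "Starting................."
echo ""
echo ""
echo ""
echo ""
# An explicit format instead of re-splitting date's default layout with awk
# (three processes, and the field positions were locale dependent).  %e is
# space padded, so the doubled space is collapsed to match what the awk
# field split printed: "YYYY Mon D HH:MM:SS".
run_time=$(LC_ALL=C date '+%Y %b %e %T')
run_time=${run_time//  / }
echo "RunTime = ${run_time}"
echo -e "\t\t\n\n"
# Red banner: identity of the rule set.
echo -e "\033[1;031m \n"
echo "######################################################################"
echo "# xxxxxxxx office Firewall rule 2.0 #"
echo "# E-mail:xxxx@xxxx.com #"
echo "######################################################################"
echo -e "\033[m \n"
echo ""
echo ""
#
# Blue banner: topology summary (ADSL uplink, one internal /24).
echo -e "\033[1;034m \n"
echo "######################################################################"
echo "# office Network Internet Address: ADSL #"
echo "# #"
echo "# Internal Network Address: 192.168.100.0/24 #"
echo "# #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
#
#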
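########################## Main Options #####################
# All addresses below are read by start(); the ACCEPT_*_LAN values are
# space-separated host lists that start() word-splits on purpose.
IPTABLES="/sbin/iptables"
INET_IFACE="ppp0"   # Internet-facing (ADSL) interface
LAN_IFACE="eth0"    # office LAN interface
LAN_IP="192.168.100.254"
# Public address of the ADSL link, read once at load time from the interface
# named above (the original hard-coded ppp0 here).  Empty while the link is
# down; only the commented-out DNAT rules in start() use it.
INET_IP=$(/sbin/ifconfig "$INET_IFACE" | grep inet | grep -v "127.0.0.1" | awk '{print $2}' | head -n 1 | awk -F: '{print $2}')
# Hosts forwarded without any port restriction.
ACCEPT_ALL_LAN="192.168.100.200/32 192.168.100.202/32"
# Per-service host lists; an empty list disables that section in start().
ACCEPT_FTP_LAN=""
ACCEPT_OICQ_LAN=""
ACCEPT_ICQ_LAN=""
ACCEPT_IRC_LAN=""
ACCEPT_MSN_LAN=""
ACCEPT_GAME_LAN=""
ACCEPT_NBT_LAN=""
ACCEPT_ADMIN_LAN=""
ACCEPT_HTTP_LAN="192.168.100.0/24"
#ACCEPT_HTTP_LAN="192.168.100.1/32 192.168.100.2/32 192.168.100.10/32 192.168.100.11/32 192.168.100.12/32 192.168.100.13/32 192.168.100.14/32 192.168.100.15/32 192.168.100.16/32 192.168.100.17/32 192.168.100.18/32 192.168.100.19/32 192.168.100.20/32 192.168.100.21/32 192.168.100.22/32 192.168.100.23/32 192.168.100.24/32 192.168.100.25/32 192.168.100.26/32 192.168.100.27/32 192.168.100.28/32 192.168.100.29/32 192.168.100.30/32 192.168.100.31/32 192.168.100.32/32 192.168.100.33/32 192.168.100.34/32 192.168.100.35/32 192.168.100.36/32 192.168.100.37/32 192.168.100.38/32 192.168.100.39/32 192.168.100.40/32 192.168.100.41/32 192.168.100.42/32 192.168.100.43/32 192.168.100.44/32 192.168.100.45/32 192.168.100.46/32 192.168.100.47/32 192.168.100.48/32 192.168.100.49/32 192.168.100.50/32 192.168.100.51/32 192.168.100.52/32 192.168.100.53/32 192.168.100.54/32 192.168.100.55/32 192.168.100.56/32 192.168.100.57/32 192.168.100.58/32 192.168.100.59/32 192.168.100.80/32 192.168.100.81/32 192.168.100.82/32 192.168.100.83/32 192.168.100.84/32"
INTERNAL_LAN="192.168.100.0/24"
DEPOT_LAN="192.168.110.0/24"
GATEWAY_HOST="192.168.100.254"
# ISP resolvers; start() trusts these addresses for any protocol, not just
# DNS, so keep the list tight.  (Numbering kept as the original had it.)
DNS_SERVER3="202.96.209.5"
DNS_SERVER4="202.96.209.133"
DNS_SERVER="202.96.134.133"
DNS_SERVER2="202.96.128.68"
MANAGER_HOST="192.168.100.189"
TERMINAL_SERVER="192.168.100.99"
PRIVILEGE="192.168.100.99"
VPN_SERVER="192.168.100.99"
################### End Options ###########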
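############## Load modules
# Netfilter core, NAT, and the connection-tracking helpers that let the
# ESTABLISHED,RELATED rules in start() follow multi-connection protocols
# (FTP, IRC, H.323, MMS, PPTP/GRE, Quake3).  ip_conntrack_irc was listed
# twice in the original; once is enough.
# NOTE(review): these are the 2.4/2.6-era ip_* module names.  Kernels that
# ship nf_conntrack use nf_* names instead, and because modprobe's output is
# silenced here a missing helper goes unnoticed — check lsmod after loading.
fw_modules=(
  ip_tables
  ip_conntrack
  iptable_nat
  ip_nat_ftp
  ip_conntrack_ftp
  ip_conntrack_irc
  ip_conntrack_h323
  ip_nat_h323
  ip_nat_irc
  ip_conntrack_mms
  ip_nat_mms
  ip_conntrack_pptp
  ip_nat_pptp
  ip_conntrack_proto_gre
  ip_nat_proto_gre
  ip_conntrack_quake3
  ip_nat_quake3
)
for fw_module in "${fw_modules[@]}"; do
  modprobe "$fw_module" > /dev/null 2>&1
done
##############################################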
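#######################################
# Write one kernel tunable, naming the entry that is missing instead of
# leaving only bash's bare redirect error.
# Arguments: $1 - /proc/sys path
#            $2 - value to write
# Returns:   0 when the entry exists (the write itself still needs root),
#            1 when it does not
#######################################
write_sysctl() {
  local path=$1 value=$2
  if [[ ! -e "$path" ]]; then
    printf 'warn: %s not present, skipping\n' "$path" >&2
    return 1
  fi
  printf '%s\n' "$value" > "$path"
}

# Route between the LAN and the ADSL link.
write_sysctl /proc/sys/net/ipv4/ip_forward 1
# SYN cookies keep listen queues usable under a SYN flood.
write_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
write_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
#echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# NOTE(review): rp_filter=0 switches off the kernel's reverse-path check, and
# start() trusts several source addresses without an interface match, so a
# spoofed source on the ADSL side is caught by neither layer.  The ppp/ipsec
# setup may genuinely need it off (asymmetric paths) — confirm before
# changing; otherwise 1 is the safer value.
write_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 0
# Refuse ICMP redirects and source-routed packets; log martians.
write_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
write_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
write_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
# Reduce DoS'ing ability by reducing timeouts.  Only fin_timeout and the SYN
# backlog serve that goal; turning off window scaling, timestamps and SACK
# mainly costs throughput on long-latency links.
write_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30
write_sysctl /proc/sys/net/ipv4/tcp_window_scaling 0
write_sysctl /proc/sys/net/ipv4/tcp_timestamps 0
write_sysctl /proc/sys/net/ipv4/tcp_sack 0
write_sysctl /proc/sys/net/ipv4/tcp_max_syn_backlog 1024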
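#######################################
# Print the blue dotted separator that closes each rule section.
#######################################
section_break() {
  echo -e "\033[1;034m \n"
  echo "......................................................................."
  echo "......................................................................."
  echo "......................................................................."
}

#######################################
# Load the complete firewall rule set.
# Globals:   reads IPTABLES, INET_IFACE, LAN_IFACE, INTERNAL_LAN, DEPOT_LAN,
#            DNS_SERVER..DNS_SERVER4, PRIVILEGE, TERMINAL_SERVER, MANAGER_HOST
#            and the ACCEPT_*_LAN host lists; writes ACCESSLOG
# Outputs:   progress banners on stdout
# Returns:   status of the last command run
# iptables evaluates a chain top-down and the first matching rule wins, so
# the order of the -A/-I calls below is part of the policy and is kept
# exactly as the original author arranged it.
#######################################
start() {
  local lan
  echo ""
  echo -e "\033[1;032m Flush all chains...... [OK] \033[m"
  # Flush and zero the filter and nat tables before rebuilding.
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  "$IPTABLES" -Z -t nat
  # Default-deny inbound and forwarded traffic; traffic from the box itself
  # is unrestricted.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP
  # Recreate the custom log chains (the flush/delete errors are expected on a
  # fresh boot, hence the silencing).  Nothing below populates them: the
  # rules that did are kept commented out further down.
  "$IPTABLES" -t filter -F LOG_ACCEPT > /dev/null 2>&1
  "$IPTABLES" -t filter -X LOG_ACCEPT > /dev/null 2>&1
  "$IPTABLES" -t filter -N LOG_ACCEPT
  "$IPTABLES" -t filter -F LOG_DROP > /dev/null 2>&1
  "$IPTABLES" -t filter -X LOG_DROP > /dev/null 2>&1
  "$IPTABLES" -t filter -N LOG_DROP
  "$IPTABLES" -t filter -F LOG_HK > /dev/null 2>&1
  "$IPTABLES" -t filter -X LOG_HK > /dev/null 2>&1
  "$IPTABLES" -t filter -N LOG_HK
  echo ""
  echo ""
  echo "######################################################################"
  echo "# Internal Access to Internet servers #"
  echo "# #"
  echo "# Supply WEB FTP MAIL Services for Internal users #"
  echo "######################################################################"
  echo ""
  echo ""
  # Disabled: populate the LOG_* chains and send non-SYN NEW packets through
  # LOG_DROP.
  # $IPTABLES -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES DROP:'
  # $IPTABLES -A LOG_DROP -j DROP
  # $IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG_DROP
  # $IPTABLES -A LOG_ACCEPT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT] : '
  # $IPTABLES -A LOG_ACCEPT -j ACCEPT
  # $IPTABLES -A LOG_HK -j LOG --log-tcp-options --log-ip-options --log-prefix '[HK access computer center] : '
  # $IPTABLES -A LOG_HK -j ACCEPT
  echo ""
  echo ""
  echo -e "\033[1;032m Stop Port Scanner...... [OK] \033[m"
  # Disabled: drops for malformed TCP-flag combinations.  With these commented
  # out the banner above is aspirational; it is the INPUT policy DROP that
  # actually rejects unsolicited probes.
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP # NMAP FIN/URG/PSH
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL ALL -j DROP # Xmas Tree
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Another Xmas Tree
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL NONE -j DROP # Null Scan(possibly)
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN/RST
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # SYN/FIN -- Scan(possibly)
  # Rate-limited ICMP to the box.
  "$IPTABLES" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  # NOTE(review): this rule has no -j target, so it only counts the SYN
  # packets that pass the limit; it neither accepts nor rate-limits them.
  # Confirm what was intended before giving it a target.
  "$IPTABLES" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
  # Source-address-only trust.  None of these rules is bound to an interface
  # and rp_filter is switched off at the top of the script, so a packet that
  # arrives on $INET_IFACE carrying one of these source addresses is accepted
  # as well.  Adding the interface each address is expected on ("-i") to the
  # rule closes that gap.
  "$IPTABLES" -A INPUT -s "$DNS_SERVER" -j ACCEPT
  "$IPTABLES" -A INPUT -s "$DNS_SERVER2" -j ACCEPT
  "$IPTABLES" -A INPUT -s "$DNS_SERVER3" -j ACCEPT
  "$IPTABLES" -A INPUT -s "$DNS_SERVER4" -j ACCEPT
  "$IPTABLES" -A INPUT -s 127.0.0.1/32 -j ACCEPT
  # IPsec (ipsec+ devices, GRE/ESP/AH, IKE on 500) and ident on the ADSL link.
  "$IPTABLES" -A INPUT -i ipsec+ -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -i "$INET_IFACE" --dport 113 -j ACCEPT
  "$IPTABLES" -A INPUT -p 47 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p 50 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p 51 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -i "$INET_IFACE" --sport 500 --dport 500 -j ACCEPT
  ##########################################################
  # DNS served to the LAN only.
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -p tcp --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -p udp --dport 53 -j ACCEPT
  # NOTE(review): no -i, so SSH is reachable from the Internet side as well;
  # add -i "$LAN_IFACE" unless remote administration over the ADSL link is
  # required.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPTABLES" -A INPUT -s "$PRIVILEGE" -j ACCEPT
  # NAT the office LAN behind the ADSL address.
  "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -s "$INTERNAL_LAN" -j MASQUERADE
  # $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 3389 -j DNAT --to $TERMINAL_SERVER
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Only takes effect together with the PREROUTING DNAT above, which is
  # currently disabled.
  "$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -d "$TERMINAL_SERVER" --dport 3389 -j ACCEPT
  #$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 5013 -j DNAT --to $TERMINAL_SERVER
  #$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d $TERMINAL_SERVER --dport 5013 -j ACCEPT
  ######DNS SERVER #####
  # Everything to or from the ISP resolvers and the depot LAN is forwarded,
  # not just port 53 — address-only trust again, see the INPUT note above.
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER2" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER3" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER4" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DEPOT_LAN" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DEPOT_LAN" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER2" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER3" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER4" -j ACCEPT
  ######END DNS SERVER ######
  "$IPTABLES" -A FORWARD -s "$MANAGER_HOST" -j ACCEPT # Privilege host
  echo -e "\033[1;032m Load Statefull check...... [OK] \033[m"
  section_break
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT all hosts
  # Host lists are space-separated strings; the unquoted expansion in each
  # "for" below is the intended word-splitting.  The echo lines are quoted so
  # that "[OK]" is printed literally instead of being tried as a glob.
  if [[ -n "$ACCEPT_ALL_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_ALL_LAN; do
      "$IPTABLES" -A FORWARD -s "$lan" -j ACCEPT
      # $IPTABLES -A FORWARD -i $LAN_IFACE -s $lan -j ACCEPT
      # $IPTABLES -A FORWARD -p tcp -i ppp+ -s $lan -j ACCEPT
      echo ""
      echo "${lan} Access to Externel.....ACCEPT all [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# common rules
  # Payload match for BitTorrent handshakes: logged, then dropped.
  # NOTE(review): the LOG rule has no -m limit, and the string match in
  # current iptables releases requires --algo bm|kmp — confirm against the
  # iptables version this host runs.
  "$IPTABLES" -A FORWARD -p tcp -m string --string "BitTorrent" -j LOG --log-prefix 'IPTABLES FORWARD bt download:'
  "$IPTABLES" -A FORWARD -p tcp -m string --string "BitTorrent" -j DROP
  # $IPTABLES -A FORWARD -p tcp -m string --string "QQ" -j DROP
  "$IPTABLES" -A FORWARD -p icmp -i "$LAN_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp -i ipsec+ -j ACCEPT
  # $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --dport 113 -j ACCEPT
  "$IPTABLES" -A FORWARD -i ipsec+ -j ACCEPT
  # Hostnames are resolved once, when the rule is loaded: the load fails if
  # DNS is unavailable at that moment, and the rule goes stale when the
  # records change.
  "$IPTABLES" -A FORWARD -d pop-ent.21cn.com -j ACCEPT
  "$IPTABLES" -A FORWARD -d smtp-ent.21cn.com -j ACCEPT
  # Destination blocklists for chat services.  Several single-host entries
  # are already covered by a preceding /24, and 219.133.40.0/24,
  # 219.133.41.0/24 and 61.152.101.0/24 appear twice — harmless, but this is
  # 2005 address data and worth re-validating before relying on it.
  ################# lock POPO chat #############################
  "$IPTABLES" -A FORWARD -d 202.108.42.176 -j DROP
  "$IPTABLES" -A FORWARD -d 202.108.42.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 221.231.129.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.152.101.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.152.97.0/24 -j DROP
  ################# lock ourgame chat #############################
  "$IPTABLES" -A FORWARD -d 202.108.36.77 -j DROP
  "$IPTABLES" -A FORWARD -d 202.108.36.0/24 -j DROP
  ################# lock yahoo chat #############################
  "$IPTABLES" -A FORWARD -d 216.155.193.225 -j DROP
  "$IPTABLES" -A FORWARD -d 216.155.193.160 -j DROP
  "$IPTABLES" -A FORWARD -d 216.155.193.133 -j DROP
  "$IPTABLES" -A FORWARD -d 216.155.193.143 -j DROP
  "$IPTABLES" -A FORWARD -d 216.155.193.153 -j DROP
  "$IPTABLES" -A FORWARD -d 216.155.194.122 -j DROP
  "$IPTABLES" -A FORWARD -d 216.155.193.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.145.112.212 -j DROP
  "$IPTABLES" -A FORWARD -d 61.145.112.210 -j DROP
  "$IPTABLES" -A FORWARD -d 80.67.74.118 -j DROP
  "$IPTABLES" -A FORWARD -d 216.109.116.191 -j DROP
  "$IPTABLES" -A FORWARD -d 216.136.173.169 -j DROP
  ################# lock msn chat #############################
  "$IPTABLES" -A FORWARD -d 207.46.104.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.105.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.106.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.107.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.108.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.109.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.110.0/24 -j DROP
  ################# lock QQ chat #############################
  "$IPTABLES" -A FORWARD -d 202.103.149.40 -j DROP
  "$IPTABLES" -A FORWARD -d 61.135.157.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.145 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.146 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.156 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.150 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.155 -j DROP
  "$IPTABLES" -A FORWARD -d 61.144.238.149 -j DROP
  "$IPTABLES" -A FORWARD -d 61.141.194.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.141.194.203 -j DROP
  "$IPTABLES" -A FORWARD -d 61.141.194.200 -j DROP
  "$IPTABLES" -A FORWARD -d 61.141.194.224 -j DROP
  "$IPTABLES" -A FORWARD -d 61.141.194.227 -j DROP
  "$IPTABLES" -A FORWARD -d 61.152.101.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 61.152.100.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 202.104.129.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 202.104.129.251 -j DROP
  "$IPTABLES" -A FORWARD -d 202.104.129.252 -j DROP
  "$IPTABLES" -A FORWARD -d 202.104.129.253 -j DROP
  "$IPTABLES" -A FORWARD -d 202.104.129.254 -j DROP
  "$IPTABLES" -A FORWARD -d 202.96.170.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 202.96.170.166 -j DROP
  "$IPTABLES" -A FORWARD -d 202.96.170.163 -j DROP
  "$IPTABLES" -A FORWARD -d 202.96.170.164 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.45.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.45.15 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.40.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.60.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.51.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.41.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.48.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.49.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.38.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.40.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.41.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 219.133.62.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.221 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.209 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.153 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.171 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.140 -j DROP
  "$IPTABLES" -A FORWARD -d 218.18.95.162 -j DROP
  "$IPTABLES" -A FORWARD -d 218.17.209.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 218.17.209.23 -j DROP
  "$IPTABLES" -A FORWARD -d 218.17.209.42 -j DROP
  "$IPTABLES" -A FORWARD -d 218.17.209.20 -j DROP
  "$IPTABLES" -A FORWARD -d 218.17.209.21 -j DROP
  "$IPTABLES" -A FORWARD -d 218.85.138.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.157.0/24 -j DROP
  "$IPTABLES" -A FORWARD -d 207.46.156.0/24 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN --dport 8000 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN2 --dport 8000 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN3 --dport 8000 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN4 --dport 8000 -j DROP
  ################# end of lock OQ server #########################
  # Outbound services open to every LAN host: DNS, port 449 (not identified
  # anywhere in this script), and SMTP/POP3/IMAP.  Return traffic for all
  # forwarded flows is admitted by the state rule that follows.
  "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$INTERNAL_LAN" --dport 53,449 -j ACCEPT
  "$IPTABLES" -A FORWARD -p udp -m multiport -i "$LAN_IFACE" -s "$INTERNAL_LAN" --dport 53,449 -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$INTERNAL_LAN" --dport 25,110,143 -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo ""
  echo -e "\033[1;032m Load common rule ...... [OK] \033[m"
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT http hosts
  if [[ -n "$ACCEPT_HTTP_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_HTTP_LAN; do
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$lan" --dport 80,443 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel..... ACCEPT http [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT ftp hosts
  # Data connections of active/passive FTP rely on the ip_conntrack_ftp
  # helper plus the ESTABLISHED,RELATED rule above.
  if [[ -n "$ACCEPT_FTP_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_FTP_LAN; do
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$lan" --dport 20,21 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel..... ACCEPT ftp [OK]"
    done
  fi
  section_break
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT network file share hosts
  # NetBIOS/SMB and NFS to the Internet for the listed hosts only.
  if [[ -n "$ACCEPT_NBT_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_NBT_LAN; do
      "$IPTABLES" -A FORWARD -p udp -m multiport -i "$LAN_IFACE" -s "$lan" --dport 137,138,2049 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$lan" --dport 139,445,2049 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel.....ACCEPT network file share [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT admin hosts
  if [[ -n "$ACCEPT_ADMIN_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_ADMIN_LAN; do
      # $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s $lan --dport 3389 -j ACCEPT #terminal service
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$lan" --dport 5631,2299 -j ACCEPT #PcAnywhere service
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "$lan" --dport 5632 -j ACCEPT #PcAnywhere service
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 6000:6010 -j ACCEPT #x11 service
      echo ""
      echo "${lan} Access to Externel.....ACCEPT network admin [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT oicq hosts
  if [[ -n "$ACCEPT_OICQ_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_OICQ_LAN; do
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "$lan" --dport 8000 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 8000 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel..... ACCEPT oicq [OK]"
    done
  fi
  section_break
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT icq hosts
  if [[ -n "$ACCEPT_ICQ_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_ICQ_LAN; do
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "$lan" --dport 4000 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 3000:3014 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel.....ACCEPT icq [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT irc hosts
  if [[ -n "$ACCEPT_IRC_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_IRC_LAN; do
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 7000 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 6660:6670 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel.....ACCEPT irc [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT msn hosts
  # The UDP 5004:65535 range is close to "any UDP port" for these hosts.
  if [[ -n "$ACCEPT_MSN_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_MSN_LAN; do
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "$lan" --dport 80,443,1863 -j ACCEPT #login service
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 1503 -j ACCEPT #share and blankboard
      # $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s $lan --dport 3389 -j ACCEPT #remote assistant
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 6891:6900 -j ACCEPT #file transport
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "$lan" --dport 5004:65535 -j ACCEPT #radio and audio
      echo ""
      echo "${lan} Access to Externel.....ACCEPT msn [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ################################################# ACCEPT game hosts
  # 100:65535 on both protocols is effectively unrestricted outbound access.
  if [[ -n "$ACCEPT_GAME_LAN" ]]; then
    # shellcheck disable=SC2086
    for lan in $ACCEPT_GAME_LAN; do
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "$lan" --dport 100:65535 -j ACCEPT
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "$lan" --dport 100:65535 -j ACCEPT
      echo ""
      echo "${lan} Access to Externel.....ACCEPT game [OK]"
    done
  fi
  section_break
  echo ""
  echo -e "\033[1;032m \n"
  ########################### logrule #########################
  #ACCESSLOG="NO"
  ACCESSLOG="YES"
  if [[ "$ACCESSLOG" = "YES" ]]; then
    # The -I rules sit at the head of INPUT/FORWARD and therefore log every
    # TCP/UDP packet before any decision is taken: the "ACCEPT" in the prefix
    # is misleading, and with no -m limit a packet flood becomes a kernel-log
    # flood.  A rate limit such as `-m limit --limit 5/min` on each LOG rule
    # would bound that.
    # $IPTABLES -I FORWARD -p tcp -m multiport --dport 445,135 -j LOG
    "$IPTABLES" -I INPUT -p tcp -j LOG --log-prefix 'IPTABLES INPUT TCP ACCEPT:'
    "$IPTABLES" -I INPUT -p udp -j LOG --log-prefix 'IPTABLES INPUT UDP ACCEPT:'
    # Appended after every ACCEPT: what reaches here is about to hit the DROP
    # policy, so these rules only need to log.
    "$IPTABLES" -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES INPUT DROP:'
    "$IPTABLES" -I FORWARD -p tcp -s 192.168.200.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    "$IPTABLES" -I FORWARD -p tcp -s 192.168.110.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    "$IPTABLES" -I FORWARD -p tcp -s 192.168.100.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    "$IPTABLES" -I FORWARD -p udp -s 192.168.100.0/24 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    #$IPTABLES -I FORWARD -p udp -s 192.168.100.0/24 --dport 1:52 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    #$IPTABLES -I FORWARD -p udp -s 192.168.100.0/24 --dport 54:136 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    #$IPTABLES -I FORWARD -p udp -s 192.168.100.0/24 --dport 139:65535 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    "$IPTABLES" -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES FORWARD DROP:'
    echo "LOG illegal access ............................... [OK]"
  fi
  section_break
  echo ""
  echo -e "\033[1;031m \n"
  echo -e "\033[1;031m \n"
  echo "######################################################################"
  echo "# #"
  echo "# Load office Firewall Access rule Successfull ! #"
  echo "# #"
  echo "######################################################################"
  echo ""
  echo -e "\033[m \n"
  echo ""
  ############################# Type of Service mangle optimizations
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
}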
#######################################
# Tear the firewall down: flush and zero every chain in the filter and nat
# tables, open all default policies and remove the custom log chains.
# Globals:   reads IPTABLES
# Outputs:   a red "stopped" banner on stdout
#######################################
stop() {
  local op chain
  ##################### Flush everything
  for op in -F -X -Z; do
    "$IPTABLES" "$op"
  done
  for op in -F -X -Z; do
    "$IPTABLES" "$op" -t nat
  done
  # Open policies: after stop() the box forwards and accepts everything.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  # The log chains may not exist, so flush/delete errors are silenced.
  for chain in LOG_ACCEPT LOG_DROP LOG_HK; do
    "$IPTABLES" -t filter -F "$chain" > /dev/null 2>&1
    "$IPTABLES" -t filter -X "$chain" > /dev/null 2>&1
  done
  echo ""
  echo -e "\033[1;031m \n"
  echo ""
  echo "######################################################################"
  echo "# #"
  echo "# Stop office Firewall Access rule Successfull ! #"
  echo "# #"
  echo "######################################################################"
  echo ""
  echo -e "\033[m \n"
  echo ""
}
#########################################################
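#########################################################
# Entry point: start | stop | restart.  Every action runs iptables and
# writes /proc entries, so the script has to be run as root.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    # Usage goes to stderr; the original text listed a stray trailing "|".
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac
exit $?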