该脚本摘自:Terpstra J.H.(美)/王建桥等译《 Hardening Linux中文版 》.北京.清华大学出版社,2006.2.
#!/bin/sh
echo -e "\n\nLoading NAT firewall.\n"
IPTABLES=/usr/sbin/iptables
EXTIF="eth0"
INTIFA="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interfaces: $INTIFA"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo ". Done loading modules. "
echo " Clear existing rules, then setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIFA -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#Enable incoming traffic for SSH, SMTP, DNS(tcp), HTTP, HTTPS
for i in 22 25 53 80 443
do
$IPTABLES -A INPUT -I $EXTIF -p tcp --dport $i -j ACCEPT
done
#Allow DNS(udp)
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
echo " Allow all connections OUT and only existing and specified ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIFA -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIFA -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo " Enabling Ip_forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e "\nNAT firewall done.\n"
阅读(1532) | 评论(0) | 转发(0) |
