
分类: LINUX

2011-01-17 21:06:10

#!/bin/bash
# iptables.sh - Initial SIMPLE IP Firewall script for Linux 2.6.x and iptables
#
# Copyright (C) 07/08/09
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 3 of the License.
#
# [========== GNU Lesser General Public License ==========]
#
# "Free software" is a matter of liberty,not price.To understand the
# concept,you should think of "free speech",not "free beer".
# "Free software" refers to the user's freedom to run,copy,distribute,
# study,change,and improve the software.
#
###############################################################################
#
#1.Configuration options.
#

#
#1.1 Internet Configuration.
#

# Internet-facing interface and address. Left disabled by the author; every
# rule that references them further down is commented out as well.
#INET_IFACE="eth0"
#INET_IP="72.14.203.103"

#
# 1.2 DHCP
#
# Set DHCP to "yes" only when this host obtains its address through DHCP
# over the Internet, and put that DHCP server's address in DHCP_SERVER.
# DHCP_SERVER is only consulted by the udp_packets rule guarded by DHCP.
#

DHCP='no'
DHCP_SERVER='192.168.1.4'

#
# 1.3 PPPoE
#
# If large mails stall on a PPPoE link while small ones get through, set
# PPPOE_PMTU to "yes" so that the script adds a rule clamping the TCP MSS
# of routed connections to the path MTU.
#

PPPOE_PMTU='no'

#
# 1.4 Local Area Network configuration.
#
# LAN_IP is this host's own address, LAN_IP_RANGE the network it trusts and
# LAN_IFACE the interface facing it. The netmask 255.255.255.0 used here is
# the same as a /24 prefix: only the first 24 bits of the address are
# compared.
#

LAN_IP='192.168.1.4'
LAN_IP_RANGE='192.168.1.0/255.255.255.0'
LAN_IFACE='eth0'

#
# 1.5 DMZ configuration.
#

#
# 1.6 Localhost configuration.
#

LO_IFACE='lo'
LO_IP='127.0.0.1'

#
# 1.7 IPTables configuration.
#
# Absolute path, so the script does not depend on the caller's PATH.
#

IPTABLES='/sbin/iptables'

#
#1.8 Other configuration.
#

################################################################################
#
#2.Module loading.
#

#
#Needed to initially load modules
#

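# Refresh the module dependency database before the modprobe calls below.
/sbin/depmod -a

#
# 2.1 Required modules
#
# Loading stays best-effort (a failure does not stop the script), but each
# failure is reported on stderr so a half-working firewall is noticed.
#

for module in ip_tables ip_conntrack iptable_filter iptable_mangle \
  iptable_nat ipt_LOG ipt_limit ipt_state; do
  /sbin/modprobe "$module" \
    || echo "[-] Could not load kernel module: $module" >&2
done

#
# 2.2 Non-Required modules
#
# The connection-tracking and NAT helpers carry the ip_ prefix
# (ip_conntrack_ftp, ip_nat_ftp, ...), not ipt_; the original name
# ipt_conntrack_ftp does not exist, so that modprobe could only fail.
#
# The FTP helper makes conntrack classify FTP data connections as RELATED,
# and this ruleset accepts RELATED traffic. The FTP server rules in
# tcp_packets are commented out, so keep the helper only if this host
# really uses FTP.
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp \
  || echo "[-] Could not load kernel module: ip_conntrack_ftp" >&2
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc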

################################################################################
#
#3.rules set up.
#

#
#3.1 Filter table
#

#
#3.1.1 Set policies
#
printf '%s\n' "[+] Flushing existing iptable's rules ..."

# Empty every chain first, then delete the user-defined chains, in the
# filter, nat and mangle tables. filter is the default table, so naming it
# explicitly is the same as omitting --table.
for table in filter nat mangle; do
  "$IPTABLES" --table "$table" --flush
done

for table in filter nat mangle; do
  "$IPTABLES" --table "$table" --delete-chain
done

# Default-deny: whatever the rules added later do not accept is dropped.
# From here until the ACCEPT rules are in place nothing gets through, so
# running this over a remote session can cut that session off.
# NOTE(review): only the IPv4 tables are handled; nothing in this script
# configures ip6tables, so IPv6 traffic is not covered by these policies.
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" --policy "$chain" DROP
done

#
#3.1.2 Create user specified chains
#
printf '%s\n' "[+] Creating user specified chains and rules ..."

# bad_tcp_packets screens malformed or unexpected TCP packets; allowed,
# tcp_packets, udp_packets and icmp_packets are the per-protocol chains
# the INPUT chain dispatches to. Creation order matches the original.
for chain in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
  "$IPTABLES" --new-chain "$chain"
done

#
#3.1.3 Create content in user specified chains
#

#
#bad_tcp_packets chain
#

# Common prefix of every rule appended to the bad_tcp_packets chain.
bad_tcp=("$IPTABLES" --append bad_tcp_packets --protocol tcp)

# A SYN/ACK that connection tracking sees as NEW was never solicited by
# this host: answer it with a TCP reset.
"${bad_tcp[@]}" --tcp-flags SYN,ACK SYN,ACK \
  --match state --state NEW \
  --jump REJECT --reject-with tcp-reset

# A NEW connection must start with a SYN; anything else is logged, then
# dropped.
# NOTE(review): this LOG rule has no rate limit, unlike the LOG rules at
# the end of INPUT/FORWARD/OUTPUT, so a packet flood can fill the logs.
"${bad_tcp[@]}" ! --syn --match state --state NEW \
  --jump LOG --log-prefix "New not syn:"
"${bad_tcp[@]}" ! --syn --match state --state NEW \
  --jump DROP

# Packets that connection tracking cannot associate with any connection.
"${bad_tcp[@]}" --match state --state INVALID \
  --jump DROP

# Connection attempts where both the source and the destination port are
# in the 1-1023 range.
"${bad_tcp[@]}" --source-port 1:1023 --destination-port 1:1023 \
  --syn --jump DROP

#
#allowed chain
#

#
#'--syn' this command would in other words be exactly the same as the
#'--tcp-flags SYN,RST,ACK SYN'match.Such packets are mainly used to request
#new TCP connections from a server.If you block these packets,you should
#have effectively blocked all incoming connection attempt,but not have
#blocked the outgoing connections.
#
#'! --syn'this would match all packets with the RST or the ACK bits set,
#in other words packets in an already established connection.
#

# Packets reach this chain only from a tcp_packets rule that already
# matched source and port: accept the opening SYN and anything belonging
# to a tracked connection, drop every other TCP packet.
"$IPTABLES" --append allowed --protocol tcp --syn --jump ACCEPT
"$IPTABLES" --append allowed --protocol tcp \
  --match state --state ESTABLISHED,RELATED \
  --jump ACCEPT
#$IPTABLES -A allowed -p tcp --syn -j DROP
"$IPTABLES" --append allowed --protocol tcp --jump DROP

#
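# TCP rules
#
# Ports referenced below: 21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS,
# 80 HTTP, 110 POP3, 111 Portmap/NFS, 113 ident (used by IRC), 139
# smbd/Samba, 443 HTTPS, 445, 873 rsync, 993 IMAPS.
# 65400:65410 is the passive FTP range, which has to match
# /etc/vsftpd/vsftpd.conf (see man 5 vsftpd.conf):
#   pasv_min_port=65400
#   pasv_max_port=65410
#
# Only SSH from the LAN range is enabled. Telnet (23), Portmap (111) and
# SMB (139) are cleartext or legacy services; leave them disabled unless
# they are really needed.
#
# NOTE(review): the INPUT chain accepts everything arriving on LAN_IFACE
# from LAN_IP_RANGE before it dispatches to this chain, so a rule here that
# is restricted to LAN_IP_RANGE is never the rule that decides.
#

#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 21 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 65400:65410 -j allowed
"$IPTABLES" -A tcp_packets -p tcp -s "$LAN_IP_RANGE" --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p tcp -m mac --mac-source AA:BB:CC:DD:EE:FF \
#--dport 22 -j allowed

#$IPTABLES -A tcp_packets -p tcp -s 0/0 -m multiport --dport 80,443 -j allowed

#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 23 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 111 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 139 -j allowed

#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 25 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s $LAN_IP_RANGE --dport 993 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 53 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 110 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 443 -j allowed
#$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 113 -j allowed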

#
#UDP rules
#53port(DNS)123port(NTP)111port(Portmap/NFS)137:138port(nmbd/SAMBA)
#333/8000(QQ)3000(ICQ)2073(SpeakFreely)
#

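# Accept DHCP replies (server port 67 -> client port 68) from the
# configured server only when DHCP is enabled. The variable is quoted so
# that an empty or unset DHCP compares as "not yes" instead of raising a
# test syntax error.
if [[ "$DHCP" == "yes" ]]; then
  "$IPTABLES" -A udp_packets -p udp -s "$DHCP_SERVER" --sport 67 \
    --dport 68 -j ACCEPT
fi
#$IPTABLES -A udp_packets -p udp -s 0/0 --dport 53 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s $LAN_IP_RANGE --dport 111 -j ACCEPT

# NTP (123/udp) from the LAN range.
"$IPTABLES" -A udp_packets -p udp -s "$LAN_IP_RANGE" --dport 123 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s $LAN_IP_RANGE --dport 137:138 -j ACCEPT

#$IPTABLES -A udp_packets -p udp -s 0/0 --dport 2073 -j ACCEPT
#$IPTABLES -A udp_packets -p udp -s 0/0 --dport 3000 -j ACCEPT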

#
#In Microsoft Networks you will be swamped by broadcasts. These lines
#will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p udp -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP


#
#If we get DHCP requests from the outside of our network,our logs will
#be swamped as well.This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p udp -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
#ICMP rules
#

#
#Echo Requests(type 8)are used to request an echo reply(type 0),which in turn is
#used to mainly ping other hosts to see if they are available on any of
#the networks.Without this rule,other hosts will not be able to ping us
#to see if we are available on any network connection.
#
#Do note that some people would tend to erase this rule,since they
#simply do not want to be seen on the Internet.Deleting this rule will
#effectively render any pings to our firewall totally useless from the
#Internet since the firewall will simply not respond to them.
#

#
#Time Exceeded(type 11)
#(TTL equals 0 during transit and TTL equals 0 during reassembly)
#is allowed in the case we want to trace-route some host or if a packet
#gets its Time To Live set to 0,we will get a reply about this.
#

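# Optional ACCEPT rules for individual ICMP types (all disabled).
#$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
#$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#TYPES="0 3 3/4 4 11 12 14 16 18"
#for type in $TYPES
#do
# $IPTABLES -A icmp_packets -p icmp --icmp-type $type -j ACCEPT
#done

# Drop ICMP whose source lies outside the LAN range. The "!" is placed
# before -s: the older "-s ! addr" form is deprecated by current iptables
# releases. With the ACCEPT rules above disabled this chain accepts
# nothing itself; ICMP from the LAN range returns to the calling chain.
"$IPTABLES" -A icmp_packets -p icmp ! -s "$LAN_IP_RANGE" -j DROP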

################################################################################
#
#3.1.4 INPUT chain
#
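echo "[+] Setting up INPUT chain's rules ..."

#
# Every TCP packet is screened by bad_tcp_packets first.
#

"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

#
# Trusted sources: the LAN range on the LAN interface, and this host's own
# addresses on the loopback interface.
#
# NOTE(review): the first rule trusts the source address alone. The
# rp_filter setting in the proc section is commented out, so whether
# packets with a forged LAN source are rejected depends on the system
# default - confirm it.
#

"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
#$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# MAC match options.
#
# MAC addresses exist only on Ethernet-type networks, so this match works
# only on Ethernet interfaces, and only in the PREROUTING, FORWARD and
# INPUT chains. A source MAC address is set by the sender, so it is a
# weak identifier.
#

#$IPTABLES -A INPUT -m mac --mac-source AA:BB:CC:DD:EE:FF -j ACCEPT
#$IPTABLES -A INPUT -m mac --mac-source ! AA:BB:CC:DD:EE:FF -j ACCEPT

#
# DHCP traffic on the LAN interface (68 = client, 67 = server), which the
# source-address rules above do not catch.
#

"$IPTABLES" -A INPUT -p udp -i "$LAN_IFACE" --dport 67:68 --sport 67:68 \
  -j ACCEPT

#
# Everything else arriving on the interface: accept replies to tracked
# connections, then hand new packets to the per-protocol chains. With
# LAN_IFACE as the only configured interface, these rules are what
# traffic from outside the LAN range goes through.
#

"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -i "$LAN_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p udp -i "$LAN_IFACE" -j udp_packets
"$IPTABLES" -A INPUT -p icmp -i "$LAN_IFACE" -j icmp_packets

#
# With a Microsoft network outside the firewall, multicasts may flood the
# logs; the disabled rule below is meant to drop them silently.
# NOTE(review): IPv4 multicast starts at 224.0.0.0, so 223.0.0.0/8 looks
# like a typo - check before enabling.
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 223.0.0.0/8 -j DROP

#
# Log, rate-limited, whatever reached the end of the chain; the DROP
# policy then discards it. Messages are logged at DEBUG level, so the
# syslog configuration has to keep kernel debug messages for them to be
# visible.
#

"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j \
  LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"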

#
#3.1.5 FORWARD chain
#
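echo "[+] Setting up FORWARD chain's rules ..."

#
# Every forwarded TCP packet is screened by bad_tcp_packets first.
#

"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

#
# Forward whatever enters through the LAN interface, plus replies to
# tracked connections.
# NOTE(review): the first rule has no source or destination restriction.
# Together with ip_forward=1 (set in the proc section) the host routes for
# any sender that can reach LAN_IFACE; if the machine is not meant to be a
# router, drop this rule and leave forwarding disabled.
#

"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log, rate-limited, whatever reached the end of the chain.
#

"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j \
  LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"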

#
#3.1.6 OUTPUT chain
#
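echo "[+] Setting up OUTPUT chain's rules ..."

#
# Outgoing TCP packets are screened by bad_tcp_packets as well.
#

"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

#
# Allow packets that carry one of this host's own source addresses.
#

"$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Drop packets created by uid 0 whose destination is outside the LAN
# range. The "!" is placed before -d: the older "-d ! addr" form is
# deprecated by current iptables releases.
# NOTE(review): the two ACCEPT rules above match first for any packet
# sourced from LO_IP or LAN_IP, so this rule only ever sees packets with
# some other source address. If the goal is to confine root-owned traffic
# to the LAN, the rule has to come before those ACCEPTs - confirm the
# intent before reordering, since that also blocks root-run updates.
"$IPTABLES" -A OUTPUT ! -d "$LAN_IP_RANGE" -m owner \
  --uid-owner 0 -j DROP

#
# Log, rate-limited, whatever reached the end of the chain.
#

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j \
  LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"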

################################################################################
#
#3.2 nat table
#
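echo "[+] Setting up NAT table's  rules ..."

#
# 3.2.1 Set policies
#

#
# 3.2.2 Create user specified chains
#

#
# 3.2.3 Create content in user specified chains
#

#
# 3.2.4 PREROUTING chain
#
# Disabled examples: redirect port 80 to a local proxy on 3128, or DNAT
# port 80 on the Internet address to an internal web server.
#

#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
#$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP -i $INET_IFACE --dport 80 \
#-j DNAT --to-destination 192.168.1.2:80

#
# 3.2.5 POSTROUTING chain
#

# Clamp the MSS of new TCP connections to the path MTU when PPPOE_PMTU is
# "yes". The variable is quoted so that an empty or unset value compares
# as "not yes" instead of raising a test syntax error.
# NOTE(review): the configuration notes describe this clamp as a mangle
# table rule, and the iptables documentation shows TCPMSS in the mangle
# table; here it is appended to nat POSTROUTING. Verify that the rule
# loads before relying on PPPOE_PMTU="yes".
if [[ "$PPPOE_PMTU" == "yes" ]]; then
  "$IPTABLES" -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu
fi

# Source NAT for the LAN (disabled): MASQUERADE for a dynamic external
# address, SNAT for a static one.
#$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE \
#-j SNAT --to-source $INET_IP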

################################################################################
#
#3.3 mangle table
#
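echo "[+] Setting up mangle table's rules ..."

#
# 3.3.1 Set policies
#

#
# 3.3.2 Create user specified chains
#

#
# 3.3.3 Create content in user specified chains
#

#
# 3.3.4 PREROUTING chain
#
# Rewrite the TTL of packets arriving on the LAN interface: the first rule
# sets it to 64, the second increments it by 1.
# NOTE(review): it is not clear that both rules are intended. The iptables
# documentation warns against setting or incrementing the TTL of packets
# that leave the local network, because a routing loop then no longer
# expires; reconsider these rules on a host that forwards traffic.
#

"$IPTABLES" -A PREROUTING -t mangle -i "$LAN_IFACE" -j TTL --ttl-set 64
"$IPTABLES" -A PREROUTING -t mangle -i "$LAN_IFACE" -j TTL --ttl-inc 1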

#
#3.3.5 OUTPUT chain
#

################################################################################
#
#4.proc set up.
#

#
#4.1 Required proc configuration
#

#
#It may be a very bad idea to turn on ip_forward before
#we have all firewall rules and routes up and running.
#

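# Kernel network settings, written once the rules are in place.

# Routing between interfaces. Only needed when this host forwards traffic
# for others; otherwise leave it at the default of 0.
echo "[+] Enabling IP forwarding(default:0)..."
echo "1" > /proc/sys/net/ipv4/ip_forward

# SYN cookies keep the TCP listen queue usable during a SYN flood.
echo "[+] Prevent SYN Flood attack(default:1) ..."
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Do not answer ICMP echo requests sent to broadcast addresses.
echo "[+] Ignore Ping Broadcast(default:1)..."
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#echo "[+] The ExecShield feature that protect app from being compromised by most buffer exploits(default:1)..."
#echo "1" > /proc/sys/kernel/exec-shield

# On every interface: refuse source-routed packets, ignore ICMP redirects
# and do not send ICMP redirects. The path is quoted, and a pattern that
# matched nothing is skipped instead of being written to literally.
echo "[+] Disable another useful function..."
for setting in accept_source_route accept_redirects send_redirects; do
  for value in /proc/sys/net/ipv4/conf/*/"$setting"; do
    [ -e "$value" ] || continue
    echo "0" > "$value"
  done
done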
#
#4.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# save the current configuration and reload the service
#
# Persist the rules that were just loaded, then restart the service so the
# saved file is what is actually running.
# NOTE(review): the result of "save" is not checked; if it fails, the
# restart presumably reloads the previously saved rules and replaces the
# ones set up above - confirm, and check the exit status if that matters.
printf '%s\n' "[+] Saving the current configuration above..."
service iptables save
printf '%s\n' "[+] Reload the configuration from /etc/sysconfig/iptables..."
service iptables restart
