
#!/bin/bash
########################
#   name: firewall.sh
# author: folkert
#   date: dec2k3
#######################################
#
# sets up the netfilter facility for use with the hotspot authorization
# scheme and offers a frontend for other scripts to authorize/deauthorize
# access for hosts with a given IP/MAC combination.
#
###############################################################################
 
# iptables binary used by this script (lives under the hotspot's own prefix)
IPTABLES='/share/hotspot/sbin/iptables'

# wireless side: the unit's own address, the client network and its interface
WIFI_SELF='10.11.12.13'
WIFI_NET='10.11.12.0/24'
WIFI_DEV='wlan0'

# upstream (internet) side: the unit's own address, its network and interface
INET_SELF='172.23.5.12'
INET_NET='172.23.5.0/27'
INET_DEV='eth0'

# resolvers that wifi clients may reach on udp/53 (see the reset command)
NS1='213.148.129.10'
NS2='213.148.130.10'
 
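#######################################
# Print the command summary and exit with status 1.
# Called for an unknown command and for missing or invalid arguments.
# The text goes to stderr so it never ends up in a caller's captured stdout
# (the hotspot scripts call this frontend and may read its output).
#######################################
usage()
{
 cat >&2 <<EOF
usage:
$0 reset
$0 show [mangle|nat|filter|auth]
$0 addClient IP MAC
$0 delClient IP MAC
$0 addServer IP
$0 delServer IP
EOF
 exit 1
}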

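#######################################
# Report a failed iptables call on stderr and exit with its status.
# Arguments: $1 - exit status of the failed iptables command; defaults to 1
#                 when missing, so an error never turns into a silent exit 0
#                 (an empty "exit" argument would itself be a bash error).
#######################################
fferror()
{
 echo "^_^'" >&2
 echo "error setting netfilter: ${1:-1}" >&2
 exit "${1:-1}"
}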

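###############################################################################
# Command dispatch. $1 selects the action; $2/$3 carry the client IP and MAC
# (or the server IP). Every rule change goes through $IPTABLES and uses the
# address/interface constants defined at the top of this file. usage and
# fferror are the two error exits (bad arguments / failed iptables call).
###############################################################################

# Argument checks for the add*/del* commands. The values are handed in by
# whichever script drives this frontend, so restrict them to the characters
# an IPv4 address (optionally with a /prefix) or a MAC address can consist
# of. An empty value, whitespace or a leading '-' would otherwise reach
# iptables as extra words and could be parsed as additional options.
check_ip()
{
 case "$1" in
  ""|*[!0-9./]*) echo "invalid IP: '$1'" >&2; usage ;;
 esac
}

check_mac()
{
 case "$1" in
  ""|*[!0-9a-fA-F:]*) echo "invalid MAC: '$1'" >&2; usage ;;
 esac
}

case "$1" in

 reset)
  #flush all rules, delete user chains and zero the counters in every table
  for TABLE in filter nat mangle; do
   for SWITCH in F X Z; do
    "$IPTABLES" -t "$TABLE" "-$SWITCH"
   done
  done

  #filter chains: accept authenticated clients / allowed destination servers
  "$IPTABLES" -t filter -N FCLIENT
  "$IPTABLES" -t filter -N FSERVER

  #nat chains: skip the portal DNAT for authenticated clients / allowed servers
  "$IPTABLES" -t nat -N DCLIENT
  "$IPTABLES" -t nat -N DSERVER
  #nat chains: SNAT traffic from authenticated clients / to allowed servers
  "$IPTABLES" -t nat -N SCLIENT
  "$IPTABLES" -t nat -N SSERVER

  #default filter policy is DROP (a final REJECT rule is appended below)
  "$IPTABLES" -t filter -P INPUT DROP
  "$IPTABLES" -t filter -P OUTPUT DROP
  "$IPTABLES" -t filter -P FORWARD DROP

  #allow all local traffic. The Linux loopback interface is 'lo' ('lo0' is
  #the BSD name); iptables does not check that an interface exists, so with
  #'lo0' these rules never matched and loopback traffic fell through to the
  #final REJECT rule.
  "$IPTABLES" -t filter -A  INPUT -i lo -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o lo -j ACCEPT

  #allow all icmp traffic self<->wifi
  "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p icmp -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p icmp -j ACCEPT
  #allow dhcp traffic self<->wifi (requests come from 0.0.0.0 to broadcast)
  "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 67:68 -j ACCEPT
  #allow all web traffic self<->wifi (the captive portal itself)
  for PORT in 80 443; do
   "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p tcp --dport "$PORT" -j ACCEPT
   "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p tcp --sport "$PORT" -j ACCEPT
  done

### ENABLE IF USING OWN DNS FSERVER ###
#
#  #allow dns traffic self<->wifi
#  "$IPTABLES" -t filter -A  INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p udp --dport 53 -j ACCEPT
#  "$IPTABLES" -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
#  #allow dns traffic self<->dns
#  for NS in "$NS1" "$NS2"; do
#   "$IPTABLES" -t filter -A OUTPUT -o "$INET_DEV" -s "$INET_SELF" -d "$NS" -p udp --dport 53 -j ACCEPT
#   "$IPTABLES" -t filter -A  INPUT -i "$INET_DEV" -s "$NS" -d "$INET_SELF" -p udp --sport 53 -j ACCEPT
#  done
#
### /ENABLE ###########################

### DISABLE IF USING OWN DNS FSERVER ###
#
  #these rules sit before the FSERVER/FCLIENT checks, so every wifi host can
  #resolve names via NS1/NS2 before authenticating (needed for the portal
  #redirect); keep that in mind when choosing what those resolvers serve.
  for NS in "$NS1" "$NS2"; do
   #allow wifi->dns
   "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -d "$NS" -p udp --dport 53 -j ACCEPT
   "$IPTABLES" -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -s "$NS" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
   #enable source network address translation for dns
   "$IPTABLES" -t nat -A POSTROUTING -s "$WIFI_NET" -p udp --dport 53 -d "$NS" -o "$INET_DEV" -j SNAT --to "$INET_SELF"
  done
#
### /DISABLE ##########################

### DISABLE THE FOLLOWING BEFORE DEPLOYING THE UNIT IN THE FIELD ###
#
  #allow all telnet and smb traffic to/from self (any interface, any source)
  for PORT in 23 139; do
   "$IPTABLES" -t filter -A  INPUT -p tcp --dport "$PORT" -j ACCEPT
   "$IPTABLES" -t filter -A OUTPUT -p tcp --sport "$PORT" -j ACCEPT
  done
#
### /DISABLE #######################################################

  #check for wifi->allowed servers
  "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FSERVER
  #check for allowed clients -> inet
  "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FCLIENT
  #reject all other clients
  "$IPTABLES" -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j REJECT --reject-with icmp-net-prohibited

  #allow established connections inet->wifi. Only ESTABLISHED is matched, not
  #RELATED, so e.g. ICMP errors belonging to a forwarded flow are rejected;
  #widen this deliberately if that turns out to be a problem.
  "$IPTABLES" -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -d "$WIFI_NET" -m state --state ESTABLISHED -j ACCEPT

  #snat traffic from authenticated clients / to allowed servers.
  #'-d ! addr' is the old negation form; newer iptables accepts it with a
  #deprecation warning and prefers '! -d addr'.
  "$IPTABLES" -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SCLIENT
  "$IPTABLES" -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SSERVER

  #do not dnat traffic from authenticated clients / to allowed servers
  "$IPTABLES" -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DCLIENT
  "$IPTABLES" -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DSERVER
  #enable dnat to self for all other web traffic (the portal redirect)
  for PORT in 80 443; do
   "$IPTABLES" -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -p tcp --dport "$PORT" -j DNAT --to "$WIFI_SELF"
  done

### DISABLE THE FOLLOWING BEFORE DEPLOYING THE UNIT IN THE FIELD ###
#
  #log all other packets
  #"$IPTABLES" -t filter -A INPUT -j LOG --log-level warning   --log-prefix "  >>INPUT<< "
  #"$IPTABLES" -t filter -A OUTPUT -j LOG --log-level warning  --log-prefix " <> "
  #"$IPTABLES" -t filter -A FORWARD -j LOG --log-level warning --log-prefix ">>FORWARD>> "
#
### /DISABLE #######################################################

  #add default REJECT rule (just more polite than DROP)
  for CHAIN in INPUT OUTPUT FORWARD; do
   "$IPTABLES" -t filter -A "$CHAIN" -j REJECT
  done
  ;;

 addClient)
  check_ip "$2"; check_mac "$3"
  #allow client: forward it, skip the portal DNAT, SNAT it to the inet address.
  #Not transactional: if a later rule fails, the earlier ones stay in place.
  "$IPTABLES" -t filter -A FCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A DCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A SCLIENT -s "$2" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "added Client: IP $2 MAC $3"
  ;;

 delClient)
  check_ip "$2"; check_mac "$3"
  #the rules must match the addClient ones exactly for -D to find them
  "$IPTABLES" -t filter -D FCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D DCLIENT -s "$2" -m mac --mac-source "$3" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D SCLIENT -s "$2" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "removed Client: IP $2 MAC $3"
  ;;

 addServer)
  check_ip "$2"
  #allow server: forward to it, skip the portal DNAT, SNAT traffic towards it
  "$IPTABLES" -t filter -A FSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A DSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -A SSERVER -s "$WIFI_NET" -d "$2" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "added Server: IP $2"
  ;;

 delServer)
  check_ip "$2"
  #the rules must match the addServer ones exactly for -D to find them
  "$IPTABLES" -t filter -D FSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D DSERVER -s "$WIFI_NET" -d "$2" -j ACCEPT || fferror "$?"
  "$IPTABLES" -t nat -D SSERVER -s "$WIFI_NET" -d "$2" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "removed Server: IP $2"
  ;;

 show)
  #list one table (mangle/nat/filter), the authorization chains, or everything
  case "$2" in
   mangle)
    echo "___mangle_______________________________________"
    "$IPTABLES" -t mangle --list -n
    echo; echo
    ;;
   nat)
    echo "___nat__________________________________________"
    "$IPTABLES" -t nat --list -n
    echo; echo
    ;;
   filter)
    echo "___filter_______________________________________"
    "$IPTABLES" -t filter --list -n
    echo; echo
    ;;
   auth)
    echo "___clients______________________________________"
    "$IPTABLES" -t filter --list FCLIENT -n
    "$IPTABLES" -t nat --list DCLIENT -n
    "$IPTABLES" -t nat --list SCLIENT -n
    echo "___servers______________________________________"
    "$IPTABLES" -t filter --list FSERVER -n
    "$IPTABLES" -t nat --list DSERVER -n
    "$IPTABLES" -t nat --list SSERVER -n
    ;;
   *)
    echo "___mangle_______________________________________"
    "$IPTABLES" -t mangle --list -n
    echo; echo
    echo "___nat__________________________________________"
    "$IPTABLES" -t nat --list -n
    echo; echo
    echo "___filter_______________________________________"
    "$IPTABLES" -t filter --list -n
    echo; echo
    ;;
  esac
  ;;

 *)
  usage
  ;;
esac
exit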
 