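#!/bin/sh
# iptables firewall script -- head of the file: local settings, the
# save/restore sub-commands and kernel module loading. The rule set itself
# follows further down in the file.
#
# Usage:
#   <script>            load kernel modules, then the rule set below
#   <script> save       dump the live rule set to /etc/sysconfig/iptables
#   <script> restore    load /etc/sysconfig/iptables into the kernel
#
# Requires root. Written for POSIX sh: no bash-only syntax and no
# `echo -n`, which dash prints as a literal "-n".
set -u

# Local Settings
SYSCTL="/sbin/sysctl -w"        # carries its own flag: expand it unquoted on use
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
RULES_FILE="/etc/sysconfig/iptables"

# Internet Interface
INET_IFACE="eth0"
# Placeholder as published: set the real public address before running.
# Expand it quoted everywhere -- an unquoted "*.*.*.*" is a shell glob.
INET_ADDRESS="*.*.*.*"

# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="172.21.41.15"
LOCAL_NET="172.21.41.0/24"
LOCAL_BCAST="172.21.41.255"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Write the live rule set to $RULES_FILE.
# The dump goes to a temporary file first so a failing iptables-save cannot
# leave a truncated rule file behind; the saved rules are made root-only.
# Returns 0 on success, 1 on any failure (reason on stderr).
save_rules() {
  printf 'Saving firewall to %s ... ' "$RULES_FILE"
  tmp=$(mktemp "$RULES_FILE.XXXXXX") || {
    printf 'failed: cannot create temporary file\n' >&2
    return 1
  }
  if "$IPTS" > "$tmp" && chmod 600 "$tmp" && mv -f -- "$tmp" "$RULES_FILE"; then
    printf 'done\n'
    return 0
  fi
  rm -f -- "$tmp"
  printf 'failed\n' >&2
  return 1
}

# Load $RULES_FILE into the kernel.
# Returns 0 on success, 1 if the file is missing/unreadable or
# iptables-restore rejects it.
restore_rules() {
  printf 'Restoring firewall from %s ... ' "$RULES_FILE"
  if [ ! -r "$RULES_FILE" ]; then
    printf 'failed: %s missing or unreadable\n' "$RULES_FILE" >&2
    return 1
  fi
  if "$IPTR" < "$RULES_FILE"; then
    printf 'done\n'
    return 0
  fi
  printf 'failed\n' >&2
  return 1
}

# Save and Restore arguments handled here. The exit status now reflects the
# outcome, so an init script can tell a failed save/restore from a good one.
case "${1:-}" in
  save)    save_rules;    exit $? ;;
  restore) restore_rules; exit $? ;;
esac

printf 'Loading kernel modules ...\n'

# modprobe one module, warning rather than aborting when it cannot be
# loaded: with the module built in or renamed the firewall may still work.
load_module() {
  /sbin/modprobe "$1" || printf 'warning: could not load kernel module %s\n' "$1" >&2
}

# core netfilter modules
# NOTE(review): these are the 2.4 / early-2.6 module names; later kernels
# call them nf_conntrack, nf_conntrack_ftp, nf_nat_ftp, ... -- confirm
# against `lsmod` on the target host.
for mod in ip_tables ip_conntrack iptable_nat ipt_MASQUERADE ipt_mark \
           ip_nat_ftp ip_conntrack_ftp ip_conntrack_irc; do
  load_module "$mod"
done
# Not loaded (kept from the original for reference):
# /sbin/modprobe multiport
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe ipt_LOG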
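#!/bin/sh
# iptables firewall script: local settings, save/restore sub-commands,
# kernel module loading, then the filter and nat rule set for a gateway
# with one public interface (eth0) and one LAN interface (eth1).
#
# Usage:
#   <script>            load kernel modules and the rule set
#   <script> save       dump the live rule set to /etc/sysconfig/iptables
#   <script> restore    load /etc/sysconfig/iptables into the kernel
#
# Requires root. Written for POSIX sh: no bash-only syntax and no
# `echo -n`, which dash prints as a literal "-n".
set -u

# Local Settings
SYSCTL="/sbin/sysctl -w"        # carries its own flag: expand it unquoted on use
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
RULES_FILE="/etc/sysconfig/iptables"

# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="218.93.112.27"

# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="172.21.41.15"
LOCAL_NET="172.21.41.0/24"
LOCAL_BCAST="172.21.41.255"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Internal server reached through the public :8080 -> :3000 DNAT below.
DNAT_HOST="172.21.41.13"
DNAT_PORT="3000"

# Write the live rule set to $RULES_FILE.
# The dump goes to a temporary file first so a failing iptables-save cannot
# leave a truncated rule file behind; the saved rules are made root-only.
# Returns 0 on success, 1 on any failure (reason on stderr).
save_rules() {
  printf 'Saving firewall to %s ... ' "$RULES_FILE"
  tmp=$(mktemp "$RULES_FILE.XXXXXX") || {
    printf 'failed: cannot create temporary file\n' >&2
    return 1
  }
  if "$IPTS" > "$tmp" && chmod 600 "$tmp" && mv -f -- "$tmp" "$RULES_FILE"; then
    printf 'done\n'
    return 0
  fi
  rm -f -- "$tmp"
  printf 'failed\n' >&2
  return 1
}

# Load $RULES_FILE into the kernel.
# Returns 0 on success, 1 if the file is missing/unreadable or
# iptables-restore rejects it.
restore_rules() {
  printf 'Restoring firewall from %s ... ' "$RULES_FILE"
  if [ ! -r "$RULES_FILE" ]; then
    printf 'failed: %s missing or unreadable\n' "$RULES_FILE" >&2
    return 1
  fi
  if "$IPTR" < "$RULES_FILE"; then
    printf 'done\n'
    return 0
  fi
  printf 'failed\n' >&2
  return 1
}

# Save and Restore arguments handled here. The exit status now reflects the
# outcome, so an init script can tell a failed save/restore from a good one.
case "${1:-}" in
  save)    save_rules;    exit $? ;;
  restore) restore_rules; exit $? ;;
esac

printf 'Loading kernel modules ...\n'

# modprobe one module, warning rather than aborting when it cannot be
# loaded: with the module built in or renamed the firewall may still work.
load_module() {
  /sbin/modprobe "$1" || printf 'warning: could not load kernel module %s\n' "$1" >&2
}

# core netfilter modules
# NOTE(review): these are the 2.4 / early-2.6 module names; later kernels
# call them nf_conntrack, nf_conntrack_ftp, nf_nat_ftp, ... -- confirm
# against `lsmod` on the target host.
for mod in ip_tables ip_conntrack iptable_nat ipt_MASQUERADE ipt_mark \
           ip_nat_ftp ip_conntrack_ftp ip_conntrack_irc; do
  load_module "$mod"
done
# Not loaded (kept from the original for reference):
# /sbin/modprobe iptable_filter
# /sbin/modprobe iptable_mangle
# /sbin/modprobe ipt_LOG

# ---------------------------------------------------------------------------
# filter table
# ---------------------------------------------------------------------------
# Every rule below is appended (-A). The chain policies and the flush that
# should precede this block are not part of this listing -- confirm they
# exist, because re-running the script without a flush duplicates each rule.

# INPUT: services exposed on the public interface.
"$IPT" -A INPUT -p TCP -i "$INET_IFACE" -m multiport --dports 20,21,22,25,80,8080,110 -j ACCEPT
# Wide high-port ranges open to any source (presumably passive-FTP and
# application data ports -- confirm against the services on this host).
# With ip_conntrack_ftp loaded, accepting RELATED traffic on INPUT would
# cover passive FTP without a static range. "-s 0/0" matches everything and
# is kept only for readability.
"$IPT" -A INPUT -i "$INET_IFACE" -p TCP -s 0/0 -m multiport --dports 5000:5100 -j ACCEPT
"$IPT" -A INPUT -i "$INET_IFACE" -p TCP -s 0/0 -m multiport --dports 6891:6900 -j ACCEPT
"$IPT" -A INPUT -i "$INET_IFACE" -p TCP -s 0/0 -m multiport --dports 30000:50000 -j ACCEPT
"$IPT" -A INPUT -i "$INET_IFACE" -p UDP -s 0/0 --dport 53 -j ACCEPT

# FORWARD: anything from the LAN may go out; only replies/related traffic
# comes back in from the internet.
# $IPT -A FORWARD -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
# $IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
"$IPT" -A FORWARD -p ALL -i "$LOCAL_IFACE" -j ACCEPT
"$IPT" -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FORWARD died: "
# $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# OUTPUT: the host itself may talk to anything.
# Localhost
"$IPT" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPT" -A OUTPUT -p ALL -o "$LO_IFACE" -j ACCEPT
"$IPT" -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
# To internal network
"$IPT" -A OUTPUT -p ALL -s "$LOCAL_IP" -j ACCEPT
"$IPT" -A OUTPUT -p ALL -o "$LOCAL_IFACE" -j ACCEPT
# To internet
"$IPT" -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
# $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT died: "

# ---------------------------------------------------------------------------
# nat table
# ---------------------------------------------------------------------------
# Transparent proxy on :3128 (disabled)
## $IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128
## $IPT -t nat -A PREROUTING -i $LOCAL_IFACE -p tcp --dport 443 -j REDIRECT --to-port 3128
# LAN -> internet: static SNAT to the public address. The MASQUERADE
# alternative is kept disabled (note: -s takes a network such as
# $LOCAL_NET, not an interface name).
"$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_ADDRESS"
# $IPT -t nat -A POSTROUTING -s $LOCAL_IFACE -o $INET_IFACE -j MASQUERADE

# mangle table
# (no rules)

# Redirect to the internal network: public and LAN :8080 -> $DNAT_HOST:$DNAT_PORT
"$IPT" -A FORWARD -p tcp -i "$INET_IFACE" -d "$DNAT_HOST" --dport "$DNAT_PORT" -j ACCEPT
"$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IFACE" --dport 8080 -j DNAT --to "$DNAT_HOST:$DNAT_PORT"
"$IPT" -t nat -A PREROUTING -p tcp -i "$LOCAL_IFACE" --dport 8080 -j DNAT --to "$DNAT_HOST:$DNAT_PORT"
# Hairpin SNAT so LAN clients using the public port get their replies back
# through this host. It has no -s restriction, so internet clients are
# rewritten too and the internal server sees every :3000 connection as
# coming from $LOCAL_IP (its logs lose the original client address); add
# -s "$LOCAL_NET" here if the server's logs need real client addresses.
"$IPT" -t nat -A POSTROUTING -o "$LOCAL_IFACE" -d "$DNAT_HOST" -p tcp --dport "$DNAT_PORT" -j SNAT --to-source "$LOCAL_IP"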