2015年5月30日 星期六

vim /etc/rc.d/ipt_server

#!/bin/bash
#
# Script name: ipt_server
# A simple script for firewall, used in Linux (kernel 2.4.x),
# with certain services provided to outside world.
#
# Copyleft 2002 by netman (netman@study-area.org).
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
# Date: 2002/07/03
# Version: 1.4

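# ------------- configuration -------------
# Pin and export PATH so iptables/modprobe/lsmod are found even when this
# script is started from an init context with a minimal environment.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
# Location of the squid init script (not referenced anywhere in this script).
RC_SQUID=/etc/rc.d/init.d/squid
# External (Internet-facing) and internal interfaces.
# NOTE(review): INT_IF is never used below; no rule distinguishes internal
# traffic from external traffic.
EXT_IF=eth0
INT_IF=eth1
# Ports accepted on EXT_IF by the "services" chain (TCP list, then UDP list).
# NOTE(review): this exposes NetBIOS (137-139), SNMP (161), LDAP (389) and
# VNC (5900) on the external interface; confirm each one is meant to be
# reachable from outside rather than only from the internal side.
TRUSTED_TCP_PORT="1723 20 21 22 25 53 80 110 113 137 138 139 161 389 443 636 1812 1813 5900"
TRUSTED_UDP_PORT="53 1812 1813 5900"
# ICMP types (type or type/code) accepted on EXT_IF by the "icmpfilter" chain.
ALLOWED_ICMP="0 3 8 3/4 4 11 12 14 16 18"

# Addresses intended to be banned (duplicate entries removed).
# NOTE(review): this list is defined but never referenced below, so none of
# these addresses is actually blocked by the rules this script installs.
BAN_YAHOO_IP="66.163.169.143 66.163.169.148 216.136.227.20 216.136.227.23 216.136.173.183 216.136.227.25 66.163.169.149 63.216.136.22 66.135.224.142 66.136.175.132 66.163.168.105 66.163.172.117 66.163.173.76 66.163.173.77 66.163.173.78 66.163.173.203 66.163.175.128 66.163.178.78 204.71.200.36 204.71.200.3 204.71.200.37 204.71.201.134 204.71.201.141 216.136.173.172 216.136.173.179 216.136.175.132 216.136.175.142 216.136.175.143 216.136.175.144 216.136.175.145 216.136.175.226 216.136.224.134 216.136.224.142 216.136.224.213 216.136.224.214 216.136.225.12 216.136.226.117 216.136.226.118 216.136.226.209 216.136.226.210 216.136.227.168 216.136.233.129 216.136.233.130 216.136.233.131 216.136.233.133 216.136.233.135 216.136.233.148 216.136.233.151 216.136.233.152 216.155.193.133 216.109.116.191"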


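#
#
# ------------- ensure iptables ----------
# Abort early when the iptables binary is not on PATH: every rule below
# depends on it.  command -v is the portable builtin check (which is not),
# $0 is quoted, and the diagnostic goes to stderr instead of stdout.
command -v iptables >/dev/null 2>&1 || {
    printf '\n%s: iptables program is not found.\n' "${0##*/}" >&2
    printf '  Please install the program first.\n\n' >&2
    exit 1
}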

# ------------- disable ipchains ----------
# If the ipchains module is currently loaded, unload it before ip_tables is
# loaded below.  grep -q only reports the match status, nothing is printed.
if lsmod | grep -q ipchains; then
    printf 'Disabling ipchains...\n'
    rmmod ipchains
fi

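# ------------- modules -----------
printf 'Loading modules...\n'
# ip_tables is mandatory: without it no rule below can be installed.
modprobe ip_tables >/dev/null 2>&1 || {
    printf '%s: loading ip_tables module failure. Please Fix it!\n' "${0##*/}" >&2
    exit 3
}
# Connection-tracking and NAT helper modules are optional: load whatever is
# present for the running kernel and silently ignore failures.  Kernel 2.4
# ships modules as .o files; 2.6-era kernels use .ko, so both are matched.
# When a pattern matches nothing the literal pattern is left in $file, which
# the original loop fed to modprobe; it is skipped explicitly here.
kmod_dir="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
for file in "$kmod_dir"/ip_conntrack_*.o "$kmod_dir"/ip_conntrack_*.ko \
            "$kmod_dir"/ip_nat_*.o "$kmod_dir"/ip_nat_*.ko; do
    [ -e "$file" ] || continue
    module=${file##*/}
    modprobe "${module%.*}" >/dev/null 2>&1
done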

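# ------------- ipforwarding -----------
printf 'Turning on IP forwarding...\n'
# Forwarding is enabled globally; only the FORWARD chain rules below can
# constrain what is routed between interfaces.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

# ------------- anti spoofing -----------
printf 'Turning on anti-spoofing...\n'
# Enable reverse-path filtering (rp_filter) in every interface directory
# under conf/.  If the glob matches nothing the literal pattern is left in
# $file; the original loop would then try to write to that bogus path.
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -e "$file" ] || continue
    printf '1\n' > "$file"
done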

# ------------- flushing ----------
printf 'Cleaning up...\n'
# For each table, in the order filter, mangle, nat: flush all rules (-F),
# delete user-defined chains (-X) and zero the counters (-Z).
for table in filter mangle nat; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
done
# ------------- policies -------------
printf 'Setting up policies to ACCEPT...\n'
# Default policy ACCEPT on every built-in chain of the filter and nat tables.
# NOTE(review): nothing later in this script installs a DROP or REJECT rule
# (the "block" chain is created empty), so with these policies any packet
# that is not matched by an ACCEPT rule is accepted anyway.
for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
done
# Disabled leftover, kept for reference.  Note that the DNAT target is only
# valid in the nat table (PREROUTING/OUTPUT), not in the filter INPUT chain.
###iptables -A INPUT -d 163.17.209.7 -p tcp --dport 3389 -j DNAT --to-destination  192.168.7.11:3389
# ------------- ICMP -------------
printf 'Creating icmpfilter chain...\n'
# icmpfilter: accept the listed ICMP types (type or type/code) arriving on
# the external interface; anything else falls through and returns to the
# calling chain.
iptables -N icmpfilter
for TYPE in $ALLOWED_ICMP; do
    iptables -A icmpfilter -i "$EXT_IF" -p icmp --icmp-type "$TYPE" -j ACCEPT
done

# ------------- services ------------
printf 'Creating services chain....\n'
# services: accept packets to the trusted TCP ports, then the trusted UDP
# ports, on the external interface.  There is no state match here, so the
# rules apply to every packet, not only to new connections.
iptables -N services
for proto in tcp udp; do
    if [ "$proto" = tcp ]; then
        ports=$TRUSTED_TCP_PORT
    else
        ports=$TRUSTED_UDP_PORT
    fi
    for PORT in $ports; do
        iptables -A services -i "$EXT_IF" -p "$proto" --dport "$PORT" -j ACCEPT
    done
done
# ------------- block -------------
printf 'Creating block chain...\n'
# block: created but left empty (its rules are commented out below), so a
# jump to it simply returns to the calling chain.
# NOTE(review): the three disabled rules are the only place this script
# would ever DROP anything.  With them disabled and the INPUT/FORWARD
# policies set to ACCEPT, the icmpfilter and services chains change
# nothing: all traffic is accepted.  Also, "-i ! $EXT_IF" is the old inline
# negation form; newer iptables releases use "! -i $EXT_IF" instead.
iptables -N block
#iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
#iptables -A block -j DROP

# ------------- filter -------------
printf 'Filtering packets...\n'
# Send INPUT and FORWARD traffic through the user chains in this order; a
# chain returns here when nothing matched, and the chain policy (ACCEPT,
# set above) then decides.
# NOTE(review): FORWARD is not sent through "services", and neither path
# ends in a drop, so forwarded traffic is effectively unfiltered in both
# directions.
for chain in icmpfilter services block; do
    iptables -A INPUT -j "$chain"
done
for chain in icmpfilter block; do
    iptables -A FORWARD -j "$chain"
done
# ------------- masq -------------
printf 'Masquerading internel network...\n'
# Source-NAT everything that leaves through the external interface.
# NOTE(review): there is no -s restriction, so any forwarded packet going
# out $EXT_IF is masqueraded, not only traffic from the internal network;
# INT_IF is declared above but never used to scope this (or any) rule.
iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

exit 0

