|
|
我用的这个是脚本floppyfw的,adsl拨号上网,内部上网正常。想做个内部的web服务器,web正常(内网可以浏览),但是外网无法访问我的web。
脚本如下:
OUTSIDE_DEV=eth0
INSIDE_DEV=eth1
INSIDE_IP=192.168.0.1
INSIDE_NETMASK=255.255.255.0
#!/bin/sh
# Firewall setup.
#
# This is a conversion of the ipchains/ipmasqadm based firewall.ini
# from the 1.x series of floppyfw, it's pretty simple and the
# corresponding ipchains rules are kept for references.
#
# Do you want to do port forwaring to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
SERVER_IP=192.168.0.253
#
# Stopping forwarding (this script may be run during normal uptime because
# for re-lease of HDCP or demand dialing / PPPoE.
#
echo "0" > /proc/sys/net/ipv4/ip_forward
# Flushing the chains.
#
iptables -F
for i in `cat /proc/net/ip_tables_names`; do iptables -F -t $i ; done
iptables -X
iptables -Z # zero all counters
#
# Policy for chains DROP everything
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# SYN-Flooding protection
# Looks good and nicked from a firewall script mentioned on floppyfw.something.
# Didn't work that well..
#
iptables -N syn-flood
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j DROP
#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw commad.
#
# Web:
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
# Keep state and open up for outgoing connections.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# We don't like the NetBIOS and Samba leaking..
#
iptables -t nat -A PREROUTING -p TCP --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 445 -j DROP
#
# We would like to ask for names from our floppyfw box
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT
# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT
#
# If the user wants to have the fake identd running, the identd has to
# be able to answer.
#
if [ ${FAKEIDENT} ]
then
iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j ACCEPT
else
iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j REJECT --reject-with tcp-reset
fi
#
# And, some attempt to get interactive sesions a bit more interactive
# under load:
#
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
# iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput
#
# This will also help:
# (Not used yet, have to replace "rate 240kbit" with a percentage.
# and also maybe change from qdisc to htb.
#
# tc qdisc add dev $OUTSIDE_DEVICE root tbf rate 240kbit latency 50ms burst 1540
#
# DMZ Stuff goes here:
#
if [ -f /etc/dmz.info ];
then
echo "Setting up DMZ."
. /etc/dmz.info
iptables -N dmz
if [ "$DMZ_USE_NAT" = "y" ]
then
iptables -t nat -A POSTROUTING -s ${DMZ_NETWORK}/${DMZ_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
fi
fi
#
# Finally, list what we have
#
#
iptables -L
# If broken DNS:
#iptables -L -n
#
# The insert stuff into the kernel (ipsysctl) - section:
#
# Some of there goes under the "Better safe than sorry" - banner.
#
#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
#
# trying to stop some smurf attacks.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Don't accept source routed packets.
#
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Syncookies (if they are really needed any more?)
#
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#
# We don't like IP spoofing,
#
if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]
then
# These two are redundant but I'll kepp'em here for now.
# Will remind me that I can add the first one somewhere smart later.
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# while read filter
# do
# echo "1" > $filter
# done < `find /proc/sys/net/ipv4/conf -name rp_filter -print`
else
echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
fi
#
# nor ICMP redirect,
#
if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# while read accr
# do
# echo -n "fil"
# echo $accr
# echo "fil2"
# echo "0" > $accr
# done < `find /proc/sys/net/ipv4/conf -name accept_redirects -print`
else
echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
fi
#
# Enable bad error message protection.
#
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Maximum limit of ip_conntrack
# This is RAM dependant so be careful with this.
# The max, which is the valuehere, needs around 32M RAM to work properly.
# echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
#
# This is commented out and will be an option when we have a "LOG_STUFF"
# config option.
# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward |
|
IP卡
狗仔卡
发表于 2005-8-28 23:03:50
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
发表于 2005-8-29 16:44:07
楼主