|
|
下面是一位前辈编写的iptables脚本,不过是针对2.4.x内核编的,我现在用的是debian 4.0 testing,iptabels1.3.8,我该怎么改才能把这个脚本用起来?特别是
###########################################################################
# Configuration options.
# Internet Configuration.
INET_IP="194.236.50.155"
INET_SERVER=”194.236.50.156”
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"
###########################################################################
#Lan configuration
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
LAN_IP="192.168.0.254"
LAN_SERVER=”192.168.0.1”
LAN_IP_RANGE="192.168.0.0/24"
LAN_BROADCAST=”192.168.0.255”
LAN_IFACE="eth1"
这一段该怎么改?麻烦指点:)
附我的网卡设置:
# more /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 59.36.255.33
netmask 255.255.255.0
network 198.30.66.0
broadcast 198.30.66.255
gateway 59.36.255.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 202.96.128.68
dns-search john.com
iface eth1 inet static
address 198.30.66.1
netmask 255.255.255.0
附前辈的脚本:
这是一个非常典型的企业网络拓扑结构,通过固定IP地址接入Internet,内部网络通过防火墙与Internet互连并进行安全控制,只允许内部网络的用户通过ftp、http、smtp、和pop3与Internet连接,而禁止所有从外网到内网的连接,内部用户通过防火墙的外网接口地址共享上网。运行脚本firewall.sh如下:
#!/bin/sh
# example.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
###########################################################################
# Configuration options.
# Internet Configuration.
INET_IP="194.236.50.155"
INET_SERVER=”194.236.50.156”
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"
###########################################################################
#Lan configuration
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
LAN_IP="192.168.0.254"
LAN_SERVER=”192.168.0.1”
LAN_IP_RANGE="192.168.0.0/24"
LAN_BROADCAST=”192.168.0.255”
LAN_IFACE="eth1"
###########################################################################
# Localhost Configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"
###########################################################################
# IPTables Configuration.
IPTABLES="/usr/sbin/iptables"
###########################################################################
# Module loading.
# Needed to initially load modules
/sbin/depmod -a
# Required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
##########################################################################
# Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
###########################################################################
# /proc set up.
# Required proc configuration
echo "1" > /proc/sys/net/ipv4/ip_forward
###########################################################################
# rules set up.
# Filter table
# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###########################################################################
# Create userspecified chains
# Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets
# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
###########################################################################
# Create content in userspecified chains
# bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
###########################################################################
# allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
############################################################################
# TCP rules for the services of ftp, ssh, smtp,http,pop3
#
$IPTABLES -A tcp_packets -p TCP –m multiport --dports 21,22,25,80,110 -j allowed
############################################################################
# UDP rules for the services of dns
#
$IPTABLES -A udp_packets -p UDP --destination-port 53 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs. Uncomment the following
# line to make the policy active if you have such a network
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP
#$IPTABLES -A udp_packets -p UDP -i $LAN_IFACE -d $LAN_BROADCAST \
#--destination-port 135:139 -j DROP
###########################################################################
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP --icmp-type 8 -j ACCEPT
###########################################################################
# INPUT chain
#
# Bad TCP packets you don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# Drop the packet from Internet
#
$IPTABLES -A INPUT -p ALL -i $INET_IFACE –j DROP
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix " INPUT packet died: "
###########################################################################
# FORWARD chain
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD –p tcp -i $LAN_IFACE -j tcp_packets
$IPTABLES -A FORWARD –p udp -i $LAN_IFACE -j udp_packets
$IPTABLES -A FORWARD -p icmp -i $LAN_IFACE -j icmp_packets
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "FORWARD packet died: "
#
# OUTPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "OUTPUT packet died: "
###########################################################################
# nat table
-j DNAT --to-destination $LAN_SERVER
# POSTROUTING chain
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
编辑好脚本后,为其添加可执行权限:
#chmod ugo+x firewall.sh
将firewall.sh脚本移动到/etc目录下:
#mv firewall.sh /etc/
确保系统在启动是能够运行该脚本,添加如下语句到/etc/rc.d/rc.local文件中:
#echo sh /etc/firewall.sh >> /etc/rc.d/rc.local |
|
IP卡
狗仔卡
发表于 2007-12-3 08:57:29
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡