最权威学习Iptables实例

[root@squids shell]# cat fire_wall.sh
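#!/bin/bash
# fire_wall.sh - iptables rules for a Squid transparent-proxy gateway with two
# LAN segments (eth0 = 192.168.0.0/24, eth1 = 192.168.2.0/24) and a PPP uplink.
# Usage: fire_wall.sh [start | stop | forbid IP | allow IP | flux | dos | clear]
# Requires bash: the script uses [[ ]] and (( )), which /bin/sh (dash, ash)
# does not provide, so the original '#!/bin/sh' shebang was wrong.
IPS="/sbin/iptables"
PPPX="ppp0"
LAN_ip_eth0="192.168.0.4"
LAN_ip_eth1="192.168.2.1"
LAN_ip_eth2="192.168.1.3"
LAN_ip_eth3="192.168.3.1"
LAN_ONE="192.168.0.0/24"
LAN_TWO="192.168.2.0/24"
# Option fragments. They contain several words and are deliberately expanded
# UNQUOTED (${MULDPORT}) everywhere below so the shell splits them into
# separate iptables arguments; quoting them would break every rule.
MULDPORT="-m multiport --destination-ports"
MULSPORT="-m multiport --source-ports"
IP_OPTIONS="--log-ip-options --log-tcp-options"
# Comma-separated port lists for 'multiport' (at most 15 entries per match;
# duplicates such as 3130 and 53 are harmless but count toward that limit).
PLUDP="53,67,68,32768,32770,3130,32769,3130,111,11371,3478,3480,123"
PLTCP="80,443,53,22,21,20,67,68,53,873,3128,3306,3478,3480"
PRPORT_LIST="80,443"
PORT1="80,443,21,20,858,873,5222,5224,5225,5226,25,110,143,3306"
PORT2="53,22,3128,5223,8080,3478,3480,5227,5228,995,465,8000,8005,9001"
PORT3="6060,9099,22222,22223,81,8443,1863,8018,993,8888"
RUDP="53,25,110,143,161,2401,3478,3480,123"
# Input files: one entry per line, first field is the address, '#' lines are
# skipped. Their contents become firewall rules, so they must be root-owned
# and not writable by other users (NOTE(review): the script does not check).
NOPROXY="/etc/shell/txt/static.txt"
WHITELIST="/etc/shell/txt/iplist.txt"
SERVERIP="/etc/shell/txt/serverip.txt"
#
# PPP_IP holds the interface name (first ifconfig field), not an address;
# only its emptiness is used: bring the link up if ppp0 is not listed.
PPP_IP=$(/sbin/ifconfig | grep -- "${PPPX}" | awk '{print $1}')
if [[ -z "${PPP_IP}" ]]
then
  /sbin/ifup "${PPPX}"
fi
# Route everything via the PPP link. 'del' fails when no default route
# exists yet; that is expected, so its status and message are ignored.
ip route del default 2>/dev/null || true
ip ro add default dev "${PPPX}"
# Connection-tracking helpers so active FTP works through NAT.
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp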
#flush tables
#######################################
# Flush every rule and then delete every user-defined chain in the filter,
# nat and mangle tables. Built-in chain policies are left as they are.
# Globals:   IPS (read)
# Arguments: none
#######################################
clear()
{
  local table
  for table in filter nat mangle; do
    "${IPS}" -t "${table}" -F
  done
  for table in filter nat mangle; do
    "${IPS}" -t "${table}" -X
  done
}
#######################################
# The "stop" state: open ACCEPT policies on all three filter chains (nothing
# is filtered), while transparent redirection of PRPORT_LIST to squid and
# masquerading on the PPP link stay active.
# Globals:   IPS, MULDPORT, PRPORT_LIST, PPPX (read)
# Arguments: none
#######################################
default_policy()
{
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    "${IPS}" -P "${chain}" ACCEPT
  done
  # MULDPORT is several words and must stay unquoted.
  "${IPS}" -t nat -A PREROUTING -p tcp ${MULDPORT} ${PRPORT_LIST} -j REDIRECT --to-ports 3128
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -j MASQUERADE
}
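#######################################
# Install mangle-table ACCEPT rules that act as per-link and per-host traffic
# counters (presumably read by /etc/shell/fluxsee.sh; not verified here).
# An ACCEPT in mangle never bypasses the filter table, so these rules only
# count. Hosts listed in WHITELIST get their own PPP counters unless they
# also appear in SERVERIP.
# Globals:   IPS, PPPX, LAN_ONE, LAN_TWO, WHITELIST, SERVERIP (read)
# Arguments: none
#######################################
flux()
{
  local st="-m state --state NEW,ESTABLISHED,RELATED"
  local eth_ip
  # Gateway's own traffic. Squid's replies (sport 3128) on eth0 are excluded;
  # '! --sport' replaces the deprecated intrapositioned '--sport !' form.
  "${IPS}" -t mangle -A OUTPUT -o eth0 -p tcp ! --sport 3128 ${st} -j ACCEPT
  "${IPS}" -t mangle -A OUTPUT -o eth1 -p tcp -s "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -t mangle -A OUTPUT -o eth1 -p tcp -s "${LAN_TWO}" -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -t mangle -A OUTPUT -o eth1 -p tcp -s "${LAN_TWO}" -d "${LAN_TWO}" ${st} -j ACCEPT
  "${IPS}" -t mangle -A OUTPUT -o eth0 -p tcp -s "${LAN_ONE}" -d "${LAN_TWO}" ${st} -j ACCEPT
  "${IPS}" -t mangle -A OUTPUT -o eth0 -p tcp -s "${LAN_ONE}" -d "${LAN_ONE}" ${st} -j ACCEPT
  # LAN <-> LAN routed traffic, with and without the squid port excluded.
  "${IPS}" -t mangle -A FORWARD -i eth1 -o eth0 -p tcp -s "${LAN_TWO}" -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -t mangle -A FORWARD -i eth0 -o eth1 -p tcp -s "${LAN_ONE}" -d "${LAN_TWO}" ${st} -j ACCEPT
  "${IPS}" -t mangle -A FORWARD -i eth0 -o eth1 -p tcp -s "${LAN_ONE}" -d "${LAN_TWO}" ! --dport 3128 ${st} -j ACCEPT
  "${IPS}" -t mangle -A FORWARD -i eth1 -o eth0 -p tcp -s "${LAN_TWO}" -d "${LAN_ONE}" ! --dport 3128 ${st} -j ACCEPT
  # Per-host counters for whitelisted addresses (first field, '#' lines skipped).
  for eth_ip in $(grep -v -- '^#' "${WHITELIST}" | awk '{print $1}')
  do
    # Fixed-string, whole-word match. The original 'grep ${ETH_IP}' treated
    # the address as a regex and matched substrings, so 192.168.0.1 also
    # matched 192.168.0.10 / 192.168.0.100 and those hosts were skipped.
    if grep -Fqw -- "${eth_ip}" "${SERVERIP}"
    then
      continue
    fi
    "${IPS}" -t mangle -A FORWARD -i "${PPPX}" -d "${eth_ip}" ${st} -j ACCEPT
    "${IPS}" -t mangle -A FORWARD -o "${PPPX}" -s "${eth_ip}" ${st} -j ACCEPT
    case "${eth_ip}" in
      192.168.0.*)
        "${IPS}" -t mangle -A INPUT -i eth0 -s "${eth_ip}" ${st} -j ACCEPT
        "${IPS}" -t mangle -A OUTPUT -o eth0 -d "${eth_ip}" ${st} -j ACCEPT
        ;;
      192.168.2.*)
        "${IPS}" -t mangle -A INPUT -i eth1 -s "${eth_ip}" ${st} -j ACCEPT
        "${IPS}" -t mangle -A OUTPUT -o eth1 -d "${eth_ip}" ${st} -j ACCEPT
        ;;
      *)
        # Addresses outside both LANs only get the PPP counters above.
        ;;
    esac
  done
}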
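#######################################
# Log and drop TCP segments with flag combinations that only occur in port
# scans or spoofed handshakes, on INPUT and FORWARD. LOG rules are rate
# limited so a scan cannot flood the kernel log; the DROP rules are not.
# Not reached from the dispatcher (the "scan" call in "start" is commented out).
# Globals:   IPS, IP_OPTIONS (read)
# Arguments: none
#######################################
scan()
{
  local lim="-m limit --limit 5/min --limit-burst 10"
  local log="-j LOG --log-level 1"
  # NULL scan: no flag set at all.
  "${IPS}" -A INPUT -p tcp --tcp-flags ALL NONE ${lim} ${log} --log-prefix "ALL,NONE scan "
  "${IPS}" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # SYN and FIN together never occur in a legitimate segment.
  "${IPS}" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN ${lim} ${log} --log-prefix "SYN,FIN scan "
  "${IPS}" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # Lone FIN (FIN scan). The original pair 'FIN FIN' matched every segment
  # carrying FIN -- including normal FIN/ACK connection closes -- and dropped
  # them; 'ALL FIN' matches only a bare FIN.
  "${IPS}" -A INPUT -p tcp --tcp-flags ALL FIN ${lim} ${log} --log-prefix "FIN FIN scan "
  "${IPS}" -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
  # Log-only signatures; their DROP rules stay disabled as in the original.
  "${IPS}" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST ${lim} ${log} --log-prefix "FIN RST scan "
  #"${IPS}" -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  "${IPS}" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST ${lim} ${log} --log-prefix "SYN,RST SYN,RST scan "
  #"${IPS}" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # FIN / PSH / URG without ACK.
  "${IPS}" -A INPUT -p tcp --tcp-flags ACK,FIN FIN ${lim} ${log} --log-prefix "ACK,FIN FIN scan "
  "${IPS}" -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
  "${IPS}" -A INPUT -p tcp --tcp-flags ACK,PSH PSH ${lim} ${log} --log-prefix "ACK,PSH  scan "
  #"${IPS}" -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  "${IPS}" -A INPUT -p tcp --tcp-flags ACK,URG URG ${lim} ${log} --log-prefix "ACK,URG  scan "
  #"${IPS}" -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  # A NEW connection must begin with a plain SYN; SYN/ACK in state NEW is a
  # reply to a handshake conntrack never saw.
  "${IPS}" -A INPUT -p tcp ! --syn -m state --state NEW ${lim} -j LOG ${IP_OPTIONS} --log-prefix "input new not syn"
  "${IPS}" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  "${IPS}" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW ${lim} -j LOG ${IP_OPTIONS} --log-prefix "ip cheat"
  "${IPS}" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
  # Same two checks for routed traffic.
  "${IPS}" -A FORWARD -p tcp ! --syn -m state --state NEW ${lim} -j LOG ${IP_OPTIONS} --log-prefix "FORWARD new not syn"
  "${IPS}" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
  "${IPS}" -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW ${lim} -j LOG ${IP_OPTIONS} --log-prefix "ip cheat"
  "${IPS}" -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
}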
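#######################################
# Load the full "start" rule set: squid bypass/redirect in nat, LAN and PPP
# filtering by port list, ICMP, NAT, with DROP policies on all three chains.
# Expects the chains to have been flushed (clear) first.
# Globals:   IPS, PPPX, LAN_ONE, LAN_TWO, MULDPORT, MULSPORT, PRPORT_LIST,
#            PLTCP, PLUDP, PORT1, PORT2, PORT3, RUDP, NOPROXY (read)
# Arguments: none
#######################################
start()
{
  local chain eth0_ip
  local st="-m state --state NEW,ESTABLISHED,RELATED"
  # Fail closed: set the DROP policies before appending any rule, so a
  # partially loaded rule set never leaves the gateway open. The original set
  # them last, which left the previous policies (ACCEPT after "stop") in
  # force while the rules were being added.
  for chain in INPUT OUTPUT FORWARD; do
    "${IPS}" -P "${chain}" DROP
  done
  # ----- nat/PREROUTING: traffic that must NOT be redirected to squid -----
  "${IPS}" -t nat -A PREROUTING -i eth1 -s "${LAN_TWO}" -d 192.168.0.0/24 -j ACCEPT
  # NOTE(review): '-i eth1 -s LAN_ONE' is the only rule pairing eth1 with the
  # eth0 network; kept as written -- confirm it is not a typo for eth0.
  "${IPS}" -t nat -A PREROUTING -i eth1 -s "${LAN_ONE}" -d 192.168.2.1 -p tcp --dport 21 -j ACCEPT
  "${IPS}" -t nat -A PREROUTING -i eth1 -s "${LAN_TWO}" -d 192.168.2.1 -p tcp --dport 22 -j ACCEPT
  "${IPS}" -t nat -A PREROUTING -i eth0 -s "${LAN_ONE}" -d 192.168.2.1 -p tcp --dport 22 -j ACCEPT
  # Hosts listed in NOPROXY (first field per line, '#' lines skipped) bypass squid.
  for eth0_ip in $(grep -v -- '^#' "${NOPROXY}" | awk '{print $1}')
  do
    "${IPS}" -t nat -A PREROUTING -s "${eth0_ip}" -j ACCEPT
  done
  # Everything else from both LANs on the proxied ports goes to squid :3128.
  "${IPS}" -t nat -A PREROUTING -i eth0 -s "${LAN_ONE}" -p tcp ${MULDPORT} ${PRPORT_LIST} -j REDIRECT --to-ports 3128
  "${IPS}" -t nat -A PREROUTING -i eth1 -s "${LAN_TWO}" -p tcp ${MULDPORT} ${PRPORT_LIST} -j REDIRECT --to-ports 3128
  # ----- filter/INPUT: the gateway itself -----
  "${IPS}" -A INPUT -i lo -j ACCEPT
  "${IPS}" -A INPUT -i eth1 -p tcp -s "${LAN_TWO}" ${MULDPORT} ${PLTCP} ${st} -j ACCEPT
  "${IPS}" -A INPUT -i eth0 -p tcp -s "${LAN_ONE}" ${MULDPORT} ${PLTCP} ${st} -j ACCEPT
  # NOTE(review): the next two rules accept everything arriving on the LAN
  # interfaces, so the port-limited TCP rules above and UDP rules below are
  # shadowed -- both LANs are fully trusted. Kept as written.
  "${IPS}" -A INPUT -i eth1 -j ACCEPT
  "${IPS}" -A INPUT -i eth0 -j ACCEPT
  "${IPS}" -A INPUT -i eth1 -p udp -s "${LAN_TWO}" ${MULDPORT} ${PLUDP} ${st} -j ACCEPT
  "${IPS}" -A INPUT -i eth0 -p udp -s "${LAN_ONE}" ${MULDPORT} ${PLUDP} ${st} -j ACCEPT
  # ----- filter/OUTPUT -----
  "${IPS}" -A OUTPUT -o lo -j ACCEPT
  "${IPS}" -A OUTPUT -o eth0 -j ACCEPT
  "${IPS}" -A OUTPUT -o eth1 -j ACCEPT
  # Outgoing traceroute probes.
  "${IPS}" -A OUTPUT -p udp --sport 1024:65535 --dport 1024:33523 -j ACCEPT
  # ----- PPP uplink <-> gateway, by port list -----
  # NOTE(review): the inbound rules match on *source* port in state NEW, which
  # any remote peer can choose; legitimate replies are already covered by
  # ESTABLISHED,RELATED. Confirm inbound NEW on these ports is intended.
  "${IPS}" -A INPUT -i "${PPPX}" -p tcp ${MULSPORT} ${PORT1} ${st} -j ACCEPT
  "${IPS}" -A INPUT -i "${PPPX}" -p tcp ${MULSPORT} ${PORT2} ${st} -j ACCEPT
  "${IPS}" -A INPUT -i "${PPPX}" -p tcp ${MULSPORT} ${PORT3} ${st} -j ACCEPT
  "${IPS}" -A INPUT -i "${PPPX}" -p udp ${MULSPORT} ${RUDP} ${st} -j ACCEPT
  "${IPS}" -A OUTPUT -o "${PPPX}" -p tcp ${MULDPORT} ${PORT1} ${st} -j ACCEPT
  "${IPS}" -A OUTPUT -o "${PPPX}" -p tcp ${MULDPORT} ${PORT2} ${st} -j ACCEPT
  "${IPS}" -A OUTPUT -o "${PPPX}" -p tcp ${MULDPORT} ${PORT3} ${st} -j ACCEPT
  "${IPS}" -A OUTPUT -o "${PPPX}" -p udp ${MULDPORT} ${RUDP} ${st} -j ACCEPT
  # ----- filter/FORWARD -----
  # LAN <-> LAN.
  "${IPS}" -A FORWARD -i eth1 -o eth0 -s "${LAN_TWO}" -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth0 -o eth1 -s "${LAN_ONE}" -d "${LAN_TWO}" ${st} -j ACCEPT
  # LAN -> uplink, by destination port.
  "${IPS}" -A FORWARD -i eth1 -o "${PPPX}" -s "${LAN_TWO}" -p tcp ${MULDPORT} ${PORT1} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth1 -o "${PPPX}" -s "${LAN_TWO}" -p tcp ${MULDPORT} ${PORT2} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth1 -o "${PPPX}" -s "${LAN_TWO}" -p tcp ${MULDPORT} ${PORT3} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth1 -o "${PPPX}" -s "${LAN_TWO}" -p udp ${MULDPORT} ${RUDP} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth0 -o "${PPPX}" -s "${LAN_ONE}" -p tcp ${MULDPORT} ${PORT1} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth0 -o "${PPPX}" -s "${LAN_ONE}" -p tcp ${MULDPORT} ${PORT2} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth0 -o "${PPPX}" -s "${LAN_ONE}" -p tcp ${MULDPORT} ${PORT3} ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i eth0 -o "${PPPX}" -s "${LAN_ONE}" -p udp ${MULDPORT} ${RUDP} ${st} -j ACCEPT
  # Uplink -> LAN, by source port (same caveat as the INPUT rules above).
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth0 -p tcp ${MULSPORT} ${PORT1} -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth0 -p tcp ${MULSPORT} ${PORT2} -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth0 -p tcp ${MULSPORT} ${PORT3} -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth0 -p udp ${MULSPORT} ${RUDP} -d "${LAN_ONE}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth1 -p tcp ${MULSPORT} ${PORT1} -d "${LAN_TWO}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth1 -p tcp ${MULSPORT} ${PORT2} -d "${LAN_TWO}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth1 -p tcp ${MULSPORT} ${PORT3} -d "${LAN_TWO}" ${st} -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -o eth1 -p udp ${MULSPORT} ${RUDP} -d "${LAN_TWO}" ${st} -j ACCEPT
  # Replies and helper-related flows (active FTP data) for tracked connections.
  "${IPS}" -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  "${IPS}" -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ----- ICMP on every interface and direction -----
  "${IPS}" -A INPUT -i eth1 -p icmp -j ACCEPT
  "${IPS}" -A INPUT -i eth0 -p icmp -j ACCEPT
  "${IPS}" -A INPUT -i "${PPPX}" -p icmp -j ACCEPT
  "${IPS}" -A OUTPUT -o eth1 -p icmp -j ACCEPT
  "${IPS}" -A OUTPUT -o eth0 -p icmp -j ACCEPT
  "${IPS}" -A OUTPUT -o "${PPPX}" -p icmp -j ACCEPT
  "${IPS}" -A FORWARD -i eth1 -p icmp -j ACCEPT
  "${IPS}" -A FORWARD -o eth1 -p icmp -j ACCEPT
  "${IPS}" -A FORWARD -i eth0 -p icmp -j ACCEPT
  "${IPS}" -A FORWARD -o eth0 -p icmp -j ACCEPT
  "${IPS}" -A FORWARD -i "${PPPX}" -p icmp -j ACCEPT
  "${IPS}" -A FORWARD -o "${PPPX}" -p icmp -j ACCEPT
  # ----- UDP catch-all -----
  # The original accepted ALL UDP on INPUT and FORWARD, which exposed every
  # UDP service on the gateway (e.g. the rpc/NFS ports in PLUDP) and any
  # routable UDP to the PPP uplink. LAN-side UDP stays fully open; on the
  # uplink only replies to tracked flows are accepted here (the RUDP rules
  # above still open the listed inbound UDP ports).
  "${IPS}" -t nat -A PREROUTING -p udp -j ACCEPT
  "${IPS}" -t filter -A INPUT ! -i "${PPPX}" -p udp -j ACCEPT
  "${IPS}" -t filter -A INPUT -i "${PPPX}" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  "${IPS}" -t filter -A FORWARD ! -i "${PPPX}" -p udp -j ACCEPT
  "${IPS}" -t filter -A FORWARD -i "${PPPX}" -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  "${IPS}" -t filter -A OUTPUT -p udp -j ACCEPT
  # ----- nat/POSTROUTING: masquerade both LANs behind the PPP address -----
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -s "${LAN_ONE}" -p tcp -j MASQUERADE
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -s "${LAN_TWO}" -p tcp -j MASQUERADE
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -s "${LAN_TWO}" -p udp -j MASQUERADE
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -s "${LAN_ONE}" -p udp -j MASQUERADE
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -s "${LAN_TWO}" -p icmp -j MASQUERADE
  "${IPS}" -t nat -A POSTROUTING -o "${PPPX}" -s "${LAN_ONE}" -p icmp -j MASQUERADE
  # Chain policies were set to DROP at the top of this function.
}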
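#######################################
# Block one host (or network): insert DROP rules at the head of INPUT,
# OUTPUT and FORWARD so they take precedence over every ACCEPT rule.
# The state match covers NEW,ESTABLISHED,RELATED, i.e. everything except
# INVALID/UNTRACKED. allow() removes exactly these rules.
# Globals:   IPS (read)
# Arguments: $1 - IPv4 address or CIDR network (validated by the dispatcher)
# Returns:   1, without calling iptables, when $1 is missing or empty
#######################################
force_out()
{
  local target=$1
  if [[ -z "${target}" ]]; then
    printf 'force_out: missing address\n' >&2
    return 1
  fi
  "${IPS}" -I INPUT -s "${target}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
  "${IPS}" -I OUTPUT -d "${target}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
  "${IPS}" -I FORWARD -s "${target}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
}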
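#######################################
# Undo force_out(): delete the three DROP rules for one host (or network).
# The match must be byte-identical to what force_out inserted, otherwise
# iptables reports "Bad rule" and the block stays in place.
# Globals:   IPS (read)
# Arguments: $1 - IPv4 address or CIDR network (validated by the dispatcher)
# Returns:   1, without calling iptables, when $1 is missing or empty
#######################################
allow()
{
  local target=$1
  if [[ -z "${target}" ]]; then
    printf 'allow: missing address\n' >&2
    return 1
  fi
  "${IPS}" -D INPUT -s "${target}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
  "${IPS}" -D OUTPUT -d "${target}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
  "${IPS}" -D FORWARD -s "${target}" -m state --state NEW,ESTABLISHED,RELATED -j DROP
}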
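#######################################
# Kernel hardening against SYN floods, source spoofing and ICMP abuse via
# /proc and sysctl. Only reached through the "dos" command (the call in
# "start" is commented out).
# Globals:   none
# Arguments: none
#######################################
dos_syn()
{
  local iface
  # Strict reverse-path filtering on every listed interface. Interfaces that
  # do not exist are skipped instead of producing "No such file" errors.
  for iface in all eth0 eth1 eth2 eth3; do
    if [[ -e "/proc/sys/net/ipv4/conf/${iface}/rp_filter" ]]; then
      echo "1" > "/proc/sys/net/ipv4/conf/${iface}/rp_filter"
    fi
  done
  # SYN cookies are the kernel's SYN-flood defence; the original omitted them
  # despite the function's name.
  /sbin/sysctl -w net.ipv4.tcp_syncookies=1
  /sbin/sysctl -w net.ipv4.tcp_syn_retries=2
  /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
  /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
  #disable ping
  #/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1
  /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
  /sbin/sysctl -w net.ipv4.tcp_keepalive_time=1800
  /sbin/sysctl -w net.ipv4.tcp_keepalive_intvl=60
  /sbin/sysctl -w net.ipv4.tcp_fin_timeout=30
  /sbin/sysctl -w net.ipv4.tcp_keepalive_probes=3
  # Legacy ip_conntrack key, matching the ip_conntrack_ftp module loaded at
  # the top of the script; on nf_conntrack kernels this key does not exist
  # and sysctl reports an error.
  /sbin/sysctl -w net.ipv4.ip_conntrack_max=65535
  /sbin/sysctl -w net.ipv4.icmp_ratelimit=100
}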
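# ----- command dispatch -----
#######################################
# Print the command summary to stderr and exit 1. The original listed "doc",
# which is not a command, and omitted "dos" and "clear".
#######################################
usage()
{
  printf 'usage: %s [start | stop | forbid IP | allow IP | flux | dos | clear]\n' "$(basename -- "$0")" >&2
  exit 1
}
#######################################
# Reject anything that is not a dotted IPv4 address or CIDR before it reaches
# iptables. $1 is operator input; iptables would otherwise try to resolve it
# as a hostname or accept an unintended match.
# Arguments: $1 - candidate address
#######################################
require_ipv4()
{
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  if [[ ! "$1" =~ $re ]]; then
    printf '%s: "%s" is not an IPv4 address or network\n' "${0##*/}" "$1" >&2
    exit 1
  fi
}
if (( $# < 1 )); then
  usage
fi
case "$1" in
  start)
    #dos_syn
    clear
    #scan
    flux
    start
    ;;
  stop)
    clear
    default_policy
    ;;
  forbid)
    if (( $# < 2 )); then
      echo "input forbid-ip after $1"
      exit 1
    fi
    require_ipv4 "$2"
    force_out "$2"
    ;;
  allow)
    if (( $# < 2 )); then
      echo "input allow-ip after $1"
      exit 1
    fi
    require_ipv4 "$2"
    allow "$2"
    ;;
  flux)
    # Runs the external report script, not the flux() function above that
    # installs the counter rules.
    /etc/shell/fluxsee.sh
    ;;
  dos)
    dos_syn
    ;;
  clear)
    clear
    ;;
  *)
    echo "lawless input,only start|stop|forbid|allow|flux|dos|clear is within the law"
    exit 1
    ;;
esac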
