
Common iptables firewall configuration for Linux systems

Published: 2007.09.26 06:38    Source: 賽迪網 (ccidnet)    Author: kit

Common iptables firewall configuration

This script assumes eth0 is the external (WAN) interface and eth1 the internal (LAN) interface. Keep in mind while reading it that the INPUT and OUTPUT chains only govern traffic to and from the firewall host itself; packets routed between the LAN and the WAN traverse the FORWARD chain, and address translation happens in the nat table.

#!/bin/sh

# External (WAN) interface
EXT_IF="eth0"
FW_IP="61.137.85.21"

# Internal (LAN) interface
INT_IF="eth1"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/255.255.255.0"

# Kernel modules; normally built in or autoloaded, so these stay commented out.
# ip_conntrack_ftp / ip_nat_ftp are what let the RELATED state follow FTP data connections.
#echo "modprobe modules"
#modprobe ip_tables
#modprobe ip_nat_ftp
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp

# Enable IP forwarding (routing between eth0 and eth1)
echo "enabling IP FORWARDING......"
echo "1" > /proc/sys/net/ipv4/ip_forward

# Initialise the rules: flush everything and set the default policy of every chain to DROP.
# Between the flush below and the policy lines the host briefly runs with whatever
# policy was set before (ACCEPT on a fresh boot); iptables-restore avoids that window.
echo "enabling iptables rules"

#reset the default policies in the tables
iptables -F
iptables -X
iptables -F -t mangle
iptables -X -t mangle
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

#set policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

###-----------------------------------------------------------------###
# Filter worm traffic: the RPC/SMB/TFTP ports (135/139/445/69) and the 4444
# backdoor port abused by Blaster-era worms. Only the FORWARD chain is covered
# here; the firewall host itself relies on the INPUT DROP policy.
###-----------------------------------------------------------------###

iptables -A FORWARD -p tcp --dport 4444 -j DROP
iptables -A FORWARD -p udp --dport 4444 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP
iptables -A FORWARD -p tcp --dport 69 -j DROP
iptables -A FORWARD -p udp --dport 69 -j DROP
iptables -A FORWARD -p tcp --dport 135 -j DROP
iptables -A FORWARD -p udp --dport 135 -j DROP
iptables -A FORWARD -p tcp --dport 139 -j DROP
iptables -A FORWARD -p udp --dport 139 -j DROP

# Allow ping to localhost
#allow loopback access
iptables -A INPUT -p icmp -i lo -j ACCEPT
iptables -A OUTPUT -p icmp -o lo -j ACCEPT

# Allow all loopback traffic (local services talking to each other). Left commented
# out as published; with the DROP policies only ICMP works over 127.0.0.1 unless this
# line and a matching "-A OUTPUT -o lo -j ACCEPT" are enabled.
#iptables -A INPUT -i lo -j ACCEPT

# Allow the proxy host and the LAN clients to exchange traffic freely (including ping)
#allow ping LAN
iptables -A INPUT -p ALL -i $INT_IF -s $LAN_IP_RANGE -j ACCEPT
iptables -A OUTPUT -p ALL -o $INT_IF -d $LAN_IP_RANGE -j ACCEPT

# Traffic between the external interface and the LAN: inbound, only reply packets are
# accepted; outbound is unrestricted. (The two rules originally listed at this point
# merely repeated the LAN INPUT rule above; the ESTABLISHED,RELATED and OUTPUT rules
# further down are what implement this.)

# Reject packets arriving on the external interface that claim a private or loopback
# source address (spoofing). The firewall's own address belongs on this list as well,
# and the same checks are absent from the FORWARD chain.
#deny local cheat
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP

# DHCP packets from the LAN to the firewall host are dropped; allow them only if the
# firewall is the DHCP server.
#deny DHCP_packets from LAN
iptables -A INPUT -p udp -i $INT_IF --dport 67 --sport 68 -j DROP

###-----------------------------------------------------------------------------------###
# Outbound TCP rules on the external interface. --state ESTABLISHED,NEW selects which
# connection-tracking states to match:
#   ESTABLISHED matches packets that belong to an existing TCP connection;
#   NEW matches the first packet of an attempt to open a new TCP connection.
# So packets of both new and existing TCP connections may leave through eth0.
# This one rule already covers every outbound TCP service the firewall host itself
# uses, which makes the per-port OUTPUT rules below (SMTP, POP3, HTTP, DNS over TCP,
# SSH, FTP) redundant.
###-----------------------------------------------------------------------------------###

iptables -A OUTPUT -o $EXT_IF -p tcp -m state --state ESTABLISHED,NEW -j ACCEPT

###----------------------------------------------------------------------------------###
# Forwarding packets from one interface to the other
###----------------------------------------------------------------------------------###

# Everything coming from the LAN side may be forwarded out.
iptables -A FORWARD -i $INT_IF -j ACCEPT

# The reverse direction: reply and related packets from the WAN back into the LAN.
# The published script left this line commented out; with a FORWARD policy of DROP
# that discards every TCP reply to LAN clients, so only web browsing (redirected to
# the local squid by the nat rule below) would have kept working.
iptables -A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

###-------------------------------------------------------------------------------------###
# Check the state of packets arriving on the external interface: only packets that
# belong to, or are related to, a TCP connection the firewall host itself opened are
# accepted. This rule, rather than the "! --syn" matches further down, is the correct
# way to admit replies: a lone ACK from an ACK scan is not in state ESTABLISHED.
###-------------------------------------------------------------------------------------###

iptables -A INPUT -i $EXT_IF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what reaches this point, at an average of at most three packets per minute with
# a burst of three (packets beyond the limit simply stop matching this rule and are
# not logged). LOG is a non-terminating target: the dropping is done by the INPUT DROP
# policy, not here. Because this rule sits before the per-service ACCEPT rules it also
# logs legitimate new SMTP and DNS connections as "died"; a catch-all LOG rule
# belongs at the very end of the chain.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"

###-------------------------------------------------------------------------###
# Rate-limit IP fragments regardless of origin: allow 100 fragments per second.
# (With connection tracking loaded the kernel reassembles fragments before the
# filter rules run, so "-f" rarely matches in practice.)
###-------------------------------------------------------------------------###

iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

###-------------------------------------------------------------------------###
# Rate-limit forwarded ICMP to blunt ICMP floods: one packet per second after a
# burst of ten; the excess falls through to the FORWARD DROP policy.
###-------------------------------------------------------------------------###

iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

###-------------------------------------------------------------------------###
# Anti-DDoS: rate-limit bare RST packets (commented out as published)
###-------------------------------------------------------------------------###

#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

###-------------------------------------------------------------------------###
# Allow all UDP from the WAN towards the LAN. This is broader than needed: it admits
# any unsolicited UDP packet that routes to a LAN address, not only replies to the
# LAN clients' DNS or NTP queries, which the ESTABLISHED,RELATED forward rule above
# already covers.
# allow UDP
###-------------------------------------------------------------------------###

iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
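The connection-tracking states explained above, and the point about where the LOG rule belongs, are easier to see in a ruleset written for iptables-restore, which loads a whole table atomically instead of appending rules one by one while the host runs half-configured. What follows is an added example, not code from the article: it keeps the article's interface names and addresses, uses the current `-m conntrack --ctstate` spelling of the `-m state --state` match, and assumes a list of WAN-facing TCP services (22, 25, 53) purely for illustration. The functions only print and validate the ruleset; `load_ruleset` touches the kernel only when run as root with iptables-restore installed.

```shell
#!/bin/sh
# Added example (not from the original article): build the stateful core of the
# firewall as an iptables-restore ruleset and load it atomically.
# Interface names and addresses follow the article; the service list and the
# bogon list are assumptions made for this example.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
FW_IP="${FW_IP:-61.137.85.21}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"

# TCP services the firewall host itself accepts from the WAN (assumed list).
WAN_TCP_SERVICES="22 25 53"

# Emit the filter table in iptables-restore syntax. Rules are printed in
# evaluation order, so the position of each line is part of the policy.
emit_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'

    # Loopback, and everything on the LAN side.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' "-A INPUT -i $INT_IF -s $LAN_IP_RANGE -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $INT_IF -d $LAN_IP_RANGE -j ACCEPT"

    # Anti-spoofing on the WAN interface, for both the host (INPUT) and the
    # LAN behind it (FORWARD): private ranges, loopback and our own address
    # never arrive legitimately from outside.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$FW_IP/32"; do
        printf '%s\n' "-A INPUT -i $EXT_IF -s $net -j DROP"
        printf '%s\n' "-A FORWARD -i $EXT_IF -s $net -j DROP"
    done

    # Connection tracking does what the per-port "! --syn" pairs try to do by
    # hand: replies and related flows (FTP data, with nf_conntrack_ftp loaded)
    # are accepted, packets with no valid state are dropped.
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "-A $chain -m conntrack --ctstate INVALID -j DROP"
        printf '%s\n' "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done

    # From here on only NEW connections need a decision.
    for port in $WAN_TCP_SERVICES; do
        printf '%s\n' "-A INPUT -i $EXT_IF -p tcp --dport $port --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -o $EXT_IF -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_IP_RANGE -m conntrack --ctstate NEW -j ACCEPT"

    # The rate-limited LOG goes last, so it only sees what the policy will drop.
    printf '%s\n' '-A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPT INPUT died: "'
    printf '%s\n' 'COMMIT'
}

# Last rule of the table, for review: it must be the LOG rule.
last_rule() {
    emit_ruleset | grep '^-A' | tail -n 1
}

# Load atomically. iptables-restore parses and applies the whole table in one
# step, so a typo never leaves the box half-configured the way a long series
# of "iptables -A" calls can. Returns non-zero without touching the kernel
# when not running as root or when the binary is missing.
load_ruleset() {
    [ "$(id -u)" -eq 0 ] || return 1
    command -v iptables-restore >/dev/null 2>&1 || return 1
    tmp=$(mktemp) || return 1
    emit_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `emit_ruleset` to review the output; `load_ruleset` as root applies it, after `iptables-restore --test` has rejected any syntax error without changing the running rules.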

###-------------------------------------------------------------------------###
# Block a specific host from the Internet by its MAC address (example MAC; commented
# out). Note that nat PREROUTING only sees the first packet of each connection, so
# filtering belongs in the filter table (the FORWARD chain), not here.
###-------------------------------------------------------------------------###

#iptables -t nat -I PREROUTING -m mac --mac-source 4C:00:10:D8:57:F3 -j DROP

###-----------------------------------------------------###
# Allow the firewall host to telnet out to external hosts, port 23.
# The OUTPUT/INPUT pairs from here on cover only connections made by the
# firewall host itself (-s $FW_IP); LAN clients' traffic goes through FORWARD.
# "0/0" stands for any address and is the form iptables documents.
###-----------------------------------------------------###

# No need to open port 23; telnet is cleartext, use SSH instead.
#iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 23 -j ACCEPT
#iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT

###-----------------------------------------------------###
# Open SMTP, port 25 (mail delivery)
###-----------------------------------------------------###

# Others may send mail to you
iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp ! --syn -s $FW_IP --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

# You may send mail to others
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT

###-----------------------------------------------------###
# Open POP3, port 110, for downloading mail from outside
###-----------------------------------------------------###

iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 110 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT

###-----------------------------------------------------###
# Open HTTP, port 80, for web browsing
###-----------------------------------------------------###

iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT

###-----------------------------------------------------###
# Open DNS, port 53, for querying external DNS servers.
# These UDP rules are stateless: the inbound ones accept any packet with source
# port 53, not only answers to our own queries; a "-m state --state ESTABLISHED"
# match for UDP is the tighter form.
###-----------------------------------------------------###

# Queries go out over UDP first
iptables -A OUTPUT -o $EXT_IF -p udp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp -s 0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT

# If the UDP answer is truncated or fails, the resolver retries over TCP
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT

# Let the DNS server on this host exchange queries with external DNS servers
# (server-to-server traffic from source port 53; only needed if this host runs a
# name server): UDP
iptables -A OUTPUT -o $EXT_IF -p udp -s $FW_IP --sport 53 -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp -s 0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT

# The same server-to-server exchange over TCP
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 53 -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT

###------------------------------------------------------------------------###
# Allow this host to SSH to external hosts, port 22
###------------------------------------------------------------------------###

iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT

# Where SSH differs from the other protocols: older SSH clients (protocol 1
# rhosts-style authentication) connect from the privileged source ports
# 1020-1023, so those are opened as well.
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1020:1023 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 22 -d $FW_IP --dport 1020:1023 -j ACCEPT

###------------------------------------------------------------------------###
### Allow this host to FTP to external hosts
###------------------------------------------------------------------------###

# Command channel, port 21
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT

# Active-mode data channel, port 20: the server connects back to us, so here the
# inbound SYN has to be accepted
iptables -A INPUT -i $EXT_IF -p tcp -s 0/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d 0/0 --dport 20 -j ACCEPT

# Passive-mode FTP data channel. This opens every high port in both directions,
# and the inbound "! --syn" match lets any non-SYN packet through, so an ACK or
# FIN scan sees this host as unfiltered. With ip_conntrack_ftp loaded, the
# RELATED state in the ESTABLISHED,RELATED rule above tracks the data connection
# and these two rules are unnecessary.
iptables -A OUTPUT -o $EXT_IF -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp ! --syn -s 0/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT

#-------------------------------------NAT------------------------------------------------

# Transparent proxy: redirect the LAN's web traffic (port 80) to the local squid on port 3128
iptables -t nat -A PREROUTING -i $INT_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

###-------------------------------------------------------------------------###
# Enable internal-to-external address translation: source NAT (SNAT).
# SNAT requires a fixed public address; on a dynamic (PPPoE/DHCP) WAN link
# use -j MASQUERADE instead.
###-------------------------------------------------------------------------###

iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_IP_RANGE -j SNAT --to $FW_IP

###-------------------------------------------------------------------------###
# Enable external-to-internal translation (map the internal WWW server): DNAT.
# DNAT only rewrites the destination; the rewritten packet is then routed through
# the FORWARD chain, whose policy is DROP, so a FORWARD ACCEPT rule for TCP arriving
# on $EXT_IF for 192.168.0.16 port 80 is required before the mapping works.
###-------------------------------------------------------------------------###

iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $FW_IP --dport 80 -j DNAT --to 192.168.0.16:80

A dual-LAN setup works on the same principle. If LAN 1 [or a second WAN] is 192.168.1.0/24 and LAN 2 [or WAN] is 192.168.2.0/24, just change the corresponding parts:

# Enable internal-to-external address translation: SNAT
###-------------------------------------------------------------------------###

iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.0/24 -j SNAT --to $FW_IP
iptables -t nat -A POSTROUTING -o $EXT_IF -s 192.168.2.0/24 -j SNAT --to $FW_IP
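SNAT, DNAT and the forward-chain rule a DNAT mapping depends on, as an added example that is not part of the original article. The helpers `ip_to_int`, `in_cidr`, `port_forward` and `source_nat` are mine (names assumed); `in_cidr` accepts both the `/24` and the `/255.255.255.0` mask notation the script uses, `port_forward` refuses a target outside LAN_IP_RANGE and prints the DNAT rule together with the FORWARD ACCEPT it needs, and `source_nat` picks SNAT for a fixed public address or MASQUERADE for a dynamic one. The functions print the commands rather than executing them, so the result can be reviewed first (or piped to sh as root).

```shell
#!/bin/sh
# Added example, not from the original article. Generates the NAT rules for
# the article's topology and validates the DNAT target against the LAN range.
# Helper names (ip_to_int, in_cidr, port_forward, source_nat) are assumed.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
FW_IP="${FW_IP:-61.137.85.21}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/255.255.255.0}"

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change and the
# positional parameters do not leak back to the caller.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET/PREFIX   or   in_cidr ADDR NET/DOTTED-MASK
# Exit status 0 when ADDR lies inside the network.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    suffix=${2#*/}
    case $suffix in
        *.*) mask=$(ip_to_int "$suffix") ;;
        *)   mask=$(( (4294967295 << (32 - suffix)) & 4294967295 )) ;;
    esac
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# port_forward PUBLIC_PORT TARGET_IP TARGET_PORT
# Prints the DNAT rule and the FORWARD accept that has to accompany it: DNAT in
# PREROUTING only rewrites the destination; the packet is then routed and hits
# the FORWARD chain, whose default policy in this setup is DROP.
port_forward() {
    pub=$1; target=$2; tport=$3
    case "$pub$tport" in
        ''|*[!0-9]*) echo "port_forward: ports must be numeric" >&2; return 2 ;;
    esac
    if ! in_cidr "$target" "$LAN_IP_RANGE"; then
        echo "port_forward: $target is not inside $LAN_IP_RANGE" >&2
        return 1
    fi
    printf '%s\n' "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $FW_IP --dport $pub -j DNAT --to-destination $target:$tport"
    printf '%s\n' "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $target --dport $tport -m conntrack --ctstate NEW -j ACCEPT"
}

# source_nat PUBLIC_IP | source_nat dynamic
# A fixed public address gets SNAT. On a PPPoE/DHCP link use MASQUERADE: it
# reads the interface's current address for each new connection and drops its
# translations when the link goes down, so stale mappings do not survive an
# address change.
source_nat() {
    if [ "$1" = dynamic ]; then
        printf '%s\n' "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_IP_RANGE -j MASQUERADE"
    else
        printf '%s\n' "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_IP_RANGE -j SNAT --to-source $1"
    fi
}
```

For the article's web server: `port_forward 80 192.168.0.16 80` prints the two rules, `source_nat "$FW_IP"` prints the SNAT line, and `port_forward 80 10.1.1.1 80` fails because the target is not on the LAN.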

(Editor: 雲子)

