
angle406 发表于 2003-12-21 19:54

我的iptables配置方案。但是过滤QQ不成功。（My iptables configuration; filtering QQ does not work, though.）

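#!/bin/bash
# iptables packet-filter / NAT script for a three-interface gateway.
#
#   EXT0_IF (ppp0) - upstream PPP link, masqueraded
#   EXT1_IF (eth2) - second upstream segment 192.168.15.0/24 (YZYY), SNATed
#   INT0_IF (eth1) - LAN 192.168.1.0/24; 192.168.1.224/27 (MLAN) is trusted
#
# Default policy is DROP on INPUT/FORWARD and ACCEPT on OUTPUT; traffic is then
# admitted by the port lists below. Must run as root. No `set -e` on purpose:
# aborting half-way would leave the box with the DROP policies but none of the
# ACCEPT rules, which can lock out remote administration.
#
# Corrections against the originally posted version (behaviour-relevant):
#   - INT0_IF was "eht1" and one anti-scan rule used "eht0". iptables does not
#     validate interface names, so both were loaded but could never match. The
#     port-block (QQ) rules key on -i $INT0_IF, so they had no effect at all.
#   - "-i EXT1_IF" lacked the "$": it matched a literal interface named EXT1_IF.
#   - "echo 1>$f" is `echo` with fd 1 redirected to $f, i.e. it wrote an empty
#     line to rp_filter instead of "1".

#def
EXT0_IF="ppp0"
EXT1_IF="eth2"
INT0_IF="eth1"   # was "eht1" (typo) — presumed eth1, confirm on the host
EXT1_IP="192.168.15.251"
INT0_IP="192.168.1.227"
LAN="192.168.1.0/24"
MLAN="192.168.1.224/27"
YZYY="192.168.15.0/24"
#SMTP HTTP POP3 DNS SSH (plus FTP 20/21 and ident 113)
# Space-separated lists; the for-loops below word-split them on purpose.
FWD_TCP_PORT="20 21 22 25 53 80 110 113"
FWD_UDP_PORT="22 25 53 80 110"
#reject: destination ports DROPped for LAN hosts outside MLAN (presumably the QQ filter)
RJT_TCP_PORT="2000 4000"
RJT_UDP_PORT="4000 8000"

#load any special modules
# conntrack/NAT helpers so FTP and IRC secondary connections can match --state RELATED
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc

#turn off ip forwarding
# Forwarding stays off while the ruleset is rebuilt so nothing slips through
# between the flush and the new policies; re-enabled at the very end.
echo 0 > /proc/sys/net/ipv4/ip_forward

#delete any existing chains
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

#setting up default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

#allow ping (all ICMP types, to the gateway and forwarded)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

#enable local traffic
iptables -N allowed
# NOTE(review): the first rule accepts every NEW connection arriving on the
# upstream interface (ppp0), and "allowed" is jumped to from both INPUT and
# FORWARD. Combined with the ESTABLISHED,RELATED rule, everything but INVALID
# packets from ppp0 is accepted here, so the later --sport rules for $EXT0_IF
# on INPUT/FORWARD can only ever see INVALID traffic. If "local traffic" was
# the intent, this was probably meant to be $INT0_IF. Left unchanged pending
# confirmation of intent — but as written the upstream side can open any port
# on the gateway and on LAN hosts.
iptables -A allowed -i "$EXT0_IF" -m state --state NEW -j ACCEPT
iptables -A allowed -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j allowed
iptables -A FORWARD -j allowed
#for PORT in $TRUSTED_LOCAL_TCP_PORT;do
#iptables -A INPUT ! -i $INT0_IF -p tcp --dport $PORT -m state --state NEW -j ACCEPT
#done
#for PORT in $TRUSTED_LOCAL_UDP_PORT;do
#iptables -A INPUT ! -i $INT0_IF -p udp --dport $PORT -m state --state NEW -j ACCEPT
#done

#reject
# Block the listed ports for LAN hosts that are NOT in MLAN. MLAN hosts are
# exempted here and then accepted wholesale below. These rules only match if
# INT0_IF is the real LAN interface name (see header).
for PORT in $RJT_TCP_PORT; do
  iptables -A FORWARD -p tcp -i "$INT0_IF" ! -s "$MLAN" --dport "$PORT" -j DROP
done
for PORT in $RJT_UDP_PORT; do
  iptables -A FORWARD -p udp -i "$INT0_IF" ! -s "$MLAN" --dport "$PORT" -j DROP
done

# Malformed-flag / scan patterns. NOTE(review): these key on eth0, which is not
# one of the interfaces defined above; if ppp0 runs over eth0, IP packets are
# seen by iptables on ppp0, not eth0, so these rules may never match — confirm
# the intended interface.
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP   # was "eht0"
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#ip_forward
#iptables -A FORWARD -j ACCEPT
#iptables -A INPUT -j ACCEPT
# Trusted subnet: unrestricted to the gateway and through it.
iptables -A INPUT -s "$MLAN" -j ACCEPT
iptables -A FORWARD -s "$MLAN" -j ACCEPT
#iptables -A FORWARD -i $INT0_IF -s $MLAN -j ACCEPT
#iptables -A INPUT -i $INT0_IF -s $MLAN -j ACCEPT
#iptables -A FORWARD -i $EXT0_IF -j ACCEPT
#iptables -A INPUT -i $EXT0_IF -j ACCEPT

#YZYY
# LAN -> YZYY segment is unrestricted; anything arriving from the YZYY
# interface is accepted as well.
iptables -A FORWARD -s "$LAN" -d "$YZYY" -j ACCEPT
iptables -A INPUT -s "$LAN" -d "$YZYY" -j ACCEPT
iptables -A FORWARD -i "$EXT1_IF" -j ACCEPT   # was "-i EXT1_IF" (missing $)
iptables -A INPUT -i "$EXT1_IF" -j ACCEPT     # was "-i EXT1_IF" (missing $)

# LAN -> anywhere on the permitted destination ports.
for PORT in $FWD_TCP_PORT; do
  iptables -A FORWARD -s "$LAN" -p tcp --dport "$PORT" -j ACCEPT
  iptables -A INPUT -s "$LAN" -p tcp --dport "$PORT" -j ACCEPT
done
for PORT in $FWD_UDP_PORT; do
  iptables -A FORWARD -s "$LAN" -p udp --dport "$PORT" -j ACCEPT
  iptables -A INPUT -s "$LAN" -p udp --dport "$PORT" -j ACCEPT
done

# Return traffic from upstream, keyed on source port. NOTE(review): a source
# port is chosen by the remote peer and proves nothing; --state ESTABLISHED
# in the "allowed" chain already covers legitimate replies, so these rules are
# redundant for valid traffic and only widen what is accepted.
for PORT in $FWD_TCP_PORT; do
  iptables -A FORWARD -i "$EXT0_IF" -p tcp --sport "$PORT" -j ACCEPT
  iptables -A INPUT -i "$EXT0_IF" -p tcp --sport "$PORT" -j ACCEPT
done
for PORT in $FWD_UDP_PORT; do
  iptables -A FORWARD -i "$EXT0_IF" -p udp --sport "$PORT" -j ACCEPT
  iptables -A INPUT -i "$EXT0_IF" -p udp --sport "$PORT" -j ACCEPT
done
#reject
#for PORT in $RJT_TCP_PORT;do
#iptables -A FORWARD -i $INT0_IF -p tcp ! -s $MLAN --dport $PORT -j DROP
#done
#for PORT in $RJT_UDP_PORT;do
#iptables -A FORWARD -i $INT0_IF -p udp ! -s $MLAN --dport $PORT -j DROP
#done

#masquerade
# SNAT addresses come from the variables defined at the top (same values as
# the literals that were hard-coded here) so they are changed in one place.
iptables -t nat -A POSTROUTING -o "$INT0_IF" -j SNAT --to-source "$INT0_IP"
iptables -t nat -A POSTROUTING -o "$EXT0_IF" -j MASQUERADE
iptables -t nat -A POSTROUTING -o "$EXT1_IF" -j SNAT --to-source "$EXT1_IP"

#LOG
# NOTE(review): "-d 0.0.0.0/24" only matches destinations in 0.0.0.0/24, which
# is not something normal traffic carries; the intended destination should be
# confirmed. The second rule logs every remaining TCP packet just before the
# INPUT DROP policy applies.
iptables -A INPUT -p tcp -d 0.0.0.0/24 -j LOG --log-prefix "yxy_log_1" --log-level info
iptables -A INPUT -p tcp --dport 1:65535 -j LOG --log-prefix "yxy_log_2" --log-level info

#turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#setting up ip spoofing protection
# Was "echo 1>$f": the "1>" is a file-descriptor redirect, so an empty line
# was written. Write the literal 1 to every interface's rp_filter.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done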

