一个国产的防火墙脚本

首页 | 图形图象 | 编程开发 | 操作系统 | 数据库 | 服务器 | 网络安全 | 人才酷 | 招聘 | 资源 | 酷站 | 顶尖周刊 |

热门文章

编辑推荐

相关文章
一个3S皮肤的教程一个中毒之后的惨胜的过程一个显为人知的木马随程序启动的一个包子引发的杀毒软件血战:到底关于木马隐藏一个的新方法 “线程安全”是一个什么概念？如何建立一个安全的无线连接如何在bind中建立一个区域的授权配置一个安全的chroot DNS 建一个大容量的webmail系统

您现在的位置：顶尖设计 >> IT学院 >> 服务器 >> Linux服务器 >> 文章正文

一个国产的防火墙脚本

作者：佚名来源：不详点击：更新：2006-12-20

简介：

DMZ部分尚不完善，其中难免有疏漏，希望大家跟我一块改进，使他功能越来越强大，使用时请将firewall-dev copy 到/etc/rc.d/init.d将 firewall.conf copy /etc/下，你只需修改firewall.conf文件就可以了。可以用firewall-dev start|stop起动和关闭防火墙，功能增加中，如你有任何改动请发一份给我，arlenecc@263.net
本着GPL的原则希望有志之士跟我一块完善它，如有改动请通知我！！！！

firewall-dev

#!/bin/bash
# This is a firewall script with the function of stateful and
# ip filter, you can change it to meet you need,in a words:
# uplink means the output interface ,router means if you neet it
# to be a router or not,nat means if you are useing a dynamic ip
# address
# if you do ,then you can change it to "dynamic",interfaces means
# all the interface in you server ,services means all the services
# you server providing ,enjoy it !!! ----- write by arlenecc
#
##############################################################################
# #
# Copyright (c) 2002 arlenecc arlenecc@netease.com #
# All rights reserved #
# #
##############################################################################
#
# now begins the firewall

UPLINK=`less /root/firewall.conf | grep "UPLINK" | cut -d = -f 2 `

UPIP=`less /root/firewall.conf | grep "UPIP" | cut -d = -f 2`

ROUTER=`less /root/firewall.conf | grep "ROUTER" | cut -d = -f 2`

NAT=`less /root/firewall.conf | grep "NAT" | cut -d = -f 2`

INTERFACES=`less /root/firewall.conf | grep "INTERFACES" | cut -d = -f 2`

SERVICES=`less /root/firewall.conf | grep "SERVICES" | cut -d = -f 2`

DENYPORTS=`less /root/firewall.conf | grep "DENYPORTS" | cut -d = -f 2`

DENYUDPPORT=`less /root/firewall.conf | grep "DENYUDPPORT" | cut -d = -f 2`

LAN_IF=`less /root/firewall.conf | grep "LAN_IF" | cut -d = -f 2`

LAN_NET=`less /root/firewall.conf | grep "LAN_NET" | cut -d = -f 2`

DMZ_NET=`less /root/firewall.conf | grep "DMZ_NET" | cut -d = -f 2`

DMZ_IF=`less /root/firewall.conf | grep "DMZ_IF" | cut -d = -f 2`

DMZ_TCP_PORT=`less /root/firewall.conf | grep "DMZ_TCP_PORT" | cut -d = -f 2`

DMZ_UDP_PORT=`less /root/firewall.conf | grep "DMZ_UDP_PORT" | cut -d = -f 2`

WEB_IP=`less /root/firewall.conf | grep "WEB_IP" | cut -d = -f 2`

FTP_IP=`less /root/firewall.conf | grep "FTP_IP" | cut -d = -f 2`

H323_PORT=`less /root/firewall.conf | grep "H323_PORT" | cut -d = -f 2`

H323=`less /root/firewall.conf | grep "H323" | cut -d = -f 2`

if [ "$1" = "start" ]
then
echo "Starting firewall......"

echo "NOW prepareing kernel for use,please wait....."

# if [ -e /proc/sys/net/ipv4/ip_forward ]
#
# then
# echo 1 >/proc/sys/net/ipv4/ip_forward
# fi
if [ "$NAT" = " dynamic " ]
then
echo "Enable dynamic ip support...."
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo "Enable the syn cook flood protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo " OK !!!!"
fi
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
then
echo "Setting the maximum number of connections to track.... "
echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
echo " OK !!!!"
fi

if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
then
echo " Setting local port range for TCP/UDP connection...."
echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
echo " OK !!!!"
fi

if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo "Enable bad error message protection......."
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " OK !!!! "
fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo "Disabling tcp_ecn,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_ecn
echo " OK !!!! "
fi

for x in ${INTERFACES}
do
echo " Enabling rp_filter on ${x} ,please wait...."
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
echo " ${x} OK !!!! "
done

if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]

then

echo "Disabing ICMP redirects,please wait...."
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo " OK !!!! "
fi

if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]

then
echo "Disabling source routing of packets,please wait...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do
echo 0 > $i
echo " $i OK !!!! "

done

fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo "Ignore any broadcast icmp echo requests......"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " OK !!!! "
fi

# if [ -e /proc/sys/net/ipv4/config/all/log_martians ]
#
# then
# echo "LOG packets with impossible addresses to kernel log...."
# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# echo " OK !!!! "
# fi
#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
#modprobe ip_tables
depmod -a

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
iptables -F -t mangle
iptables -Z
iptables -X
iptables -N CHECK_FLAGS
iptables -F CHECK_FLAGS
iptables -N tcpHandler
iptables -F tcpHandler
iptables -N udpHandler
iptables -F udpHandler
iptables -N icmpHandler
iptables -F icmpHandler
iptables -N DROP-AND-LOG
iptables -F DROP-AND-LOG

echo "OK,the kernel is now prepared to use for building a firewall!!!"
echo "Waitting ........................"
echo "Creating a drop chain....."
iptables -A DROP-AND-LOG -j LOG --log-level 5
iptables -A DROP-AND-LOG -j DROP
echo " OK !!!!"
echo "Now starting the check_flag rules,please wait...."

iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

echo " OK !!!! Finished check_flags rules...."

echo "Now starting the input rules,please wait......."
for x in ${DENYPORTS}

do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} TCP IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j LOG --log-prefix "INVAILD PORT:${x} SYN IN:"
iptables -A INPUT -i ${UPLINK} -p tcp --syn --dport ${x} -j DROP
done

for x in ${DENYUDPPORT}

do
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD PORT:${x} UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m state --state NEW -j DROP
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j LOG --log-prefix "INVALID PORT:${x} UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -j DROP
done

#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

for x in ${SERVICES}

do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done

iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 172.12.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG

#iptables -A INPUT -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i ${UPLINK} -j LOG --log-prefix " INVALID INPUT "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i ${LAN_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${DMZ_IF} -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
iptables -A INPUT -p tcp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${LAN_IF} -d ${LAN_NET} -s ${DMZ_NET} -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
iptabl

[1] [2] [3] 下一页