
NAT iptables防火墙(script)(转)

2023-06-03 05:21

NAT iptables 防火墙脚本（转载）：一个三网卡（外网 / DMZ / 内网）Linux 网关的 iptables 启动脚本，包含 DMZ 的代理 ARP 路由、内网 SNAT、邮件服务器 DNAT，以及按流量方向划分的转发与本机访问过滤链。

#!/bin/sh
#
# rc.firewall -- iptables firewall for a three-legged gateway
# (Internet / DMZ / masqueraded internal LAN).
#
# Install: chmod a+x rc.firewall, then run it once from the boot scripts.
#
# djweis@sjdjweis.com
#
# This script is intended to run exactly once per boot.  Running it a
# second time appends every rule again (only the built-in chains are
# flushed, the user-defined chains are not), so the rule set ends up
# duplicated.
#
# To add a rule while the system is up, use -I (insert at the top of the
# chain) instead of -A: every chain below ends in a LOG/DROP (or REJECT)
# rule, so a rule appended with -A lands after it and is never reached.
#
# Interface and address definitions.  "x.x.x" stands for the site's
# public /28 prefix; fill in the real prefix before use.

# "bad" = the Internet-facing interface
BAD_IFACE=eth0

# "dmz" = the publicly addressed server network, proxy-ARPed off eth0
DMZ_IFACE=eth2
DMZ_ADDR=x.x.x.96/28

# "good" = the private, masqueraded internal LAN
GOOD_IFACE=eth3
GOOD_ADDR=192.168.1.0/24

# public address the internal LAN is SNATed to
MASQ_SERVER=x.x.x.98

# public DMZ hosts referenced by name in the rules below
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99

# internal host that the public MAIL_SERVER address is DNATed to
MAIL_SERVER_INTERNAL=192.168.1.3

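# Uncomment to trace every command while testing.
#set -x

# Routing for the DMZ.  The public /28 lives on $DMZ_IFACE; the address
# x.x.x.97 (presumably the upstream router -- confirm for your site) is
# reached through $BAD_IFACE.  The two "del" calls clear any route the
# interface bring-up may have added for the /28; they fail harmlessly
# when no such route exists, so their error output is discarded.
ip route del "$DMZ_ADDR" dev "$BAD_IFACE" 2>/dev/null
ip route del "$DMZ_ADDR" dev "$DMZ_IFACE" 2>/dev/null
ip route add x.x.x.97 dev "$BAD_IFACE"
ip route add "$DMZ_ADDR" dev "$DMZ_IFACE"

# Proxy ARP on both sides so the DMZ hosts keep their public addresses
# while sitting behind this box.  The original hard-coded eth0/eth2 here;
# use the variables so a change to BAD_IFACE/DMZ_IFACE above is enough.
echo 1 > "/proc/sys/net/ipv4/conf/$BAD_IFACE/proxy_arp"
echo 1 > "/proc/sys/net/ipv4/conf/$DMZ_IFACE/proxy_arp"

# This box routes between its three networks.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Reverse-path filtering on every interface: a packet whose source
# address would not be routed back out the interface it arrived on is
# dropped.  This backs the anti-spoofing assumptions in the FORWARD rules.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done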

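# Start from a clean table.  Flushing only the three built-in chains (as
# the original did) leaves the user-defined chains and the nat table in
# place, which is why a second run used to duplicate rules and fail on
# "iptables -N".  Flush every chain in both tables and delete the user
# chains so the rest of the script can be re-run safely.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Block everything while the rule set is being built.  These three rules
# sit at position 1 of each built-in chain (every later rule is appended
# after them) and are removed with "iptables -D <chain> 1" at the end of
# the script.  Note the chain policies are never changed from ACCEPT, so
# there is a brief window between the flush and these rules where the
# default policy applies -- same as in the original.
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP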

# Per-direction chains.  Naming is <from>-<to> with
#   bad  = the Internet, dmz = our DMZ, good = the masqueraded LAN,
# plus a shared icmp-acc chain that whitelists a few ICMP types.
for chain in good-dmz bad-dmz good-bad dmz-good dmz-bad bad-good icmp-acc; do
  iptables -N "$chain"
done

# Connection tracking in FORWARD, ahead of every per-direction jump:
# packets in an invalid state are dropped, and anything belonging to an
# existing connection (or related to one, e.g. FTP data if the FTP
# conntrack helper is loaded) is accepted without consulting the
# per-direction chains.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Masquerading for the internal LAN: everything leaving for the Internet
# from GOOD_ADDR is rewritten to the MASQ_SERVER public address.
iptables -t nat -A POSTROUTING -s "$GOOD_ADDR" -o "$BAD_IFACE" \
  -j SNAT --to "$MASQ_SERVER"

# The public mail server address is really an internal host: redirect
# SMTP, HTTP and HTTPS for MAIL_SERVER to MAIL_SERVER_INTERNAL.  The
# redirected packets still traverse FORWARD, so the bad-good chain has to
# accept these three ports for MAIL_SERVER_INTERNAL (it does, further
# down in this script).
for svc in smtp:25 http:80 https:443; do
  iptables -t nat -A PREROUTING -p tcp -d "$MAIL_SERVER" \
    --dport "${svc%%:*}" -j DNAT --to "$MAIL_SERVER_INTERNAL:${svc##*:}"
done

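# Dispatch forwarded traffic to a per-direction chain by source network
# and interfaces.  The two LAN jumps now also require the packet to have
# arrived on GOOD_IFACE (the DMZ jumps already did this): a packet with a
# 192.168.1.x source that arrives on the Internet or DMZ side is no longer
# handed to the trusted good-* chains but is treated like any other
# Internet traffic by the bad-* chains below.  rp_filter should already
# reject such packets, so this is defence in depth rather than a new
# restriction on legitimate traffic.
iptables -A FORWARD -s "$GOOD_ADDR" -i "$GOOD_IFACE" -o "$DMZ_IFACE" -j good-dmz
iptables -A FORWARD -s "$GOOD_ADDR" -i "$GOOD_IFACE" -o "$BAD_IFACE" -j good-bad
iptables -A FORWARD -s "$DMZ_ADDR" -i "$DMZ_IFACE" -o "$BAD_IFACE" -j dmz-bad
iptables -A FORWARD -s "$DMZ_ADDR" -i "$DMZ_IFACE" -o "$GOOD_IFACE" -j dmz-good
# Whatever is left and heads for the DMZ or the LAN is treated as coming
# from the Internet.  This includes the DNATed mail traffic, which arrives
# on BAD_IFACE with a MAIL_SERVER_INTERNAL destination.
iptables -A FORWARD -o "$DMZ_IFACE" -j bad-dmz
iptables -A FORWARD -o "$GOOD_IFACE" -j bad-good

# Anything that matched no dispatch rule is logged and dropped.
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP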

# icmp-acc: the only ICMP types allowed through, in any direction that
# jumps here -- the error reports TCP and path-MTU discovery depend on
# (destination-unreachable, time-exceeded), the legacy source-quench,
# and ping in both directions.  Everything else is dropped; uncomment the
# LOG line to see what is being refused.
for t in destination-unreachable source-quench time-exceeded echo-request echo-reply; do
  iptables -A icmp-acc -p icmp --icmp-type "$t" -j ACCEPT
done
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# good-dmz: internal LAN -> DMZ.  New connections are allowed to the
# listed services only; DNS is covered for both TCP and UDP.  Note that
# telnet (cleartext) and 1521 (conventionally the Oracle listener) are
# among them -- a site policy decision, reproduced here unchanged.
for port in smtp pop3 domain www https ssh telnet auth ftp 1521; do
  iptables -A good-dmz -p tcp --dport "$port" -j ACCEPT
done
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

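# bad-dmz: Internet -> DMZ.  Only new connections to the public services
# are accepted; replies to connections the DMZ hosts opened are already
# passed by the RELATED,ESTABLISHED rule at the top of FORWARD.
#
# The original chain also accepted any TCP or UDP packet with a *source*
# port of 53 ("--sport domain").  With connection tracking in place that
# is not needed for DNS replies, and it let any external host reach any
# port on any DMZ machine simply by sending from port 53.  Removed.
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
# ssh is reachable on every DMZ host from anywhere -- consider pinning it
# to administrative source addresses (-s ...) the way ftp is pinned to
# one host below.
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
# FTP only to the designated server.  Its data connections are passed by
# RELATED, which needs the FTP conntrack helper (ip_conntrack_ftp /
# nf_conntrack_ftp) loaded -- this script does not load it; confirm.
iptables -A bad-dmz -p tcp -d "$FTP_SERVER" --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP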

# good-bad: internal LAN -> Internet.  Unrestricted: the LAN may open
# anything outbound, and address rewriting is done by the SNAT rule in
# the nat table rather than here.  (The commented-out MASQ/ipchains lines
# that used to follow were left over from the ipchains version of this
# script and are not needed with SNAT.)
iptables -A good-bad -j ACCEPT

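# dmz-good: DMZ -> internal LAN.  A DMZ host is the most exposed machine
# on this network, so only two things may be *started* from here: mail
# delivery (SMTP) into the LAN, and the whitelisted ICMP types.
#
# The original chain also accepted packets by *source* port -- a plain
# "--sport smtp" rule and "! --syn" packets with source port 53/80/22.
# Those were ipchains-era stand-ins for reply traffic; the
# RELATED,ESTABLISHED rule at the top of FORWARD already passes real
# replies, and the source-port rules let a compromised DMZ host open a
# connection to any internal port just by binding to port 25 (or send
# non-SYN packets to any port from 53/80/22).  They are removed.
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
# Second SMTP rule for one specific internal host.  It is already covered
# by the line above and is kept only because the original listed it.
# NOTE(review): 192.168.1.34 is not one of the named hosts at the top of
# the script -- confirm it is still in use, or fold it into a variable.
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP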

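# dmz-bad: DMZ -> Internet.  New outbound connections are limited to the
# listed services (telnet and whois among them -- site policy).
#
# The original also accepted any TCP packet with *source* port 25
# ("--sport smtp").  Replies are handled by RELATED,ESTABLISHED in
# FORWARD, and the rule let a DMZ host reach any Internet port from
# port 25, bypassing this egress list.  Removed.
for port in smtp domain www https ssh ftp whois telnet; do
  iptables -A dmz-bad -p tcp --dport "$port" -j ACCEPT
done
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP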

# bad-good: Internet -> internal LAN.  Nothing is reachable except the
# three ports that PREROUTING DNATs from the public MAIL_SERVER address
# to the internal mail host.  Everything else is logged and REJECTed --
# unlike the other chains, which DROP, this one answers with an ICMP
# error; that is how the original behaves and is kept here.
for port in smtp http https; do
  iptables -A bad-good -p tcp --dport "$port" -d "$MAIL_SERVER_INTERNAL" -j ACCEPT
done
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

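# Rules for traffic addressed to this machine itself, one chain per
# arrival interface.
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# Connection tracking for INPUT, mirroring what FORWARD already does:
# invalid packets are dropped and replies to connections this box itself
# opened are accepted before any per-interface chain is consulted.
# Loopback is always accepted.  These rules are appended after the
# temporary DROP at position 1, so "iptables -D INPUT 1" at the end of
# the script still removes the right rule.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Dispatch by interface.  INPUT has no terminal DROP of its own and its
# policy is never changed from ACCEPT, so each per-interface chain must
# end in its own verdict.
iptables -A INPUT -i "$BAD_IFACE" -j bad-if
iptables -A INPUT -i "$DMZ_IFACE" -j dmz-if
iptables -A INPUT -i "$GOOD_IFACE" -j good-if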

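# bad-if: packets from the Internet addressed to the firewall itself.
#
# The original ended this chain with an unconditional ACCEPT, exposing
# every service listening on the box to the Internet.  The commented-out
# ipchains rules that followed it show the intent was the opposite
# (accept the masquerade port range and ICMP, deny the rest).  With SNAT
# handled by connection tracking the port range is no longer needed, so:
# accept replies to this box's own connections, ssh for administration,
# the whitelisted ICMP types, and log-and-drop everything else.
iptables -A bad-if -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): restrict this to administrative source addresses (-s ...)
# or delete it if the box is never managed from the Internet side.
iptables -A bad-if -p tcp --dport ssh -j ACCEPT
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j LOG --log-prefix "bad-if "
iptables -A bad-if -j DROP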

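# dmz-if: packets from the DMZ addressed to the firewall itself.
#
# In the original the ICMP line for this section was appended to bad-if
# (a typo) and dmz-if then accepted everything, so a compromised DMZ host
# had unrestricted access to the firewall.  Treat the DMZ like the
# Internet: replies to this box's own connections, ssh, whitelisted ICMP,
# then log-and-drop.  Add a rule here for any service the firewall is
# meant to offer DMZ hosts.
iptables -A dmz-if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A dmz-if -p tcp --dport ssh -j ACCEPT
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j LOG --log-prefix "dmz-if "
iptables -A dmz-if -j DROP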

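# good-if: packets from the internal LAN addressed to the firewall itself.
# Allowed: ssh, replies to this box's own connections, and the ICMP types
# in icmp-acc (which already accepts echo-request/echo-reply, so the two
# explicit ping/pong rules of the original were redundant).
#
# The original's last jump was "-j icmp-acc" with no "-p icmp", so every
# non-ssh TCP/UDP packet ended up in icmp-acc and was dropped there
# without a log line, and the chain's own final DROP was unreachable.
# The jump is now limited to ICMP and the chain logs before dropping,
# like the other chains.
iptables -A good-if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p icmp -j icmp-acc
iptables -A good-if -j LOG --log-prefix "good-if "
iptables -A good-if -j DROP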

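# Remove the three temporary "block everything" rules appended at the
# start of the script.  They are rule 1 of each built-in chain because
# everything else was appended after them.  The original's last line was
# "iptables -D OUTPUT" with no rule number or rule specification; that
# does not remove the rule 1 DROP and would leave OUTPUT dropping every
# packet this box sends.
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1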