Routing() {
  # Turn kernel IP forwarding off by writing 0 to the ip_forward sysctl.
  # NOTE(review): the start action below calls EnableRouting, which is not
  # defined in this view; the name of this function may be cut at the page
  # boundary — confirm against the full script.
  printf '0\n' > /proc/sys/net/ipv4/ip_forward
}
##############################################################################
# FORWARDING
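SetForwardingRules() {
  # FORWARD chain: packets coming in on the public interface and going out
  # on the private one are only accepted when conntrack already knows the
  # connection (ESTABLISHED/RELATED); anything originating on the private
  # side may go out to the public side.
  # Expansions are quoted so an empty IF_PUB/IF_PRV makes iptables fail
  # instead of silently dropping the argument from the command line.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$IF_PRV" -o "$IF_PUB" -j ACCEPT
}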
##############################################################################
# LOOPBACK
SetLoopbackRules() {
  # Loopback traffic is unrestricted in both directions.
  local lo_if
  lo_if=lo
  iptables -A INPUT -i "$lo_if" -j ACCEPT
  iptables -A OUTPUT -o "$lo_if" -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
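SetPrivateInterfaceRules() {
  # Trust the private side: accept anything arriving on the private
  # interface from the private network, and anything this host sends
  # towards that network. Expansions quoted so an empty value fails loudly.
  iptables -A INPUT -i "$IF_PRV" -s "$NET_PRV" -j ACCEPT
  iptables -A OUTPUT -o "$IF_PRV" -d "$NET_PRV" -j ACCEPT
}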
#############################################################################
# PUBLIC INTERFACES
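SetPublicInterfaceRules() {
  # Public side: inbound only for connections this host already has
  # (ESTABLISHED/RELATED); outbound from the firewall itself is not
  # restricted at all by this rule. Expansions quoted so an empty value
  # fails loudly.
  iptables -A INPUT -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o "$IF_PUB" -j ACCEPT
}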
##############################################################################
# SOURCE NAT
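EnableSourceNAT() {
  # Source-NAT everything leaving on the public interface from the private
  # network to the public address. Only NET_PRV is rewritten: hosts outside
  # that range (for example the 192.168.10.x DNAT targets below) are not
  # translated by this rule. --to-source is the long form of --to.
  iptables -t nat -A POSTROUTING -s "$NET_PRV" -o "$IF_PUB" -j SNAT --to-source "$IP_PUB"
}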
# Various ICMP
SetICMP_Open() {
  # Accept the ICMP types a host needs on any interface: echo reply (0),
  # destination unreachable (3) and time exceeded (11) without limit.
  # Echo requests (8) are accepted at most once per second; requests above
  # that rate are not matched here and fall through to the rest of INPUT.
  local icmp_type
  for icmp_type in 0 3 11; do
    iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
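SetSSH_Open() {
  # Accept SSH on the non-standard TCP port 2202, only when it arrives on
  # the public interface addressed to the public IP. Note there is no source
  # restriction and no rate limit on new connections here.
  local ssh_port
  ssh_port=2202
  iptables -A INPUT -i "$IF_PUB" -p tcp -d "$IP_PUB" --dport "$ssh_port" -j ACCEPT
}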
##############################################################################
# Destination NAT
# smtp
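SetSMTP_DNAT() {
  # Redirect inbound SMTP on the public address to the internal mail host.
  # The target is held in one variable and used both for the DNAT and for
  # the FORWARD accept (-d), so the accept only admits traffic that was
  # actually redirected there rather than any forwarded SMTP.
  local target
  target=192.168.1.254
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport smtp -j DNAT --to-destination "$target"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -d "$target" -p tcp --dport smtp -j ACCEPT
}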
# pop3
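SetPOP3_DNAT() {
  # Redirect inbound POP3 on the public address to the internal mail host
  # and accept only that redirected flow in FORWARD (hence -d "$target").
  # NOTE(review): 192.168.10.254 lies outside NET_PRV (192.168.1.0/24);
  # replies to the DNAT'd flow are reversed by conntrack, but this host's
  # own outbound traffic is not covered by EnableSourceNAT — confirm intended.
  local target
  target=192.168.10.254
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport pop3 -j DNAT --to-destination "$target"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -d "$target" -p tcp --dport pop3 -j ACCEPT
}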
# Webmail (444->443)
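SetWebmail_DNAT() {
  # Expose the internal HTTPS webmail on public port 444, redirected to
  # port 443 on the webmail host. The FORWARD accept is keyed on the
  # private output interface and pinned to the DNAT target so it does not
  # admit every forwarded 443 flow.
  # NOTE(review): 192.168.10.254 lies outside NET_PRV (192.168.1.0/24) —
  # confirm it is reachable via IF_PRV.
  local target
  target=192.168.10.254
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 -j DNAT --to-destination "${target}:443"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o "$IF_PRV" -d "$target" -p tcp --dport 443 -j ACCEPT
}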
# http
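SetHTTP_DNAT() {
  # Redirect inbound HTTP on the public address to the internal web host
  # and accept only that redirected flow in FORWARD (hence -d "$target").
  # NOTE(review): 192.168.10.253 lies outside NET_PRV (192.168.1.0/24) and
  # so is not source-NATed by EnableSourceNAT — confirm intended.
  local target
  target=192.168.10.253
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport http -j DNAT --to-destination "$target"
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -d "$target" -p tcp --dport http -j ACCEPT
}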
# Blocked protocols
SetBlockedProtocols() {
  # Drop IRC aimed at this host (the author's note: plain IRC is used by
  # botnets). These are INPUT rules only; forwarded traffic from the
  # private network is not affected. Service names are resolved by
  # iptables (irc, irc-serv, ircs), each for TCP and UDP.
  local svc proto
  for svc in irc irc-serv ircs; do
    for proto in tcp udp; do
      iptables -A INPUT -p "$proto" --dport "$svc" -j DROP
    done
  done
}
# Blocked hosts
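SetBlockedHosts() {
  # Reject traffic from specific public-side hosts with ICMP
  # host-prohibited, both for this host (INPUT) and for forwarded traffic
  # (FORWARD). The address list is kept in one place so the two chains
  # cannot drift apart.
  local blocked_host
  for blocked_host in 10.220.231.236; do
    iptables -A INPUT -i "$IF_PUB" -s "$blocked_host" -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -i "$IF_PUB" -s "$blocked_host" -j REJECT --reject-with icmp-host-prohibited
  done
}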
# Blocked networks
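SetBlockedNetworks() {
  # Reject traffic from whole public-side networks with ICMP net-prohibited,
  # for this host (INPUT) and for forwarded traffic (FORWARD).
  local blocked_net
  for blocked_net in 10.220.232.0/24; do
    iptables -A INPUT -i "$IF_PUB" -s "$blocked_net" -j REJECT --reject-with icmp-net-prohibited
    # No "-d $IP_PUB" on the FORWARD rule: a DNAT in nat/PREROUTING has
    # already rewritten the destination by the time a packet reaches
    # FORWARD, so a rule keyed on the firewall's own public address never
    # matches forwarded traffic. Match on source only, as SetBlockedHosts does.
    iptables -A FORWARD -i "$IF_PUB" -s "$blocked_net" -j REJECT --reject-with icmp-net-prohibited
  done
}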
# Specify things to drop before logging
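SetPrelogDropRules() {
  # Noise to discard silently before the logging rules run: DHCP server
  # traffic (UDP source port bootps) arriving on the public interface.
  iptables -A INPUT -i "$IF_PUB" -p udp --sport bootps -j DROP
}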
# Log those on the public interface
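SetLoggingRules() {
  # Log whatever is still unmatched on the public interface (INPUT/OUTPUT)
  # and in FORWARD. The LOG rules are rate-limited: an unbounded LOG on the
  # public side lets a packet flood fill the system log. The limit and
  # burst are tunable; packets over the limit are simply not logged.
  local rate burst
  rate=5/minute
  burst=10
  iptables -A INPUT -i "$IF_PUB" -m limit --limit "$rate" --limit-burst "$burst" -j LOG --log-prefix="INPUT "
  iptables -A OUTPUT -o "$IF_PUB" -m limit --limit "$rate" --limit-burst "$burst" -j LOG --log-prefix="OUTPUT "
  iptables -A FORWARD -m limit --limit "$rate" --limit-burst "$burst" -j LOG --log-prefix="FORWARD "
  # Optional nat-table logging, kept disabled:
  # iptables -t nat -A PREROUTING -i "$IF_PUB" -j LOG --log-prefix="nPre "
  # iptables -t nat -A POSTROUTING -o "$IF_PUB" -j LOG --log-prefix="nPost "
  # iptables -t nat -A OUTPUT -o "$IF_PUB" -j LOG --log-prefix="NAT OUT "
}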
# Drop them all
SetDropRules() {
  # Answer every TCP connection attempt not accepted earlier with a RST,
  # the normal behaviour of a closed port. The author's reasoning: there is
  # no value in stealthing ports, and since some ports on this host are
  # open anyway it makes no difference — so be a good TCP citizen.
  # NOTE(review): this function is not called from the start action in
  # this view — confirm SetDefaultPolicy gives the intended final result.
  local reject_type
  reject_type=tcp-reset
  iptables -A INPUT -p tcp -j REJECT --reject-with "$reject_type"
}
##############################################################################
# SCRIPT ENTRY POINT
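# Announce the action being applied ($1: start/stop/restart).
# printf is used because "echo -n" is not portable and echo would misread
# an argument such as -n; $1 is quoted so it is printed as one word.
printf 'Firewall configuration...%s\n' "$1"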
##############################################################################
# ENVIRONMENT
# Private (inside) interface: its name, this host's address on it and the
# network behind it.
IF_PRV='eth0'
IP_PRV='192.168.1.1'
NET_PRV='192.168.1.0/24'
# Public (outside) interface: its name, the public address and network.
IF_PUB='eth1'
IP_PUB='10.0.0.1'
NET_PUB='10.0.0.0/24'
# Others. IP_PRV, NET_PUB and ANYWHERE are not referenced by the functions
# in this view; presumably used by rules defined elsewhere in the script.
ANYWHERE='0.0.0.0/0'
# Load the rc.status helper library (provides rc_reset and rc_exit, used
# here) and clear its status before any rule is applied.
. /etc/rc.status
rc_reset
##############################################################################
# COMMAND LINE
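case "$1" in
  start)
    # Every rule is appended (-A) and iptables matches first hit, so the
    # reject/drop rules are installed before the accept rules that follow.
    # SetDefaultPolicy, FlushTables and EnableRouting are defined outside
    # this view.
    SetDefaultPolicy
    FlushTables
    EnableRouting
    SetBlockedProtocols
    SetBlockedNetworks
    SetBlockedHosts
    SetForwardingRules
    SetLoopbackRules
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    EnableSourceNAT
    SetICMP_Open
    SetSSH_Open
    SetSMTP_DNAT
    SetPOP3_DNAT
    SetWebmail_DNAT
    SetHTTP_DNAT
    SetPrelogDropRules
    SetLoggingRules
    # NOTE(review): SetDropRules is defined above but never called here —
    # confirm SetDefaultPolicy provides the intended final disposition.
    ;;
  stop)
    # Back to the defaults, keeping only the per-interface accept rules.
    SetDefaultPolicy
    FlushTables
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    ;;
  restart)
    # Re-run this script for each action; $0 quoted in case the path has
    # spaces.
    "$0" stop
    "$0" start
    ;;
  *)
    # Unknown or missing action: report usage on stderr and fail.
    printf 'Usage: %s {start|stop|restart}\n' "${0##*/}" >&2
    exit 1
    ;;
esac
rc_exit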
=============================================
原文链接:http://www.novell.com/coolsolutions/feature/18139.html
原文作者:David Mair
原文来源:Novell