Author Topic: [Share]: ipt_fw for basic firewall (Read 7760 times)

hikohan

[Share]: ipt_fw for basic firewall
« on: 2004-09-14 00:36 »
Originally from the net, compiled into online material.

--
Open WebMail Project (http://openwebmail.org)


---------- Original Message -----------
From: 網中人 <netman@study-area.org>
To: "VEGA" <vega@phsbb.idv.tw>
Sent: Tue, 14 Sep 2004 00:06:24 +0800
Subject: Re: ipt_fw

> Thanks, thanks!
>
> It would be even better if you could post it to http://phorum.study-area.org ....  ^_^
>
> netman
>
> --
> ----- Original Message -----
> From: "VEGA" <vega@phsbb.idv.tw>
> To: <netman@study-area.org>
> Sent: Monday, September 13, 2004 3:49 PM
> Subject: ipt_fw
>
Quote:
dear netman:

Thanks to your ipt_fw, my server has been spared the basic barrage of attacks.

I modified some of the statements and hope more people can share it.

By default this web server lets the internal network reach the Internet, and only the sysop can connect into the host.


===== START
Code:

#!/bin/sh

# basic settings -------------------------------------------------- #

PATH=/sbin:/usr/sbin:/bin:/usr/bin

# squid server for transparent proxy
SQUIDER="192.168.0.254:3128"

# (!) restrict ssh source
ADMIN_HOME="61.62.63.64"

# (!) WAN & LAN NICs
EXT_IF="eth0"
INT_IF="eth1"

TRUSTED_TCP_PORT="20 21 22 25 53 80 443"

TRUSTED_UDP_PORT="53"

ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"

# advanced settings & modules ------------------------------------- #

# calculated vars (old-style ifconfig/route output: "inet addr:A.B.C.D")
WAN_IP=$(ifconfig $EXT_IF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
LAN_IP=$(ifconfig $INT_IF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
# directly connected networks as "network/netmask" (non-gateway routes only)
W_AREA=$(route -n | grep $EXT_IF | grep -v UG | awk '{print $1"/"$3}')
L_AREA=$(route -n | grep $INT_IF | grep -v UG | awk '{print $1"/"$3}')

echo "Loading modules..."
modprobe ip_tables >/dev/null 2>&1 || {
    echo -n "$(basename $0): loading ip_tables module failure."
    echo " Please fix it!"
    exit 3
}

# load every connection-tracking and NAT helper module found for this kernel
for file in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
    module=$(basename $file)
    modprobe ${module%.*} >/dev/null 2>&1
done

for file in /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_nat_*.o
do
    module=$(basename $file)
    modprobe ${module%.*} >/dev/null 2>&1
done

# ------------- ipforwarding -----------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

# ------------- anti spoofing -----------
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > $file
done

# ------------- flushing ----------
echo "Cleaning up..."
iptables -F -t filter
iptables -X -t filter
iptables -Z -t filter
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

# ------------- policies -------------
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT


# ------------- ICMP -------------
echo "Creating icmpfilter chain..."

iptables -N icmpfilter

for TYPE in $ALLOWED_ICMP
do
    iptables -A icmpfilter -i $EXT_IF -p icmp --icmp-type $TYPE -j ACCEPT
done

# ------------- services ------------
echo "Creating services chain...."

iptables -N services

for PORT in $TRUSTED_TCP_PORT
do
    iptables -A services -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
done

for PORT in $TRUSTED_UDP_PORT
do
    iptables -A services -i $EXT_IF -p udp --dport $PORT -j ACCEPT
done

# ------------- block -------------
# replies to existing connections are accepted; new connections are
# accepted only if they did NOT arrive on the WAN interface; everything
# else is dropped here, so this chain must stay last in INPUT and FORWARD
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
iptables -A block -j DROP

# ------------- filter -------------
echo "Filtering packets..."
iptables -A INPUT -j icmpfilter
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j icmpfilter
iptables -A FORWARD -j block

# ------------- disable ICMP echo reply -------------
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# ^^^^^ comment these out if ICMP echo replies are needed


# ------------- masq -------------
echo "Masquerading internal network..."
# iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -d $W_AREA -o $EXT_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $L_AREA -o $EXT_IF -j MASQUERADE
# ^^^^^ replace $L_AREA with the hosts you trust.

# ------------- tproxy -------------
#echo "enable t-proxy"
#iptables -t nat -A PREROUTING -d $LAN_IP -i $INT_IF -p tcp \
#-m tcp --dport 80 -j ACCEPT
#iptables -t nat -A PREROUTING -i $INT_IF -p tcp -m tcp --dport 80 \
#-j DNAT --to $SQUIDER
# ^^^^^ remove the '#' if a squid proxy is present.

# ------------- restrict ssh from admin's home only -------------
# inserted with -I so it is checked BEFORE the services chain, which
# accepts port 22 from any source
iptables -I INPUT -i $EXT_IF -s ! $ADMIN_HOME \
-p tcp --dport 22 -j DROP

exit 0
## EOS

===== EOF


------- End of Original Message -------
lifeIsFunWithPHP.
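The script above keeps the INPUT and FORWARD policies at ACCEPT, so what actually protects the host is rule order: the ssh restriction is inserted at the top with -I so it runs before the services chain (which accepts port 22 from anywhere), and the block chain is appended last and ends in DROP. The following is an added example, not part of the original post or of netman's ipt_fw script: it rebuilds the filter-table rules of ipt_fw against a stubbed iptables() that only records rules, then walks them with a small first-match evaluator that understands just the matches ipt_fw uses. The sample packets, the address 203.0.113.9 and the LAN address 192.168.0.5 are constructed; NAT rules and the sysctl settings are not modelled.

```shell
#!/bin/sh
# Added example (not from the original post or the ipt_fw script): rebuild
# the filter-table rules of ipt_fw against a stubbed iptables() that only
# records rules, then run a minimal first-match evaluator over them. Only
# the matches ipt_fw uses are modelled: -i -p -s --dport --icmp-type --state
# and the intrapositioned "!" negation.

EXT_IF="eth0"
ADMIN_HOME="61.62.63.64"                  # placeholder admin address, as in ipt_fw
TRUSTED_TCP_PORT="20 21 22 25 53 80 443"
TRUSTED_UDP_PORT="53"
ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"

# Stub: -N creates a chain file, -A appends, -I inserts at the top.
# -t nat, -P, -F, -X, -Z are accepted and ignored (NAT is not modelled).
iptables() {
    [ "$1" = "-t" ] && shift 2
    case "$1" in
        -N) : > "$RULEDIR/$2" ;;
        -A) c=$2; shift 2; echo "$*" >> "$RULEDIR/$c" ;;
        -I) c=$2; shift 2
            [ -f "$RULEDIR/$c" ] || : > "$RULEDIR/$c"
            { echo "$*"; cat "$RULEDIR/$c"; } > "$RULEDIR/$c.tmp"
            mv "$RULEDIR/$c.tmp" "$RULEDIR/$c" ;;
    esac
}

# The INPUT/FORWARD part of ipt_fw, in the same order as the script.
build_firewall() {
    RULEDIR=$(mktemp -d)
    iptables -N icmpfilter
    for TYPE in $ALLOWED_ICMP; do
        iptables -A icmpfilter -i $EXT_IF -p icmp --icmp-type $TYPE -j ACCEPT
    done
    iptables -N services
    for PORT in $TRUSTED_TCP_PORT; do
        iptables -A services -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
    done
    for PORT in $TRUSTED_UDP_PORT; do
        iptables -A services -i $EXT_IF -p udp --dport $PORT -j ACCEPT
    done
    iptables -N block
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
    iptables -A block -j DROP
    iptables -A INPUT -j icmpfilter
    iptables -A INPUT -j services
    iptables -A INPUT -j block
    iptables -A FORWARD -j icmpfilter
    iptables -A FORWARD -j block
    iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
    iptables -I INPUT -i $EXT_IF -s ! $ADMIN_HOME -p tcp --dport 22 -j DROP
}

# Does one recorded rule match the packet described by P_*? Sets RULE_TARGET.
rule_matches() {
    RULE_TARGET=""
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|-p|-s|--dport|--icmp-type|--state)
                opt=$1; shift; neg=0
                if [ "$1" = "!" ]; then neg=1; shift; fi
                want=$1; shift
                case "$opt" in
                    -i) have=$P_IF ;;                -p) have=$P_PROTO ;;
                    -s) have=$P_SRC ;;               --dport) have=$P_DPORT ;;
                    --icmp-type) have=$P_ICMPTYPE ;; --state) have=$P_STATE ;;
                esac
                # comma-list test also covers "--state ESTABLISHED,RELATED"
                case ",$want," in *",$have,"*) hit=1 ;; *) hit=0 ;; esac
                if [ "$hit" -eq "$neg" ]; then return 1; fi ;;
            -j) RULE_TARGET=$2; shift 2 ;;
            *)  shift ;;                    # -m state / -m tcp: no effect
        esac
    done
    return 0
}

# First-match walk of a chain; prints ACCEPT/DROP, or nothing if the chain
# falls through (the caller then applies the chain policy).
evaluate() {
    while IFS= read -r rule; do
        if rule_matches "$rule"; then
            case "$RULE_TARGET" in
                ACCEPT|DROP) echo "$RULE_TARGET"; return 0 ;;
                *) sub=$(evaluate "$RULE_TARGET")
                   if [ -n "$sub" ]; then echo "$sub"; return 0; fi ;;
            esac
        fi
    done < "$RULEDIR/$1"
    return 0
}

# verdict CHAIN IN_IFACE PROTO DPORT_OR_ICMPTYPE SRC CONNTRACK_STATE
verdict() {
    P_IF=$2; P_PROTO=$3; P_SRC=$5; P_STATE=$6; P_DPORT=""; P_ICMPTYPE=""
    if [ "$3" = icmp ]; then P_ICMPTYPE=$4; else P_DPORT=$4; fi
    result=$(evaluate "$1")
    echo "${result:-ACCEPT}"                # both chains keep policy ACCEPT
}

build_firewall
trap 'rm -rf "$RULEDIR"' EXIT
# Constructed sample packets (203.0.113.9 is a documentation address).
for pkt in "INPUT eth0 tcp 22 61.62.63.64 NEW" "INPUT eth0 tcp 22 203.0.113.9 NEW" \
           "INPUT eth0 tcp 3306 203.0.113.9 NEW" "INPUT eth1 tcp 3306 192.168.0.5 NEW" \
           "INPUT eth0 icmp echo-request 203.0.113.9 NEW" "FORWARD eth0 tcp 80 203.0.113.9 NEW"
do
    echo "$pkt -> $(verdict $pkt)"
done
```

Running it shows ssh from the admin address reaching the services chain and being accepted while ssh from any other WAN address hits the inserted DROP first; an unlisted port such as 3306 is accepted from the LAN interface but dropped from the WAN, and the same WAN/LAN asymmetry applies to new connections in FORWARD. Swapping the final -I for -A in build_firewall makes the first two verdicts both ACCEPT, which is exactly the ordering mistake the model is meant to catch.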