作者 主題: iptables script  (閱讀 4168 次)


Anonymous

iptables script
« 於: 2002-01-08 12:52 »
這兩天在重寫 NAT 的文章﹐剛完成了一隻 script ﹐丟上來請大家幫忙測試一下﹕

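#!/bin/bash
#
# Script name: ipt_masq
# A simple script for masquerading, used in Linux (2.4.x).
#
# Copyleft 2002 by netman (netman@study-area.org).
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
# Date: 2002/01/08
# Version: 0.9
#
# Usage: ipt_masq   (run as root; takes no arguments)
#
# Exit status:
#   0  rules installed
#   1  iptables binary not found
#   2  ip_tables kernel module could not be loaded
#   3  INT_IF is not up        (only checked when squid is running)
#   4  INT_IF has no IPv4 addr (only checked when squid is running)
#
# 'set -e' is deliberately NOT used: several steps (optional modules,
# stopping ipchains, the squid probe) are best-effort and must not
# abort the script.  'set -u' still catches misspelled variable names.
set -u

# Fixed PATH so the tools below come from the system directories and
# not from whatever the caller's environment points at.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
readonly EXT_IF=ppp0      # external (Internet) interface
readonly INT_IF=eth0      # internal (LAN) interface
readonly PROG=${0##*/}    # script name for messages, no fork needed

#######################################
# Abort with status 1 unless the iptables binary is on PATH.
#######################################
ensure_iptables() {
  if ! command -v iptables >/dev/null 2>&1; then
    echo
    echo "$PROG: iptables program is not found."
    echo "   Please install the program first."
    echo
    exit 1
  fi
}

#######################################
# ipchains and iptables cannot be active at the same time on 2.4.
# If the ipchains module is loaded, stop the service (or at least
# flush its rules) and unload the module.  Best-effort.
#######################################
disable_ipchains() {
  if command -v ipchains >/dev/null 2>&1 && lsmod | grep -qw ipchains; then
    echo "Disabling ipchains..."
    # One statement: try the init script, fall back to a plain flush.
    /etc/rc.d/init.d/ipchains stop >/dev/null 2>&1 \
      || ipchains -F >/dev/null 2>&1
    rmmod ipchains
  fi
}

#######################################
# Load the netfilter core, the FTP conntrack helper and every
# ip_nat_* helper module shipped with the running kernel.
# Exits 2 if ip_tables itself cannot be loaded; the helpers are optional.
#######################################
load_modules() {
  local file module
  echo "Loading modules..."
  modprobe ip_tables || exit 2
  modprobe ip_conntrack_ftp
  for file in /lib/modules/"$(uname -r)"/kernel/net/ipv4/netfilter/ip_nat_*.o; do
    [ -e "$file" ] || continue   # glob did not match: no NAT helpers installed
    module=${file##*/}
    modprobe "${module%.*}"
  done
}

#######################################
# Enable IPv4 forwarding between interfaces.
#######################################
enable_forwarding() {
  echo "Turning on IP forwarding..."
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Enable reverse-path filtering on every interface: packets whose
# source address would not be routed back out the same interface are
# discarded (basic anti-spoofing).
#######################################
enable_rp_filter() {
  local file
  echo "Turning on anti-spoofing..."
  for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -e "$file" ] || continue
    echo 1 > "$file"
  done
}

#######################################
# Flush rules, delete user chains and zero counters in the filter and
# nat tables so the script always starts from a clean state.
#######################################
flush_rules() {
  local table
  echo "Cleaning up rules..."
  for table in filter nat; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
}

#######################################
# Default policies: everything ACCEPT.  INPUT and FORWARD are still
# protected because apply_filter sends them through the 'block' chain,
# which ends in DROP.
#######################################
set_policies() {
  echo "Setting up policies to ACCEPT..."
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
}

#######################################
# Stateful 'block' chain:
#   - replies to existing connections are accepted,
#   - new or invalid packets arriving on the external interface drop,
#   - new connections from anywhere else (LAN, loopback) are accepted,
#   - anything left over is dropped.
# '-i ! IF' is the interface-negation syntax of the iptables releases
# this script was written for; newer releases spell it '! -i IF'.
#######################################
create_block_chain() {
  echo "Creating block chain..."
  iptables -N block
  iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A block -m state --state NEW,INVALID -i "$EXT_IF" -j DROP
  iptables -A block -m state --state NEW -i ! "$EXT_IF" -j ACCEPT
  iptables -A block -j DROP
}

#######################################
# Send both locally delivered and forwarded traffic through 'block'.
#######################################
apply_filter() {
  echo "Filtering packets..."
  iptables -A INPUT -j block
  iptables -A FORWARD -j block
}

#######################################
# Masquerade everything leaving through the external interface.
#######################################
enable_masquerade() {
  echo "Masquerading internal network ...."
  iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

#######################################
# If squid is running, redirect LAN web traffic (tcp/80) arriving on
# INT_IF to squid's port 3128.  Traffic addressed to the gateway's own
# LAN address is left alone so a web server on the box stays reachable.
# Exits 3 if INT_IF is down, 4 if it has no IPv4 address.
#######################################
enable_transparent_proxy() {
  local int_ip
  if /etc/rc.d/init.d/squid status 2>/dev/null | grep -q pid; then
    echo "Enabling transparent proxy...."
    if ! ifconfig | grep -q -- "$INT_IF"; then
      echo
      echo "$PROG: $INT_IF is down."
      echo "   Please bring up the interface first."
      echo
      exit 3
    fi
    # First IPv4 address of INT_IF.  Works with both the old
    # "inet addr:1.2.3.4" and the newer "inet 1.2.3.4" ifconfig output;
    # the trailing space in the pattern skips the 'inet6' line.
    int_ip=$(ifconfig "$INT_IF" | awk '/inet /{ sub(/addr:/, "", $2); print $2; exit }')
    if [ -z "$int_ip" ]; then
      echo
      echo "$PROG: there is no IP found on $INT_IF."
      echo "   Please make sure $INT_IF is setup properly."
      echo
      exit 4
    fi
    iptables -t nat -A PREROUTING -d "$int_ip" -i "$INT_IF" \
      -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -i "$INT_IF" -p tcp -m tcp \
      --dport 80 -j REDIRECT --to-ports 3128
  fi
}

#######################################
# Run the steps in the original order and exit 0.
#######################################
main() {
  ensure_iptables
  disable_ipchains
  load_modules
  enable_forwarding
  enable_rp_filter
  flush_rules
  set_policies
  create_block_chain
  apply_filter
  enable_masquerade
  enable_transparent_proxy
  exit 0
}

main "$@"
## EOS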