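#!/bin/bash
# Firewall setup (iptables).
#
# Outline: INPUT defaults to DROP and is opened per port on the WAN side;
# OUTPUT and FORWARD default to ACCEPT; when NIC_LAN is set, LAN_IP is
# masqueraded out of NIC_WAN. The shebang has to be the very first line of
# the file, otherwise the kernel ignores it and the script runs under
# whatever shell happens to invoke it.
#
# --- Variables ---
ALL="0.0.0.0/0"
# PRI_A_NET="10.0.0.0/8"
# PRI_B_NET="172.16.0.0/12"
# PRI_C_NET="192.168.0.0/16"
# PRI_NET="61.xxx.xxx.0/29" # edit to your own prefix before enabling
NIC_WAN="eth0"
WAN_IP="我的真實IP" # placeholder: replace with the real WAN address, the -d/-s rules below will not load until you do
NIC_LAN="eth1"
LAN_IP="192.168.216.0/24" # This is for NAT's network
LO="127.0.0.1"
HI="1024:65535" # unprivileged port range, used by the remoteallowed chain
# allow_d_port: destination ports on this host that remote hosts may connect to.
# Built one port per line so single entries are easy to comment in and out;
# the leading space is harmless because the list is only ever word-split.
allow_d_port="" # Reset
allow_d_port+=" 20"  # ftp-data
allow_d_port+=" 21"  # ftp
allow_d_port+=" 22"  # ssh
allow_d_port+=" 25"  # smtp
allow_d_port+=" 110" # pop3
allow_d_port+=" 53"  # domain
allow_d_port+=" 80"  # www
allow_d_port+=" 443" # https
allow_d_port+=" 465" # ssmtp
allow_d_port+=" 995" # pop3s
# allow_d_port+=" 8021" # zope-ftp
# allow_d_port+=" 8080" # zope-zmi
# allow_s_port: source ports a remote host may use when it connects to an
# unprivileged port here (consumed by tcp_s_packets / udp_s_packets).
# Every line must extend allow_s_port itself; appending to allow_d_port here
# silently corrupts both lists.
allow_s_port="" # Reset
allow_s_port+=" 20"  # ftp-data
allow_s_port+=" 21"  # ftp
allow_s_port+=" 22"  # ssh
allow_s_port+=" 25"  # smtp
allow_s_port+=" 110" # pop3
allow_s_port+=" 53"  # domain
allow_s_port+=" 80"  # www
allow_s_port+=" 443" # https
allow_s_port+=" 465" # ssmtp
allow_s_port+=" 995" # pop3s
# allow_s_port+=" 8021" # zope-ftp
# allow_s_port+=" 8080" # zope-zmi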
# --- Kernel modules ---
# Load the netfilter modules the rules below rely on: the filter table,
# connection tracking with its ftp/irc helpers, the state and limit matches,
# and the REJECT/REDIRECT/LOG targets (REDIRECT and LOG are loaded but no
# rule in this script uses them).
for mod in iptable_filter ip_tables ip_conntrack ip_conntrack_ftp \
           ip_conntrack_irc ipt_state ipt_limit ipt_REJECT ipt_REDIRECT \
           ipt_LOG; do
  /sbin/modprobe "$mod"
done
# --- Reset iptables ---
# Flush all rules, delete user-defined chains and zero the counters in the
# filter and nat tables, then set the default policies. From this point on
# INPUT is closed (DROP) until the rules below open it; OUTPUT, FORWARD and
# the nat chains stay open.
for table in filter nat; do
  /sbin/iptables -t "$table" -F
  /sbin/iptables -t "$table" -X
  /sbin/iptables -t "$table" -Z
done
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
for chain in PREROUTING POSTROUTING OUTPUT; do
  /sbin/iptables -t nat -P "$chain" ACCEPT
done
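# --- Trusted networks (disabled) ---
# iptables -I INPUT -i $NIC_WAN -p tcp -s $PRI_WAN -j ACCEPT
# iptables -I OUTPUT -o $NIC_WAN -p tcp -d $PRI_WAN -j ACCEPT
# NOTE: PRI_WAN is never defined in this script (the variables section only
# has a commented-out PRI_NET), so fix the name before enabling these lines.
# --- Loopback: unrestricted ---
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# --- Anti-spoofing: a packet arriving on the WAN interface that claims our
# own WAN address cannot be legitimate. (-d $ALL matches everything and is
# effectively a no-op.)
/sbin/iptables -A INPUT -i "$NIC_WAN" -s "$WAN_IP" -d "$ALL" -j DROP
# --- Drop TCP flag combinations that do not occur in normal traffic; they are
# characteristic of port scanners (e.g. nmap). They are dropped silently; put
# a rate-limited LOG rule in front of them if scan visibility is wanted
# (ipt_LOG is loaded above but unused).
## NMAP FIN/URG/PSH
/sbin/iptables -A INPUT -i "$NIC_WAN" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## Xmas Tree
/sbin/iptables -A INPUT -i "$NIC_WAN" -p tcp --tcp-flags ALL ALL -j DROP
## Another Xmas Tree
/sbin/iptables -A INPUT -i "$NIC_WAN" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
## Null Scan(possibly)
/sbin/iptables -A INPUT -i "$NIC_WAN" -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST
/sbin/iptables -A INPUT -i "$NIC_WAN" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN -- Scan(possibly)
/sbin/iptables -A INPUT -i "$NIC_WAN" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# --- Helper chains ---
# allowed: accept a connection attempt (SYN) or a packet belonging to a
# tracked connection; drop everything else.
/sbin/iptables -N allowed
/sbin/iptables -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A allowed -p TCP -j DROP
# remoteallowed: accept only when the destination is an unprivileged port.
/sbin/iptables -N remoteallowed
/sbin/iptables -A remoteallowed -p TCP --dport "$HI" -j ACCEPT
/sbin/iptables -A remoteallowed -p TCP -j DROP
# --- LAN side and NAT ---
# (A second "-A INPUT -i lo -j ACCEPT" used to sit here; it duplicated the
#  loopback rule above and has been dropped.)
if [ -n "$NIC_LAN" ]; then
  # Everything arriving on the LAN interface is trusted.
  /sbin/iptables -A INPUT -i "$NIC_LAN" -j ACCEPT
  echo "1" > /proc/sys/net/ipv4/ip_forward
  /sbin/iptables -A POSTROUTING -t nat -o "$NIC_WAN" -s "$LAN_IP" -j MASQUERADE
  # NOTE: FORWARD keeps the ACCEPT policy set in the reset section and no
  # FORWARD rules are added, so traffic routed between NIC_LAN and NIC_WAN is
  # not filtered by this script at all.
fi
# Packets of connections conntrack already knows about (return traffic, and
# related connections set up by the ftp/irc helpers).
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --- ICMP types accepted from the WAN ("3/4" is type 3 code 4,
# fragmentation-needed, which path-MTU discovery relies on) ---
icmp_type="0 3 3/4 4 11 12 14 16 18"
/sbin/iptables -N icmp_packets
# shellcheck disable=SC2086 -- word-splitting of the list is intended
for type in $icmp_type; do
  /sbin/iptables -A icmp_packets -p ICMP --icmp-type "$type" -j ACCEPT
done
# --- TCP by destination port: the services offered on this host ---
/sbin/iptables -N tcp_d_packets
# shellcheck disable=SC2086 -- word-splitting of the list is intended
for port in $allow_d_port; do
  /sbin/iptables -A tcp_d_packets -p TCP --dport "$port" -j allowed
done
# --- TCP by *source* port ---
# NOTE(review): this chain accepts a NEW inbound connection to any port in $HI
# solely because its source port is on the allow list. Return traffic of
# connections this host opened is already accepted by the ESTABLISHED,RELATED
# rule above (with ip_conntrack_ftp loaded that includes ftp-data), so the only
# traffic these rules add is unsolicited connections whose source port happens
# to be one of 20/21/22/25/..., which weakens the default-DROP policy for every
# unprivileged port. Consider removing tcp_s_packets/udp_s_packets, or
# narrowing $HI to the exact ports that need it.
/sbin/iptables -N tcp_s_packets
# shellcheck disable=SC2086 -- word-splitting of the list is intended
for port in $allow_s_port; do
  /sbin/iptables -A tcp_s_packets -p TCP --sport "$port" -j remoteallowed
done
# --- UDP by destination port ---
# NOTE: this reuses the TCP list, so UDP 20/21/22/25/80/443/... are opened as
# well although only 53 (domain) is served over UDP here; a separate UDP list
# would be tighter.
/sbin/iptables -N udp_d_packets
# shellcheck disable=SC2086 -- word-splitting of the list is intended
for port in $allow_d_port; do
  /sbin/iptables -A udp_d_packets -p UDP --dport "$port" -j ACCEPT
done
# --- UDP by source port ---
# Unlike tcp_s_packets there is no $HI restriction: any UDP datagram with an
# allowed source port is accepted whatever its destination port, so the same
# caveat as above applies even more strongly.
/sbin/iptables -N udp_s_packets
# shellcheck disable=SC2086 -- word-splitting of the list is intended
for port in $allow_s_port; do
  /sbin/iptables -A udp_s_packets -p UDP --sport "$port" -j ACCEPT
done
# --- SYN flood limiter (chain name kept as "synfoold" so existing tooling
# that lists it keeps working) ---
# NOTE: the limit is global, not per source. Once more than 3 new TCP
# connections per second arrive from anywhere, every further SYN is answered
# with a RST, so one busy or hostile remote host makes the services
# unreachable for everyone. A per-source limit (hashlimit) or a larger
# --limit-burst is safer.
/sbin/iptables -N synfoold
/sbin/iptables -A synfoold -p tcp --syn -m limit --limit 3/s -j RETURN
/sbin/iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
# --- Ping flood limiter (same global-limit caveat) ---
/sbin/iptables -N ping
/sbin/iptables -A ping -i "$NIC_WAN" -p icmp --icmp-type echo-request \
  -m limit --limit 3/s -j RETURN
/sbin/iptables -A ping -p icmp -j REJECT
# --- INPUT dispatch: hand WAN traffic to the chains above, in this order ---
/sbin/iptables -A INPUT -p tcp -m state --state NEW -j synfoold
/sbin/iptables -A INPUT -p icmp -i "$NIC_WAN" --icmp-type echo-request \
  -m state --state NEW -j ping
/sbin/iptables -A INPUT -p icmp -i "$NIC_WAN" -d "$WAN_IP" -j icmp_packets
/sbin/iptables -A INPUT -p tcp -i "$NIC_WAN" -d "$WAN_IP" -j tcp_d_packets
/sbin/iptables -A INPUT -p udp -i "$NIC_WAN" -d "$WAN_IP" -j udp_d_packets
/sbin/iptables -A INPUT -p tcp -i "$NIC_WAN" -d "$WAN_IP" -j tcp_s_packets
/sbin/iptables -A INPUT -p udp -i "$NIC_WAN" -d "$WAN_IP" -j udp_s_packets
# Anything not accepted above falls through to the INPUT policy (DROP).
# Nothing is logged on the way; a rate-limited "-j LOG" rule appended here
# (e.g. "-A INPUT -m limit --limit 5/min -j LOG") would show what is dropped.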
-----------------------------------------------------------------------------------------------
以上是修改自一位高人所發表的,但是我不知道我修改的對不對... 所以想請教高人指點迷津...
感謝之意...盡在不言中...