Linux服务器上适用的防火墙(转自CU)

很久没来了,其实也不是什么新东西,2001年底就写了很多了,主要是改正了以前版本里面的逻辑错误,整理了一下,把原来的WAN+LAN+DMZ改成了放在单独的linux服务器上的版本,使用LINUX服务器的兄弟们有福了,可以节省N多的脑细胞,呵呵,有问题邮件联系 arlenecc@rainlow.com


#!/bin/bash
# RainLow firewall, standalone-server edition.  This top-level run only
# prints the banner, pins PATH and pulls in the SysV init helpers; the
# actual environment checks, module loading and kernel tuning live in the
# functions defined further down.
echo -e " \t\t \033[1;31m RainLow firewall \033[m server version 1.0rc1 -- 09/24/2004 \n"
echo -e "############################################################"
echo -e " This software may be used and distributed according to "
echo -e "the terms of the GNU General Public License (GPL) provided"
echo -e "credit is given to the original author. "
echo -e "\t\t\t \033[1;31m Copyright (c) 2004 rainlow \033[m \n"
echo -e "\t\t\t\t All rights reserved \n\n\n"
echo -e "############################################################"

# now begins the firewall
echo -e "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"
echo -e " \t\t\t\t \033[1;32m
http://www.rainlow.com \033[m \n"


# Fixed PATH: every external command used below (uname, lsmod, rmmod,
# sleep, grep ...) resolves from system directories rather than from
# whatever PATH the invoking shell happened to have.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# Red Hat style init-script helpers.  Nothing checks that the file exists
# before sourcing it, so on other distributions this line is the first
# thing to fail.
. /etc/init.d/functions

exit_failure()
{
  # Print the red FAILED banner plus the reason stored in the global
  # FAILURE, then terminate the whole script with status 1.  Callers set
  # FAILURE before invoking this; it never returns.  %b keeps echo -e's
  # treatment of backslash escapes inside the message.
  printf ' \t \033[3;031m [ FAILED ] \033[0m \n'
  printf ' \033[3;031m -> FATAL: %b \033[0m \n' "$FAILURE"
  printf ' \033[3;031m -> ** ABORTED **.\033[0m \n'
  exit 1
}

check_root()
{
  # Refuse to continue unless the caller is root (bash's $UID is 0):
  # everything after this writes /proc/sys and programs the kernel
  # firewall.  On failure the reason goes into FAILURE and exit_failure
  # terminates the script.  Globals written: ROOT_ID.
  ROOT_ID=0
  echo "Checking if you are root...."
  if [ "$UID" != "$ROOT_ID" ]
  then
    echo -e " Sorry,you are not root and not permitted to do this option...\n"
    echo -e "\a"
    FAILURE="you can not run this command ,you must be root to do this"
    exit_failure
  else
    echo -e "\n\t OK ! continue....\n"
    echo -e "\a"
  fi
}

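check_enviroment()
{
  # Verify the host can run this firewall: Linux, kernel 2.4 or newer, the
  # iptables binary present, and no leftover ipchains module loaded (the
  # 2.4 ipchains compatibility module and ip_tables cannot be loaded at the
  # same time).  Any failed check puts the reason in FAILURE and aborts via
  # exit_failure.  Globals written: OS, _OS, KERNELMAJ, KERNELMIN.
  echo -e "\t\t \033[1;31m Now Checking software envrioment \033[m \n"

  OS=$(uname -s)
  _OS=$OS
  if [ "$_OS" != "Linux" ]; then
    FAILURE="Sorry this version can only work under linux "
    exit_failure
  else
    echo -en "\t\t \033[1;32m PASS \033[m \n"
  fi

  # Split "major.minor[.patch][-extra]" out of uname -r with parameter
  # expansion.  The sed expressions in the published version had lost their
  # quoting ('''' around each program), so they extracted nothing and the
  # numeric tests below errored out on empty strings.
  local release
  release=$(uname -r)
  KERNELMAJ=${release%%.*}
  KERNELMAJ=${KERNELMAJ%%[!0-9]*}
  KERNELMIN=${release#*.}
  KERNELMIN=${KERNELMIN%%[!0-9]*}
  # Without a dot the "minor" expansion above just repeats the whole string.
  case "$release" in *.*) ;; *) KERNELMIN= ;; esac
  if [ -z "$KERNELMAJ" ] || [ -z "$KERNELMIN" ]; then
    FAILURE="can not parse kernel version from: $release"
    exit_failure
  fi

  if [ "$KERNELMAJ" -lt 2 ]; then
    FAILURE="Sorry you kernel is too old,please upgrade it first!"
    exit_failure
  fi
  if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 4 ]; then
    FAILURE="only kernel greater than 2.4 is supported"
    exit_failure
  fi

  # The iptables() wrapper in this script runs /sbin/iptables by absolute
  # path, so test that exact path.  The original grepped `iptables -V` for
  # "Command not found", which never matched: bash's message is lower-case
  # and a missing /sbin/iptables yields "No such file or directory", so a
  # missing binary was never detected.
  if [ ! -x /sbin/iptables ]; then
    FAILURE="can not find iptables command you must install iptables first"
    exit_failure
  fi

  # Unload a leftover ipchains module.  /proc/modules is read directly
  # instead of parsing lsmod output, and a failed unload is reported instead
  # of being silently discarded (the original sent rmmod's errors to
  # /dev/null, leaving iptables to fail later with no explanation).
  if [ -r /proc/modules ] && grep -q '^ipchains ' /proc/modules; then
    if ! rmmod ipchains > /dev/null 2>&1; then
      echo -e "\t warning: ipchains module is loaded and could not be removed"
    fi
  fi
}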

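wait()
{
  # Progress bar: prints "||", then one "#" per one-second tick, then a
  # newline.  Ten ticks by default; an optional numeric $1 overrides the
  # count (anything non-numeric falls back to 10).
  #
  # NOTE: this function shadows bash's builtin `wait`.  Any later
  # `wait $pid` in this script runs this progress bar instead of reaping
  # the job; use `builtin wait` where job control is actually wanted.
  #
  # The awk calls in the published version had lost their quoting ('''' around
  # the program) and were syntax errors; awk only ever printed literal text,
  # so printf does the job without a fork.
  local ticks=${1:-10}
  local i
  case "$ticks" in ''|*[!0-9]*) ticks=10 ;; esac
  printf '||'
  for ((i = 0; i < ticks; i++)); do
    sleep 1
    printf '#'
  done
  printf '\n'
}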

iptables()
{
  # Wrapper so every `iptables` call in this script resolves to the system
  # binary at a fixed absolute path (no PATH lookup), with all arguments
  # forwarded unchanged.  Note that it shadows the command name for the
  # rest of the script.
  local iptables_bin=/sbin/iptables
  "$iptables_bin" "$@"
}

mp()
{
  # Short alias for modprobe, pinned to /sbin/modprobe so the lookup does
  # not depend on PATH; all arguments pass through untouched.
  local modprobe_bin=/sbin/modprobe
  "$modprobe_bin" "$@"
}

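load_module()
{
  # Load the netfilter/iptables kernel modules this firewall relies on, via
  # the mp() wrapper.  Module availability is detected from the presence of
  # ip_tables in the running kernel's module tree.  The original only looked
  # for the 2.4-style ip_tables.o, so on any 2.6+ kernel (ip_tables.ko,
  # possibly compressed) it reported "no iptables modules found" and loaded
  # nothing.
  local moddir="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
  local found=0
  local f mod
  for f in "$moddir"/ip_tables.o "$moddir"/ip_tables.ko "$moddir"/ip_tables.ko.*; do
    [ -e "$f" ] && found=1
  done

  if [ "$found" -eq 1 ]
  then
    echo -e "\n\tLoading iptables modules please wait...."
    # ipt_MASQUERADE was misspelled "ipt_MASQURADE" in the original, so the
    # masquerading target never loaded and modprobe's complaint scrolled by
    # unnoticed.  A module that fails to load is now reported by name.
    # NOTE(review): ipt_conntrack_ftp / ipt_conntrack_irc are kept as the
    # author wrote them; the 2.4 connection-tracking helpers are normally
    # called ip_conntrack_ftp / ip_conntrack_irc -- confirm against $moddir.
    for mod in ip_tables ipt_LOG ipt_owner ipt_MASQUERADE ipt_REJECT \
               ipt_conntrack_ftp ipt_conntrack_irc iptable_filter \
               iptable_nat iptable_mangle ip_conntrack ipt_limit ipt_state \
               ipt_unclean ipt_TCPMSS ipt_TOS ipt_TTL ipt_quota ipt_iplimit \
               ipt_pkttype ipt_ipv4options ipt_MARK
    do
      mp "$mod" || echo -e "\t  warning: could not load module $mod"
    done
    echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  else
    echo -e "\tSorry,no iptables modules found !!"
  fi
}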

ip_stack_adjust()
{
if [ -e /proc/sys/net/ipv4/ip_forward ]

then
echo -e "enable ip_forward.please wait...."
echo 0 >/proc/sys/net/ipv4/ip_forward
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ip_default_ttl ]

then
echo -e "changing default ttl...."
echo 88 >/proc/sys/net/ipv4/ip_default_ttl
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
echo -e "\n\t disable dynamic ip support...."
echo 0 > /proc/sys/net/ipv4/ip_dynaddr
echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"

if [ -e /proc/sys/net/ipv4/ip_no_pmtu_disc ]

then
echo -e "disable path mtu discovery.please wait...."
echo 0 >/proc/sys/net/ipv4/ip_no_pmtu_disc
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/ipfrag_high_thresh ]

then
echo -e "changing ipfrag_high_thresh.please wait...."
echo 5800 >/proc/sys/net/ipv4/ipfrag_high_thresh
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_low_thresh ]

then
echo -e "changing ipfrag_low_thresh.please wait...."
echo 2048 >/proc/sys/net/ipv4/ipfrag_low_thresh
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_time ]

then
echo -e "changing ipfrag_low_thresh.please wait...."
echo 20 >/proc/sys/net/ipv4/ipfrag_time
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/ipfrag_secret_interval ]

then
echo -e "changing ipfrag_secret_interval.please wait...."
echo 600 >/proc/sys/net/ipv4/ipfrag_secret_interval
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]

then
echo -e "changing tcp_syn_retries.please wait...."
echo 4 >/proc/sys/net/ipv4/tcp_syn_retries
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]

then
echo -e "changing tcp_synack_retries.please wait...."
echo 4 >/proc/sys/net/ipv4/tcp_synack_retries
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]

then
echo -e "changing tcp_keepalive_time.please wait...."
echo 300 >/proc/sys/net/ipv4/tcp_keepalive_time
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_probes ]

then
echo -e "changing tcp_keepalive_probes.please wait...."
echo 4 >/proc/sys/net/ipv4/tcp_keepalive_probes
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_intvl ]

then
echo -e "changing tcp_keepalive_intvl.please wait...."
echo 60 >/proc/sys/net/ipv4/tcp_keepalive_intvl
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_retries1 ]

then
echo -e "changing tcp_retriest.please wait...."
echo 3 >/proc/sys/net/ipv4/tcp_retries1
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_retries2 ]

then
echo -e "changing tcp_retriest.please wait...."
echo 15 >/proc/sys/net/ipv4/tcp_retries2
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_orphan_retries ]

then
echo -e "disable tcp_orphan_retriest.please wait...."
echo 0 >/proc/sys/net/ipv4/tcp_orphan_retries
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_max_tw_buckets ]

then
echo -e "changing tcp_max_tw_bucketst.please wait...."
echo 4000 >/proc/sys/net/ipv4/tcp_max_tw_buckets
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_tw_recycle ]

then
echo -e "changing tcp_recycle.please wait...."
echo 1 >/proc/sys/net/ipv4/tcp_tw_recycle
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_tw_reuse ]

then
echo -e "changing tcp_tw_reuse.please wait...."
echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_max_orphans ]

then
echo -e "changing tcp_max_orphans.please wait...."
echo 2000 >/proc/sys/net/ipv4/tcp_max_orphans
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]

then
echo -e "changing tcp_max_syn_backlog.please wait...."
echo 8000 >/proc/sys/net/ipv4/tcp_max_syn_backlog
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]

then
echo -e "enable tcp_window_scaling.please wait...."
echo 1 >/proc/sys/net/ipv4/tcp_window_scaling
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]

then
echo -e "disable tcp_timestamps.please wait...."
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

for x in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > ${x}
done

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
echo -e "\n\tEnable the syncookies flood protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]
then
echo -e "\n\tSetting the maximum number of connections to track.... "
echo "80000" > /proc/sys/net/ipv4/ip_conntrack_max
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi

if [ -e /proc/sys/net/ipv4/ip_local_port_range ]
then
echo -e " \n\tSetting local port range for TCP/UDP connection...."
echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
echo -e "\t\t\t\t \033[3;0

