32m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo -e "\n\tEnable bad error message protection......."
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo -e "\n\tDisabling tcp_ecn,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_ecn
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_reordering ]
then
echo -e "\n\tchangling tcp_reordering,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_reordering
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_wmem ]
then
echo -e "\n\tchanging tcp_wmem,please wait..."
echo "4096 16384 131072" >/proc/sys/net/ipv4/tcp_wmem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_rmem ]
then
echo -e "\n\tchanging tcp_rmem,please wait..."
echo "4096 87380 174760" >/proc/sys/net/ipv4/tcp_rmem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_mem ]
then
echo -e "\n\tchanging tcp_mem,please wait..."
echo "97280 97792 98304" >/proc/sys/net/ipv4/tcp_mem
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_adv_win_scale ]
then
echo -e "\n\tchanging tcp_adv_win_scale,please wait..."
echo 2 >/proc/sys/net/ipv4/tcp_adv_win_scale
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_rfc1337 ]
then
echo -e "\n\tchanging tcp_rfc1337,please wait..."
echo 0 >/proc/sys/net/ipv4/tcp_rfc1337
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
echo -e "\n\tDisabing ICMP redirects,please wait...."
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]
then
echo -e "\n\tDisabling source routing of packets,please wait...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $i
done
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]
then
echo -e "\n\tIgnore any broadcast icmp echo requests......"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_destunreach_rate ]
then
echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.."
echo 5 > /proc/sys/net/ipv4/icmp_destunreach_rate
echo 5 > /proc/sys/net/ipv4/icmp_echoreply_rate
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/bootp_relay ]
then
echo -e "\n\tDisable the bootp_relay......"
echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
#
if [ -e /proc/sys/net/ipv4/tcp_timestamps ]
then
echo -e "\n\tDisable the tcp_timestamps......"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]
then
echo -e "\n\tSetting up tcp_fin_timeout...."
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]
then
echo -e "\n\tDisabling tcp_window_scaling...."
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_sack ]
then
echo -e "\n\tDisabling tcp_sack...."
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/tcp_abort_on_overflowe ]
then
echo -e "\n\t Enabling tcp_abort_on_overflow"
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]
then
echo -e "\n\t Enabling icmp_ignore_bogus_error_responses"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/forwarding ]
then
echo -e "\n\t disabling forwarding"
echo 1 > /proc/sys/net/ipv4/forwarding
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/mc_forwarding ]
then
echo -e "\n\t disabling mc_forwarding"
echo 1 > /proc/sys/net/ipv4/mc_forwarding
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/config/all/log_martians ]
then
echo -e "\n\tnot LOG packets with impossible addresses to kernel log...."
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
for x in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $x
done
if [ -e /proc/sys/net/ipv4/conf/all/proxy_arp ]
then
echo -e "\n\tdisable proxy_arp...."
echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]
then
echo -e "\n\tdisable send_redirects...."
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]
then
echo -e "\n\tenable secure_redirects...."
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
}
unload_module()
{
for MODULE in ipt_TTL iptable_mangle ipt_mark ipt_MARK ipt_MASQUERADE ip_nat_irc ip_nat_ftp ipt_LOG \
ipt_limit ipt_REJECT ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat iptable_filter ip_tables; do
if (( `lsmod | grep -c "$MODULE"` )); then
rmmod $MODULE > /dev/null 2>&1
fi
done
}
load_config()
{
FW_LOCATE=/etc/firewall
if [ ! -e "$FW_LOCATE" ]
then
mkdir $FW_LOCATE
fi
if [ ! -f /etc/firewall/firewall.conf ]
then
echo "can not find firewall.conf,creating one with default setting..."
echo -e " UPLINK=eth1 \n UPIP=211.137.58.48 \n INTERFACES=lo eth0 \n LOAD_MODULES=no \n LOG_ILLEGAL_FLAGS=yes \n DENYIP=10.0.0.1 10.0.0.255 \n DENYUDPPORT=7 9 19 107 137 138 139 161 199 369 \n TCP_PORT_LOG=135 137 138 139 445 500 1433 3306 515 513 \n OPEN_TCP= 21 22 \n OPEN_UDP= \n LAN_IF=eth0 \n MALFORMED_PACKET_LOG=no \n MANAGE_IP=61.129.112.46 \n DISABLE_ALL_LOG=no \n " > /etc/firewall/firewall.conf
fi
echo -e "\t\t\t Loading the firewall configuration.......\n"
UPLINK=`grep "UPLINK" /etc/firewall/firewall.conf | cut -d = -f 2 `
UPIP=`grep "UPIP" /etc/firewall/firewall.conf | cut -d = -f 2`
INTERFACES=`grep "INTERFACES" /etc/firewall/firewall.conf | cut -d = -f 2`
LOAD_MODULES=`grep "LOAD_MODULES" /etc/firewall/firewall.conf | cut -d = -f 2`
LOG_ILLEGAL_FLAGS=`grep "LOG_ILLEGAL_FLAGS" /etc/firewall/firewall.conf | cut -d = -f 2`
OPEN_TCP=`grep "OPEN_TCP" /etc/firewall/firewall.conf | cut -d = -f 2`
OPEN_UDP=`grep "OPEN_UDP" /etc/firewall/firewall.conf | cut -d = -f 2`
TCP_PORT_LOG=`grep "TCP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2`
DENYIP=`grep "DENYIP" /etc/firewall/firewall.conf | cut -d = -f 2`
UDP_PORT_LOG=`grep "UDP_PORT_LOG" /etc/firewall/firewall.conf | cut -d = -f 2`
MALFORMED_PACKET_LOG=` grep "MALFORED_PACKET_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 `
MANAGE_IP=` grep "MANAGE_IP" /etc/firewall/firewall.conf | cut -d = -f 2 `
DISABLE_ALL_LOG=` grep "DISABLE_ALL_LOG" /etc/firewall/firewall.conf | cut -d = -f 2 `
if [ "$DISABLE_ALL_LOG" == "yes" ]; then
MALFORMED_PACKET_LOG=no
UDP_PORT_LOG=
TCP_PORT_LOG=
LOG_ILLEGAL_FLAGS=no
fi
}
check_root
check_enviroment
# if [ "$NAT" == "DHCP" ]; then
# if [ -z "$UPIP" ]; then
# echo " [ WAIT ]"
# echo -n "-> $UPLINK has no IP address. Waiting for DHCP"
# for COUNT in 1 2 3 4 5 6 7 8 9 10; do
# sleep 1
# echo -n "*#"
# UPIP=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1`
# if [ -n "$UPIP" ]; then
# echo " [ FOUND ]"
# break
# else
# if [ "$COUNT" == "10" ]; then
# echo " [ MISSING ]"
# echo "-> WARNING: IP address for $UPLINK not found. "
# fi
# fi
# done
# fi
#fi
if [ "$1" = "start" ]
then
echo "Starting firewall......"
ip_stack_adjust
load_config
echo -e "Now prepareing the kernel to use for a firewall ,please wait....."
#if [ "$NAT" = " dynamic " ]
# then
# echo -e "\n\tEnable dynamic ip support...."
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"
# fi
#echo 0 > /proc/sys/net/ipv4/conf/all/bootp_relay
#depmod -a
#define the load modules function
if [ "$LOAD_MODULES" = "yes" ]
then
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]
then
echo -e "\n\tLoading iptables modules please wait...."
mp ip_tables
mp ipt_LOG
mp ipt_owner
上一页 [1] [2] [3] [4] [5] 下一页 |
