ation-needed -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -p icmp -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\t The OUTPUT rules has been successful applied,conniture..."
#echo -e "\t Now applying nat rules ,please wait ...."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
#if [ " $ROUTER " = " yes " ]
# then
# echo -e "\t enabing ip_forward,please wait..."
# echo 1 >/proc/sys/net/ipv4/ip_forward
# echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
# if [ " $NAT " = " dynamic " ]
# then
# echo -e "\tEnableing MASQUERADING (dynamic ip )..."
# echo -e "\tDynamic PPP connection,Now getting the dynamic ip address"
# IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
# echo -e "\t Now you IP ADDRESS is : ${IP_ADDR} "
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
# iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
# iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} -p tcp --dport 80 -j DNAT --to ${WEB_IP}:80
# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 22 -j DNAT --to ${ADMIN_IP}:22
# echo -e "\t OK,NAT setting start succecc.."
# elif [ " $NAT " != " " ]
# then
# echo -e "\tEnableing SNAT (static ip)..."
# iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
# iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
# iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
# iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 88 -j DNAT --to ${ADMIN_IP}:22
# echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
# fi
#fi
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\tAll rules has been successful applied,enjoy it...."
elif [ "$1" = "stop" ] || [ "$1" = "flush" ] || [ "$1" = "clear" ]
then
echo -e "\tStoping Firewall...."
iptables -t filter -F > /dev/null 2>&1
iptables -t filter -X > /dev/null 2>&1
iptables -t nat -F > /dev/null 2>&1
iptables -t nat -X > /dev/null 2>&1
iptables -t mangle -F > /dev/null 2>&1
iptables -t mangle -X > /dev/null 2>&1
iptables -t filter -P INPUT ACCEPT > /dev/null 2>&1
iptables -t filter -P OUTPUT ACCEPT > /dev/null 2>&1
iptables -t filter -P FORWARD ACCEPT > /dev/null 2>&1
iptables -F tcpHandler > /dev/null 2>&1
iptables -F udpHandler > /dev/null 2>&1
iptables -F icmpHandler > /dev/null 2>&1
iptables -F CHECK_FLAGS > /dev/null 2>&1
iptables -F DROP-AND-LOG > /dev/null 2>&1
iptables -F syn-flood > /dev/null 2>&1
iptables -X tcpHandler > /dev/null 2>&1
iptables -X udpHandler > /dev/null 2>&1
iptables -X icmpHandler > /dev/null 2>&1
iptables -X CHECK_FLAGS > /dev/null 2>&1
iptables -X DROP-AND-LOG > /dev/null 2>&1
iptables -X syn-flood > /dev/null 2>&1
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\t\tThe firewall has successful shuted down,be careful !"
fi
最后进行编辑的是 arlenecc on 2004-09-24 16:09, 总计第 2 次编辑
# RainLow firewall server version-- 09/05/2004
# This software may be used and distributed according to
#the terms of the GNU General Public License (GPL) provided
#credit is given to the original author.
# Copyright (c) 2004 rainlow
# All rights reserved
############################################################
#echo -e "\n\t\t\t Welcome to \033[3;031m RainLow Tech. \033[0m\n\n"
#echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"
# means the interface you connected to internet,if you use ADSL you should set
# it to ppp0
UPLINK=eth0
# means if you use fixed IP address you can set here
UPIP=221.137.58.48
# means the interface you have
INTERFACES=lo eth0
#means if you want to load all modules needed for this program
LOAD_MODULES=no
#means if you want to log the illegal tcp flags(most of these flags is used for a scanner)
LOG_ILLEGAL_FLAGS=yes
# means the IP address you want to log and DENY
DENYIP=10.0.0.1 10.0.0.255
# means the UDP port you want to log and drop the connections
UDP_PORT_LOG=7 9 19 107 137 138 139 161 199 162 369
#means the tcp port you want to log and drop the connections
TCP_PORT_LOG=135 136 137 138 139 445 500 1433 3306 515 513
#means tcp ports you want to open on this server
OPEN_TCP=25 110 22 21
#means udp ports you want to open,please only use this if you are provide services on firewall,dangerous
OPEN_UDP=
#means if you will log malformed packets
MALFORMED_PACKET_LOG=no
#means the ip address you want to manage the firewall remotely
MANAGE_IP=61.129.112.46
#means if you want to disable all log function(to save disk and other resource)
DISABLE_ALL_LOG=no
上一页 [1] [2] [3] [4] [5] |
