很久没来了。其实这也不是什么新东西，2001 年底就写了很多了；这次主要是改正了以前版本里的逻辑错误，整理了一下，并把原来的 WAN+LAN+DMZ 版本改成了运行在单独一台 Linux 服务器上的版本。使用 Linux 服务器的兄弟们有福了，可以节省不少脑细胞，呵呵。有问题请邮件联系 arlenecc@rainlow.com。
#!/bin/bash
# RainLow firewall, single-server edition: start-up banner.
# printf '%b\n' interprets the same \t / \033 / \n escapes that echo -e did,
# so the bytes written to the terminal are unchanged.
printf '%b\n' " \t\t \033[1;31m RainLow firewall \033[m server version 1.0rc1 -- 09/24/2004 \n"
printf '%b\n' "############################################################"
printf '%b\n' " This software may be used and distributed according to "
printf '%b\n' "the terms of the GNU General Public License (GPL) provided"
printf '%b\n' "credit is given to the original author. "
printf '%b\n' "\t\t\t \033[1;31m Copyright (c) 2004 rainlow \033[m \n"
printf '%b\n' "\t\t\t\t All rights reserved \n\n\n"
printf '%b\n' "############################################################"
# now begins the firewall
printf '%b\n' "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"
printf '%b\n' " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"
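# Fixed, trusted PATH: every tool below (iptables, modprobe, rmmod, uname)
# is resolved through it, so do not inherit whatever the caller had set.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
# Red Hat style init helpers. Source them only when present so the script
# still starts on distributions without /etc/init.d/functions; nothing in
# the visible part of this file depends on what they define.
if [ -r /etc/init.d/functions ]; then
  . /etc/init.d/functions
fi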
# Print the red failure banner for the message in $FAILURE and abort the
# whole script with status 1.
# Globals: FAILURE (read) - set by the caller just before invoking this.
exit_failure() {
  local red='\033[3;031m' reset='\033[0m'
  printf '%b' " \t ${red} [ FAILED ] ${reset} \n"
  printf '%b' " ${red} -> FATAL: ${FAILURE} ${reset} \n"
  printf '%b' " ${red} -> ** ABORTED **.${reset} \n"
  exit 1
}
# Abort unless the script runs as root (UID 0): iptables, rmmod and the
# writes to /proc/sys further down all need it.
# Globals: UID (read, provided by bash); FAILURE (written before aborting).
check_root() {
  local root_uid=0
  echo "Checking if you are root...."
  if [ "$UID" != "$root_uid" ]; then
    echo -e " Sorry,you are not root and not permitted to do this option...\n"
    echo -e "\a"
    FAILURE="you can not run this command ,you must be root to do this"
    exit_failure
  else
    echo -e "\n\t OK ! continue....\n"
    echo -e "\a"
  fi
}
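# Verify the host can run this firewall: Linux, kernel 2.4 or newer, an
# iptables binary, and the legacy ipchains module not resident (it cannot
# coexist with iptables). Hard failures set FAILURE and call exit_failure.
# Globals written: OS, KERNELMAJ, KERNELMIN.
check_enviroment() {
  local major minor rest

  echo -e "\t\t \033[1;31m Now Checking software envrioment \033[m \n"

  OS=$(uname -s)
  if [ "$OS" != "Linux" ]; then
    FAILURE="Sorry this version can only work under linux "
    exit_failure
  else
    echo -en "\t\t \033[1;32m PASS \033[m \n"
  fi

  # Split e.g. "2.4.20-8" into major=2 minor=4 and drop any non-digit tail.
  # The sed expressions used before had their quoting mangled and produced
  # an empty KERNELMAJ, so the numeric tests below errored out instead of
  # deciding. An unparsable release string now reads as 0 and is rejected.
  IFS=. read -r major minor rest <<<"$(uname -r)"
  major=${major%%[!0-9]*}
  minor=${minor%%[!0-9]*}
  KERNELMAJ=${major:-0}
  KERNELMIN=${minor:-0}

  if [ "$KERNELMAJ" -lt 2 ]; then
    FAILURE="Sorry you kernel is too old,please upgrade it first!"
    exit_failure
  fi
  if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 4 ]; then
    FAILURE="only kernel greater than 2.4 is supported"
    exit_failure
  fi

  # The old test grepped bash's error output for "Command not found" (bash
  # prints it lowercase) and went through this script's own iptables()
  # wrapper, so it could never fire. Look the binary up directly; PATH is
  # set above to include /sbin and /usr/sbin.
  if ! type -P iptables >/dev/null 2>&1 && [ ! -x /sbin/iptables ]; then
    FAILURE="can not find iptables command you must install iptables first"
    exit_failure
  fi

  # Unload ipchains if it is loaded. rmmod needs root, which check_root is
  # expected to have verified before this runs; failure is deliberately
  # ignored, as before.
  if type -P modprobe >/dev/null 2>&1 && [ -e /proc/modules ]; then
    if grep -q '^ipchains ' /proc/modules; then
      rmmod ipchains >/dev/null 2>&1
    fi
  fi
}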
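# Print a textual progress bar: "||" then one '#' per tick, one second each,
# then a newline. The awk pipes used before had mangled quoting.
# NOTE: this shadows bash's builtin `wait`; any later `wait` for a background
# job in this script runs this progress bar instead. Renaming it is the real
# fix, but callers elsewhere in the file may rely on the name.
#   $1 - number of ticks (default 10, matching the previous fixed loop)
wait() {
  local ticks=${1:-10} i
  printf '||'
  for ((i = 1; i <= ticks; i++)); do
    sleep 1
    printf '#'
  done
  printf '\n'
}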
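# Run the real iptables binary with the caller's arguments.
# Prefers the historical /sbin path this script was written for and falls
# back to a PATH lookup (`command` skips this function's own name) for
# systems that only ship /usr/sbin/iptables.
iptables() {
  if [ -x /sbin/iptables ]; then
    /sbin/iptables "$@"
  else
    command iptables "$@"
  fi
}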
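# Short alias for modprobe used by load_module.
# Uses /sbin/modprobe when present, otherwise whatever modprobe PATH resolves
# to, so merged-/usr systems keep working.
mp() {
  if [ -x /sbin/modprobe ]; then
    /sbin/modprobe "$@"
  else
    command modprobe "$@"
  fi
}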
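# Load the netfilter modules the rule set relies on, via mp().
# Looks for ip_tables.* in the running kernel's module tree: 2.4 kernels
# ship ip_tables.o, 2.6+ ship ip_tables.ko (possibly compressed). The old
# check only accepted .o, so on 2.6+ nothing was ever loaded. Kernels with
# netfilter built in have no such file and just get the notice.
load_module() {
  local kver moddir m
  kver=$(uname -r)
  moddir=/lib/modules/$kver/kernel/net/ipv4/netfilter

  if ! compgen -G "$moddir/ip_tables.*" >/dev/null; then
    echo -e "\tSorry,no iptables modules found !!"
    return
  fi

  # ipt_MASQUERADE was misspelt "ipt_MASQURADE", so the MASQUERADE target
  # never loaded. The ftp/irc connection-tracking helpers are named
  # ip_conntrack_ftp / ip_conntrack_irc in the 2.4 tree, not ipt_conntrack_*.
  local modules=(
    ip_tables ipt_LOG ipt_owner ipt_MASQUERADE ipt_REJECT
    ip_conntrack_ftp ip_conntrack_irc
    iptable_filter iptable_nat iptable_mangle ip_conntrack
    ipt_limit ipt_state ipt_unclean ipt_TCPMSS ipt_TOS ipt_TTL
    ipt_quota ipt_iplimit ipt_pkttype ipt_ipv4options ipt_MARK
  )
  echo -e "\n\tLoading iptables modules please wait...."
  for m in "${modules[@]}"; do
    # Patch-only modules (ipt_unclean, ipt_iplimit, ...) may be absent on a
    # given kernel; warn and continue rather than abort the whole load.
    mp "$m" || echo -e "\t\tcould not load module $m" >&2
  done
  echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
}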
ip_stack_adjust() { if [ -e /proc/sys/net/ipv4/ip_forward ]
then echo -e "enable ip_forward.please wait...." echo 0 >/proc/sys/net/ipv4/ip_forward echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/ip_default_ttl ]
then echo -e "changing default ttl...." echo 88 >/proc/sys/net/ipv4/ip_default_ttl echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi echo -e "\n\t disable dynamic ip support...." echo 0 > /proc/sys/net/ipv4/ip_dynaddr echo -e "\t\t\t\t\033[3;032m [ OK ] \033[0m\n"
if [ -e /proc/sys/net/ipv4/ip_no_pmtu_disc ]
then echo -e "disable path mtu discovery.please wait...." echo 0 >/proc/sys/net/ipv4/ip_no_pmtu_disc echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/ipfrag_high_thresh ]
then echo -e "changing ipfrag_high_thresh.please wait...." echo 5800 >/proc/sys/net/ipv4/ipfrag_high_thresh echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/ipfrag_low_thresh ]
then echo -e "changing ipfrag_low_thresh.please wait...." echo 2048 >/proc/sys/net/ipv4/ipfrag_low_thresh echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/ipfrag_time ]
then echo -e "changing ipfrag_low_thresh.please wait...." echo 20 >/proc/sys/net/ipv4/ipfrag_time echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/ipfrag_secret_interval ]
then echo -e "changing ipfrag_secret_interval.please wait...." echo 600 >/proc/sys/net/ipv4/ipfrag_secret_interval echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_syn_retries ]
then echo -e "changing tcp_syn_retries.please wait...." echo 4 >/proc/sys/net/ipv4/tcp_syn_retries echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_synack_retries ]
then echo -e "changing tcp_synack_retries.please wait...." echo 4 >/proc/sys/net/ipv4/tcp_synack_retries echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]
then echo -e "changing tcp_keepalive_time.please wait...." echo 300 >/proc/sys/net/ipv4/tcp_keepalive_time echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_keepalive_probes ]
then echo -e "changing tcp_keepalive_probes.please wait...." echo 4 >/proc/sys/net/ipv4/tcp_keepalive_probes echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_keepalive_intvl ]
then echo -e "changing tcp_keepalive_intvl.please wait...." echo 60 >/proc/sys/net/ipv4/tcp_keepalive_intvl echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_retries1 ]
then echo -e "changing tcp_retriest.please wait...." echo 3 >/proc/sys/net/ipv4/tcp_retries1 echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_retries2 ]
then echo -e "changing tcp_retriest.please wait...." echo 15 >/proc/sys/net/ipv4/tcp_retries2 echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_orphan_retries ]
then echo -e "disable tcp_orphan_retriest.please wait...." echo 0 >/proc/sys/net/ipv4/tcp_orphan_retries echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_max_tw_buckets ]
then echo -e "changing tcp_max_tw_bucketst.please wait...." echo 4000 >/proc/sys/net/ipv4/tcp_max_tw_buckets echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_tw_recycle ]
then echo -e "changing tcp_recycle.please wait...." echo 1 >/proc/sys/net/ipv4/tcp_tw_recycle echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_tw_reuse ]
then echo -e "changing tcp_tw_reuse.please wait...." echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_max_orphans ]
then echo -e "changing tcp_max_orphans.please wait...." echo 2000 >/proc/sys/net/ipv4/tcp_max_orphans echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_max_syn_backlog ]
then echo -e "changing tcp_max_syn_backlog.please wait...." echo 8000 >/proc/sys/net/ipv4/tcp_max_syn_backlog echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]
then echo -e "enable tcp_window_scaling.please wait...." echo 1 >/proc/sys/net/ipv4/tcp_window_scaling echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi if [ -e /proc/sys/net/ipv4/tcp_timestamps ]
then echo -e "disable tcp_timestamps.please wait...." echo 0 >/proc/sys/net/ipv4/tcp_timestamps echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
for x in /proc/sys/net/ipv4/conf/*/rp_filter do echo 1 > ${x} done
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] then echo -e "\n\tEnable the syncookies flood protection" echo 1 > /proc/sys/net/ipv4/tcp_syncookies echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ] then echo -e "\n\tSetting the maximum number of connections to track.... " echo "80000" > /proc/sys/net/ipv4/ip_conntrack_max echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n" fi
if [ -e /proc/sys/net/ipv4/ip_local_port_range ] then echo -e " \n\tSetting local port range for TCP/UDP connection...." echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range echo -e "\t\t\t\t \033[3;0