[问题求助]【讨论】利用linux构建防火墙问题 [复制链接]

[转帖].firewall scripts一例.

#!/bin/sh
# iptables., by Technion.
# $Id: iptables.,v 1.3.3 2002/11/20 23:22:16 technion Exp $电影
# chkconfi.g: 2345 08 80外贸
# descri.ption: Script fo.r setting IPTABLES rules.
# proces.sname: iptables.


# Is this script to be run on Red Hat Lin.ux?  If not,. set to "NO"    健康
REDHAT="YES"

# Network information y.ou wil.l need to adjust服务器
INT.ERNALIF="eth0"    美容
INTERN.ALNET=".192.168.0.0/16".
INT..ERNALBCAST="192.168.0.255".
EXTER.NALIF="ppp0"              乙肝
#MYADDR="1.2.3.4"        # Only needed for DNAT, leave out .otherwis.e             电子

# Pathnames
DMESG.="/bin/dmesg"--- 印刷
IPTABL.ES="`which iptable.s`"           建材
MODPROBE="/sbin/modp.robe"             电子


# .This is a batch of Red Hat Linux.-specific commands.
# that e.nable. a user to call the script with a start/stop/restart虚拟主机
# argument.
if [ X"$REDHA.T." = X"YES" ]; then(        游戏          )
        .. /etc/rc.d/init..d/functions--------------彩票
        case "$1." in投资
          .      stop)              乙肝
                        acti.on "S.hutting down firewall:" echo服务器
        .       .         $IPTABLES -F域名
                        $IPTA.BLES -P FORWARD DR.OP<性病>
        .               . exit 0          婚庆
               ..         ;;--- 印刷
              .  status)域名
                        .echo ."T.he status command is not supported for iptables".
                       . e.xit 0.
             .          . ;;    健康
      .          restar.t|reload)电影
                        $0 ..stop学习
                        exe.c $0. start    健康
    .  .                  ;;           女人
        .        start)             汽车
  .                  .    action "Starting Firewall:" echo(        游戏          )
      .                 . ;;电脑
         .       *).
  .                      echo "Usage: firewall (start|s.top|restart)".
       .                 exi.t 1             汽车
        esac
fi


################################################.#.###############          婚庆
#Insert m.odules- should be .done automatically if needed[成人用品]
dmesg -n. 1 #Kill copyright display on modul.e load.
/sbi.n/modprobe ip_tables教育
/.sbin/modp.robe iptable_filter          婚庆
/sbin/.modprobe ip_.conntrack--------------彩票
/sbin/modprobe ip_conn.tra.ck_ftp(广告)
#
#.# Flush everything, start from scr.atch虚拟主机
#
# Incoming packets from .the outside ne.twork.
$IPTA.BLES -F INPUT(        游戏          )
# Outgoing packets fro.m .the internal network学习
$IPTABLES -F OU.TPUT             电子
# Forwarding/mas.querading             电子
$.IPTABLES -F FORWARD.
#Nat table
$I.PTABLES -t nat -F教育
##Setup sysctl controls which af.fect .tcp/ip.

#
#Disabling IP Spoofing att.acks..    外汇
#Com.ment this line out when u.sing IPSEC             汽车
echo 2 >.;. /proc/sys/net/ipv4/conf/all/rp_filter虚拟主机

#Don.'t respond to broadcast p.ings健康
echo "1" >; /proc/sys/net/.ipv4/icmp_echo_ignore_broadcast.s.

#Defragment .all Packets--- 印刷
#Default now

#Enable forw.arding.
echo 1 >;/proc/sys/net/ipv4./.ip_forward外贸

#Block sourc.e routing           建材
echo 0 >;/proc/sys/net./i.pv4/conf/all/accept_source_route             汽车

#Kill timestamps.  These have be.en the subj.ect of a recent bugtraq thread(        游戏          )
echo 0 >; /proc/sys/net./ipv4/tcp._timestamps电脑

#E.nable SYN Cookies.
echo 1 >; /proc/sys/net/.ipv4/.tcp_syncookies健康

#Kill red.irects--- 印刷
echo 0 >;/proc/sys/net/ipv4/conf/.all/accept_red.irects    美容

#Enable .bad error mess.age protection电脑
echo 1 >; /proc/sys/n.et/ipv4/.icmp_ignore_bogus_error_responses[成人用品]

#Allow .dynamic ip addresse.s.
echo "1" >; /proc/sys/net/ipv4/ip._dy.naddr(广告)

#Log martians (packets with impossib.l.e addresses)          婚庆
#RiVaL said that certain. NICs don't like this.  Comment out .if necessary..
echo 1 >;/proc/sys/net/ipv4/conf/all/.log_martian.s.

#Set out loc.al port range            杀毒
echo "32768 61000" >;/proc./sys/net/ipv4/ip_local_p.ort_range    外汇

#Reduce DoS'ing ability by reducing timeo..uts.
ec.ho. 30 >; /proc/sys/net/ipv4/tcp_fin_timeout    健康
echo 1800 >; /proc./sys/net/ipv4/tcp_keepalive_t.ime健康
echo 1 >; ./proc/sys/net/ipv4/tcp_window_s.caling.
echo 0 >; /.proc/sys/n.et/ipv4/tcp_sack           女人
echo 1280 >; /proc/sys/net/ipv4/tcp_max_syn_backl.o.g    美容


##Set basic rule.s--------------彩票
#
#Not.e that un.like ipchains, rules passing through a FORWARD chain do NOT虚拟主机
#also have to pass through an INP.UT ch.ain.           鲜花

#Kill ANY stupid .packets., including虚拟主机
#-Packets that are too sh.ort to have a full ICMP/UDP/TCP .header(广告)
#- TCP and UDP packets with zero (i.llegal) .source and destination ports.
#-.Illeg.al combinations of TCP flags学习
#-Zero-length (illegal.) or over.-length TCP and IP options, 域名
#        or o.pt.ions after the END-OF-OPTIONS option(广告)
#-Fragmen.ts of illegal lengt.h or offset (e.g., Ping of Death).虚拟主机
#Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html             汽车

#This has been found to be a .little buggy.  Removed .for now..
$.IPTABLES -A INPUT -m unc.lean -j DROP    健康
$IP.TABLES -A FORWARD -m unclean -j DR.OP          婚庆

#Kill invalid packets (illegal combinations .of flags.).
$IPTABLES -..A INPUT -m state --state INVALID -j DROP             电子
$I.PTABLES -A FORWARD -m state --state INV.ALID -j DROP--------------彩票


# A.llow all connections on the inter.nal interface电脑
#

$IPTABLES -A INPUT -i .lo -j ACCE.PT            杀毒

#Kil.l. connections to the local interface from the outside world.           鲜花
$IP.TABLES -A INPUT -d 127..0.0.0/8 -j REJECT[成人用品]


#Allow u.nlimited tra.ffic from internal network using legit addresses.
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNAL.NE.T -j ACCEPT电影
#
#Allow I.PV6 tunnel. traffic              乙肝
#$IPTABLE.S -A INPUT -p ipv6 -j ACCEP.T           建材

#.Al.low IPSEC tunnel traffic(广告)
#$IPTABLES -A INPUT. -p 50 .-j ACCEPT健康
#Allow all tr.affic from the ipsec device to the internal n.etwork外贸
#$IPTABLES -A FO.RWA.RD -i ipsec0 -o $INTERNALIF -j ACCEPT[成人用品]
#Allow key neg.otiation           鲜花
#$IPTAB.LES -A INPUT -p .udp --dport 500 -j ACCEPT.

#Ki.ll anything from outside claiming to be from internal n.etwork          婚庆
$IPTA.BLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJEC.T.

##ICMP
#p.ing don't f.orward pings going inside外贸
$IPTABLES -A FORWARD -p icmp --.ic.mp-type echo-request -o $INTERNALIF -j REJECT.虚拟主机
#.ping flood protection(        游戏          )
$I..PTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/.s -j ACCEPT.
$IPTABLES -A INPUT -.p .icmp --icmp-type echo-request -j DROP电脑
#Deny icmp .to broadcast addre.ss.
$IPTABLES -A I.NPUT -p icmp -d $INTERNALBC.AST -j DROP服务器

#Allow all other .icmp.
$.IPT.ABLES -A INPUT -p icmp -j ACCEPT           鲜花

##Al.low. established connections电脑
#Unlike i.pchains, we don't have. to go through the business of allowing学习
#a local por.t range- just allow all connections already est.ablished.虚拟主机

$IPTABLES -A INPUT -m state --state ESTA.BLISHED,RELATED -j ACCEP.T           鲜花

#.Note that .unlike ipchains, the following must be enabled even with masqu.erading<性病>
#Don't forward SMB rela.ted t.raffic.
$.IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 .-j REJECT .
$IPTABL.ES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j .REJECT             杀毒
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -.j REJE.CT               乙肝
$IPTABLES -A F.ORWARD -o. $EXTERNALIF -p udp --dport 137 -j REJECT .
$IPTABLES -A FORWARD -o $EXTERNALIF. -p udp --d.port 138 -j REJECT 电影
$IPTABLES. -A FORWARD -o .$EXTERNALIF -p udp --dport 139 -j REJECT     外汇

$IPTABLES -A INPUT -i $E.XT.ERNALIF -p udp --dport 137 -j REJECT虚拟主机

#Samba Share
#$IPTABLES -A INPUT -p tcp --dport 1.37 -j ACCE.PT.
#$IPTABLES. -A INPUT -p udp --dpor.t 137 -j ACCEPT电影
#$I.PTABLES -A INPUT -p tcp --dpor.t 138 -j ACCEPT--------------彩票
#$IPTABLES -A INPUT -p udp -.-dport 13.8 -j ACCEPT.
#$IPTABLES. -A INPUT -p tcp --dport 1.39 -j ACCEPT--------------彩票
#$IPTA.BLES -A INPUT -p udp --dp.ort 139 -j ACCEPT--- 印刷
#
#Allow ALL. .other forwarding going out健康
$.IPTABLE.S -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT    外汇

#Allow replies coming i.n.

$IPTABLES -A FORWARD -i $EX.TERNALIF -m state. --state ESTABLISHED,RELATED. -j ACCEPT


#Whack allo.wances--- 印刷
#A.llow DHCP- Optus. users need this教育
#$IPTABLES -A INPUT -p udp. -d 255.255.255.255 --dport 68. -j ACCEPT.

#Allow yo.urself to be a DHCP server for .your inside network虚拟主机
#Necessary because the default rule allowing valid. addresses ignor.es. broadcast.
#$IPTABL.ES -.A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT<性病>
#.$IPTABLES -A INPUT -i $INTERNALIF. -p udp --sport 68 --dport 67 -j ACCEPT           女人

#Allow nam.eserver packets.  Different ve.rs.ions of iptables seem to error here.投资
#Co.mment ou.t if necessary.服务器

cat /etc./resolv.conf | \             电子
awk '/^namese.rve.r/ {print $2}' | \.
xargs. -n1 $IPTABLES -A INPUT -p udp --sport 53 -j .ACCEPT -s.

#Allow Telstra hearbeat.    健康
#Thi.s se.ction is propz to Defed学习
#$IPTAB.LES -A INPUT -p udp -.-sport 5050 -j ACCEPT.
#.$IPTABLES -A INPUT -p udp --sport 5051 .-j ACCEPT    外汇

#From here on,. we're dealing with connect.ion attempts.--- 印刷
#The -m limit is .a. DoS protection on connects             电子
#First we allow a certain amount. of connection.s per second投资
#DROP t.he rest (so we don't DoS ours.elf with rejections)学习
#We don't limit nor.mal packets (!syn) by allowing the. rest域名
##Basic services..  Un.comment to allow in.          婚庆
# ftp-data
#$I.PTABLES -A INPUT -.p tcp  --dport 20 -j ACCEPT--- 印刷
# ftp
#$IPTABLES -A INPUT -p t.cp  --dport 21 -j ACC.EPT外贸
# ssh
#$I.PTABLES -A INPUT -p tcp --dport 22 -j ACCE.PT.
#telnet
#$IPTABLES -A INPUT -.p tcp --dpor.t 23 -j ACCEPT<性病>

# smtp.  One per second limt -burst rate. of ten学习
#$IPTABLES -A INPUT -p. tcp --dport 25 --syn -m l.imit --limit 1/s \电影
#        --limit-bur.st 1.0 -j ACCEPT 投资
#$IPTABLES -A INP.UT -p tcp --dport 25. --syn -j DROP 电影
#$IPTABLES -A .INPUT -p tcp --dport 25 -j ACC.EPT

# DNS  
#$IPTABLES -.A INPUT -p tcp. --dport 53 -j ACCEPT    美容
#$IPTABLES -A INPUT -p u.dp --dport .53 -j ACCEPT.
# http
$IPTABLES -A INPU.T -p tcp --dport 80 -j ACCE.PT投资
# POP-3
#$IPTABLES -A INPUT .-p tcp --dport 110 -j A.CCEPT            杀毒
# identd
#$IPTABLES -A INPU.T -p tcp --dport. 113 -j ACCEPT.
# https
#$IPTABLES -A INPUT -p tcp --dpo.rt .443 -j ACCEPT          婚庆
#VNC Server
#$IPTABLES -A INPUT -p tcp --dpo.rt 5801 -j ACCE.PT(        游戏          )
#$IPTABLES .-A I.NPUT -p tcp --dport 5901 -j ACCEPT           建材
#$IPTABLES -A INPUT -.p tcp --dport 6001 -j ACCEPT.

#
##DNAT
#Modify addresses and uncomment to allow DNAT (por.t. forwarding)             电子

#.Send web requests to an .internal machine    美容
#Send mail to an intern.al .machine--- 印刷
#$IPTABLES -.A PRER.OUTING -t nat -i $EXTERNALIF -p tcp -d $MYA.DDR --dport 80 \    外汇
#             .       .  -j DNAT --to 192.168.0.10:80              乙肝
#$.IPTAB..LES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.0.10 --dport 80 -j ACCEPT.

#$I.PTABLES -A PREROUTIN.G -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dpo.rt 25 \.
#                      -..j DNAT --to 192.168.0.10:25    健康
#$IPTABLES -A FORWARD -i $EXTE.RNALIF -p tcp -.d 192.168.0.10 --dport 25 -j ACCE.PT电影


##Some ports should be denie.d. and logged..
$IPTABLES -A INPU.T -p tcp .--dport 1433 -m limit -j LOG \服务器
             .             --log-prefix "Firewalled packet.: MSSQL " .

$IPT.ABLES -A INPUT -p tcp --dport 1433 -j .DROP.
$IPTABLES -A INPUT -p tcp --dport 667.0 -m. limit -j LOG \(广告)
                          --log-prefix "Firewalled packet: Dee.pthrt ." 电影
$IPTABLES. -A INPUT -p tcp --dp.ort 6670 -j DROP服务器
$IPTABLES -A INPUT -p tcp --dpor.t 671.1 -m limit -j LOG \[成人用品]
                          --log-prefix "Firew.alled packet.: Sub7 "              电子
$IPTABLES -A INPUT. -p tcp --dport 6.711 -j DROP虚拟主机
$.IPTABLES -A IN.PUT -p tcp --dport 6712 -m limit -j LOG \    外汇
                          --log-prefix ."Firewa.lled packet: Sub7 " --------------彩票
$IPTABLE.S -A I.NPUT -p tcp --dport 6712 -j DROP.
$IPTA.BLES -A INPUT -p tcp --dport 6713 .-m limit -j LOG \[成人用品]
                          --log-prefix "Firew.alled p.acket: Sub7 "            女人
$IPT.ABLES -A. INPUT -p tcp --dport 6713 -j DROP           鲜花

$IPTABLES -.A INPUT -p tcp --dport 12345 -m .limit -j LOG \电脑
                          --log-prefix .".Firewalled packet: Netbus " .
$IPTABLES. -A INPUT -p tcp --dport 12345 -j D.ROP(广告)
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit ..-j LOG \.
                          --log-prefix "Firew.alled packet.: Netbus " 域名
$.IPTABLES -A INPU.T -p tcp --dport 12346 -j DROP.
$IPTABLES -A INPUT -p tcp --d.port 20034 -m limit -.j LOG \虚拟主机
                          --log-p.refix "Firewalled. packet: Netbus " .
$IPTABLES -A INPUT -p .tcp --dport 20034 -j D.ROP外贸
$IPTABLES -A INPUT -p tcp --dport .31337 -m .limit -j LOG \
                          --lo.g-prefix "Firewalled pack.et: BO " [成人用品]
$IPTABL.ES -A INPUT -p tcp --dpo.rt 31337 -j DROP           女人
$IPTABL.ES -A INPUT -p tcp .--dport 6000  -m limit -j LOG \.
.                    .     --log-prefix "Firewalled packet: XWin ".
$IPTABLES -A INPUT -p tcp --dport 6000.  -j DROP.投资


#Traceroutes depend on .finding a rejected port.  DROP the ones it. uses(广告)

$IPTABLE.S -A INPUT -.p udp --dport 33434:33523 -j DROP.

#Don't log ide.nt because it gets hi.t all the time eg connecti.ng to an irc server    美容
$IPTAB.LES -A INPUT -p tcp .--dport 113 -j REJECT电脑

#Don't log ig.mp.  Some people get to.o many of these投资
$IPTA..BLES -A INPUT -p igmp -j REJECT.

#Don't log web or ssl because people surfing for long .times lose connec.tion           建材
#tracking and cause the system to create a new one, f.lood.ing logs..
$IPTABLES -A .INPUT -p tcp --dport 80 -j. REJECT           女人
$.IPTABLES -A INPUT -p tcp --dport 443 -j REJEC.T(        游戏          )

##Catch. all rules..
#iptables reverts to these if it hasn't matched any of th.e pre.vious rules.投资
#Log.  There's no point logging noise.  There'.s too muc.h of it.服务器
#Just log. connection reque.sts.
$IPTAB.LES -A INPUT -p tcp --syn -m l.imit --limit 5/minute -j LOG  \.
  . .     --log-prefix "Firewalled packet:"(        游戏          )
$IPTA.BLES -A FORWAR.D -p tcp --syn -m limit --limit 5/minute -j LOG \虚拟主机
       . --log-prefix "Firewalled p.acket:"--------------彩票
#Reject
$IPTABLES -A INPUT -p tcp -j REJE.C.T --reject-with tcp-reset.
$IPTABLES -A I.NPUT -.p all -j DROP<性病>

$.IPTABLES -A FORWARD -p tcp -j R.EJECT --reject-with tcp-reset          婚庆
$IPTABL.ES -A FORWARD -p all -.j DROP  .

#Accept .it anyway if i.t's only output健康
$IPTAB.LES -A OUTP.UT -j ACCEPT投资

#Masquerade. internal connections. going out..
$IPTABLES -A .POSTROUTING -t nat -o $EXTERNALIF -j MASQU.ERADE          婚庆


exit 0

iptables 在功能上要高出ipchains一块，
例如在做网关时，
iptables可以通过限制网卡的MAC地址来是否允许它上网
ipchains不行。

iptables有自己的优势，毕竟是在ipchains的基础上而来的吗？

xiaojiao写到:
"RH8中就已经没有ipchains了，iptables功能很强大，很好理解，很好配置防火墙的了"

谁有实际的应用？

http://www.linuxaid.com.cn/articles/9/9/993840306.shtml
http://www.linuxaid.com.cn/articles/1/4/145502601.shtml

www.linuxaid.com.cn上文档中心搜索iptables有几篇很好的文章.
本版精华区也有一些好帖子.

如何在Openbsd中邦定MAC地址防止IP占用上网    

--------------------------------------------------------------------------------

大家好，我想用OPENBSD3.2建立一个防火墙 PF
我想在防火墙中加入地址邦定功能，： MAC和IP地址邦定一起！
这样就可以搞定限制了别个不会去冒充上网，
如： IP：192.168.4.1-192.168.4.100 /24这个段可以上网
而 IP： 192.168.4.101-254 /24这个段不可以上网
如果没有MAC地址和IP邦定的话，那就很难办了！ 如果不能上网的机器在能上网的机器开机之前启动的话，它就可以上网了，这也是我们不想的事情！
如果 192.168.4.101的机器把自己的IP改为192.168.4.1就可以上网了
如果 我们做了MAC地址邦定的话，就 是改了IP地址也没有用，不能上网。
（但还是可以冒充IP！如果可以限制不能改IP地址就好了！）