[Help request] Software firewall with a DMZ zone under Linux

Original poster, posted on: 2009-05-01
Software firewall script code with a DMZ zone under Linux


The situation this script targets is as follows: there is a trusted internal network, a DMZ, and an Internet connection. The DMZ here is obtained by setting up one-to-one NAT, which requires IP aliasing (configuring several IP addresses on one network card). There are other ways to build a DMZ: if you have a whole network segment, you can subnet it, assign one subnet to the DMZ, and then configure the corresponding internal and external IP addresses on the firewall (translator's note: the first method is for the case where you have several network segments, i.e. one segment for the internal network and one for the DMZ; the second method divides a single segment into several subnets, which then amounts to the first case). Note that this method consumes two extra IP addresses, one for the network address and one for the broadcast address (translator's note: search the web for information on subnetting for the details; this guide does not cover them). Which of the two methods you use is up to you. This guide gives you the means, or techniques, for implementing the firewall and NAT, but it does not fully explain how to carry that out, since that is beyond the scope of this document.

This script needs the following modules, although they may already be compiled into the kernel.

 

CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_LOG
As the figure shows, this script assumes you have two internal networks: a trusted LAN using the addresses 192.168.0.0/24, and a DMZ (the network we apply one-to-one NAT to) using 192.168.1.0/24. If someone on the Internet sends a packet to our DNS_IP, we apply DNAT to it; after that the packet's destination address points at the DNS server in the DMZ, so it can reach the real DNS server. Otherwise the DNS server would never see the packet, and there would be no reply to speak of. The statement that implements this DNAT is:

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP \
--dport 53 -j DNAT --to-destination $DMZ_DNS_IP
    
We can see that this rule goes in the PREROUTING chain of the nat table. The conditions a packet must satisfy are: TCP protocol with destination port 53, entering through interface $INET_IFACE, and destined for $DNS_IP. A matching packet is handed to the DNAT target, which changes its destination address to the address given by --to-destination, $DMZ_DNS_IP. That is how DNAT works. When the corresponding reply packet is sent to the firewall, it is automatically un-DNATed.
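The rule above only covers the nat side. In the script, every DNAT rule is paired with a filter FORWARD rule that matches the already translated destination (-d $DMZ_DNS_IP), because the FORWARD chain sees the packet after PREROUTING has rewritten it; replies from the DMZ back to the Internet are covered by the script's general "-i $DMZ_IFACE -o $INET_IFACE" rule. The POSIX shell function below is an added example, not part of the original post or of Oskar Andreasson's scripts: it emits that pair of rules for any published DMZ service. The function names publish_dmz_service and publish_dns_service and the dry-run default IPTABLES="echo iptables" are assumptions of the example (the script itself sends TCP 53 through its allowed chain rather than straight to ACCEPT); the interface names and addresses are the script's own.

```shell
#!/bin/sh
# Added example: emit the pair of rules that publish one DMZ service.
# IPTABLES defaults to "echo iptables" so this runs as a dry run without
# root; set IPTABLES=/usr/sbin/iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"

# publish_dmz_service PROTO PUBLIC_IP PORT DMZ_IP
#   1. nat PREROUTING: rewrite the destination from the public alias to the
#      DMZ host before the routing decision (the DNAT rule from the text)
#   2. filter FORWARD: the packet now carries the DMZ address as destination,
#      so the filter rule must match that address, not the public one
publish_dmz_service() {
    proto="$1"; public_ip="$2"; port="$3"; dmz_ip="$4"
    $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$INET_IFACE" -d "$public_ip" \
        --dport "$port" -j DNAT --to-destination "$dmz_ip"
    $IPTABLES -A FORWARD -p "$proto" -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$dmz_ip" \
        --dport "$port" -j ACCEPT
}

# publish_dns_service PUBLIC_IP DMZ_IP: DNS needs both TCP and UDP on port 53,
# exactly as the script's PREROUTING section does
publish_dns_service() {
    publish_dmz_service tcp "$1" 53 "$2"
    publish_dmz_service udp "$1" 53 "$2"
}

# Usage with the DNS addresses from the text (the dry run prints four commands)
publish_dns_service 194.236.50.154 192.168.1.3
```

Run it as-is to see the commands that would be issued; the order matters only in that both rules must exist, since a DNAT rule without its FORWARD counterpart leaves the translated packet to be logged and dropped by the FORWARD chain's DROP policy.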

You should now be fully able to read the script. If there is something you do not understand that is not used elsewhere in the script, that is probably my mistake; please let me know.


#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.1"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
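A sanity check for section 1 of the script above, added here as an example that is not part of the original post or of Oskar Andreasson's scripts. The DNAT targets from section 1.3 must lie inside the DMZ network on $DMZ_IFACE (192.168.1.0/24 in the text); a target outside it would be routed out another interface after translation, so the "-o $DMZ_IFACE" FORWARD rules would never match and the packet would end up in the FORWARD chain's log-and-drop. The public alias addresses from section 1.1 must also be distinct, since one-to-one NAT maps each of them to a different DMZ host. The helper names ip_to_int, ip_in_net and check_dmz_config are assumptions of the example; the default values are copied from the script's own configuration section, and it runs as plain POSIX sh without touching iptables.

```shell
#!/bin/sh
# Added example: validate the DMZ firewall configuration variables before the
# rules are loaded. Defaults are the values from the script's section 1;
# export your own values to check a different setup.
INET_IP="${INET_IP:-194.236.50.152}"
HTTP_IP="${HTTP_IP:-194.236.50.153}"
DNS_IP="${DNS_IP:-194.236.50.154}"
DMZ_HTTP_IP="${DMZ_HTTP_IP:-192.168.1.2}"
DMZ_DNS_IP="${DMZ_DNS_IP:-192.168.1.3}"
DMZ_IP="${DMZ_IP:-192.168.1.1}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer.
# The subshell keeps the IFS change local.
ip_to_int() {
    (
        IFS=.
        set -- $1
        echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    )
}

# ip_in_net IP NET/PREFIX -> returns 0 when IP lies inside NET/PREFIX
ip_in_net() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_dmz_config -> returns 0 when every DNAT target is inside the DMZ /24
# on $DMZ_IFACE and the public alias addresses are distinct; prints a line
# per finding so the output can be read as a report
check_dmz_config() {
    dmz_net="${DMZ_IP%.*}.0/24"   # the script's DMZ is a /24 on DMZ_IFACE
    status=0
    for target in "$DMZ_HTTP_IP" "$DMZ_DNS_IP"; do
        if ip_in_net "$target" "$dmz_net"; then
            echo "ok: DNAT target $target is inside $dmz_net"
        else
            echo "error: DNAT target $target is outside $dmz_net; translated" \
                 "packets would not leave via $DMZ_IFACE and the FORWARD rules would not match"
            status=1
        fi
    done
    if [ "$HTTP_IP" = "$DNS_IP" ] || [ "$HTTP_IP" = "$INET_IP" ] || [ "$DNS_IP" = "$INET_IP" ]; then
        echo "error: INET_IP, HTTP_IP and DNS_IP must be distinct public addresses for one-to-one NAT"
        status=1
    fi
    return $status
}

# Run the check when executed directly; the exit code is the result
check_dmz_config
```

Running the check before the firewall script (for example from the same rc hook) turns a silent misconfiguration, where the published service simply never answers, into an explicit error with a non-zero exit status.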

    


--------------------------------------------------------------------------------

I.3. rc.UTIN.firewall script code

#!/bin/sh
#
# rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#