很久没来了,其实也不是什么新东西,2001年底就写了很多了,主要是改正了以前版本里面的逻辑错误,整理了一下,把原来的WAN+LAN+DMZ改成了放在单独的linux服务器上的版本,使用LINUX服务器的兄弟们有福了,可以节省N多的脑细胞,呵呵,有问题邮件联系
arle.necc@rainlow.com
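#!/bin/bash
# RainLow firewall, stand-alone server edition.
# Usage: firewall start   (the "start" branch follows further down)
# Must run as root; every action below writes iptables rules or /proc/sys.
echo -e " \t\t \033[1;31m RainLow firewall \033[m server version 1.0rc1 -- 09/24/2004 \n"
echo -e "############################################################"
echo -e " This software may be used and distributed according to "
echo -e "the terms of the GNU General Public License (GPL) provided "
echo -e "credit is given to the original author. "
echo -e "\t\t\t \033[1;31m Copyright (c) 2004 rainlow \033[m \n"
echo -e "\t\t\t\t All rights reserved \n\n\n"
echo -e "############################################################"
# now begins the firewall
echo -e "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"
echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"
# Fixed, trusted search path: the system binaries come from known
# directories only, whatever the caller's environment had in PATH.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
# Red Hat style init helpers; optional, the original sourced it
# unconditionally and printed an error on systems without it.
# NOTE(review): nothing visible in this script uses a name from that file.
if [ -r /etc/init.d/functions ]; then
  . /etc/init.d/functions
fi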
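#######################################
# Print a failure banner and terminate the script.
# Globals:   FAILURE (read) - human-readable reason set by the caller
# Outputs:   the banner on stderr (diagnostics, not program output)
# Returns:   never; exits with status 1
#######################################
exit_failure()
{
  echo -en " \t \033[3;031m [ FAILED ] \033[0m \n" >&2
  echo -en " \033[3;031m -> FATAL: ${FAILURE:-unknown error} \033[0m \n" >&2
  echo -en " \033[3;031m -> ** ABORTED ** \033[0m \n" >&2
  exit 1
}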
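#######################################
# Abort unless the script runs as root (uid 0): the iptables calls and
# /proc/sys writes below all need it.
# Globals:   ROOT_ID (written), FAILURE (written on error)
# Outputs:   status lines on stdout
# Returns:   0 when root; otherwise calls exit_failure, which exits 1
#######################################
check_root()
{
  local uid
  ROOT_ID=0
  echo "Checking if you are root...."
  # $UID is provided by bash; fall back to id(1) under another shell.
  uid=${UID:-$(id -u)}
  if [ "$uid" = "$ROOT_ID" ]; then
    echo -e "\n\t OK ! continue....\n"
    echo -e "\a"
  else
    echo -e " Sorry,you are not root and not permitted to do this option....\n"
    echo -e "\a"
    FAILURE="you can not run this command ,you must be root to do this"
    exit_failure
  fi
  return 0
}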
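#######################################
# Verify the host can run this firewall: Linux, kernel 2.4 or newer, a
# usable iptables binary, and no leftover ipchains module.
# Globals:   OS, _OS, KERNELMAJ, KERNELMIN (written)
#            FAILURE (written on error, read by exit_failure)
# Outputs:   progress on stdout
# Returns:   0; calls exit_failure (exit 1) on any failed check
#######################################
check_enviroment()
{
  echo -e "\t\t \033[1;31m Now Checking software envrioment \033[m \n"
  OS=$(uname -s)
  _OS=$OS
  if [ "$_OS" != "Linux" ]; then
    FAILURE="Sorry this version can only work under linux "
    exit_failure
  else
    echo -en "\t\t \033[1;32m PASS \033[m \n"
  fi
  # Major and minor from "uname -r" (e.g. "2.6.32-foo" gives 2 and 6).
  KERNELMAJ=$(uname -r | sed -e 's,\..*,,')
  KERNELMIN=$(uname -r | sed -e 's,[^.]*\.,,' -e 's,\..*,,')
  if [ "$KERNELMAJ" -lt 2 ]; then
    FAILURE="Sorry you kernel is too old,please upgrade it first!"
    exit_failure
  fi
  if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 4 ]; then
    FAILURE="only kernel greater than 2.4 is supported"
    exit_failure
  fi
  # The original grepped "iptables -V" output for "Command not found",
  # a string bash never prints, so a missing binary was not detected.
  # The iptables() wrapper runs /sbin/iptables, so that is what is probed.
  if ! /sbin/iptables -V >/dev/null 2>&1; then
    FAILURE="can not find iptables command you must install iptables first"
    exit_failure
  fi
  # ipchains (the 2.2-era filter) cannot coexist with iptables: unload it
  # when module support and modprobe are available.
  if command -v modprobe >/dev/null 2>&1 && { [ -e /proc/modules ] || ! [ -e /proc/version ]; }; then
    # Anchor on the module column; the original used an unanchored grep -c.
    if lsmod 2>/dev/null | grep -q "^ipchains "; then
      rmmod ipchains > /dev/null 2>&1
    fi
  fi
  return 0
}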
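#######################################
# Print a ten-second progress bar: "||" followed by one "#" per second.
# NOTE(review): this shadows the bash builtin `wait`; any later `wait`
# intended to reap background jobs will run this function instead
# (`builtin wait` bypasses it). Kept under its original name because
# callers outside this excerpt may use it.
# Arguments: none
# Outputs:   progress bar on stdout
# Returns:   0
#######################################
wait()
{
  local tick
  printf '||'
  for tick in 1 2 3 4 5 6 7 8 9 10; do
    sleep 1
    printf '#'
  done
  printf '\n'
  return 0
}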
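#######################################
# Run the system iptables by absolute path so the rule set is always
# written by the binary in /sbin, regardless of PATH.
# Arguments: passed through unchanged
# Returns:   the exit status of /sbin/iptables
#######################################
iptables()
{
  /sbin/iptables "$@"
}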
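#######################################
# Short alias for modprobe, by absolute path.
# Arguments: passed through unchanged (module name and options)
# Returns:   the exit status of /sbin/modprobe
#######################################
mp()
{
  /sbin/modprobe "$@"
}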
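#######################################
# Load the netfilter kernel modules the rule set relies on.
# The original only recognised 2.4-style "ip_tables.o"; 2.6+ kernels ship
# "ip_tables.ko", so both spellings are accepted.
# Arguments: none
# Outputs:   progress on stdout; modprobe errors for modules absent on
#            this kernel (the patch-o-matic extras) are left visible
# Returns:   0
#######################################
load_module()
{
  local netfilter_dir="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
  local module
  if [ -e "$netfilter_dir/ip_tables.o" ] || [ -e "$netfilter_dir/ip_tables.ko" ]; then
    echo -e "\n\tLoading iptables modules please wait...."
    # Same order as the original list. Two names were corrected:
    # ipt_MASQURADE -> ipt_MASQUERADE and ipt_conntrack_{ftp,irc} ->
    # ip_conntrack_{ftp,irc}, matching the names unload_module removes.
    for module in ip_tables ipt_LOG ipt_owner ipt_MASQUERADE ipt_REJECT \
                  ip_conntrack_ftp ip_conntrack_irc iptable_filter iptable_nat \
                  iptable_mangle ip_conntrack ipt_limit ipt_state ipt_unclean \
                  ipt_TCPMSS ipt_TOS ipt_TTL ipt_quota ipt_iplimit ipt_pkttype \
                  ipt_ipv4options ipt_MARK; do
      mp "$module"
    done
    echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  else
    echo -e "\tSorry,no iptables modules found !!"
  fi
  return 0
}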
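#######################################
# Write one sysctl value through the /proc/sys tree, skipping knobs this
# kernel does not expose (the original wrapped each write in an
# `if [ -e ... ]` guard; this is that guard in one place).
# Globals:   PROC_SYS (read, optional) - root of the sysctl tree, default
#            /proc/sys; exists so the function can be exercised on a
#            scratch directory
# Arguments: $1 - path relative to the sysctl root, e.g. net/ipv4/ip_forward
#            $2 - value to write; backslash escapes are expanded like echo -e
#            $3 - optional progress message printed before the write
# Outputs:   the message and an "[ OK ]" banner on stdout
# Returns:   0 always; a failed write is reported by the shell on stderr
#######################################
_set_sysctl()
{
  local knob="${PROC_SYS:-/proc/sys}/$1"
  local value=$2
  local msg=$3
  [ -e "$knob" ] || return 0
  if [ -n "$msg" ]; then
    echo -e "$msg"
  fi
  printf '%b\n' "$value" > "$knob"
  echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  return 0
}

#######################################
# Tune the IPv4 stack for a stand-alone firewall host: routing off,
# SYN-cookie and reverse-path protections on, ICMP redirects and source
# routing off, plus the author's TCP/ICMP timer and buffer choices.
# Knobs the running kernel lacks are skipped.
# Globals:   PROC_SYS (read, optional) - see _set_sysctl
# Outputs:   progress messages on stdout
# Returns:   0
#######################################
ip_stack_adjust()
{
  local root=${PROC_SYS:-/proc/sys}
  local knob

  # Routing is off in this "server version". The original printed
  # "enable ip_forward" while writing 0; the value is kept, the message fixed.
  _set_sysctl net/ipv4/ip_forward 0 "disable ip_forward.please wait...."
  _set_sysctl net/ipv4/ip_default_ttl 88 "changing default ttl....."
  _set_sysctl net/ipv4/ip_dynaddr 0 "\n\t disable dynamic ip support...."
  # ip_no_pmtu_disc=0 keeps path-MTU discovery ON; the original said
  # "disable" while writing 0. Value kept, message fixed.
  _set_sysctl net/ipv4/ip_no_pmtu_disc 0 "enable path mtu discovery.please wait...."
  _set_sysctl net/ipv4/ipfrag_high_thresh 5800 "changing ipfrag_high_thresh.please wait...."
  _set_sysctl net/ipv4/ipfrag_low_thresh 2048 "changing ipfrag_low_thresh.please wait...."
  # Message fixed: the original labelled this write "ipfrag_low_thresh".
  _set_sysctl net/ipv4/ipfrag_time 20 "changing ipfrag_time.please wait...."
  _set_sysctl net/ipv4/ipfrag_secret_interval 600 "changing ipfrag_secret_interval.please wait...."
  _set_sysctl net/ipv4/tcp_syn_retries 4 "changing tcp_syn_retries.please wait...."
  _set_sysctl net/ipv4/tcp_synack_retries 4 "changing tcp_synack_retries.please wait...."
  _set_sysctl net/ipv4/tcp_keepalive_time 300 "changing tcp_keepalive_time.please wait...."
  _set_sysctl net/ipv4/tcp_keepalive_probes 4 "changing tcp_keepalive_probes.please wait...."
  _set_sysctl net/ipv4/tcp_keepalive_intvl 60 "changing tcp_keepalive_intvl.please wait...."
  _set_sysctl net/ipv4/tcp_retries1 3 "changing tcp_retries1.please wait...."
  _set_sysctl net/ipv4/tcp_retries2 15 "changing tcp_retries2.please wait...."
  _set_sysctl net/ipv4/tcp_orphan_retries 0 "disable tcp_orphan_retries.please wait...."
  _set_sysctl net/ipv4/tcp_max_tw_buckets 4000 "changing tcp_max_tw_buckets.please wait...."
  # NOTE(review): tcp_tw_recycle breaks clients behind NAT and was dropped
  # from later kernels; kept as the author configured it.
  _set_sysctl net/ipv4/tcp_tw_recycle 1 "changing tcp_tw_recycle.please wait...."
  _set_sysctl net/ipv4/tcp_tw_reuse 1 "changing tcp_tw_reuse.please wait...."
  _set_sysctl net/ipv4/tcp_max_orphans 2000 "changing tcp_max_orphans.please wait....."
  _set_sysctl net/ipv4/tcp_max_syn_backlog 8000 "changing tcp_max_syn_backlog.please wait...."
  # The original wrote 1 here and 0 again near the end; the last write
  # wins, so only the effective value is kept.
  _set_sysctl net/ipv4/tcp_window_scaling 0 "\n\tDisabling tcp_window_scaling...."
  # Written twice in the original with the same value.
  _set_sysctl net/ipv4/tcp_timestamps 0 "disable tcp_timestamps.please wait...."

  # Reverse-path filtering on every interface: drop packets whose source
  # is not routable back through the interface they arrived on.
  for knob in "$root"/net/ipv4/conf/*/rp_filter; do
    [ -e "$knob" ] && echo 1 > "$knob"
  done

  _set_sysctl net/ipv4/tcp_syncookies 1 "\n\tEnable the syncookies flood protection"
  _set_sysctl net/ipv4/ip_conntrack_max 80000 "\n\tSetting the maximum number of connections to track.... "
  _set_sysctl net/ipv4/ip_local_port_range "32768\t61000" " \n\tSetting local port range for TCP/UDP connection...."
  # Written twice in the original with the same value.
  _set_sysctl net/ipv4/icmp_ignore_bogus_error_responses 1 "\n\tEnable bad error message protection......."
  _set_sysctl net/ipv4/tcp_ecn 0 "\n\tDisabling tcp_ecn,please wait..."
  _set_sysctl net/ipv4/tcp_reordering 0 "\n\tchangling tcp_reordering,please wait..."
  _set_sysctl net/ipv4/tcp_wmem "4096 16384 131072" "\n\tchanging tcp_wmem,please wait...."
  _set_sysctl net/ipv4/tcp_rmem "4096 87380 174760" "\n\tchanging tcp_rmem,please wait..."
  _set_sysctl net/ipv4/tcp_mem "97280 97792 98304" "\n\tchanging tcp_mem,please wait...."
  _set_sysctl net/ipv4/tcp_adv_win_scale 2 "\n\tchanging tcp_adv_win_scale,please wait..."
  _set_sysctl net/ipv4/tcp_rfc1337 0 "\n\tchanging tcp_rfc1337,please wait..."
  _set_sysctl net/ipv4/conf/all/accept_redirects 0 "\n\tDisabing ICMP redirects,please wait....."

  # Source routing off on every interface (guarded on conf/all as before).
  if [ -e "$root/net/ipv4/conf/all/accept_source_route" ]; then
    echo -e "\n\tDisabling source routing of packets,please wait...."
    for knob in "$root"/net/ipv4/conf/*/accept_source_route; do
      [ -e "$knob" ] && echo 0 > "$knob"
    done
    echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  fi

  _set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1 "\n\tIgnore any broadcast icmp echo requests......"

  # Three ICMP rate knobs behind one guard, as in the original.
  if [ -e "$root/net/ipv4/icmp_destunreach_rate" ]; then
    echo -e "modify icmp_destunreach_rate and icmp_echoreply_rate.."
    echo 5 > "$root/net/ipv4/icmp_destunreach_rate"
    echo 5 > "$root/net/ipv4/icmp_echoreply_rate"
    echo 5 > "$root/net/ipv4/icmp_ratelimit"
    echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  fi

  # The original tested net/ipv4/bootp_relay but wrote conf/all/bootp_relay;
  # the knob lives under conf/, so test and write the same path.
  _set_sysctl net/ipv4/conf/all/bootp_relay 0 "\n\tDisable the bootp_relay........"
  _set_sysctl net/ipv4/tcp_fin_timeout 30 "\n\tSetting up tcp_fin_timeout....."
  _set_sysctl net/ipv4/tcp_sack 0 "\n\tDisabling tcp_sack...."
  # The original guard was misspelled (tcp_abort_on_overflowe), so this
  # write never happened.
  _set_sysctl net/ipv4/tcp_abort_on_overflow 1 "\n\t Enabling tcp_abort_on_overflow"
  # Both messages say "disabling" but the original wrote 1; 0 matches the
  # message and the ip_forward=0 above. These paths may not exist on a
  # given kernel, in which case they are skipped as before.
  _set_sysctl net/ipv4/forwarding 0 "\n\t disabling forwarding"
  _set_sysctl net/ipv4/mc_forwarding 0 "\n\t disabling mc_forwarding"

  # Log packets with impossible (martian) source addresses on every
  # interface. The original first wrote 0 behind a guard on a path that
  # does not exist (conf.ig/all/...) and then 1 here; only this loop is kept.
  for knob in "$root"/net/ipv4/conf/*/log_martians; do
    [ -e "$knob" ] && echo 1 > "$knob"
  done

  _set_sysctl net/ipv4/conf/all/proxy_arp 0 "\n\tdisable proxy_arp....."
  _set_sysctl net/ipv4/conf/all/send_redirects 0 "\n\tdisable send_redirects....."
  _set_sysctl net/ipv4/conf/all/secure_redirects 1 "\n\tenable secure_redirects...."
  # Stop answering ICMP echo requests at all (the original wrote this
  # unguarded and without a message).
  if [ -e "$root/net/ipv4/icmp_echo_ignore_all" ]; then
    echo 1 > "$root/net/ipv4/icmp_echo_ignore_all"
  fi
  return 0
}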
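#######################################
# Remove the netfilter modules load_module pulls in, dependants first.
# Arguments: none
# Outputs:   nothing; rmmod output is discarded
# Returns:   0
#######################################
unload_module()
{
  local module
  for module in ipt_TTL iptable_mangle ipt_mark ipt_MARK ipt_MASQUERADE ip_nat_irc ip_nat_ftp ipt_LOG \
                ipt_limit ipt_REJECT ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat iptable_filter ip_tables; do
    # Anchor on the module column so "ip_conntrack" does not also match
    # "ip_conntrack_ftp" (the original grep -c was an unanchored substring).
    if lsmod 2>/dev/null | grep -q "^${module} "; then
      rmmod "$module" > /dev/null 2>&1
    fi
  done
  return 0
}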
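#######################################
# Read one KEY=value line from the firewall configuration file.
# Globals:   FW_CONF (read) - path of firewall.conf
# Arguments: $1 - key name, matched at the start of a line (leading blanks
#            allowed, so commented-out keys are ignored)
# Outputs:   the value with surrounding whitespace stripped; empty if absent
# Returns:   0
#######################################
_conf_get()
{
  grep "^[[:space:]]*$1=" "$FW_CONF" 2>/dev/null | head -n 1 | cut -d = -f 2- \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
  return 0
}

#######################################
# Load the firewall configuration into shell variables, creating a default
# file first when none exists. The file is parsed with grep/cut and never
# sourced, so its contents cannot execute as shell code.
# Globals:   FW_LOCATE (used if preset, else set) - config directory,
#            default /etc/firewall
#            FW_CONF (written) - full path of firewall.conf
#            UPLINK UPIP INTERFACES LOAD_MODULES LOG_ILLEGAL_FLAGS OPEN_TCP
#            OPEN_UDP TCP_PORT_LOG DENYIP UDP_PORT_LOG MALFORMED_PACKET_LOG
#            MANAGE_IP DISABLE_ALL_LOG (written)
# Outputs:   progress messages on stdout
# Returns:   0
#######################################
load_config()
{
  FW_LOCATE=${FW_LOCATE:-/etc/firewall}
  FW_CONF=$FW_LOCATE/firewall.conf
  if [ ! -e "$FW_LOCATE" ]; then
    mkdir -p "$FW_LOCATE"
  fi
  if [ ! -f "$FW_CONF" ]; then
    echo "can not find firewall.conf,creating one with default setting..."
    # The defaults are the author's own sample setup (addresses included):
    # placeholders to edit, not a recommended configuration. MANAGE_IP was
    # garbled in the source; 61.129.112.46 is its only four-octet reading.
    # NOTE(review): the default file writes DENYUDPPORT, but this loader and
    # the rule builder read UDP_PORT_LOG, so that list is never applied.
    echo -e " UPLINK=eth1 \n UPIP=211.137.58.48 \n INTERFACES=lo eth0 \n LOAD_MODULES=no \n LOG_ILLEGAL_FLAGS=yes \n DENYIP=10.0.0.1 10.0.0.255 \n DENYUDPPORT=7 9 19 107 137 138 139 161 199 369 \n TCP_PORT_LOG=135 137 138 139 445 500 1433 3306 515 513 \n OPEN_TCP= 21 22 \n OPEN_UDP= \n LAN_IF=eth0 \n MALFORMED_PACKET_LOG=no \n MANAGE_IP=61.129.112.46 \n DISABLE_ALL_LOG=no \n " > "$FW_CONF"
  fi
  echo -e "\t\t\t Loading the firewall configuration........\n"
  # Values are trimmed: the default file pads each line with spaces, which
  # made the original "$DISABLE_ALL_LOG" == "yes" comparison never match.
  UPLINK=$(_conf_get UPLINK)
  UPIP=$(_conf_get UPIP)
  INTERFACES=$(_conf_get INTERFACES)
  LOAD_MODULES=$(_conf_get LOAD_MODULES)
  LOG_ILLEGAL_FLAGS=$(_conf_get LOG_ILLEGAL_FLAGS)
  OPEN_TCP=$(_conf_get OPEN_TCP)
  OPEN_UDP=$(_conf_get OPEN_UDP)
  TCP_PORT_LOG=$(_conf_get TCP_PORT_LOG)
  DENYIP=$(_conf_get DENYIP)
  UDP_PORT_LOG=$(_conf_get UDP_PORT_LOG)
  # The original grepped the misspelled key MALFORED_PACKET_LOG, so this
  # setting could never be read from the file.
  MALFORMED_PACKET_LOG=$(_conf_get MALFORMED_PACKET_LOG)
  MANAGE_IP=$(_conf_get MANAGE_IP)
  DISABLE_ALL_LOG=$(_conf_get DISABLE_ALL_LOG)
  # One global switch turns every logging option off.
  if [ "$DISABLE_ALL_LOG" = "yes" ]; then
    MALFORMED_PACKET_LOG=no
    UDP_PORT_LOG=
    TCP_PORT_LOG=
    LOG_ILLEGAL_FLAGS=no
  fi
  return 0
}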
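# Pre-flight: both calls exit the script (via exit_failure) when the host
# is not root or not a supported Linux with iptables.
check_root
check_enviroment
# Legacy DHCP wait loop from the router edition, left disabled by the
# author (NAT and $UPLINK are not set at this point in the server edition).
# if [ "$NAT" == "DHCP" ]; then
# if [ -z "$UPIP" ]; then
# echo " [ WAIT ]"
# echo -n "-> $UPLINK has no IP address. Waiting for DHCP.."
# for COUNT in 1 2 3 4 5 6 7 8 9 10; do
# sleep 1
# echo -n "*#"
# UPIP=`ifconfig ${UPLINK} | grep inet | cut -d : -f 2 | cut -d " " -f 1`
# if [ -n "$UPIP" ]; then
# echo " [ FOUND ]"
# break
# else
# if [ "$COUNT" == "10" ]; then
# echo " [ MISSING ]"
# echo "-> WARNING: IP address for $UPLINK not found. "
# fi
# fi
# done
# fi
#fi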
i.f [ "$1" = "start" ] 美容
then
echo "Starting firewall........".
ip_st.ack_adjust[成人用品]
.load_config.
echo -e "Now prepareing the k.ernel to use for a fir.ewall ,please wait......".
#if .[ "$NAT" = " dyna.mic " ]服务器
# then
# echo -e "\n\tEnable .dynamic ip suppor.t...." [成人用品]
# echo .1 >; ./proc/sys/net/ipv4/ip_dynaddr.
#. echo -e "\t\t\t\t\033[3;032m [ OK ]. \033[0m\n".
# fi
#echo 0 >; /proc/sys/.n.et/ipv4/conf/all/bootp_relay .
#depmod -a
#.define the load modules fu.nction 电子
if [ "$LOAD_MODULES" = "..yes" ].
then
. if [ -e /lib/modules/`uname -r`/kernel./net/ipv4/netfilter/ip_tab.les.o ]外贸
then
echo -e "\n\tLoading iptabl.es modules. please wait....".
. . mp ip_tables教育
mp ipt_LO.G.
. .mp ipt_owner 乙肝
. . mp ipt_MASQURADE.
. .mp ipt_REJECT外贸
. . mp ipt_conntrack_ftp<性病>
.. mp ipt_conntrack_irc学习
mp ipt.able_filt.er 鲜花
. mp iptable_.nat--- 印刷
. mp ipt.able_mangle.
mp ip_.conntra.ck--- 印刷
. . mp ipt_limit 健康
. . mp ipt_state<性病>
. . mp ipt_unclean 美容
mp .i.pt_TCPMSS[成人用品]
. mp ipt_TOS学习
mp. ipt_TTL健康
mp i.pt_qu.ota教育
. . mp ipt_iplimit.
. . mp ipt_pkttype 汽车
. .mp ipt_ipv4options服务器
mp. ipt_.MARK.
. echo -e "\t\t\t\t \033[3.;032m [ OK ] \033[0m\n" 外汇
else
. echo -e "\tSo.rry,no iptables modules found !!" 汽车
fi
fi
#prepare the. firewa.ll tables for use学习
iptables -t. filter -P I.NPUT DROP投资
iptables -.t filter -.P FORWARD DROP 杀毒
iptables -t. filte.r -P OUTPUT DROP 乙肝
ip.tables -t filter -F .INPUT--------------彩票
iptables -t. filter -F FORWAR.D健康
iptabl.es -t. filter -F OUTPUT 建材
iptab.les -F -t nat电脑
iptable.s -F -t mangle 电子
iptables -Z
iptables -X
iptables -N .CHECK_FLAGS 杀毒
iptables -.F CHECK_FLAGS.
iptables -N tcpHandl.er.
iptables -F tcp.Handler.
i.ptables -N udpHandler.
iptable.s -F udpHandler外贸
iptab.les -N icmpHandler.
ipt.ables -F icmpHandler教育
iptables -N DROP-A.ND-LOG.
iptabl.es -F DROP-AND-LOG 外汇
iptables -N syn-floo.d.
ipta.bles -F syn-flood电脑
echo -e "\tOK,the kernel is now prep.ared to use for building a fi.rewall!!!"[成人用品]
echo -e "\n\t startin.g firewall ,.Waitting ........................"投资
echo -e "\n\tC..reating a drop and log chain....."投资
iptables -A DROP-AND-LOG -j LOG -.-log-level 6 . 外汇
iptables -A DROP.-AND-LOG -j. DROP虚拟主机
echo -e. "\t\t\t\t \033[3;032m [ OK ]. \033[0m\n"--------------彩票
#design a chain for syn-flood. pr.otect 乙肝
echo -e "\t define a chai.n for .syn-flood pretect.." 建材
iptables. -A syn-flood -m limit --lim.it 4000/s --limit-burst 6000 -j RETURN.
iptables -A syn-fl.ood -j .DROP 女人
iptables -A INPUT -i ${UPLINK} .-p tcp --syn -j syn-.flood.
echo -e "\t\t\t\t. \033[3;032m [ OK. ] \033[0m\n"--------------彩票
iptables -A tcpHand.ler -p tcp -m limit --l.imit 4000/s --limit-burst 6000 -.j RETURN 女人
ipta.bles -A tcpHandler -p tcp -.j LOG --log-prefix " Drop TCP exceed connections ."服务器
i.pt.ables -A tcpHandler -p tcp -j DROP.
iptables -A udpHandler -p u.dp -m limit .--limi.t 200/s --limit-burst 400 -j RETURN 汽车
iptables -A udpHandler -p udp -j LOG --log-pr.efix. "Drop UDP exceed connection.s" 建材
iptable.s -A udpHan.dler -p udp -j DROP虚拟主机
iptab.les -A icmpHandler -p icmp -m limit --limit 2.00/s --limit-burst 400 -j RETU.RN外贸
iptables -A icmp.Handler -p icmp -j LOG .--log-prefix "Drop ICMP e.xceed connections".
iptables. -.A icmpHandler -p icmp -j DROP( 游戏 )
#define a chain for .log. malformed packages电影
if [ "$MALF.ORMED._PACKET_LOG" = "yes" ] 外汇
then
echo -e "\tN.ow logging malformed packages."[成人用品]
iptables -A INPUT -.i ${UPL..INK} -m unclean -m limit --limit 2/m -j LOG --log.-level 6 --log-prefix "DROP malformed packet:" 健康
iptables -A INPUT -i ${UPLINK.} -m u.nclean -j DROP 女人
ec.ho -e "\t\t\t\t \033[3;032m [ OK ] \033[0m.\n"域名
fi
# drop malformed packag.es
# ip.tables -A INPUT -i ${.UPLINK} -m unclean -j DROP 建材
echo -e "\tNow starting the check_flag rul.es,.please wait...."服务器
echo -e. "\tLogging illegal TCP flags.....".
if [ " $LOG_I.LLEGA.L_FLAGS " = " yes " ]外贸
then
. . iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -m limit --li.mit 3/m -j LOG --log-level 6 --log-prefix "INVALID .ALL FIN :" --log-tcp-options --log-ip.-options 美容
ipta.bles -A CHEC.K_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j D.ROP虚拟主机
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp -.-tc.p-flags ACK,FIN FIN -m li.mit --limit 3/m -j LOG --log-level 6 --log-pr.efix "INVA.LID ACK,FIN FIN :" --log-tcp-options --log-ip-options投资
iptables -A CHECK_.FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK.,FIN .FIN -j DROP 汽车
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp. --tcp-flags ACK,PSH PSH -m limit --limit 3/m -j LOG --log-level 6 --log-p.refix "INVALID ACK,PSH. P.SH:". --log-tcp-options --log-ip-options健康
iptables -A CHECK_FL.AGS -i ${UP.LINK} -p tcp --tcp-flags ACK,PSH P.SH -j DROP.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m limit --limit 3/m -j LOG --log-level 6 --lo.g-pre.fix "INVALID ACK,.U.RG URG:" --log-tcp-options. --log-ip-options 外汇
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags. ACK,URG. UR.G -j DROP(广告)
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp. --tcp-flags A.LL FIN.,URG,PSH -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN " --l.og-tcp-options --lo.g-ip-options域名
iptables -A CHECK_FL.AGS -i ${UPLINK.} -p tcp --tcp-flags. ALL FIN,URG,PSH -j DROP 汽车
ipta.b.les -A CHECK_FLAGS -i ${UPLINK} -p tcp --tc.p-flags SYN,RST. SYN,RST -m limit --limit 3/m -j LOG --log.-level 6 --log-prefix " SYN/RST SCAN" --log-tcp-options --log-ip-options 美容
iptables -A CHECK_FLAGS -i ${UPLIN.K} -p t.c.p --tcp-flags SYN,RST SYN,RST -j DROP健康
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp -.-tcp-fl.ags FIN,RST FIN,RST -m limit --limit 3/m -j LOG --log-level 6 --log-p.refix " FI.N/RST SCAN" --log-tcp-options. --log-ip-options投资
iptables -A CHECK_FLA.GS -i ${UPLINK} -p tc.p --tcp-flags FIN,RST FIN,RS.T -j DROP[成人用品]
iptables -A CHECK_FL.AGS -i ${UPLINK} -p tcp --tcp-flags.. SYN,FIN SYN,FIN -m limit --limit 3/m -j LOG --log-level 6 --log-prefix " S.YN/FIN SCA.N " --log-tcp-options --log-ip-options 鲜花
iptables -A C.HECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,F.IN. -j DROP.
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j L.OG --log-level 6 --log-prefix ." Bogu.s TCP FLAG 64 " .--log-tcp-options .--log-ip-options 汽车
iptables .-A CHE.CK_FLAGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP.
i.ptables -A CHECK_FLAGS -i ${UPLINK} -p tc.p --tcp-option 128 -m li.mi.t --limit 3/m -j LOG --log-level 6 --log-prefix " Bog.us TCP FLAG 128 " --log-tcp-options --log-ip-options教育
iptables -A CHECK_FLAGS -i ${UPLINK}. -p. tcp --tcp-option 128 -j DROP 建材
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --t..cp-flag.s ALL ALL -m limit --limit 3./m -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:" --log-tcp-op.tions --log-ip-options 健康
iptabl.es -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-fla.gs .ALL ALL -j DROP 杀毒
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST.,A.CK,FIN,URG -m. limit. --limit 3/m -j LOG --log-level 6. --log-prefix "XMAS-PSH:" --log-tcp-options --log-ip-options.
iptables -.A CHECK_FLA.GS -i ${UPLINK} -p .tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP.
iptables .-A CHECK_FLAGS -i ${UPLINK} .-p tcp --tcp-flags ALL .NONE -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "NULL._SCAN" --log-tcp-options --log-ip-options 女人
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-.flags ALL NONE. -j .DROP( 游戏 )
. iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SY.N,AC.K,FIN,RST RST -m .limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID SCAN:" --.log-tcp-options --log-ip-options 电子
iptables -A CHECK_FL.AGS -i ${UPLINK} -p tcp --.tcp-flags SYN,ACK,FIN,RST RST -j. DROP.
else
. iptables -A CHECK_FLAGS -i. ${UPLINK} -p tcp --tcp-f.lags ALL FIN -j DROP.
iptables -A CHECK_FL.A.GS -i ${UPLINK} -p tcp -.-tcp-flags ACK,FIN FIN -j DROP虚拟主机
iptables -A CHECK_FLAGS -i ${UPLI.N..K} -p tcp --tcp-flags ACK,PSH PSH -j DROP服务器
iptabl.es -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp.-flags ACK,URG .URG -j DROP 杀毒
iptables. -A CHECK._FLAGS -i ${UPLINK} -p tcp --.tcp-flags ALL FIN,URG,PSH -j DROP学习
iptables -A CHE.CK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,RST SYN,.RST -j. DROP虚拟主机
. iptables -A CHECK_FLAGS -i ${UPLINK} -.p tcp --tcp-flags FIN.,RST FIN,RST -j DROP--- 印刷
iptables -A CHECK_FLAG.S. -i ${UPLINK} -p t.cp --tcp-flags SYN,FIN SYN,FIN -j DROP电影
. iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-option. 64 -j DRO.P( 游戏 )
iptabl.es -A CHECK_FLAGS -i ${UPLINK} -p t.cp --tcp.-option 128 -j DROP 婚庆
. iptables -A CHECK_FL.A.GS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP 建材
ipt.ables -A CHECK_FLAGS .-i ${UPLINK} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG. -j DROP学习
. iptables -A CHECK_FLAGS -i $.{UPLINK} -p tcp .--tcp-flags ALL NONE -j DROP
iptables -A CH.ECK_FLAGS -i ${UPL.INK} -p tcp --tcp-flags SYN,ACK,FIN,RST RST. -j DROP虚拟主机
echo -e "\t\.t\t\t \033.[3;032m [ OK ] \033[0m".
fi
#DROP packa.ges with .a invalid FLAG服务器
ipta.bles -A INPUT -i ${UP.LINK} -p tcp -j CHECK_FLAGS .
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tFinished che.ck_f.lags r.ules...."电脑
echo -e "\tNow starting the i.nput rules,pleas.e wait......."外贸
#for i in $OP.EN_TCP_QUOTA.; do
# printf " firewall ->;port $i tcp open wi.th quot.a $QUOTA..." --- 印刷
#iptables -A INPUT .-i $UPLINK .-p. tcp --syn -m state --state NEW -m limit .--limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEPT 女人
#iptables -A I.NPUT -i $UPLIN.K -p tcp --dport $i -j DROP.
#done
#.for .i in $OPEN_UDP_QUOTA; do虚拟主机
# echo " fir.ewall ->;port $i udp open with quota $Q.UOTA..." 汽车
#iptables -A INPUT -i $UPLINK -p udp. -m state --state .NEW -m limit --limit 2/s --dport $i -m quota --quota $QU.OTA -j ACCEPT健康
#iptables -A I.NPUT -i $UPLINK -.p udp --dport $i -j DROP 婚庆
#done
#b.uild a chain fo.r deny ip or ip range.
for x in ${.DENYIP}域名
do
iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j LOG --log-prefix "INVAILD{x} TCP IN:"http://upload.bbs.csuboy.com/Mon_1004/126_6899_00bc4ff17adaaa0.gif[/img]--- 印刷
iptabl.es -A INPUT -i ${UPLINK} -p tcp -s ${x} -m stat.e --state .NEW -j DROP.
iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j LOG --log-prefix "INVAILD{x} SYN IN:"http://upload.bbs.csuboy.com/Mon_1004/126_6899_00bc4ff17adaaa0.gif[/img].
iptables -A INPUT -i ${UPLINK} -p tc.p --syn -s ${x.} -j DROP.
iptables -A INPUT -i ${UPLINK} -p ALL -s $.{x} -m limit --limit 6/m -j LOG --lo.g-level 6 --log-prefix "DEN.YED IP ${x} IN:".
ip.tables -A INPUT -i ${UPLINK} -p ALL -s ${x} -j. DROP服务器
iptables -A FORWARD -s ${x} -m state .--state NEW,ESTABLISH.ED,RE.LATED -j LOG --log-level 6 --log-prefix "D.ENYED ${x} FORWARD:"外贸
iptables -A FORWARD -s ${x} -m state --state NEW,EST.ABL.I.SHED,RELATED -j DROP 美容
iptables -A FORWARD -d ${x} -m stat.e --state NEW,ESTABLI.SHED,RELATED -j LOG --log-level 6 --log-prefix "D.ENYED ${x} .FORWARD:"虚拟主机
iptable.s -A FORWARD -d ${x} -m st.ate --state NEW,ESTABL.ISHED,RELATED -j DROP.
done
#buil.d a chain for the tcp port or port range you wan.t to log --------------彩票
for x .in ${TCP_PORT_LOG}( 游戏 )
do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j LOG --log-prefix "INVALID{x} SYN IN:"http://upload.bbs.csuboy.com/Mon_1004/126_6899_00bc4ff17adaaa0.gif[/img].
iptables -A IN.PUT -i ${UPLINK} -p tcp --dport ${x} --syn -j .DROP 建材
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m .state --state NEW -j LOG --log-prefix "IN.VAILD${x}PORT IN:."教育
iptable.s -A INPUT -i ${UPLINK} -p tcp --d.port ${x} -m state --state NEW -j DRO.P 美容
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "ORThttp://upload.bbs.csuboy.com/Mon_1004/126_6899_4f4b5a14d6d2379.gif[/img]{x} attempt:" --log-tcp-options --log-ip-options --log-tcp-sequencehttp://upload.bbs.csuboy.com/Mon_1004/126_6899_00bc4ff17adaaa0.gif[/img]投资
iptables -.A INPUT -i ${UPLIN.K} -p tcp --dport ${x} -j DROP 投资
done
#bulid a chain for the ud.p port or. port range you want to deny域名
for. x in ${UDP_PORT_LOG} 美容
do
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT{x} UDP IN:" http://upload.bbs.csuboy.com/Mon_1004/126_6899_00bc4ff17adaaa0.gif[/img]--- 印刷
. iptables -A INPUT -i ${UPLINK} -p udp --dport ${x.} -j DROP学习
done
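########################################################################
# INPUT chain.
#
# iptables stops at the first matching rule, so the order here is:
#   1. loopback, IGMP, anti-spoofing, TCP-flag and fragment checks;
#   2. ESTABLISHED/RELATED fast path;
#   3. ACCEPT rules for the management hosts and the opened ports;
#   4. ICMP error handling, then logging and a final DROP.
# The earlier listing ran the ACCEPT rules (MANAGE_IP/OPEN_TCP/OPEN_UDP)
# before the anti-spoofing and flag checks, so a packet with a spoofed
# private source or malformed flags aimed at an open port was accepted
# before any check was reached; that is what the reordering fixes.
# DROP-AND-LOG, tcpHandler, udpHandler and icmpHandler are user chains
# defined elsewhere in this script.
########################################################################
iptables -A INPUT -i lo -j ACCEPT

# IGMP is logged (rate limited) and dropped.
iptables -A INPUT -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP"
iptables -A INPUT -p igmp -j DROP

# Anti-spoofing: source addresses that must never arrive on the uplink.
# NOTE(review): the earlier listing used 192.168.0.0/24 and 172.12.0.0/16,
# which cover only one /24 of 192.168/16 and none of 172.16/12 (172.12/16
# is public address space); the RFC 1918 ranges are used here, and 10/8
# now goes through DROP-AND-LOG like the others instead of a silent DROP.
for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 224.0.0.0/4 240.0.0.0/5 \
  169.254.0.0/16 192.0.2.0/24 127.0.0.1 0.0.0.0 255.255.255.255
do
  iptables -A INPUT -i "${UPLINK}" -s "${net}" -j DROP-AND-LOG
done
# Multicast destinations: only UDP is passed; loopback as a destination on
# the uplink is never legitimate.
iptables -A INPUT -i "${UPLINK}" -p ! udp -d 224.0.0.0/4 -j DROP
iptables -A INPUT -i "${UPLINK}" -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -A INPUT -i "${UPLINK}" -d 127.0.0.1 -j DROP-AND-LOG

# TCP flag sanity and "a new connection must start with SYN". In the
# earlier listing these followed the NEW/INVALID drop and could never
# match; here they run before any ACCEPT.
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# ICMP timestamp request (13) in and timestamp reply (14) out are dropped.
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP

# Fragments arriving on the uplink are logged and dropped.
iptables -A INPUT -i "${UPLINK}" -f -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i "${UPLINK}" -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENT:"
iptables -A INPUT -i "${UPLINK}" -f -j DROP

# Fast path for packets belonging to an existing connection.
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

# Management hosts may reach ssh on this box and receive any TCP reply.
# MANAGE_IP, OPEN_TCP and OPEN_UDP are whitespace-separated lists, so the
# unquoted expansions in the three loops below are intentional.
for x in ${MANAGE_IP}
do
  iptables -t filter -A INPUT -p tcp -s "${x}" --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp -d "${x}" -j ACCEPT
done
# TCP ports (or port ranges) opened on this firewall. One --syn rule per
# port is enough: ESTABLISHED/RELATED was accepted above and NEW-without-SYN
# was dropped, so the two extra rules per port in the earlier listing only
# served to accept INVALID packets as well.
for x in ${OPEN_TCP}
do
  iptables -A INPUT -p tcp --dport "${x}" --syn -j ACCEPT
done
# UDP ports (or port ranges) opened on this firewall.
for x in ${OPEN_UDP}
do
  iptables -A INPUT -p udp --dport "${x}" -j ACCEPT
done

# Optional: IPsec/GRE passthrough, disabled by default.
#iptables -A INPUT -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A INPUT -p 47 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p udp -i ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A FORWARD -p 50 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 51 -i ${UPLINK} -j ACCEPT
#iptables -A FORWARD -p 47 -i ${UPLINK} -j ACCEPT

# ICMP error messages this host still accepts explicitly (most of them
# already arrive as RELATED and were accepted above).
iptables -A INPUT -p icmp --icmp-type source-quench -d "${UPIP}" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
echo -e "\t Logging INVALID ICMP packages:"
iptables -A INPUT -i "${UPLINK}" -p icmp ! --icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:"

# Everything else that is NEW or INVALID is logged (rate limited) and
# dropped; the last rule catches whatever state is left on the uplink.
# (The earlier "INVALID SYN REQUIRE" log/drop pair sat after this drop and
# could never match, so it is not repeated.)
iptables -A INPUT -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID NEW"
iptables -A INPUT -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i "${UPLINK}" -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe input rules has been successful applied ,continure..."

########################################################################
# FORWARD chain.
########################################################################
echo -e "\t Now starting FORWARD rules ,please wait ....."
iptables -A FORWARD -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "DROP IGMP:"
iptables -A FORWARD -p igmp -j DROP
# ICMP fragments are dropped before the generic fragment rate limit; in the
# earlier listing the rate limit came first and accepted them.
iptables -A FORWARD --fragment -p icmp -j LOG --log-prefix "Fragmented forwarded ICMP: "
iptables -A FORWARD --fragment -p icmp -j DROP
iptables -A FORWARD -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# ICMP control messages needed for path-MTU discovery and congestion control.
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT

# Bare RSTs are rate limited to 1/s; impossible TCP flag combinations and
# TCP options 64/128 are dropped.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-option 64 -j DROP
iptables -A FORWARD -p tcp --tcp-option 128 -j DROP

# Rate limits for forwarded ICMP, SYNs and echo requests. The earlier
# listing wrote these as "-m limit ... -j ACCEPT", which accepted every
# packet within the limit before tcpHandler/icmpHandler saw it, so those
# handler chains only ever received the overflow. Each limit now lives in
# its own chain that RETURNs traffic within the limit (so it continues to
# the state rules and handlers below) and drops the excess. The chains are
# created here (errors from an already existing chain are ignored, the
# chain is flushed either way) and removed by the stop branch's "-X".
iptables -N icmp-limit > /dev/null 2>&1
iptables -F icmp-limit
iptables -A icmp-limit -m limit --limit 50/s --limit-burst 100 -j RETURN
iptables -A icmp-limit -j DROP
iptables -N syn-limit > /dev/null 2>&1
iptables -F syn-limit
iptables -A syn-limit -m limit --limit 2000/s -j RETURN
iptables -A syn-limit -j DROP
iptables -N ping-limit > /dev/null 2>&1
iptables -F ping-limit
iptables -A ping-limit -m limit --limit 1/s -j RETURN
iptables -A ping-limit -j DROP
iptables -A FORWARD -p icmp -j icmp-limit
iptables -A FORWARD -p tcp --syn -j syn-limit
iptables -A FORWARD -p icmp --icmp-type echo-request -j ping-limit

# Connection tracking: existing connections pass, INVALID is logged and
# dropped, and new connections from the uplink go to the per-protocol
# handler chains.
# NOTE(review): 4000/s with a 6000 burst logs practically every new TCP
# connection; lower it if the log volume becomes a problem.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID forward: "
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -m limit --limit 4000/s --limit-burst 6000 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -m limit --limit 200/s --limit-burst 400 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -j icmpHandler
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe forward rules has been successful applied,conniture..."

########################################################################
# OUTPUT chain.
########################################################################
echo -e "\tNow applying output rules,please wait ....."
# Optional: block outbound traffic for the users listed in DENY_USER.
#for i in ${DENY_USER}
#do
#  echo -e "\tNo world wide visit for user ${i} "
#  iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:"
#  iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP
#done
# Optional: IPsec/GRE out, and DHCP server replies on the LAN.
#iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT
#iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT
#if [ "$DHCP_SERVER" = "1" ]; then
#  iptables -A OUTPUT -o $LAN_INTERFACE -p udp -s $BROADCAST_SRC --sport 67 -d $BROADCAST_DEST --dport 68 -j ACCEPT
#fi
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
iptables -A OUTPUT -m state --state INVALID -j DROP
# New outbound connections are only allowed out through the uplink; NEW on
# any other interface is logged and dropped.
# (Two rules from the earlier listing are not repeated because they came
# right after a rule that already matched the same packets: the
# "destination-unreachable -j DROP" after its ACCEPT, and the ICMP INVALID
# log/drop pair after the generic INVALID drop.)
iptables -A OUTPUT -p icmp -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\t The OUTPUT rules has been successful applied,conniture..."

# Optional NAT/router section, disabled in this server version; kept for
# reference. The interface, network and port-forward targets are site
# specific.
#echo -e "\t Now applying nat rules ,please wait ....."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
#if [ "$ROUTER" = "yes" ]; then
#  echo -e "\t enabing ip_forward,please wait..."
#  echo 1 > /proc/sys/net/ipv4/ip_forward
#  if [ "$NAT" = "dynamic" ]; then
#    echo -e "\tEnableing MASQUERADING (dynamic ip )..."
#    IP_ADDR=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
#    iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
#    iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
#    iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#    iptables -t nat -A PREROUTING -i ${UPLINK} -d ${IP_ADDR} -p tcp --dport 80 -j DNAT --to ${WEB_IP}:80
#    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${IP_ADDR} --dport 22 -j DNAT --to ${ADMIN_IP}:22
#  elif [ "$NAT" != "" ]; then
#    echo -e "\tEnableing SNAT (static ip)...."
#    iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
#    iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
#    iptables -t nat -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 80 -j DNAT --to ${WEB_IP}:80
#    iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${UPIP} --dport 88 -j DNAT --to ${ADMIN_IP}:22
#  fi
#fi
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\tAll rules has been successful applied,enjoy it...."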
elif [ "$1." = "stop" ] || [ "$1" = "flu.sh" ] || [ "$1" = "clear" ]投资
then
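echo -e "\tStoping Firewall....."
# Flushing every chain and setting all three policies to ACCEPT leaves the
# host completely unfiltered; that is what "stop" means here.
# Errors from the flush/delete steps are hidden on purpose (a chain that
# does not exist is not a failure), but the policy resets must succeed:
# the earlier version hid those too and printed [ OK ] even when iptables
# was missing or the script was not run as root.
for table in filter nat mangle
do
  iptables -t "${table}" -F > /dev/null 2>&1
  iptables -t "${table}" -X > /dev/null 2>&1
done
for chain in INPUT OUTPUT FORWARD
do
  if ! iptables -t filter -P "${chain}" ACCEPT > /dev/null 2>&1; then
    FAILURE="could not reset the ${chain} policy; is iptables installed and are you root?"
    exit_failure
  fi
done
# The user chains are flushed and deleted by name as well, as a
# belt-and-braces step after the bare "-X" above.
for chain in tcpHandler udpHandler icmpHandler CHECK_FLAGS DROP-AND-LOG syn-flood
do
  iptables -F "${chain}" > /dev/null 2>&1
done
for chain in tcpHandler udpHandler icmpHandler CHECK_FLAGS DROP-AND-LOG syn-flood
do
  iptables -X "${chain}" > /dev/null 2>&1
done
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\t\tThe firewall has successful shuted down,be careful !"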
fi