[问题求助]iptables防火墙脚本 [复制链接]
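#!/bin/bash
# RainLow firewall, version 1.0rc1 (24/11/2002): iptables rule loader.
# Usage: <script> start      (the "start" branch is further down the file)
# Settings are read from /etc/firewall/firewall.conf, which is created with
# defaults on first run; the script checks that it runs as root.
#
# Banner.  printf '%b' interprets the \t / \033 / \n escapes exactly as the
# original `echo -e` did, without echo's option-parsing quirks.  The text
# below was restored from a scrape that had stray characters inserted.
printf '%b\n' "\t\t \033[1;31m RainLow firewall \033[m version 1.0rc1 -- 24/11/2002 \n"
printf '%b\n' "############################################################"
printf '%b\n' " This software may be used and distributed according to "
printf '%b\n' "the terms of the GNU General Public License (GPL) provided"
printf '%b\n' "credit is given to the original author. "
printf '%b\n' "\t\t\t \033[1;31m Copyright (c) 2002 rainlow \033[m \n"
printf '%b\n' "\t\t\t\t All rights reserved \n\n\n"
printf '%b\n' "############################################################"


# now begins the firewall
printf '%b\n' "\n\t\t\t Welcome to \033[3;31m Rainlow Firewall \033[0m \n\n"
printf '%b\n' " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"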


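#######################################
# Print a failure banner plus the reason held in $FAILURE, then abort.
# Globals:   FAILURE (read) - human-readable reason, set by the caller
# Outputs:   diagnostics on stderr (the original wrote them to stdout)
# Returns:   never; exits the script with status 1
#######################################
exit_failure() {
  # %b expands the \t and \033 escapes; the original used a plain echo
  # without -e, so the escapes were printed literally.
  printf '%b\n' " \t \033[3;031m [ FAILED ] \033[0m \n" >&2
  printf '%s\n' "-> FATAL: ${FAILURE:-unknown error}" >&2
  printf '%s\n' "-> Firewall configuration ** ABORTED **" >&2
  exit 1
}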
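# Check that we run as root: everything below writes under /etc and
# /proc/sys and drives iptables, none of which works otherwise.

ROOT_ID=0
echo "Now check if you are root...."
if [ "$UID" = "$ROOT_ID" ]; then
  printf '%b\n' "\n\t OK ! you are root,continue....\n"
  printf '%b\n' "\a"
else
  printf '%b\n' " Sorry,you are not root and not permitted to do this option...\n"
  printf '%b\n' "\a"
  # The apostrophe was a backtick in the original string; inside double
  # quotes bash treats that as an unterminated command substitution, which
  # swallowed the following lines and broke the script.
  FAILURE="you can't run this command ,you must be root to do this"
  exit_failure
fi

# Check that an iptables binary exists.  The wrapper defined later in the
# file calls /sbin/iptables by absolute path, so that location is checked
# first; `command -v` is the portable PATH test.  Grepping the shell's
# "Command not found" message was case- and locale-dependent (bash prints
# "command not found") and never matched.
if ! [ -x /sbin/iptables ] && ! command -v iptables >/dev/null 2>&1; then
  FAILURE="can't find iptables command ,you must install iptables"
  exit_failure
fi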


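# Locate the configuration directory and create it, plus a default
# firewall.conf, when missing.

FW_LOCATE=/etc/firewall
if [ ! -e "$FW_LOCATE" ]; then
  # -p: no error if another run created it in the meantime
  mkdir -p -- "$FW_LOCATE"
fi

if [ ! -f "$FW_LOCATE/firewall.conf" ]; then
  echo "can not find firewall.conf,creating one with default setting...."
  # Written with a quoted here-doc so nothing inside is expanded.  Each
  # line is "KEY=VALUE" with no surrounding blanks: the loader splits on
  # "=", and the blank padding the original echo -e string put around
  # every value survived into comparisons such as
  # [ " $LOG_ILLEGAL_FLAGS " = " yes " ], which therefore never matched.
  # umask 077: root is the only reader, and every value ends up as an
  # iptables argument, so the file should not be writable by anyone else.
  (
    umask 077
    cat > "$FW_LOCATE/firewall.conf" <<'EOF'
UPLINK=eth2
UPIP=211.167.105.15
ROUTER=yes
NAT=211.167.105.15
INTERFACES=lo eth0 eth1 eth2
LOAD_MODULES=no
SERVICES=
QUOTA=2097152
OPEN_TCP_QUOTA=80 21 20 25 110
OPEN_UDP_QUOTA=
LOG_ILLEGAL_FLAGS=yes
DENYIP=10.0.0.1 10.0.0.255
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
TCP_PORT_LOG=135 137 138 139 443 1433 3306 8080 8000 515 513
OPEN_TCP=
OPEN_UDP=
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=172.16.3.0/24
DMZ_IF=eth1
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=172.16.3.1
FTP_IP=172.16.3.8
DNS_IP=172.16.3.3
MAIL_IP=172.16.3.10
H323_PORT=
H323=no
H323HOST=172.16.3.18
MALFORMED_PACKET_LOG=no
TUNNEL=yes
TUNNEL_TYPE=gre
TUNNEL_NAME=netx
LOCAL=61.129.112.46
LOCAL_LANIP=10.0.2.1
REMOTE_LANIP=192.168.1.199
GATEWAY=211.167.105.15
REMOTE_SUBNET=192.168.1.0/24
MANAGE_IP=192.168.1.188
EOF
  )
fi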


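printf '%b\n' "\t\t\t Loading the firewall configuration.......\n"

FW_CONF=/etc/firewall/firewall.conf

#######################################
# Read one setting from the configuration file.
# Arguments: $1 - key name (a plain identifier, matched as a fixed prefix)
#            $2 - config file (optional, defaults to $FW_CONF)
# Outputs:   the value on stdout, without the "KEY=" prefix and without
#            surrounding blanks; empty when the key is absent
# Returns:   0 always (an absent key is not an error here)
#######################################
conf_get() {
  local key=$1 file=${2:-$FW_CONF} line value
  # Anchor on the key: the unanchored `grep KEY | cut` the script used
  # also matched every key containing the name, so OPEN_TCP returned the
  # OPEN_TCP_QUOTA ports as well, QUOTA returned three lines and H323
  # returned H323_PORT and H323HOST too.  Leading blanks are tolerated
  # because the original default config indented every line with one.
  line=$(grep -E "^[[:space:]]*${key}=" -- "$file" 2>/dev/null | head -n 1)
  value=${line#*=}
  # strip leading and trailing whitespace
  value=${value#"${value%%[![:space:]]*}"}
  value=${value%"${value##*[![:space:]]}"}
  printf '%s' "$value"
}

# Every value below is later spliced unquoted into iptables arguments
# (e.g. -i ${UPLINK}), so the file must stay root-owned and not writable
# by other users; the script itself does not verify its ownership or mode.
if [ ! -r "$FW_CONF" ]; then
  printf 'warning: %s is not readable, all settings will be empty\n' "$FW_CONF" >&2
fi

UPLINK=$(conf_get UPLINK)
UPIP=$(conf_get UPIP)
ROUTER=$(conf_get ROUTER)
NAT=$(conf_get NAT)
INTERFACES=$(conf_get INTERFACES)
LOAD_MODULES=$(conf_get LOAD_MODULES)
LOG_ILLEGAL_FLAGS=$(conf_get LOG_ILLEGAL_FLAGS)
OPEN_TCP=$(conf_get OPEN_TCP)
OPEN_UDP=$(conf_get OPEN_UDP)
TCP_PORT_LOG=$(conf_get TCP_PORT_LOG)
DENYIP=$(conf_get DENYIP)
DENYUDPPORT=$(conf_get DENYUDPPORT)
LAN_IF=$(conf_get LAN_IF)
LAN_NET=$(conf_get LAN_NET)
DMZ_NET=$(conf_get DMZ_NET)
DMZ_IF=$(conf_get DMZ_IF)
DMZ_TCP_PORT=$(conf_get DMZ_TCP_PORT)
DMZ_UDP_PORT=$(conf_get DMZ_UDP_PORT)
WEB_IP=$(conf_get WEB_IP)
FTP_IP=$(conf_get FTP_IP)
SSH_IP=$(conf_get SSH_IP)
TELNET_IP=$(conf_get TELNET_IP)
WEB_M_IP=$(conf_get WEB_M_IP)
H323_PORT=$(conf_get H323_PORT)
H323=$(conf_get H323)
DNS_IP=$(conf_get DNS_IP)
H323HOST=$(conf_get H323HOST)
# The original grepped for the misspelled key "MALFORED_PACKET_LOG", so
# the setting written to the default config was never picked up.
MALFORMED_PACKET_LOG=$(conf_get MALFORMED_PACKET_LOG)
QUOTA=$(conf_get QUOTA)
OPEN_TCP_QUOTA=$(conf_get OPEN_TCP_QUOTA)
OPEN_UDP_QUOTA=$(conf_get OPEN_UDP_QUOTA)
MANAGE_IP=$(conf_get MANAGE_IP)
MAIL_IP=$(conf_get MAIL_IP)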


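# When the uplink is configured as NAT=DHCP and no address is known yet,
# give the DHCP client up to ten seconds to obtain one before the rules
# that reference $UPIP are built.
if [ "$NAT" = "DHCP" ]; then
  if [ -z "$UPIP" ]; then
    echo " [ WAIT ]"
    printf '%s' "-> $UPLINK has no IP address. Waiting for DHCP"
    for COUNT in 1 2 3 4 5 6 7 8 9 10; do
      sleep 1
      printf '%s' "*#"
      # Parses the old "inet addr:A.B.C.D" ifconfig layout.  'inet ' with
      # the trailing blank skips the inet6 line, which the bare "grep inet"
      # also matched and which produced an extra, empty field.
      UPIP=$(ifconfig "$UPLINK" 2>/dev/null | grep 'inet ' | cut -d : -f 2 | cut -d " " -f 1)
      if [ -n "$UPIP" ]; then
        echo " [ FOUND ]"
        break
      elif [ "$COUNT" = "10" ]; then
        echo " [ MISSING ]"
        echo "-> WARNING: IP address for $UPLINK not found. "
      fi
    done
  fi
fi

# Unload the legacy ipchains module if it is loaded: it cannot coexist
# with iptables.  Only attempted when modprobe is available and the
# kernel exposes /proc/modules (or has no /proc/version at all), which
# is the same condition the original expressed via `which` and grep.
if command -v modprobe >/dev/null 2>&1 && { [ -e /proc/modules ] || ! [ -e /proc/version ]; }; then
  if lsmod 2>/dev/null | grep -q ipchains; then
    rmmod ipchains > /dev/null 2>&1
  fi
fi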


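#######################################
# Run the iptables binary.  Every rule in this script goes through this
# wrapper.  The script never aborts on a failed rule (no `set -e`), so a
# rule that iptables rejects simply goes missing and the resulting
# ruleset differs from what the config describes; to make that visible
# the failing arguments are echoed to stderr next to iptables' own
# message.
# Arguments: passed through unchanged to /sbin/iptables
# Outputs:   on failure, the rule's arguments on stderr
# Returns:   the exit status of /sbin/iptables
#######################################
iptables() {
  local rc=0
  /sbin/iptables "$@" || rc=$?
  if [ "$rc" -ne 0 ]; then
    printf 'iptables rule failed (rc=%d): %s\n' "$rc" "$*" >&2
  fi
  return "$rc"
}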

if [ "$1." = "start" ] (广告)
then

echo "Starting fi.rew.all......" 学习

echo -e "N.ow prepareing the kernel to use for a firewa..ll ,please wait....." 域名

if [ -e /proc/sys/.net/i.pv4/ip_forward ] 外贸

then
echo -e. "enable ip_f.orward.please wait...." 健康
echo. 1 >;/proc/sys/net/ipv4/.ip_forward .
echo .-e "\t\.t\t\t \033[3;032m [ OK ] \033[0m\n" [成人用品]
fi
if [ "$NA.T" = " dynamic. " ] 外贸
then
echo -e "\n\.tEnable dyna.mic ip support...." 教育
e.cho 1 >; /pro.c/sys/net/ipv4/ip_dynaddr 虚拟主机
echo -e "\t\t\t\t\03.3[3;03.2m [ OK ] \033[0m\n"     美容
fi
if [ -e /p.roc/.sys/net/ipv4/tcp_syncookies ]              汽车
then
echo -e "\n\tEnable the syncoo.kies flood .protection" [成人用品]
echo 1 >; /pro.c/sys/net/ipv4/tcp_syncookie.s     外汇
echo -e "\t\t\t\t \033[3;032m. [ OK ] \033[0m\n."            鲜花
fi
if [. -e /proc./sys/net/ipv4/ip_conntrack_max ]             杀毒
then
echo -e "\n\tSetting the. maximum number of conn.ections to track.... "               乙肝
echo "16384" >; /p.roc/sys/net/ipv4./ip_conntrack_max     外汇
echo -e "\t\t\t\t \033[3;032m .[ OK ] \03.3[0m\n" 外贸
fi

if [ -e /proc/sys/net/i.pv4/ip_local_port_range ]. (广告)
then
e.cho -e " \n\tSett.ing local port range for TCP/UDP connection...." .
echo -e "32768\t61000" >; /proc./sys/net/ipv4/ip_local_.port_range (广告)
echo -.e "\t\t\t\t. \033[3;032m [ OK ] \033[0m\n" [成人用品]
fi

if [ -e /proc/sys/net/i.pv4/icmp_ignore_bogus_error_respons.es ] .
then
e.cho -e "\n\tEnable bad error message pr.otection......."            女人
echo 1 >; /proc/sys/net/ipv4/icmp_ign.ore_bogus_error_.responses (        游戏          )
ech.o -e "\t\t\t\t \033[3;032m [ OK. ] \033[0m\n"     外汇
fi
if [ -e /proc/sys/net/ipv4/tcp_ec..n ]             杀毒
then
echo -e ".\n\tDisabling tcp_ecn.,please wait..." (        游戏          )
echo 0 >;./proc./sys/net/ipv4/tcp_ecn 健康
echo -e "\.t\t\t\t \033.[3;032m [ OK ] \033[0m\n" 电脑
fi

f.or x in ${INTERFACES} .
do
echo -e " \n\tEnabl.ing rp_filter on $.{x} ,please wait...." .
echo 1 >; /proc/sys/net/ipv4/conf/$.{x}./rp_filter     外汇
echo -e "\t\t\t\t \033[3;032m [ OK ] ..\033[0m\n" 电影
done

if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects .]. .

then

echo -e "\n\tDisabing ICMP redirects,please .wait....." .
echo 0 >; /.proc/s.ys/net/ipv4/conf/all/accept_redirects     美容
ec.ho -e "\t\t\t\t \033[3;032m [. OK ] \033[0m\n"     健康
fi

if [ -e /proc/sys/net/ipv4/conf/all/a.ccep.t_source_route ]

then
echo -e "\n\tDisabling .source routing of packets,please wai.t...."             杀毒
for i in /proc/sys/net/ipv4/conf/*./accept._source_route [成人用品]

do
echo 0 >; $i

done
echo -e "\.t\t\t\t \033[3;032m [ OK ] \033[0.m\n" --- 印刷

fi
if [ -e /proc/sys/net/ipv4/.icmp_echo_ignore_bro.adcasts ]              汽车
then
e.cho -e "\n\tIgnore any broadcast icmp echo reques.ts......"
echo 1 >; /proc/sys/net/ipv4/icmp_echo_i.gnore_broadc.asts 教育
echo -e "\t\t\t\t. \033.[3;032m [ OK ] \033[0m\n" 虚拟主机
fi


if [ -e /proc/sys/net/ipv4/icmp_destunreach_r.ate. ] .
then
ech.o -e "modify icmp_des.tunreach_rate and icmp_echoreply_rate.." <性病>
echo 5 >.; /proc/sys/net/ipv.4/icmp_destunreach_rate (广告)
echo 5 >;. /proc/sys/net/ipv4/icmp_e.choreply_rate .
echo -e "\t\t\t\t \033[3.;032m [ OK ] \033[0m\.n" --------------彩票
fi

#echo 0 >; /proc/sys/ne.t/ipv4/conf/.all/bootp_relay .
if .[ -e /p.roc/sys/net/ipv4/tcp_timestamps ] .
then
echo -e "\n..\tDisable the tcp_timestamps......" 域名
echo 0 >; /proc./sys./net/ipv4/tcp_timestamps .
echo -e "\t\t\t\t \033[3;032m [ OK .] .\033[0m\n" <性病>
fi
if [ -e /proc/sys/net/i.pv4/tcp_fin_.timeout ] .
then
echo -e "\n\tSe.tting up tcp_fin._timeout...." [成人用品]
echo 30 >; /proc/sys/n.et/ipv4/t.cp_fin_timeout            鲜花
echo -e "\t\t\t\.t \033[3;032m .[ OK ] \033[0m\n" 健康
fi
if .[ -e /proc/sys/net./ipv4/tcp_keepalive_time ] 服务器
then
echo -e "\n\tSetting u.p the tcp_keepaliv.e_time...."              汽车
echo 1800 >; /proc/sys/net/ipv4/tcp_keepalive_tim.e.            建材
echo -e. ."\t\t\t\t \033[3;032m [ OK ] \033[0m\n" 教育
fi
if [ -e /proc/.s.ys/net/ipv4/tcp_window_scaling ]           婚庆
then
echo -e ."\n\tDisa.bling tcp_window_scaling...."     健康
echo 0 >; /proc/sys/net/ipv4/t.c.p_window_scaling 教育
echo -e "\t\.t\t\t \033[3;032m [ OK ] \0.33[0m\n" (广告)
fi
if .[ -e /proc/sys./net/ipv4/tcp_sack ] 电影
then
echo -e "\n\.tDisabling tcp_s.ack...."              汽车
ech.o 0 >; /proc/s.ys/net/ipv4/tcp_sack     美容
echo -e ."\t\t\t\t \033[3;032.m [ OK ] \033[0m\n"     外汇
fi
if [ -e. /proc/sys/net/ipv4/ip.frag_time ] 健康
then
e.cho -e "\n\tSetting up the ipfrag_t.ime...." --- 印刷
ech.o 20 >; /proc/sys/net/ip.v4/ipfrag_time .
ec.ho -e "\t\t\t\t \033[3;.032m [ OK ] \033[0m\n"               乙肝
fi
if [ -e /proc/sys/net/.ipv.4/tcp_max_syn_backlog ] 虚拟主机
then
echo -e ".\n\tSetting up the tcp_max._syn_backlog...."           婚庆
echo 1280 >; /proc/s.ys/net/ipv4/tcp_max_syn_bac.klog 健康
echo -e "\.t\t\.t\t \033[3;032m [ OK ] \033[0m\n" 电脑
fi
if [ -e /proc/.sys/net/ipv4/tcp_abort_on_overflow.e ] --- 印刷
then
echo -e "\n\t Enabling .tcp_abort_on_ov.erflow" <性病>
echo 1 >; /proc/sys/net/ipv.4/tcp_abort_on_ov.erflow 外贸
ech.o -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n." 域名
fi
if [ -.e /proc/sys/net./ipv4/config/all/log_martians ] .

then
e.cho -e "\n\tLOG packets with impossible addresses to kernel log....."              汽车
echo 1 >; /proc/sys/net/ipv4/conf/all/lo.g._martians     健康
echo 0 >; /proc/sys/net/ipv4/.conf/$.LAN_IF/log_martians            鲜花
echo 0 >; /proc/sys/net/ipv4/conf/$DMZ._.IF/log_martians 学习
echo -e ."\t\t\t\t \033[3;03.2m [ OK ] \033[0m\n"              电子
fi

if .[ -e ./proc/sys/net/ipv4/conf/all/secure_redirects ] 电脑
then
echo -e "\n\tena.ble secure_redirects....."            建材
echo .1 >; /proc./sys/net/ipv4/conf/all/secure_redirects              汽车
ec.ho -e "\t\t\t\t \.033[3;032m [ OK ] \033[0m\n" 域名
fi
#echo 1 >;/proc/sys/net/ip.v4/icmp._echo_ignore_all

#including all n.eeded m.odules     美容

#depmod -a

# Load a kernel module; a short alias so the module list below reads cleanly.
# Arguments: passed through unchanged to /sbin/modprobe
# Returns:   the exit status of /sbin/modprobe
mp() {
  /sbin/modprobe "$@"
}
if [ "$LOAD.._MODULES" = "yes" ] 外贸
then

if [ -e /lib/modules/`uname .-r`/kernel/net/ip.v4/netfilter/ip_tables.o ] (        游戏          )
then
echo -e "\n\tLoading iptables modules please wait......" 虚拟主机
mp ip_tables
mp ipt_LOG
mp ipt_owner
mp ipt_MASQ.URADE 外贸
mp ipt_REJECT
mp ipt_con.ntrack_ftp            建材
mp ip.t_conntrack_irc 外贸
m.p iptable_filter              汽车
mp ipta.ble_nat 投资
mp iptable_mangl.e .
mp ip_conntr.ack .
mp ipt_limit
mp ipt_state
mp ipt_un.clean     美容
mp ipt_TCPMSS
mp ipt_TOS
mp ipt_TTL
mp ipt_quota
mp ipt_iplim.it [成人用品]
mp i.pt_pkttype 电影
mp ipt_ipv4optio.ns .
mp ipt_MARK
echo -.e ".\t\t\t\t \033[3;032m [ OK ] \033[0m\n" .
else
e.cho -e "\tSorry,no iptables modules found. !!"              汽车
fi
fi

#pr.epare the firewall tables fo.r use            鲜花

iptables -P INPU.T DROP 学习
i.ptables -P FORWARD DROP 域名
iptables -P OUTPUT DROP. .
iptables -F. INPUT 电脑
iptab.les -F FORWARD              汽车
ipt.ables -F OUTPUT --------------彩票
iptabl.es -F -t nat .
iptabl.es -F -t mangle 外贸
iptables -Z
iptables -X
iptables -.N CHECK_FLAGS 教育
iptables -F CHE.CK_FLAGS 电脑
iptable.s -N tcpHandler .
iptables -F .tcpHandler 外贸
iptables -N udp.Handler .
iptables -F ud.pHandler (        游戏          )
iptables -N icmpHandler. 域名
iptables -F icmpHan.dler .
iptables -N DROP-.AND-LOG     外汇
iptables -.F DROP-AND-LOG            鲜花
iptables -N .syn-flood (广告)
iptables -F. syn-flood .
ip.tables -N lan-input     外汇
iptab.les -F lan-input 外贸
iptables -N d.mz-input .
iptables -F dm.z-input              电子


echo -e "\tOK,the kernel is now. p.repared to use for building a firewall!!.!" 电影
echo -e "\n\t start.ing firewall ,Waitting ........................." 电影
echo -e "\n\tCreating a drop and log c.hain......" .
iptables. -A DR.OP-AND-LOG -j LOG --log-level 6            建材
iptab.les -.A DROP-AND-LOG -j DROP           婚庆
echo -e. "\t\t\t\t \033[.3;032m [ OK ] \033[0m\n" .

#des.ign a chain for syn-flood protec.t     健康
#e.cho -e "\t define a chain for syn-flood pretect..." .
#iptables -A INPUT -i ${UP.LINK} -p tcp --sy.n -j syn-flood 电脑
#iptables -A syn-fl.ood -m limit --limit 1/s --limit-burst 4 -j. RETURN .
#ipt.ables -A syn-.flood -j DROP     健康
#echo -e "\t\t\t\t \03.3[3;032m [ OK ] \03.3[0m\n" .

#define a chain. for log malf.ormed packages           婚庆
if [ "$MALFOR.MED_PA.CKET_LOG" = "yes" ]           婚庆
then
echo -e "\tNow logging mal.formed pac.kages" .
iptables -A INPUT .-i ${UPLINK} -m unclean -m limit --limit 2/m -j .LOG --log-level 6 --log-prefix "DRO.P malformed packet:"            建材
# iptable.s .-A INPUT -i ${UPLINK} -m unclean -j DROP (        游戏          )
echo -e "\t\t\t\t. \033[3;032m [ OK ] \033[0m.\n"            女人
fi
# drop malforme.d packa.ges           婚庆

iptables -A INPUT -i ${UPLINK} -m unclean .-j. DROP .

echo. -e "\tNow starting the check_flag rules,please wait....." .
echo -e "\tLogging illegal TCP flags......" 电脑

if [ ". $LOG_ILLEGAL_FLAGS " = " yes ". ]     美容
then

iptabl.es -A CHECK_FLAGS -i ${UPLINK} -p tcp --.tcp-flags ALL FIN -m li.mit .--limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ALL FIN :" --log-tcp-options --log-ip-options .
iptables -A .CHECK_FLAGS -i ${UPLINK} -p tcp .--tcp-flags ALL FIN -j DROP [成人用品]
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-fl.ags. ACK,FIN FIN -m limit --limit 3/m -.j LOG --log-level 6 --log-prefix "INVALID ACK,FIN FIN :" --log-tcp-opt..ions --log-ip-options [成人用品]
iptables -A. CHECK_FLAGS -i ${UPLINK} -p tcp --tcp.-flags ACK,FIN FIN .-j DROP .
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp..-flags ACK,PSH. PSH. -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "INVALID ACK,PS.H PSH:" --log-tcp-options --log-ip-options 教育
i.ptab.les -A CHECK_.FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DROP .
iptables -A CHEC.K_FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,URG URG -m lim.it --l.imit 3/m -j LOG --log-level 6 --log-prefix "INVALID. ACK,URG URG:" --log-tcp-options --lo.g-ip-options --- 印刷
iptables -A CHECK_FLAGS .-i .${UPLINK} -p tcp --tcp-flags. ACK,URG URG -j DROP <性病>
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-fl.ags ALL FIN,URG,PSH -m limit --limit 3/m -j LOG --log-level .6 --log-prefix " INVAILD NMAP SCAN " -.-log-tcp-options --log-ip-opt.ion.s             杀毒
ip.tables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags A.LL FIN,.URG,PSH -j DROP 教育
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tc.p-flags. SYN,RST SYN,RST -m lim.it --limit 3./m -j LOG --log-level 6 --log-prefix " SYN/RST SCAN." --log-tcp-options --log-ip-options .
ipt.ables -A CHECK_FLAGS -i. ${UPLINK}. -p tcp --tcp-flags SYN,RST SYN,RST -j DROP           婚庆
iptables -A CHECK_FLAGS -i ${UP.LINK} -p tcp --tcp-flags SYN,FIN SYN,FIN .-m limit .--limit 3/m -j. LOG --log-.level 6 --log-prefix " SYN/FIN SCAN " --log-tcp-options --log-ip-options --------------彩票
iptab.les -A CHEC.K_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,FIN SYN,FIN .-j DROP 电脑
iptables -A CHECK_FLA.GS -i ${UPLINK} -p tcp --tcp-option 64 -m limit --limit 3/m -j LOG --log-level 6 --log.-p.refix " Bogus TCP FLAG 64 " --log-tcp-options --log-ip-.options .
iptables -A CHECK_.FL.AGS -i ${UPLINK} -p tcp --tcp-option 64 -j DROP               乙肝
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-.o.ption 128 -m limit --limit 3/m -j .LOG --log-level 6 --log-prefix " Bogus TCP FLA.G 128 " --log-tcp-options --log-ip-options 投资
iptables -A CHECK_FLAGS -i ${UPLI.NK} -p .tcp --tcp-option 128 -j DROP             杀毒
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL ALL -m limi.t --limi.t 3/m -j LOG --log-level 6 --log-prefix "Merry Xmas .Tree:" --log-tcp-options --l.og-ip-options     健康
iptables -A. CHECK_FLAGS -i ${UPLINK.} -p tcp --tcp-flags ALL ALL -j DROP 电脑
iptables .-A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-.flags ALL .SYN,RST,ACK,F.IN,URG -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "XMAS-.PSH:" --log-tcp-options --log-ip-options              汽车
i.ptables -A CHECK_FLAGS -i ${UPLINK} -p tcp -.-tcp-flags ALL SYN,RST,ACK,FI.N,URG -j DROP           婚庆
iptables -A .CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags ALL NONE -m limit --lim.it 3/m -j LOG --.log-level 6 --log-p.refix "NULL_SCAN" --log-tcp-options --log-ip-options               乙肝
iptables -A CHEC.K_FLAGS -i ${UPLINK} -p tcp --tcp.-flags ALL NONE -j DROP .
i.ptables -A CHECK_FLAGS -i ${UPLINK} -p tcp --tcp-flags SYN,ACK,FIN,RST RS.T -m limit --limit 3/m -j .LOG --.log-level 6 --log-prefix "INVALI.D SCAN:" --log-tcp-options --log-ip-options             杀毒
iptables -A CHECK_FLAGS -i ${UPLINK} -p tcp .--tcp-flags .SYN,ACK,FIN,RST RST -j. DROP .

else

iptable.s -A CHECK_FLA.GS -i ${UPLINK} -p tcp --tcp-flags ALL FIN -j DROP 虚拟主机
iptables -A CHECK._FLAGS -i ${UPLINK} -p tcp --tcp-flags ACK,F.IN FIN. -j DROP 电影
iptables -A CHECK_FLAGS -.i .${UPLINK} -p tcp --tcp-flags ACK,PSH PSH -j DR.OP              电子
iptables .-A CHECK_FLAGS -i ${.UPLINK} -p tcp --tcp-fl.ags ACK,URG URG -j DROP (        游戏          )
iptables -A CHECK_F.LAGS -i ${U..PLINK} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP --------------彩票
iptables. -A CHECK_FLAGS -i ${UPLINK} -p .tcp .--tcp-flags SYN,RST SYN,RST -j DROP            女人
iptables -A CHECK_FLAGS .-i ${UPLINK} -p tcp --tcp-fl.ags SYN,FIN SYN,FIN -j. DROP     美容
ipt.ables -A CHECK_FLAGS -i ${UPLIN.K} -p tcp --tcp-option 64 -j DROP 电脑
iptable.s -A CHECK_FLAGS -i ${UPLINK} -p tcp --t.cp-option 128 -j DROP .
i.ptables -A CHECK_FLAGS -i .${UPLINK} -p tcp --tcp-flags ALL ALL -j DROP .
iptables. -A CHECK_FLAGS -i ${U.PLINK} -p tcp .--tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP .
iptables -A CHECK_FLAGS -.i ${UPLINK} -p tcp --tcp-flags ALL .NONE -j DROP             杀毒
iptables -A CHECK_FL.AGS -i ${UPLINK} -p tcp --tcp-flags S.YN,ACK,FIN,RST RST -j DROP. [成人用品]

echo. -e "\t\t\t\t \033[3;032m. [ OK ] \033[0m" 电影
fi
echo -e "\t\t\t\t \.033[3;032m [ O.K ] \033[0m \n\t.Finished check_flags rules...." 电影


echo -e "\tNow starting the input rules,please wait........." .

#for i in $OPEN_TCP_QUO.TA; d.o .
# .printf " firewall ->;p.ort $i tcp open with quota $QUOTA..." .
#ip.tables -A INPUT -i $UPLINK -p tcp --syn -m state ..--state NEW -m limit --limit 2/s --dport $i -m quota --quota $QUOTA -j ACCEP.T .
#iptables -A INPUT. -i $UPLINK -p tcp --dport $i. -j DROP .
#done
#for. i in .$OPEN_UDP_QUOTA; do              汽车
# echo " firewall ->;p.ort $i udp open with quota $QUOTA...". 外贸
#iptables -A INPUT -i $UPLINK -.p udp -m state --state NEW -m limit --l.imit 2/s --dport $i -m quota --q.uota $QUOTA -j ACCEPT              电子
#iptables -A INPUT -i $UPLINK -p udp --dport $i -j D.ROP. (        游戏          )
#done

#build a cha.in for deny ip or i.p range .

for x in ${DENYIP}.     外汇
do
iptables -A INPUT -i ${UPLINK} -p tcp -s ${x} -m state --state NEW -j LOG --log-prefix "INVAILD{x} TCP IN:" http://upload.bbs.csuboy.com/Mon_1004/126_6638_00bc4ff17adaaa0.gif[/img].
ip.tables -A INPUT -i ${UPLINK} -p tcp -s ${x.} -m state --state NEW -j DROP             杀毒
# iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x.} -m stat.e --state NEW -j D.ROP     健康
iptables -A INPUT -i ${UPLINK} -p tcp --syn -s ${x} -j LOG --log-prefix "INVAILD{x} SYN IN:" http://upload.bbs.csuboy.com/Mon_1004/126_6638_00bc4ff17adaaa0.gif[/img]电脑
iptables -A INPUT -i ${UP.LINK} .-p tcp --syn -s ${x} -j DROP     外汇
iptables. -A INPUT -i ${UPLINK} -p ALL -.s ${x} -m limit --limit 6/m -j LOG --log-level 6 --log-prefix. "DENYED IP ${x} IN:" 虚拟主机
iptables -A INPUT -i ${UPLINK} -p ALL -s ${x} .-j DR.OP .
done
#build a chain for the tcp .p.ort or port range you want to log            女人

f.or x in ${TCP_PORT_LOG} <性病>
do
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} --syn -j LOG --log-prefix "INVALID{x} SYN IN:" http://upload.bbs.csuboy.com/Mon_1004/126_6638_00bc4ff17adaaa0.gif[/img]外贸
ipta.bles -A INPUT -i ${UPLINK} -p tcp. --dport ${x} --syn -j DROP .
iptables -A INPU.T -i ${UPLINK} -p tcp --dport ${x} -m state --state NEW -j LOG --log-prefix "INVAILD.${x}PO.RT IN:" .
iptables -A INPUT -i ${UPLI.N.K} -p tcp --dport ${x} -m state -.-state NEW -j DROP            鲜花
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "ORThttp://upload.bbs.csuboy.com/Mon_1004/126_6638_4f4b5a14d6d2379.gif[/img]{x} attempt:" --log-tcp-options --log-ip-options --log-tcp-sequence http://upload.bbs.csuboy.com/Mon_1004/126_6638_00bc4ff17adaaa0.gif[/img].
iptables -A INPUT -i ${UPLINK} -p tcp --.dport. ${x} -j DROP     外汇
done

#bulid a chain for the udp po.rt or port range y.ou want to deny              汽车

for x in ${DENYUDPPORT}.     健康

do
iptables -A INPUT -i ${UPLINK} -p udp --dport ${x} -m limit --limit 3/m -j LOG --log-prefix "INVAILD PORT{x} UDP IN:" http://upload.bbs.csuboy.com/Mon_1004/126_6638_00bc4ff17adaaa0.gif[/img]电脑
iptables -A INPUT -i. ${UPLINK} -p .udp --dport ${x} -j DROP              汽车
done


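#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Management host on the LAN side.  The original referenced ${LAN}, which
# is never set (the config key is LAN_IF): "-i" then received "-s" as its
# argument and iptables rejected the rule, so the management host was never
# granted access.  Left unquoted like the rest of the file, because the
# config loader can leave trailing blanks on values.
iptables -A INPUT -i ${LAN_IF} -s ${MANAGE_IP} -j ACCEPT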
#build. a chain for the tcp .port or po.rt range you want to open on this firewll .

for. x in ${OPEN_TCP} --------------彩票

do
iptables -A IN.PUT -i ${UPLINK} -p tcp --dport ${x}. --syn -j ACCEPT <性病>
iptables -A INPUT -i ${UPLINK} -p tcp --dport ${x} -m stat.e. --state NEW,ESTABLISHED,R.ELATED -j ACCEPT            女人
done

#build a chain for the udp port or port range. y.ou want to open. on this firewall .

for x in ${OPEN_UDP} .--------------彩票
do
iptables -.A .INPUT. -i ${UPLINK} -p udp --dport ${x} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT [成人用品]
done
#build .a chain to drop an.d log IGMP .

iptables -A INPUT -i ${UPLINK} -p igmp -m. li.mit --limit 2/m -j LOG --log-level 6 --log-prefix "DRO.P IGMP packages:" 服务器
iptables -.A INPUT -i ${UPLINK}. -p igmp -j DROP .

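# Drop (and mostly log) packets arriving on the uplink whose addresses
# cannot legitimately come from the Internet: private, link-local,
# loopback, multicast, reserved, TEST-NET, unspecified and broadcast.
# NOTE(review): 192.168.0.0/24 covers only the first /24 of the RFC 1918
# 192.168.0.0/16 block and 240.0.0.0/5 only half of the reserved
# 240.0.0.0/4; both were left as written - confirm the intent before widening.

iptables -A INPUT -i ${UPLINK} -s 192.168.0.0/24 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 10.0.0.0/8 -j DROP
# RFC 1918 private space is 172.16.0.0/12; the original listed
# 172.12.0.0/16, which is public address space.
iptables -A INPUT -i ${UPLINK} -s 172.16.0.0/12 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 224.0.0.0/4 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 240.0.0.0/5 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 169.254.0.0/16 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 192.0.2.0/24 -j DROP-AND-LOG
# The next two and the 0.0.0.0 rule lacked "-j", so iptables rejected them
# and those packets fell through to the later rules.  "-p ! udp" is the
# legacy negation form used throughout this file; newer iptables prefers
# "! -p udp".
iptables -A INPUT -i ${UPLINK} -p ! udp -d 224.0.0.0/4 -j DROP
iptables -A INPUT -i ${UPLINK} -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -A INPUT -i ${UPLINK} -d 127.0.0.1 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 127.0.0.1 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 0.0.0.0 -j DROP-AND-LOG
iptables -A INPUT -i ${UPLINK} -s 255.255.255.255 -j DROP-AND-LOG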
#drop and lo.g invalid manage ip .in     健康

#iptables -A lan-input -p tcp --dport 23 -i ${LAN_IF} -s ! ${MANAG.E_IP} -j LOG --.l.og-level 6 --log-prefix " INVALID M.ANAGE_IP IN:"              电子
#iptables -A lan-input -p tcp -.-dport 23 -i $.{LA.N_IF} -s ! ${MANGLE_IP} -j DROP 学习

#build a chain for ipsec. .vpn .

iptables -A INPU.T -p udp -i ${UPLINK} --sport 500 --d.port 500 -j ACCEPT     外汇
iptables -A INPUT -p 50 -i .${UPLINK}. -j ACCEPT 电影
ip.tables -A INPUT -p 51 -i ${U.PLINK} -j ACCEPT 学习
iptables -.A INPUT -p 47 -i. ${UPLINK} -j ACCEPT .

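# Stateful floor for the uplink: allow replies to existing connections,
# then log and drop everything NEW or INVALID.
# NOTE(review): because that drop matches every non-ESTABLISHED/RELATED
# packet on ${UPLINK}, the uplink-specific LOG/REJECT rules after it can
# only be reached by packets conntrack does not classify at all; they look
# like a defence-in-depth tail rather than live policy - confirm.
iptables -A INPUT -i ${UPLINK} -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "INVALID NEW packages"
iptables -A INPUT -i ${UPLINK} -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i ${UPLINK} -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "DROP NEW NOT SYN:"
iptables -A INPUT -i ${UPLINK} -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT -p tcp -i ${UPLINK} --syn -j LOG --log-prefix "INVALID SYN REQUIRE:"
iptables -A INPUT -p tcp -i ${UPLINK} --syn -j DROP
printf '%b\n' "\t Logging INVALID ICMP packages:"
# The next three rules used ${UPLINL} (typo), which expands to nothing; "-i"
# then had no argument, iptables rejected the rules, and fragmented ICMP
# from the uplink was neither logged nor dropped here.
iptables -A INPUT -i ${UPLINK} -p icmp ! --icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "INVAILD ICMP IN:"
iptables -A INPUT -i ${UPLINK} -f -p icmp -j LOG --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i ${UPLINK} -f -p icmp -j DROP
# Error-reporting ICMP types are accepted on any interface; source-quench
# only when addressed to our own uplink address.
iptables -A INPUT -p icmp --icmp-type source-quench -d $UPIP -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp -j REJECT --reject-with icmp-net-unreachable
iptables -A INPUT -p udp -i ${UPLINK} -j LOG --log-prefix "INVAILD UDP IN:"
iptables -A INPUT -i ${UPLINK} -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i ${UPLINK} -p tcp -j LOG --log-prefix "INVAILD TCP IN:"
iptables -A INPUT -i ${UPLINK} -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ${UPLINK} -s 0/0 -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
iptables -A INPUT -i ${UPLINK} -s 0/0 -f -j DROP
# Explicit final drop for the uplink, in addition to the DROP policy.
iptables -A INPUT -i ${UPLINK} -j DROP
printf '%b\n' "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe input rules has been successful applied ,continure..."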

echo -e "\t Now starting FORWARD rules ,please wait ......."            女人

iptables -A FOR.WARD -f -m l.imit --limit 1/s --limit-burst 10 -j ACCEPT              汽车
iptables -A FORWARD. --fragment -p icmp -j LOG --log-prefix "Fragmented forwarded .ICMP.: "            建材
iptables -A FORWARD --fragment -p i..cmp -j DROP            建材
ipta.bles -A FORWARD -o ${UPLINK} -p icmp --icmp-type echo-request -s $LAN_N.ET -m state --state NEW -j AC.CEPT     美容
ip.t.ables -A FORWARD -o ${UPLINK} -p icmp --icmp-type echo-request -s $D.MZ_NET -m state --state NEW -j ACCEPT 电脑
ipt.ables -A. FORWARD -o $LAN_IF -p icmp --icmp-type t.ime-exceeded -d $LAN_NET -j ACCEPT           婚庆
iptables -A FORWARD -o $DMZ_IF -p icmp ..--icmp-type time.-exceeded -d $DMZ_NET -j ACCEPT .
i.ptables -A FORWARD .-p icmp --icmp-type fragmentation-needed -j ACCEPT .
iptables -A. FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT.              汽车
iptables -A OUTPUT -p icmp .--icmp-type source-quench -j. ACCEPT (广告)
iptab.les -A .FORWARD -p icmp -m limit --limit 1/s --limi.t-burst 10 -j ACCEPT 外贸
iptables -A FORWARD -p tcp --tcp-.flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j .A.CCEPT .
i.ptables -A FORWARD. -p tcp --tcp-flags ALL NONE -j DROP 教育
iptables -A FORWARD -p tcp --tcp-flags .ALL. ALL -j DROP .
iptables -A FORWARD -p. tcp. --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP --------------彩票
iptables -.A FORWARD -p tcp --tcp-flags A.LL FIN,URG,PSH -j DROP .
iptables -A FORWARD. -p tcp --tcp-fla.gs SYN,RST SYN,RST -j DROP            建材
iptables -A FORWARD -p tcp --tcp-flags SYN,.FIN SYN,FI.N -j DROP .
iptables -A FORWARD -p tcp --.syn -m limit --limit 1/s .-j ACCEPT [成人用品]
iptables -A F.ORWARD -p icmp --icmp-type echo-request ..-m limit --limit 1/s -j ACCEPT 外贸
iptables -A FORWARD -m state --state .ESTABLISH.ED,RELATED -j ACCEPT [成人用品]
iptabl.es -A FORWARD -m state --state INVALID -j LO.G --log-prefix "INVAL.ID forward: "               乙肝
ipta.bles -A FORWARD -m state --state INVALID .-j DROP            女人
ip.tables -A FORWARD -i lo -j ACC.EPT .
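# ---- FORWARD chain: internal networks -> uplink, then rate-limited NEW from the uplink ----
# (The lines as posted were interleaved with stray '.' characters and forum
# tags that iptables would have received as arguments; they are removed here.)
# LAN and DMZ hosts may open connections towards the Internet.
iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# NEW connections arriving on the uplink are logged (rate-limited) and then
# handed to a per-protocol handler chain.  The handlers RETURN while the rate
# stays under 5/minute (burst 10), so such packets continue down FORWARD;
# anything above the limit is logged and dropped inside the handler.
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
iptables -A FORWARD -i ${UPLINK} -p tcp -m state --state NEW -j tcpHandler
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
iptables -A FORWARD -i ${UPLINK} -p udp -m state --state NEW -j udpHandler
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
iptables -A FORWARD -i ${UPLINK} -p icmp -m state --state NEW -j icmpHandler
iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
iptables -A tcpHandler -p tcp -j DROP
iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
iptables -A udpHandler -p udp -j DROP
iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
iptables -A icmpHandler -p icmp -j DROP

# Replies from the Internet back into LAN/DMZ.
iptables -A FORWARD -i ${UPLINK} -o ${LAN_IF} -d ${LAN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${UPLINK} -o ${DMZ_IF} -d ${DMZ_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT
# These two stateless accepts also pass INVALID-state packets; the stateful
# rules at the top of this block already cover NEW/ESTABLISHED/RELATED.
iptables -A FORWARD -i ${LAN_IF} -o ${UPLINK} -j ACCEPT
iptables -A FORWARD -i ${DMZ_IF} -o ${UPLINK} -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${LAN} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -o ${UPLINK} -i ${DMZ} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# DMZ -> LAN: log, then reject/drop everything that arrives on DMZ_IF for LAN_NET.
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p tcp -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p tcp -j REJECT --reject-with tcp-reset
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p udp -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p udp -j DROP
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p icmp -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
iptables -A FORWARD -o ${LAN_IF} -i ${DMZ_IF} -d ${LAN_NET} -p icmp -j DROP
# NOTE(review): the three DMZ->LAN accepts below (sport 53, '! --syn', echo-reply)
# sit after the log/reject rules above, which already match every tcp/udp/icmp
# packet from DMZ_IF to LAN_NET routed out LAN_IF -- so they are shadowed for
# that path.  They are also weak filters on their own (any UDP with source port
# 53, any TCP without SYN); conntrack ESTABLISHED would be the narrower match.
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -i ${DMZ_IF} --sport 53 -j ACCEPT
#iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} ! --syn -i ${DMZ_IF} -j ACCEPT
iptables -A FORWARD -p icmp -s ${LAN_NET} -d ${DMZ_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A FORWARD -s ${LAN_NET} -d ${DMZ_NET} -i ${LAN_IF} -j ACCEPT
iptables -A FORWARD -p tcp -d ${LAN_NET} -s ${DMZ_NET} -i ${DMZ_IF} ! --syn -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type 0 -s ${DMZ_NET} -d ${LAN_NET} -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# Catch-all for DMZ_NET -> LAN_NET on any interface (e.g. a spoofed DMZ source
# arriving on the uplink), then drop whatever is left.
iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
iptables -A FORWARD -p tcp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
iptables -A FORWARD -p udp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
iptables -A FORWARD -p icmp -s ${DMZ_NET} -d ${LAN_NET} -j DROP
iptables -A FORWARD -m state --state NEW,INVALID -j DROP
# Final unconditional drop: the FORWARD policy never decides a packet's fate.
iptables -A FORWARD -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\tThe forward rules has been successful applied,conniture..."
echo -e "\tNow applying output rules,please wait ...."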
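# ---- OUTPUT chain ----
# Per-user egress block.  These rules are appended first so they take
# precedence over every accept below.
# NOTE(review): DENY_USER is not defined in the sample firewall.conf shown
# with this script, in which case this loop runs zero times -- confirm.
for i in ${DENY_USER}
do
  # Original printed "user{i}" (missing '$'); the uid is now actually shown.
  echo -e "\tNo world wide visit for user ${i} "
  iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "DROP packet from ${i}:"
  iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP
done

# IPsec (ISAKMP, ESP, AH) and GRE out of the uplink.  The original repeated
# these four rules a second time further down; the duplicate is dropped.
iptables -A OUTPUT -p udp -o ${UPLINK} --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p 50 -o ${UPLINK} -j ACCEPT
iptables -A OUTPUT -p 51 -o ${UPLINK} -j ACCEPT
iptables -A OUTPUT -p 47 -o ${UPLINK} -j ACCEPT

# Outgoing ICMP.
iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT --fragment -p icmp -j DROP
iptables -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Shadowed by the destination-unreachable ACCEPT two lines up; kept as written.
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

# Connection tracking: pass replies, log and drop INVALID.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
iptables -A OUTPUT -m state --state INVALID -j DROP

# Anything the firewall itself sends towards the uplink.
iptables -A OUTPUT -p icmp -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ${UPLINK} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Locally generated traffic with a DMZ source: anywhere except the LAN, and
# only replies towards the LAN.  '! -d' is the supported negation form; the
# original '-d ! ...' (intrapositioned) is rejected by current iptables.
iptables -A OUTPUT -s ${DMZ_NET} ! -d ${LAN_NET} -o ${DMZ_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -o ${DMZ_IF} -d ${LAN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -o ${DMZ_IF} -d ${LAN_NET} -m state --state NEW -j DROP
iptables -A OUTPUT -s ${LAN_NET} -d ${DMZ_NET} -o ${LAN_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p tcp -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p udp -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p udp -j DROP
iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p icmp -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"
iptables -A OUTPUT -s ${DMZ_NET} -d ${LAN_NET} -p icmp -j DROP

# Loopback, then the remaining state checks and the final drop.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "INVAILD NEW:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP

iptables -A OUTPUT -j DROP

echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m \n\t The OUTPUT rules has been successful applied,conniture..."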

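echo -e "\t Now applying nat rules ,please wait ...."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
# Packets entering on the uplink that already carry an internal destination are
# dropped in nat PREROUTING, before any DNAT below can see them.
iptables -t nat -A PREROUTING -d ${LAN_NET} -i ${UPLINK} -j DROP
iptables -t nat -A PREROUTING -d ${DMZ_NET} -i ${UPLINK} -j DROP

#######################################
# Publish the DMZ services on one public address (port forwarding).
# The original duplicated this list once per NAT mode; the two copies
# differed only in the public address they matched on.
# Arguments: $1 - public IP address the DNAT rules match with -d
# Globals:   UPLINK, WEB_IP, FTP_IP, SSH_IP, TELNET_IP, WEBMAIL_IP, MAIL_IP,
#            DNS_IP, H323, H323_PORT, H323HOST (read)
# Outputs:   progress message on stdout when H323 is enabled
#######################################
apply_dnat_rules() {
  local pub_ip=$1
  local port
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 80 -j DNAT --to ${WEB_IP}:80
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 20 -j DNAT --to ${FTP_IP}:20
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 21 -j DNAT --to ${FTP_IP}:21
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 22 -j DNAT --to ${SSH_IP}:22
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 14867 -j DNAT --to ${TELNET_IP}:14867
  # NOTE(review): the sample firewall.conf defines WEB_M_IP/WEB_M_PORT, not
  # WEBMAIL_IP -- confirm which name the configuration really provides, or
  # this rule gets an empty host ("--to :4867").
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 4867 -j DNAT --to ${WEBMAIL_IP}:4867
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 25 -j DNAT --to ${MAIL_IP}:25
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 110 -j DNAT --to ${MAIL_IP}:110
  iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport 53 -j DNAT --to ${DNS_IP}:53
  iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${pub_ip} --dport 53 -j DNAT --to ${DNS_IP}:53
  if [ "$H323" = "yes" ]; then
    echo -e "\tStartting H323 NAT setting......"
    for port in ${H323_PORT}; do
      # '--to host:port'.  The original wrote '${H323HOST}{port}', which
      # appended the literal text "{port}" and made iptables reject the rule.
      iptables -t nat -A PREROUTING -i ${UPLINK} -p tcp -d ${pub_ip} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
      iptables -t nat -A PREROUTING -i ${UPLINK} -p udp -d ${pub_ip} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${H323HOST}:${port}
    done
  fi
}

if [ "$ROUTER" = "yes" ]; then
  echo -e "\t enabing ip_forward,please wait..."
  echo 1 >/proc/sys/net/ipv4/ip_forward
  echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  if [ "$NAT" = "dynamic" ]; then
    echo -e "\tEnableing MASQUERADING (dynamic ip )..."
    echo -e "\tDynamic PPP connection,Now getting the dynamic ip address"
    # Read the address of the uplink itself (the original hard-coded ppp0).
    # The parse assumes the net-tools "inet addr:A.B.C.D" output format.
    IP_ADDR=`ifconfig ${UPLINK} | grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1`
    if [ -z "${IP_ADDR}" ]; then
      # Every '-d ${IP_ADDR}' below would be malformed without an address.
      FAILURE="cannot determine the IP address of ${UPLINK}"
      exit_failure
    fi
    echo -e "\t Now you IP ADDRESS is : ${IP_ADDR} "
    iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
    # MASQUERADE above is a terminating target, so this SNAT never matches;
    # kept as the author wrote it.
    iptables -t nat -A POSTROUTING -o ${UPLINK} -s ${DMZ_NET} -j SNAT --to ${IP_ADDR}
    apply_dnat_rules "${IP_ADDR}"
    echo -e "\t OK,NAT setting start succecc.."
  else
    # The original condition here, '[ " $NAT " != " " ]', was true for every
    # value of NAT (two spaces never equal one), so any non-"dynamic" setting
    # -- including empty and "DHCP" -- gets static SNAT to UPIP.  DHCP is not
    # handled separately.
    echo -e "\tEnableing SNAT (static ip)..."
    if [ -z "${UPIP}" ]; then
      FAILURE="NAT=${NAT} requires UPIP to be set in firewall.conf"
      exit_failure
    fi
    # iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
    iptables -t nat -A POSTROUTING -s ${DMZ_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
    iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${UPLINK} -j SNAT --to ${UPIP}
    apply_dnat_rules "${UPIP}"
    echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  fi
  # MSS clamping for outgoing SYNs.  The TCPMSS target is only accepted in the
  # mangle table; the original appended it to nat POSTROUTING (in both NAT
  # branches), where the kernel refuses it.
  iptables -t mangle -A POSTROUTING -o ${UPLINK} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi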


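if [ "$SELF_SET" = "yes" ]; then
  echo -e "\n\tStarting the rules you set yourself......"
  # selfset
  # NOTE(review): no rule is applied here -- the BLOCK_TYPE/PROTO/SRC/DST/...
  # values from firewall.conf are never read, yet "[ OK ]" is printed.
  echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
fi
echo -e "\a"
echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
echo -e "\tAll rules has been successful applied,enjoy it...."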


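elif [ "$1" = "stop" ] || [ "$1" = "flush" ] || [ "$1" = "clear" ]
then
  echo -e "\tStoping Firewall......"
  # Open the default policies first, then flush.  The original flushed INPUT
  # before setting its policy, which with a DROP policy leaves a window in
  # which every inbound packet (the admin's own session included) is discarded.
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F INPUT
  iptables -F FORWARD
  iptables -F OUTPUT
  # Flush the whole nat and mangle tables.  The start branch appends nat
  # PREROUTING DNAT/DROP rules, but the original stop flushed only POSTROUTING,
  # so those rules outlived a stop and were appended again by the next start.
  iptables -t nat -F
  iptables -t mangle -F
  # User-defined chains: flush all of them before deleting any, because a chain
  # cannot be deleted while another chain still jumps to it.  Errors are
  # silenced on purpose: a chain may not exist after a partial start.
  fw_chains="tcpHandler udpHandler icmpHandler CHECK_FLAGS DROP-AND-LOG syn-flood lan-input dmz-input"
  for chain in ${fw_chains}; do
    iptables -F ${chain} >/dev/null 2>&1
  done
  for chain in ${fw_chains}; do
    iptables -X ${chain} >/dev/null 2>&1
  done
  echo -e "\a"
  echo -e "\t\t\t\t \033[3;032m [ OK ] \033[0m\n"
  echo -e "\t\tThe firewall has successful shuted down,be careful !"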
fi
------------------------------------------------------------------------------------
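# RainLow firewall version 1.0rc1 -- 24/11/2002
# This software may be used and distributed according to
# the terms of the GNU General Public License (GPL) provided
# credit is given to the original author.
# Copyright (c) 2002 rainlow
# All rights reserved
##########################################################
#
# NOTE(review): several values below are space-separated lists written without
# quotes (INTERFACES, OPEN_TCP_QUOTA, DENYIP, DENYUDPPORT, TCP_PORT_LOG,
# DMZ_TCP_PORT).  That form only works if this file is read with grep/cut, as
# the tunnel script does; if the firewall script sources it with '.', such a
# line assigns only the first word and tries to execute the remainder as a
# command.  Confirm how firewall.conf is loaded before changing the format.

echo -e "\n\t\t\t Welcome to \033[3;031m RainLow Security Group \033[0m\n\n"
echo -e " \t\t\t\t \033[1;32m http://www.rainlow.com \033[m \n"

# means the interface you connected to internet, if you use ADSL you should set
# it to ppp0

UPLINK=eth2

# means if you use fixed IP address you can set it here

UPIP=211.167.105.15

# means if you want to use this firewall as a router

ROUTER=yes

# If you use adsl set this to "dynamic", if you use DDN or any kind of fixed IP
# you set it to " " and set upip, if you use DHCP, you just set it to "DHCP"

NAT=211.167.105.15

# means the interfaces you have

INTERFACES=lo eth0 eth1 eth2

# means if you want to load all modules needed for this program

LOAD_MODULES=no

# means what kind of services you want to provide.

SERVICES=

# Open ports/services to the WWW, with a quota limit of incoming "n" Megs; when
# the quota is reached, the rule doesnt match anymore.
# Ex: 1Meg=1048576, 2Megs=echo $[1048576 * 2], etc...
QUOTA=2097152
OPEN_TCP_QUOTA=80 21 20 25 110
OPEN_UDP_QUOTA=

# means if you want to log the illegal tcp flags

LOG_ILLEGAL_FLAGS=yes

# means the IP addresses you want to DENY

DENYIP=10.0.0.1 10.0.0.255

# means the UDP ports you want to filter

DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369

# means the tcp ports you want to log if someone tries to come in

TCP_PORT_LOG=135 137 138 139 443 1433 3306 8080 8000 515 513

# means tcp ports you want to open; only use this if you provide services on
# the firewall itself, dangerous

OPEN_TCP=

# means udp ports you want to open; only use this if you provide services on
# the firewall itself, dangerous

OPEN_UDP=

#
# means the interface you connected to LAN

LAN_IF=eth0

# means the LAN net

LAN_NET=192.168.1.0/24

# means the DMZ net

DMZ_NET=172.16.3.0/24

# means the DMZ interface

DMZ_IF=eth1

# means the tcp ports you want to provide in DMZ

DMZ_TCP_PORT=21 25 53 80 110

# means the udp ports you want to open in DMZ

DMZ_UDP_PORT=53

# means the ipaddress of the telnet server in DMZ net

TELNET_IP=172.16.3.8
TELNET_PORT=14867
# means the ipaddress of the ssh server in DMZ net
SSH_IP=172.16.3.18
SSH_PORT=22
# NOTE(review): the firewall script forwards port 4867 to ${WEBMAIL_IP}, while
# this file defines WEB_M_IP -- confirm which name is the one actually read.
WEB_M_IP=172.16.3.20
WEB_M_PORT=4867
# means the ipaddress of the www server in DMZ net

WEB_IP=172.16.3.8
WEB_PORT=80
# means the ip address of the ftp server in DMZ net

FTP_IP=172.16.3.8
FTP_PORT=21
FTP_DATA=20

# means the ip address of the DNS server in DMZ net

DNS_IP=172.16.3.3
DNS_PORT=53
# means the ip address of the mail server in DMZ net

MAIL_IP=172.16.3.20
SMTP_PORT=25
POP_PORT=110
# means the H323 ports you want to open if you use a video device in DMZ

H323_PORT=

# if you use a video device in DMZ you can set it to yes

H323=no

# means the h323 host you use in DMZ

H323HOST=172.16.3.18

# means if you will log malformed packets

MALFORMED_PACKET_LOG=no

# Below is the setting of an ipip tunnel or GRE tunnel

# means if you will build a tunnel with somewhere else.

TUNNEL=yes

# Type of tunnel (gre or ipip)

TUNNEL_TYPE=gre

# Name of the tunnel

TUNNEL_NAME=netx

# Address of your External Interface (only required for gre tunnels)

LOCAL=61.129.112.46

# Address of the local system -- this is the address of one of your
# local interfaces (or for a mobile host, the address that this system has
# when attached to the local network).
#

LOCAL_LANIP=10.0.2.1

# Address of the Remote system -- this is the address of one of the
# remote system's local interfaces (or if the remote system is a mobile host,
# the address that it uses when attached to the local network).

REMOTE_LANIP=192.168.1.199

# Internet address of the Remote system
# NOTE(review): this is the same address as UPIP above -- confirm it is really
# the remote tunnel endpoint and not this host.
#

GATEWAY=211.167.105.15

# Remote sub-network -- if the remote system is a gateway for a
# private subnetwork that you wish to
# access, enter it here.  If the remote
# system is a stand-alone/mobile host, leave this
# empty
# NOTE(review): identical to LAN_NET above; a route to it over the tunnel
# competes with the directly connected LAN -- confirm.

REMOTE_SUBNET=192.168.1.0/24

# means the ipaddress you want to manage the firewall from

MANAGE_IP=192.168.1.188


# here you can add the block rules yourself, but be sure you do all these
# settings, otherwise it will not work at all !!!!

SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
# here you can add the icmp block rules yourself; be sure you do all these
# settings, otherwise it will not work at all !!!!
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=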
------------------------------------------------------------------------------------
#!/bin/sh

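RCDLINKS="2,S45 3,S45 6,K45"
##################################################################################
# Script to create a gre or GRE/ipip tunnel -- RainLow Firewall
#
# Modified - arlenecc
# Incorporated init {start|stop} syntax and iproute2 usage
#
# This program is under GPL
#
#
#
# Modify the following variables to match your configuration
#
# chkconfig: 2345 26 89
# description: GRE/IP Tunnel
#
##################################################################################

FW_CONF=/etc/firewall/firewall.conf

#######################################
# Print the value of one NAME=value line of the firewall configuration.
# Arguments: $1 - the exact variable name
# Globals:   FW_CONF (read)
# Outputs:   the value on stdout (empty when the name is absent)
#######################################
conf_get() {
  # Anchor on "^NAME=" so that LOCAL does not also match LOCAL_LANIP and
  # TUNNEL does not match TUNNEL_TYPE/TUNNEL_NAME: the original
  # 'grep "LOCAL" | cut' returned both values, and they then expanded into
  # two words on the 'ip tunnel add ... local' line.
  sed -n "s/^$1=//p" "$FW_CONF" | head -n 1
}

[ -r "$FW_CONF" ] || echo "warning: cannot read $FW_CONF" >&2

TUNNEL=$(conf_get TUNNEL)
TUNNEL_TYPE=$(conf_get TUNNEL_TYPE)
TUNNEL_NAME=$(conf_get TUNNEL_NAME)
LOCAL=$(conf_get LOCAL)
LOCAL_LANIP=$(conf_get LOCAL_LANIP)
REMOTE_LANIP=$(conf_get REMOTE_LANIP)
GATEWAY=$(conf_get GATEWAY)
REMOTE_SUBNET=$(conf_get REMOTE_SUBNET)

PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin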

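#######################################
# Load the kernel module matching the configured tunnel type.
# Globals:   TUNNEL_TYPE (read) - "ipip" or "gre"; any other value loads nothing
# Outputs:   a progress line on stdout
# Returns:   the modprobe status, or 0 when no module matches
#######################################
load_modules () {
  case "$TUNNEL_TYPE" in
  ipip)
    echo "Loading IP-ENCAP Module"
    modprobe ipip
    ;;
  gre)
    echo "Loading GRE Module"
    modprobe ip_gre
    ;;
  esac
}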

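#######################################
# Bring the tunnel interface down and delete it, if it exists.
# Globals:   TUNNEL_NAME (read)
# Outputs:   progress lines on stdout
# Returns:   1 when TUNNEL_NAME is empty, otherwise the status of the last ip call
#######################################
do_stop() {
  if [ -z "$TUNNEL_NAME" ]; then
    # With an empty name 'ip link show' lists every link and the 'down'
    # below would be issued with no device at all.
    echo "TUNNEL_NAME is not set; nothing to stop" >&2
    return 1
  fi

  if [ -n "$(ip link show "$TUNNEL_NAME" 2>/dev/null)" ]; then
    echo "Stopping $TUNNEL_NAME"
    # The original referenced $TUNNELNAME (no underscore) here, so the link
    # was never actually brought down.
    ip link set dev "$TUNNEL_NAME" down
  fi

  if [ -n "$(ip addr show "$TUNNEL_NAME" 2>/dev/null)" ]; then
    echo "Deleting $TUNNEL_NAME"
    ip tunnel del "$TUNNEL_NAME"
  fi
}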

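#######################################
# Create the tunnel, bring it up, assign the local address and add the
# route to the remote subnet.
# Globals:   TUNNEL_TYPE, TUNNEL_NAME, GATEWAY, LOCAL, LOCAL_LANIP,
#            REMOTE_LANIP, REMOTE_SUBNET (read)
# Outputs:   progress lines on stdout
# Returns:   1 when a required setting is empty, otherwise the status of the
#            last ip call
#######################################
do_start() {

  #NOTE: Comment out the next line if you have built gre/ipip into your kernel

  load_modules

  if [ -z "$TUNNEL_NAME" ] || [ -z "$GATEWAY" ]; then
    echo "TUNNEL_NAME and GATEWAY must be set in the firewall configuration" >&2
    return 1
  fi

  if [ -n "$(ip link show "$TUNNEL_NAME" 2>/dev/null)" ]; then
    do_stop
  fi

  echo "Adding $TUNNEL_NAME"

  case "$TUNNEL_TYPE" in
  gre)
    # gre additionally needs the local endpoint address.
    if [ -z "$LOCAL" ]; then
      echo "LOCAL must be set for a gre tunnel" >&2
      return 1
    fi
    ip tunnel add "$TUNNEL_NAME" mode gre remote "$GATEWAY" local "$LOCAL" ttl 255
    ;;
  *)
    # Anything other than gre is treated as ipip, as in the original.
    ip tunnel add "$TUNNEL_NAME" mode ipip remote "$GATEWAY"
    ;;
  esac

  echo "Starting $TUNNEL_NAME"

  ip link set dev "$TUNNEL_NAME" up

  case "$TUNNEL_TYPE" in
  gre)
    ip addr add "$LOCAL_LANIP" dev "$TUNNEL_NAME"
    ;;
  *)
    ip addr add "$LOCAL_LANIP" peer "$REMOTE_LANIP" dev "$TUNNEL_NAME"
    ;;
  esac

  #
  # As with all interfaces, the 2.4 kernels will add the obvious host
  # route for this point-to-point interface
  #

  if [ -n "$REMOTE_SUBNET" ]; then
    echo "Adding Routes"
    # Note the asymmetry with the cases above: a TUNNEL_TYPE that is neither
    # gre nor ipip gets a tunnel and an address but no route (kept as written).
    case "$TUNNEL_TYPE" in
    gre)
      ip route add "$REMOTE_SUBNET" dev "$TUNNEL_NAME"
      ;;
    ipip)
      ip route add "$REMOTE_SUBNET" via "$GATEWAY" dev "$TUNNEL_NAME" onlink
      ;;
    esac
  fi
}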

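# init-style dispatch.  The action's status is propagated instead of the
# original unconditional 'exit 0', so the init system can see a failed start.
rv=0
case "$1" in
start)
  do_start || rv=$?
  ;;
stop)
  do_stop || rv=$?
  ;;
restart)
  do_stop
  sleep 1
  do_start || rv=$?
  ;;
*)
  echo "Usage: $0 {start|stop|restart}" >&2
  exit 1
  ;;
esac
exit $rv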