DMZ 部分尚不完善，其中难免有疏漏，希望大家跟我一块改进，使它的功能越来越强大。使用时请将 firewall-dev 复制到 /etc/rc.d/init.d，将 firewall.conf 复制到 /etc/ 下，你只需修改 firewall.conf 文件就可以了（注意：下面发布的脚本本身默认读取的是 /root/firewall.conf，请以脚本开头的路径为准）。可以用 firewall-dev start|stop 启动和关闭防火墙。功能增加中，如你有任何改动请发一份给我：
arlenecc@263.net
本着 GPL 的原则，希望有志之士跟我一块完善它，如有改动请通知我！
firewall-dev
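#!/bin/bash
# firewall-dev -- stateful iptables firewall for a host with an uplink, a LAN
# interface and a DMZ interface.  Usage: firewall-dev start|stop
#
# Every setting is read from firewall.conf (a sample follows the script).
# Keys:
#   UPLINK       outbound (Internet-facing) interface
#   UPIP         static address of UPLINK; SNAT/DNAT target when NAT is not
#                "dynamic"
#   ROUTER       "yes" to enable IP forwarding once the rules are loaded
#   NAT          "dynamic" for a dial-up/DHCP uplink (MASQUERADE), any other
#                non-empty value for static SNAT to UPIP, empty for no NAT
#   INTERFACES   every interface on the box (rp_filter is enabled on each)
#   SERVICES     TCP ports/service names this host itself offers on UPLINK
#   DENYPORTS, DENYUDPPORT   TCP/UDP ports logged and dropped on UPLINK
#   LAN_IF, LAN_NET, DMZ_IF, DMZ_NET   inside interfaces and their networks
#   WEB_IP, FTP_IP   DMZ hosts that receive DNAT'd port 80 and 20/21 traffic
#   H323, H323_PORT, H323HOST   "yes", a port list and the DMZ host for H.323
#   SELF_SET     hook for user rules (the script only prints a message so far)
#
# Copyright (c) 2002 arlenecc (arlenecc@netease.com).  All rights reserved.
# Shared in the spirit of the GPL; please send improvements back to the author.

# Location of the configuration file.  The introduction on this page says to
# copy firewall.conf to /etc, but the script as published reads
# /root/firewall.conf; that default is kept and can be overridden by setting
# FIREWALL_CONF in the environment.
FIREWALL_CONF=${FIREWALL_CONF:-/root/firewall.conf}

#######################################
# Print the value of one key from firewall.conf.
# The original loader used `less file | grep "KEY"`, an unanchored substring
# match: grep "H323" also returned the H323_PORT line, so H323 ended up as
# two lines and the "yes" test could never succeed, and any comment that
# mentioned a key name leaked into its value.  The key is now anchored at
# the start of the line, blanks (and a trailing CR) around the value are
# stripped, and only the first matching line is used.
# Globals:   FIREWALL_CONF (read)
# Arguments: $1 - key name (a literal identifier from this script, never
#                 user input, so it is safe inside the sed expression)
# Outputs:   the value on stdout; empty when the key or the file is missing
#######################################
conf_get() {
  sed -n -e "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" -- "${FIREWALL_CONF}" 2>/dev/null \
    | head -n 1 \
    | sed -e 's/[[:space:]]*$//'
}

if [ ! -r "${FIREWALL_CONF}" ]; then
  echo "firewall-dev: cannot read ${FIREWALL_CONF}; every setting will be empty" >&2
fi

UPLINK=$(conf_get UPLINK)
UPIP=$(conf_get UPIP)
ROUTER=$(conf_get ROUTER)
NAT=$(conf_get NAT)
INTERFACES=$(conf_get INTERFACES)
SERVICES=$(conf_get SERVICES)
DENYPORTS=$(conf_get DENYPORTS)
DENYUDPPORT=$(conf_get DENYUDPPORT)
LAN_IF=$(conf_get LAN_IF)
LAN_NET=$(conf_get LAN_NET)
DMZ_NET=$(conf_get DMZ_NET)
DMZ_IF=$(conf_get DMZ_IF)
# Read but not used by any rule below (kept so the config keys stay valid).
DMZ_TCP_PORT=$(conf_get DMZ_TCP_PORT)
DMZ_UDP_PORT=$(conf_get DMZ_UDP_PORT)
WEB_IP=$(conf_get WEB_IP)
FTP_IP=$(conf_get FTP_IP)
H323_PORT=$(conf_get H323_PORT)
H323=$(conf_get H323)
# The H.323 DNAT rules expand ${H323HOST}, but the original never loaded it
# and the sample firewall.conf has no such line -- add one when H323=yes.
H323HOST=$(conf_get H323HOST)
# Flag for the user-rules hook; it was referenced but never loaded before.
SELF_SET=$(conf_get SELF_SET)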
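# Rate limit shared by the LOG rules below.  The original limited only the
# CHECK_FLAGS logs; every other LOG rule on the uplink fired once per packet,
# so a port scan could fill the system log.  The rate is the one the script
# already used for CHECK_FLAGS.
log_limit=(-m limit --limit 5/minute --limit-burst 10)

#######################################
# Print the IPv4 address currently assigned to UPLINK.
# The original parsed `ifconfig ppp0` -- hard-coded, ignoring UPLINK, and in
# the old "inet addr:" output layout only.  iproute2 is tried first, then
# ifconfig in either layout.  Prints an empty line if no address is found.
# Globals:   UPLINK (read)
#######################################
uplink_addr() {
  local addr=''
  if command -v ip >/dev/null 2>&1; then
    addr=$(ip -o -4 addr show dev "${UPLINK}" 2>/dev/null | awk '{ print $4 }' | cut -d / -f 1 | head -n 1)
  fi
  if [ -z "${addr}" ] && command -v ifconfig >/dev/null 2>&1; then
    addr=$(ifconfig "${UPLINK}" 2>/dev/null | sed -n -e 's/^[[:space:]]*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1)
  fi
  printf '%s\n' "${addr}"
}

#######################################
# Append the nat PREROUTING rules that publish the DMZ hosts behind the given
# public address: WEB_IP:80, FTP_IP:20 and :21, and -- when H323=yes -- every
# port in H323_PORT (TCP and UDP) to H323HOST.
# Fixes vs. the original: the dynamic-IP branch used "--dport" without
# "-p tcp" (iptables rejects that), and the H.323 target was written
# "${H323HOST}{port}" -- missing both "$" and ":" -- so it never formed a
# valid host:port.  H323HOST has to be set in firewall.conf.
# Globals:   UPLINK, WEB_IP, FTP_IP, H323, H323_PORT, H323HOST (read)
# Arguments: $1 - public address the DNAT rules match on
#######################################
publish_dmz_services() {
  local pub=$1 port
  if [ -n "${WEB_IP}" ]; then
    iptables -t nat -A PREROUTING -i "${UPLINK}" -p tcp -d "${pub}" --dport 80 -j DNAT --to "${WEB_IP}:80"
  fi
  if [ -n "${FTP_IP}" ]; then
    # NOTE(review): forwarding port 20 inbound does nothing useful (active
    # FTP data connections originate from the server), and passive FTP
    # through DNAT needs the FTP conntrack/NAT helper modules, which this
    # script never loads -- the published FTP service is unlikely to work.
    iptables -t nat -A PREROUTING -i "${UPLINK}" -p tcp -d "${pub}" --dport 21 -j DNAT --to "${FTP_IP}:21"
    iptables -t nat -A PREROUTING -i "${UPLINK}" -p tcp -d "${pub}" --dport 20 -j DNAT --to "${FTP_IP}:20"
  fi
  if [ "${H323}" = "yes" ]; then
    if [ -z "${H323HOST}" ]; then
      echo "firewall-dev: H323=yes but H323HOST is not set in the configuration; skipping H323 NAT" >&2
      return 0
    fi
    echo "Startting H323 NAT setting......"
    # Intentional word splitting: H323_PORT is a space-separated port list.
    for port in ${H323_PORT}; do
      iptables -t nat -A PREROUTING -i "${UPLINK}" -p tcp -d "${pub}" --dport "${port}" -j DNAT --to "${H323HOST}:${port}"
      iptables -t nat -A PREROUTING -i "${UPLINK}" -p udp -d "${pub}" --dport "${port}" -j DNAT --to "${H323HOST}:${port}"
    done
  fi
}

if [ "$1" = "start" ]; then
  # Refuse to build a half-formed rule set.  With an empty interface or
  # network variable the original's unquoted expansions silently turned e.g.
  # "-i ${UPLINK}" into "match every interface" -- the opposite of what the
  # rule meant.  Checking before any policy is touched means a bad config
  # leaves the current rules in place instead of locking the box.
  for var in UPLINK LAN_IF LAN_NET DMZ_IF DMZ_NET; do
    if [ -z "${!var}" ]; then
      echo "firewall-dev: ${var} is not set in the configuration, refusing to start" >&2
      exit 1
    fi
  done
  echo "Starting firewall......"
  echo "NOW prepareing kernel for use,please wait....."

  # --- kernel settings -------------------------------------------------
  # ip_forward is enabled at the very end, after the rules are in place and
  # only when ROUTER=yes.
  if [ "${NAT}" = "dynamic" ]; then
    # The original compared "$NAT" against " dynamic " (padded with blanks),
    # which a plain NAT=dynamic line never matched, so ip_dynaddr was never
    # set for dial-up uplinks.
    echo "Enable dynamic ip support...."
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    echo " OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "Enable the syn cook flood protection"
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo " OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
    # NOTE(review): 4096 tracked connections is very small for a NAT router;
    # once the table is full new connections are dropped, which an attacker
    # can provoke cheaply.  The author's value is kept -- raise it for any
    # real deployment.
    echo "Setting the maximum number of connections to track.... "
    echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max
    echo " OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
    echo " Setting local port range for TCP/UDP connection...."
    printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
    echo " OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo "Enable bad error message protection......."
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo " OK !!!!"
  fi
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
    echo "Disabling tcp_ecn,please wait..."
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
    echo " OK !!!!"
  fi
  # Intentional word splitting: INTERFACES is a space-separated list.
  for x in ${INTERFACES}; do
    if [ -e "/proc/sys/net/ipv4/conf/${x}/rp_filter" ]; then
      echo " Enabling rp_filter on ${x} ,please wait...."
      echo 1 > "/proc/sys/net/ipv4/conf/${x}/rp_filter"
      echo " ${x} OK !!!! "
    else
      echo "firewall-dev: interface ${x} listed in INTERFACES does not exist, rp_filter not set" >&2
    fi
  done
  if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "Disabing ICMP redirects,please wait...."
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo " OK !!!! "
  fi
  if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "Disabling source routing of packets,please wait...."
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > "${i}"
      echo " ${i} OK !!!! "
    done
  fi
  if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "Ignore any broadcast icmp echo requests......"
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo " OK !!!! "
  fi
  # The original also carried commented-out log_martians and
  # icmp_echo_ignore_all toggles; neither is enabled here either.

  # --- reset the tables ------------------------------------------------
  # Kept from the original; depmod only rebuilds the module dependency list.
  depmod -a
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  iptables -F INPUT
  iptables -F FORWARD
  iptables -F OUTPUT
  iptables -F -t nat
  iptables -F -t mangle
  iptables -Z
  iptables -X
  for chain in CHECK_FLAGS tcpHandler udpHandler icmpHandler DROP-AND-LOG; do
    iptables -N "${chain}" 2>/dev/null
    iptables -F "${chain}"
  done
  echo "OK,the kernel is now prepared to use for building a firewall!!!"
  echo "Waitting .........................."

  # DROP-AND-LOG: log (rate-limited) and drop.
  echo "Creating a drop chain....."
  iptables -A DROP-AND-LOG "${log_limit[@]}" -j LOG --log-level 5
  iptables -A DROP-AND-LOG -j DROP
  echo " OK !!!!"

  # CHECK_FLAGS: drop TCP packets with flag combinations no real stack sends
  # (scan signatures).  The original built this chain but never jumped to
  # it from INPUT or FORWARD; both chains now do.
  echo "Now starting the check_flag rules,please wait...."
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " INVAILD NMAP SCAN "
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/RST "
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " SYN/FIN SCAN "
  iptables -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 64 "
  iptables -A CHECK_FLAGS -p tcp --tcp-option 64 -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix " Bogus TCP FLAG 128 "
  iptables -A CHECK_FLAGS -p tcp --tcp-option 128 -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry Xmas Tree:"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN"
  iptables -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
  echo " OK !!!! Finished check_flags rules...."

  # --- INPUT: traffic addressed to the firewall itself ------------------
  echo "Now starting the input rules,please wait......."
  # Loopback was never accepted in the original: OUTPUT allowed "-o lo" but
  # INPUT had no matching rule, so every new connection to 127.0.0.1 died on
  # the DROP policy.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p tcp -j CHECK_FLAGS
  # Packets arriving on the uplink with private, loopback, multicast or
  # reserved source addresses are spoofed.  In the original these drops came
  # AFTER the SERVICES accept loop, so a spoofed packet aimed at a published
  # port was accepted before the check ran; they now come first.
  # 172.12.0.0/16 was a typo for RFC 1918's 172.16.0.0/12, and the reserved
  # block is 240.0.0.0/4, not /5.  Only 192.168.0.0/24 is dropped, as in the
  # original: the sample config puts the uplink itself on 192.168.2.0/24, so
  # widening it to /16 would cut that setup off -- widen it when UPLINK
  # carries a public address.
  for net in 192.168.0.0/24 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 224.0.0.0/4 240.0.0.0/4; do
    iptables -A INPUT -i "${UPLINK}" -s "${net}" -j DROP-AND-LOG
  done
  # Replies to connections this host opened.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # A "new" TCP connection has to start with SYN.
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # Explicitly denied ports on the uplink: log (rate-limited) and drop.
  # Intentional word splitting on the port lists.
  for x in ${DENYPORTS}; do
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW "${log_limit[@]}" -j LOG --log-prefix "INVAILD PORT${x} TCP IN:"
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW -j DROP
  done
  for x in ${DENYUDPPORT}; do
    iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD PORT${x} UDP IN:"
    iptables -A INPUT -i "${UPLINK}" -p udp --dport "${x}" -j DROP
  done
  # TCP services this host offers on the uplink.
  for x in ${SERVICES}; do
    iptables -A INPUT -i "${UPLINK}" -p tcp --dport "${x}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
  # Inside networks may open TCP connections to the firewall on any port.
  # NOTE(review): this lets every DMZ host reach every service on the
  # firewall as well; DMZ_TCP_PORT/DMZ_UDP_PORT are read from the config but
  # never used, so a compromised DMZ host can attack the firewall's own
  # daemons.  Also, only TCP from LAN/DMZ to the firewall is accepted
  # anywhere -- UDP and ICMP (ping, DNS to this host) fall through to the
  # DROP policy.  Confirm both are intended.
  iptables -A INPUT -i "${LAN_IF}" -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "${DMZ_IF}" -p tcp --syn -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j REJECT
  # DMZ source addresses must never show up on the LAN interface.
  iptables -A INPUT -p tcp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD TCP FROM DMZ:"
  iptables -A INPUT -p tcp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p udp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD UDP FROM DMZ:"
  iptables -A INPUT -p udp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j DROP
  iptables -A INPUT -p icmp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD ICMP FROM DMZ:"
  iptables -A INPUT -p icmp -i "${LAN_IF}" -d "${LAN_NET}" -s "${DMZ_NET}" -j DROP
  # Everything else that arrives on the uplink: log at a limited rate, then
  # reject or drop.
  iptables -A INPUT -p tcp -i "${UPLINK}" --syn "${log_limit[@]}" -j LOG --log-prefix "INVALID SYN REQUIRE:"
  iptables -A INPUT -p tcp -i "${UPLINK}" --syn -j DROP
  iptables -A INPUT -p icmp -i "${UPLINK}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD ICMP IN:"
  iptables -A INPUT -p icmp -i "${UPLINK}" -j REJECT --reject-with icmp-net-unreachable
  iptables -A INPUT -p udp -i "${UPLINK}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD UDP IN:"
  iptables -A INPUT -p udp -i "${UPLINK}" -j REJECT --reject-with icmp-port-unreachable
  iptables -A INPUT -p tcp -i "${UPLINK}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD TCP IN:"
  iptables -A INPUT -p tcp -i "${UPLINK}" -j REJECT --reject-with tcp-reset
  iptables -A INPUT -i "${UPLINK}" -m state --state NEW,INVALID "${log_limit[@]}" -j LOG --log-prefix "NEW,INVALID state:"
  iptables -A INPUT -i "${UPLINK}" -m state --state NEW,INVALID -j DROP
  # Non-first fragments (with conntrack loaded these are normally reassembled
  # before they reach the filter table, so this is a backstop).
  iptables -A INPUT -i "${UPLINK}" -f "${log_limit[@]}" -j LOG --log-prefix "INVAILD FRAGMENTS ${UPLINK}:"
  iptables -A INPUT -i "${UPLINK}" -f -j DROP
  iptables -A INPUT -i "${LAN_IF}" -f "${log_limit[@]}" -j LOG --log-prefix "INVAILD FRAGMENT ${LAN_IF}:"
  iptables -A INPUT -i "${LAN_IF}" -f -j DROP
  iptables -A INPUT -i "${DMZ_IF}" -f "${log_limit[@]}" -j LOG --log-prefix "INVAILD FRAGMENT ${DMZ_IF}:"
  iptables -A INPUT -i "${DMZ_IF}" -f -j DROP
  iptables -A INPUT -i "${UPLINK}" -j DROP
  echo " OK !!!! The input rules has been successful applied ,continure......."

  # --- FORWARD: traffic routed between the three networks ----------------
  echo " Now starting FORWARD rules ,please wait ....."
  # The original opened FORWARD with rate-limited blanket ACCEPTs (any
  # fragment, any ICMP, any lone RST, any TCP SYN at 1/s, any echo-request)
  # with no interface or address match, placed BEFORE the DMZ->LAN reject
  # rules below -- so a compromised DMZ host could open new TCP connections
  # (and send ICMP) into the LAN at one per second.  Those rules are gone;
  # the only inbound NEW traffic accepted from the uplink is the published
  # DMZ services below.  The inline flag checks are replaced by CHECK_FLAGS,
  # which also logs.
  iptables -A FORWARD -p tcp -j CHECK_FLAGS
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "${LAN_IF}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "${DMZ_IF}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Published DMZ services -- the destinations the nat PREROUTING DNAT rules
  # rewrite to.  The original relied on the blanket "--syn -m limit 1/s
  # ACCEPT" for this; the 1/s limit is kept so the accepted rate is unchanged.
  # NOTE(review): one new connection per second is far too low for a real
  # web server; it is the author's figure -- raise it for real traffic.
  if [ -n "${WEB_IP}" ]; then
    iptables -A FORWARD -i "${UPLINK}" -o "${DMZ_IF}" -p tcp --syn -d "${WEB_IP}" --dport 80 -m limit --limit 1/s -j ACCEPT
  fi
  if [ -n "${FTP_IP}" ]; then
    for port in 20 21; do
      iptables -A FORWARD -i "${UPLINK}" -o "${DMZ_IF}" -p tcp --syn -d "${FTP_IP}" --dport "${port}" -m limit --limit 1/s -j ACCEPT
    done
  fi
  if [ "${H323}" = "yes" ] && [ -n "${H323HOST}" ]; then
    # The original DNAT'd the H.323 ports but never accepted them in
    # FORWARD, so the translated packets were dropped at the end of the chain.
    for port in ${H323_PORT}; do
      iptables -A FORWARD -i "${UPLINK}" -o "${DMZ_IF}" -p tcp --syn -d "${H323HOST}" --dport "${port}" -m limit --limit 1/s -j ACCEPT
      iptables -A FORWARD -i "${UPLINK}" -o "${DMZ_IF}" -p udp -d "${H323HOST}" --dport "${port}" -m state --state NEW -m limit --limit 1/s -j ACCEPT
    done
  fi
  # Any other new connection from the uplink: log at a limited rate, then
  # hand to the per-protocol handler, which RETURNs while under its limit
  # (the packet then falls through to the final DROP) and DROPs the excess.
  iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN TCP: "
  iptables -A FORWARD -i "${UPLINK}" -p tcp -m state --state NEW -j tcpHandler
  iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN UDP:"
  iptables -A FORWARD -i "${UPLINK}" -p udp -m state --state NEW -j udpHandler
  iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix " CONN ICMP: "
  iptables -A FORWARD -i "${UPLINK}" -p icmp -m state --state NEW -j icmpHandler
  iptables -A tcpHandler -p tcp -m limit --limit 5/minute --limit-burst 10 -j RETURN
  iptables -A tcpHandler -p tcp -j LOG --log-prefix " Drop TCP exceed connections "
  iptables -A tcpHandler -p tcp -j DROP
  iptables -A udpHandler -p udp -m limit --limit 5/minute --limit-burst 10 -j RETURN
  iptables -A udpHandler -p udp -j LOG --log-prefix "Drop UDP exceed connections"
  iptables -A udpHandler -p udp -j DROP
  iptables -A icmpHandler -p icmp -m limit --limit 5/minute --limit-burst 10 -j RETURN
  iptables -A icmpHandler -p icmp -j LOG --log-prefix "Drop ICMP exceed connections"
  iptables -A icmpHandler -p icmp -j DROP
  # DMZ -> LAN is reply-only (covered by ESTABLISHED,RELATED above): anything
  # else is logged and rejected or dropped, first by interface, then by
  # address so DMZ-sourced packets on any interface are caught.  The
  # original's "! --syn ACCEPT" and echo-reply ACCEPT for DMZ->LAN sat after
  # these rejects and could never match; they are not carried over.
  iptables -A FORWARD -i "${DMZ_IF}" -o "${LAN_IF}" -p tcp "${log_limit[@]}" -j LOG --log-prefix "INVAILD TCP FORWARD FROM DMZ:"
  iptables -A FORWARD -i "${DMZ_IF}" -o "${LAN_IF}" -p tcp -j REJECT --reject-with tcp-reset
  iptables -A FORWARD -i "${DMZ_IF}" -o "${LAN_IF}" -p udp "${log_limit[@]}" -j LOG --log-prefix "INVAILD UDP FORWARD FROM DMZ:"
  iptables -A FORWARD -i "${DMZ_IF}" -o "${LAN_IF}" -p udp -j DROP
  iptables -A FORWARD -i "${DMZ_IF}" -o "${LAN_IF}" -p icmp "${log_limit[@]}" -j LOG --log-prefix "INVAILD ICMP FORWARD FROMDMZ:"
  iptables -A FORWARD -i "${DMZ_IF}" -o "${LAN_IF}" -p icmp -j DROP
  # LAN -> DMZ is open.
  iptables -A FORWARD -i "${LAN_IF}" -s "${LAN_NET}" -d "${DMZ_NET}" -j ACCEPT
  iptables -A FORWARD -p tcp -s "${DMZ_NET}" -d "${LAN_NET}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD TCP FORWARD DATA"
  iptables -A FORWARD -p tcp -s "${DMZ_NET}" -d "${LAN_NET}" -j DROP
  iptables -A FORWARD -p udp -s "${DMZ_NET}" -d "${LAN_NET}" "${log_limit[@]}" -j LOG --log-prefix "INVAILD UDP FORWARD DATA"
  iptables -A FORWARD -p udp -s "${DMZ_NET}" -d "${LAN_NET}" -j DROP
  iptables -A FORWARD -p icmp -s "${DMZ_NET}" -d "${LAN_NET}" "${log_limit[@]}" -j LOG --log-prefix "INVALID ICMP FORWARD DATA"
  iptables -A FORWARD -p icmp -s "${DMZ_NET}" -d "${LAN_NET}" -j DROP
  iptables -A FORWARD -m state --state NEW,INVALID -j DROP
  iptables -A FORWARD -j DROP
  echo " OK !!!! The forward rules has been successful applied,conniture......"

  # --- OUTPUT: traffic generated by the firewall itself -------------------
  # NOTE(review): new connections are only accepted when sourced from
  # LAN_NET or DMZ_NET, so a packet the firewall sends from its own uplink
  # address (DNS lookups, updates) is dropped.  That is the original posture;
  # confirm it is intended.
  echo " Now applying output rules,please wait ....."
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "${LAN_NET}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${UPLINK}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "${LAN_NET}" -o "${DMZ_IF}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p tcp "${log_limit[@]}" -j LOG --log-prefix "INVAILD TCP OUTPUT FROM DMZ:"
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p udp "${log_limit[@]}" -j LOG --log-prefix "INVAILD UDP OUTPUT FROM DMZ:"
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p udp -j DROP
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p icmp "${log_limit[@]}" -j LOG --log-prefix "INVAILD ICMP OUTPUT FROM DMZ:"
  iptables -A OUTPUT -s "${DMZ_NET}" -o "${LAN_IF}" -p icmp -j DROP
  iptables -A OUTPUT -p icmp -m state --state INVALID "${log_limit[@]}" -j LOG --log-prefix "INVAILD ICMP STATE OUTPUT:"
  iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state NEW,INVALID "${log_limit[@]}" -j LOG --log-prefix "INVAILD NEW,INVALID STATE:"
  iptables -A OUTPUT -m state --state NEW,INVALID -j DROP
  iptables -A OUTPUT -j DROP
  echo " OK !!!! The OUTPUT rules has been successful applied,conniture......."

  # --- NAT -------------------------------------------------------------
  echo " Now applying nat rules ,please wait ...."
  # Packets from the uplink addressed directly to the inside networks are
  # dropped before any DNAT can apply.
  iptables -t nat -A PREROUTING -d "${LAN_NET}" -i "${UPLINK}" -j DROP
  iptables -t nat -A PREROUTING -d "${DMZ_NET}" -i "${UPLINK}" -j DROP
  if [ "${ROUTER}" = "yes" ]; then
    echo " enabing ip_forward,please wait..."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "OK"
    if [ "${NAT}" = "dynamic" ]; then
      echo "Enableing MASQUERADING (dynamic ip )..."
      echo "Dynamic PPP connection,Now getting the dynamic ip address"
      # UPLINK must name the dial-up interface (ppp0 in the original) here.
      IP_ADDR=$(uplink_addr)
      echo " Now you IP ADDRESS is : ${IP_ADDR} "
      iptables -t nat -A POSTROUTING -o "${UPLINK}" -j MASQUERADE
      if [ -n "${IP_ADDR}" ]; then
        iptables -t nat -A POSTROUTING -o "${UPLINK}" -s "${DMZ_NET}" -j SNAT --to "${IP_ADDR}"
        publish_dmz_services "${IP_ADDR}"
      else
        # The original went on with an empty address, producing DNAT rules
        # that iptables rejected.
        echo "firewall-dev: no address on ${UPLINK}; DMZ services are not published" >&2
      fi
      echo " OK,NAT setting start succecc.."
    elif [ -n "${NAT}" ]; then
      echo "Enableing SNAT (static ip)..."
      iptables -t nat -A POSTROUTING -s "${DMZ_NET}" -o "${UPLINK}" -j SNAT --to "${UPIP}"
      iptables -t nat -A POSTROUTING -s "${LAN_NET}" -o "${UPLINK}" -j SNAT --to "${UPIP}"
      publish_dmz_services "${UPIP}"
      echo " OK !!!!"
    fi
  fi

  # User-rule hook.  Only the message exists so far; the BLOCK_TYPE/PROTO/...
  # and ICMP_* fields in firewall.conf are not turned into rules yet.
  if [ "${SELF_SET}" = "yes" ]; then
    echo "Starting the rules you set yourself......"
    # firewall
    echo " OK !!!!"
  fi
  echo " All rules has been successful applied,enjoy it....."

elif [ "$1" = "stop" ]; then
  echo "Stoping Firewall......"
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F
  # The original flushed only nat POSTROUTING, so the DNAT rules in nat
  # PREROUTING (and anything in mangle) stayed active after "stop".
  iptables -t nat -F
  iptables -t mangle -F
  iptables -Z
  # All user chains are empty after the flush, so they can be deleted.
  for chain in tcpHandler udpHandler icmpHandler CHECK_FLAGS DROP-AND-LOG; do
    iptables -X "${chain}" 2>/dev/null
  done
  # NOTE: ip_forward is left as it was, so after "stop" the box keeps routing
  # between uplink, LAN and DMZ with no filtering at all -- hence the warning.
  echo "The firewall has successful shuted down,be careful !!!"
else
  echo "Usage: $0 {start|stop}" >&2
  exit 1
fi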
firewall.conf
UPLINK=eth1
UPIP=192.168.2.188
ROUTER=yes
# NAT: "dynamic" for a dial-up/DHCP uplink (MASQUERADE), any other non-empty value selects static SNAT to UPIP, empty disables NAT.
NAT=192.168.2.188
INTERFACES=lo eth0 eth1 eth2
SERVICES=http ftp
DENYPORTS=1 7 9 15 107 135 137 138 139 369 389 445 515 752 873 8080 3128 2049 5432 5999 6063 9740 20034 12345 12346 27665 27444 31335 31337 8000 1433 3389 7007 22 23 25 110 79
DENYUDPPORT=7 9 19 22 107 137 138 139 161 162 369
LAN_IF=eth0
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.3.0/24
DMZ_IF=eth2
# DMZ_TCP_PORT and DMZ_UDP_PORT are read by the script but no rule uses them yet.
DMZ_TCP_PORT=20 21 25 53 80 110
DMZ_UDP_PORT=53
WEB_IP=192.168.3.1
FTP_IP=192.168.3.2
H323_PORT=
H323=no
# DMZ host that receives the H323 DNAT rules (the script expands ${H323HOST}); required when H323=yes.
H323HOST=
# Here you can add your own block rules. Be sure to fill in all of these settings, otherwise they will not work at all.
# Note: the published script only prints a message when SELF_SET=yes; the fields below are not turned into iptables rules yet.
SELF_SET=
BLOCK_TYPE=
PROTO=
INTE_IF=
SRC=
DST=
DPORT=
ACTION=
ACTION_TYPE=
# Here you can add your own ICMP block rules. Be sure to fill in all of these settings, otherwise they will not work at all.
ICMP_IF=
ICMP_SRC=
ICMP_DST=
ICMP_ACTION=
ICMP_TYPE=