自由建客的防火墙脚本

Web、Mail、Ftp、DNS、Proxy、VPN、Samba、LDAP 等基础网络服务

自由建客的防火墙脚本

#1

帖子 自由建客 » 2018-07-28 21:59

晒一下,没什么高级功能,大概也就是比较浅显易懂吧


#!/bin/sh
### BEGIN INIT INFO
# Provides:		iptables
# Required-Start:	checkroot
# Required-Stop:
# Default-Start:	S
# Default-Stop:	
# Short-Description:	iptables firewall rules (mangle, nat and filter tables)
### END INIT INFO

# --- Site configuration ----------------------------------------------------
# Interface names and IPv4 addressing used by every rule in this script.
# Only IPv4 is handled here: the script drives iptables and has no ip6tables
# counterpart, so IPv6 traffic (if enabled on the host) is not filtered by it.

# Loopback; traffic on it is accepted unconditionally by the filter rules.
Loop_Iface="lo"

# LAN side: the bridge facing the local network.
Lan_Iface="br0"
Lan_Ip4Net="192.168.168"
# This host's LAN address with prefix length; StartNat strips the "/24"
# when it builds the SNAT target.
Lan_Ip4="$Lan_Ip4Net.3/24"
# Default gateway on the LAN.  Kept for reference only: no rule in this
# script refers to it.
Lan_Gateway="$Lan_Ip4Net.254"

# VNAT side: the bridge whose hosts are NATed out through the LAN bridge.
Vnat_Iface="br1"

##############################################################################
# ### mangle ###

# Mangle table: reset it, then clamp the TCP MSS of forwarded SYN segments
# leaving through the LAN bridge to the path MTU, so flows NATed out of the
# VNAT segment do not get stuck on an oversized MSS.
StartMangle()
{
	# Wipe the table first so a restart never stacks duplicate rules.
	iptables --table mangle --flush
	iptables --table mangle --delete-chain

	# --tcp-flags RST,SYN SYN: SYN set and RST clear (ACK is not in the
	# mask, so both SYN and SYN/ACK are clamped).  Only the LAN-bound
	# direction is clamped; the VNAT-bound direction is left untouched.
	iptables --table mangle --append FORWARD \
		--out-interface "$Lan_Iface" \
		--protocol tcp --tcp-flags RST,SYN SYN \
		--jump TCPMSS --clamp-mss-to-pmtu
}

# Empty the mangle table: flush every rule, then delete user-defined chains.
# This script never sets the mangle policies, so flushing is all it takes
# to neutralise the table.
StopMangle()
{
	iptables --table mangle --flush
	iptables --table mangle --delete-chain
}

##############################################################################
# ### nat ###

# NAT table: reset it, then source-NAT everything leaving through the LAN
# bridge to this host's LAN address, so VNAT hosts appear on the LAN as this
# machine.  Which packets get that far is decided by the filter table
# (VNAT_FRW accepts only -i Vnat_Iface / -o Lan_Iface forwarding).
StartNat()
{
	iptables --table nat --flush
	iptables --table nat --delete-chain

	# SNAT to the fixed LAN address (prefix length stripped from Lan_Ip4).
	# MASQUERADE -- the alternative kept below -- picks the interface's
	# current address at run time and is only needed when it is dynamic.
	# NOTE(review): there is no -s match, so locally generated packets from
	# any *secondary* address on the LAN bridge would be rewritten as well;
	# harmless as long as the bridge carries only Lan_Ip4.
	#iptables --table nat --append POSTROUTING --out-interface "$Lan_Iface" --jump MASQUERADE
	iptables --table nat --append POSTROUTING \
		--out-interface "$Lan_Iface" \
		--jump SNAT --to-source "${Lan_Ip4%/*}"
}

# Empty the nat table: flush every rule, then delete user-defined chains.
# Policies are never touched by this script, so this is a complete reset.
StopNat()
{
	iptables --table nat --flush
	iptables --table nat --delete-chain
}

##############################################################################
# ### filter ###

# Build the filter table from scratch.
#
# Layout: the built-in chains only classify traffic (connection state,
# loopback, SYN rate limit) and then hand each interface's packets to a
# per-interface user chain -- LAN_* for the LAN bridge, VNAT_* for the VNAT
# bridge.  Every user chain ends in an unconditional DROP and the built-in
# policies are DROP as well, so anything not explicitly accepted is dropped.
#
# Rule order is behaviour: iptables takes the first matching rule, so the
# ESTABLISHED,RELATED accepts must stay ahead of everything else and each
# chain's trailing DROP must stay last.
#
# NOTE(review): IPv4 only.  Nothing in this script touches ip6tables, so if
# IPv6 is enabled on these interfaces, every listening service is reachable
# over IPv6 without any filtering.
# NOTE(review): nothing is logged; dropped packets leave no trace.  A
# rate-limited "-j LOG" rule ahead of the final DROPs would give visibility.
StartFilter()
{
	# Reset: flush, delete user chains, close the default policies.  The
	# policies go to DROP *before* any accept rule exists, so the table is
	# fail-closed while it is being built -- and stays closed if a later
	# command fails (e.g. a missing match module).  Existing sessions see a
	# brief blackout until the state rule below is in place.
	iptables -F
	iptables -X
	iptables -P INPUT DROP
	iptables -P OUTPUT DROP
	iptables -P FORWARD DROP

	# Global rate limit for new inbound TCP connections.
	iptables -N SYNFLOOD

	# LAN bridge: local in/out, forwarded traffic, SSH throttle.
	iptables -N LAN_IN
	iptables -N LAN_OUT
	iptables -N LAN_FRW
	iptables -N LAN_SSH

	# VNAT bridge: local in/out, forwarded traffic.
	iptables -N VNAT_IN
	iptables -N VNAT_OUT
	iptables -N VNAT_FRW

	# ====================================================================
	# BUILT-IN

	# Replies and related packets (ICMP errors for tracked flows, helper-
	# opened data connections) pass on every path; what conntrack cannot
	# classify is dropped before any per-interface chain sees it.
	iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	iptables -A INPUT   -m state --state INVALID -j DROP
	iptables -A OUTPUT  -m state --state INVALID -j DROP
	iptables -A FORWARD -m state --state INVALID -j DROP

	# Loopback is trusted unconditionally (and, being accepted here, is
	# exempt from the SYN limit below).
	iptables -A INPUT  -i "$Loop_Iface" -j ACCEPT
	iptables -A OUTPUT -o "$Loop_Iface" -j ACCEPT

	# Pure SYNs (SYN set; ACK, RST, FIN clear) from any non-loopback
	# interface go through the rate limiter first; only RETURNed packets
	# continue to the dispatch rules.
	iptables -A INPUT -p tcp --tcp-flags ACK,RST,SYN,FIN SYN -j SYNFLOOD

	# Dispatch by interface.  Traffic on an interface not listed here falls
	# through to the DROP policy.
	iptables -A INPUT   -i "$Lan_Iface"  -j LAN_IN
	iptables -A OUTPUT  -o "$Lan_Iface"  -j LAN_OUT
	iptables -A FORWARD -i "$Lan_Iface"  -j LAN_FRW

	iptables -A INPUT   -i "$Vnat_Iface"  -j VNAT_IN
	iptables -A OUTPUT  -o "$Vnat_Iface"  -j VNAT_OUT
	iptables -A FORWARD -i "$Vnat_Iface"  -j VNAT_FRW

	# ====================================================================
	# SYNFLOOD
	# Up to 25 new SYNs per second (burst 50) are returned to INPUT; the
	# excess is dropped.
	# NOTE(review): the budget is global, not per source address -- a single
	# flooder exhausts it and every other new inbound TCP connection (SSH
	# from the LAN included) is dropped for the duration.  A per-source
	# hashlimit would isolate the flooder; consider it if this matters.
	iptables -A SYNFLOOD -p tcp -m limit --limit 25/second --limit-burst 50 -j RETURN
	iptables -A SYNFLOOD -j DROP

	# ====================================================================
	# LAN

	# LAN_SSH -- per-source throttle for new SSH connections.
	# --set records every new SYN from the source in the LAN_SSH list;
	# --update then drops the packet once 4 hits have been seen within
	# 60 s, and every further attempt keeps extending the window.  Intended
	# effect: at most three new SSH connections per source per minute
	# (the exact hit accounting is the xt_recent module's; verify on the
	# target kernel).  Only NEW packets get here -- see "ssh server" below.
	iptables -A LAN_SSH -m recent --set --name LAN_SSH --rsource
	iptables -A LAN_SSH -m recent --update --name LAN_SSH --seconds 60 --hitcount 4 --rsource -j DROP
	iptables -A LAN_SSH -j ACCEPT

	# --------------------------------------------------------------------
	# samba -- SMB/CIFS and NetBIOS in both directions on the LAN.
	# NOTE(review): no -s match; if the LAN bridge is reachable from beyond
	# the local subnet, these ports are exposed to that traffic as well.
	# Adding -s "${Lan_Ip4Net}.0/24" would restrict them to the LAN proper.
	iptables -A LAN_IN  -p tcp --dport 445 -j ACCEPT
	iptables -A LAN_OUT -p tcp --dport 445 -j ACCEPT
	iptables -A LAN_IN  -p tcp --dport 139 -j ACCEPT
	iptables -A LAN_OUT -p tcp --dport 139 -j ACCEPT
	iptables -A LAN_IN  -p udp --dport 137:138 -j ACCEPT
	iptables -A LAN_OUT -p udp --dport 137:138 -j ACCEPT

	# dns, dhcp, ntp client -- this host as a client of LAN servers.  DHCP
	# sends from source port 68, below the "other" catch-all further down,
	# so it needs its own rule.
	iptables -A LAN_OUT -p udp --dport 53 -j ACCEPT
	iptables -A LAN_OUT -p tcp --dport 53 -j ACCEPT
	iptables -A LAN_OUT -p udp --sport 68 --dport 67 -j ACCEPT
	iptables -A LAN_OUT -p udp --dport 123 -j ACCEPT

	# ping, traceroute -- inbound echo requests limited to 1/s (burst 5);
	# outbound echo requests and UDP traceroute probes (33434-33534) are
	# unrestricted.  Other inbound ICMP only arrives via the RELATED rule.
	iptables -A LAN_IN  -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 5 -j ACCEPT
	iptables -A LAN_OUT -p icmp --icmp-type 8 -j ACCEPT
	iptables -A LAN_OUT -p udp --dport 33434:33534 -j ACCEPT

	# ssh server -- only connection attempts (NEW) go through the throttle;
	# packets of accepted sessions were already matched by the state rule.
	iptables -A LAN_IN -p tcp --dport 22 -m state --state NEW -j LAN_SSH

	# other -- any outbound TCP/UDP from an unprivileged source port, i.e.
	# ordinary client traffic from this host.  Daemons sending from a
	# privileged port (DHCP; possibly NTP) rely on the explicit rules above.
	iptables -A LAN_OUT -p tcp --sport 1024: -j ACCEPT
	iptables -A LAN_OUT -p udp --sport 1024: -j ACCEPT

	# LAN END -- default deny.  LAN_FRW drops everything, so LAN hosts
	# cannot initiate into the VNAT segment; only replies to VNAT-initiated
	# flows get back through the ESTABLISHED,RELATED rule.
	iptables -A LAN_IN  -j DROP
	iptables -A LAN_OUT -j DROP
	iptables -A LAN_FRW -j DROP

	# ====================================================================
	# VNAT

	# samba -- same service set as on the LAN side.
	iptables -A VNAT_IN  -p tcp --dport 445 -j ACCEPT
	iptables -A VNAT_OUT -p tcp --dport 445 -j ACCEPT
	iptables -A VNAT_IN  -p tcp --dport 139 -j ACCEPT
	iptables -A VNAT_OUT -p tcp --dport 139 -j ACCEPT
	iptables -A VNAT_IN  -p udp --dport 137:138 -j ACCEPT
	iptables -A VNAT_OUT -p udp --dport 137:138 -j ACCEPT

	# dns, dhcp, ntp server -- VNAT hosts may use this host as their DNS,
	# DHCP and NTP server.
	# NOTE(review): VNAT_OUT has no rule for DHCP server replies (udp sport
	# 67 -> dport 68), and a broadcast OFFER is unlikely to count as
	# ESTABLISHED; this only works if the DHCP server sends through a
	# raw/packet socket, which bypasses OUTPUT.  Confirm against the server
	# actually in use.
	iptables -A VNAT_IN -p udp --dport 53 -j ACCEPT
	iptables -A VNAT_IN -p tcp --dport 53 -j ACCEPT
	iptables -A VNAT_IN -p udp --sport 68 --dport 67 -j ACCEPT
	iptables -A VNAT_IN -p udp --dport 123 -j ACCEPT

	# ping, traceroute -- inbound echo requests and inbound traceroute
	# probes are rate-limited; outbound is unrestricted.
	iptables -A VNAT_IN  -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 5 -j ACCEPT
	iptables -A VNAT_OUT -p icmp --icmp-type 8 -j ACCEPT
	iptables -A VNAT_IN  -p udp --dport 33434:33534 -m limit --limit 5/second --limit-burst 5 -j ACCEPT
	iptables -A VNAT_OUT -p udp --dport 33434:33534 -j ACCEPT

	# to LAN -- packets entering from the VNAT bridge may leave through the
	# LAN bridge (StartNat rewrites their source to the LAN address).
	# VNAT_FRW is only reached for -i Vnat_Iface, so nothing else is
	# forwarded.
	iptables -A VNAT_FRW -o "$Lan_Iface" -j ACCEPT

	# VNAT END -- default deny for everything else on the VNAT side.
	iptables -A VNAT_IN  -j DROP
	iptables -A VNAT_OUT -j DROP
	iptables -A VNAT_FRW -j DROP
}
# StartFilter()

# ============================================================================
# Tear the filter table down and open the default policies.  Used by both
# "stop" and "stopfilter"; afterwards the host accepts everything, so the
# caller is expected to know that.  mangle and nat are cleared separately.
StopFilter()
{
	# Flush first: user chains can only be deleted once no rule refers
	# to them.
	iptables --flush
	iptables --delete-chain

	# The three policies are independent of one another; open them all.
	iptables --policy FORWARD ACCEPT
	iptables --policy INPUT ACCEPT
	iptables --policy OUTPUT ACCEPT
}

##############################################################################
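# Entry point: dispatch on the requested init action.
#   start|restart|force-reload  rebuild mangle, nat and filter from scratch
#                               (each Start* function flushes its own table
#                               first, so no separate stop step is needed)
#   stop                        clear all three tables and open the policies
#   stopfilter                  open only the filter table, keep mangle/nat
#   status                      list all three tables with counters
# Exit status: 2 on a usage error, 1 when iptables is not installed, 0
# otherwise.
# NOTE(review): failures of individual iptables calls inside the Start*/Stop*
# functions are not propagated -- a half-built ruleset still exits 0.  Since
# StartFilter sets the policies to DROP as its first step, such a failure at
# least fails closed.

# Validate the action before anything else so a bare invocation still prints
# the usage text even when iptables is missing.
case "$1" in
	start|restart|force-reload|stop|stopfilter|status)
		;;
	*)
		# printf rather than echo: "$0" is data, not a format string.
		printf 'Usage: %s {start|stop|stopfilter|restart|force-reload|status}\n' "$0" >&2
		exit 2
		;;
esac

# Without the binary every rule below would just print "command not found"
# and the script would still report success; refuse loudly instead.
if ! command -v iptables >/dev/null 2>&1; then
	printf '%s: iptables not found in PATH\n' "$0" >&2
	exit 1
fi

case "$1" in
	start|restart|force-reload)
		StartMangle
		StartNat
		StartFilter
		;;
	stop)
		StopMangle
		StopNat
		StopFilter
		;;
	stopfilter)
		StopFilter
		;;
	status)
		# One header per table; "filter" is iptables' default table.
		printf '%s\n' "#### mangle ####"
		iptables -t mangle -L -nv --line-numbers
		printf '\n\n%s\n' "#### nat ####"
		iptables -t nat -L -nv --line-numbers
		printf '\n\n%s\n' "#### filter ####"
		iptables -L -nv --line-numbers
		;;
esac

exit 0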

Re: 自由建客的防火墙脚本

#2

帖子 daf3707 » 2018-07-30 13:22

我怎么觉得一点也不易懂,完全看不懂

Re: 自由建客的防火墙脚本

#3

帖子 cooleo » 2020-04-06 11:28

我怎么觉得一点也不易懂,完全看不懂