📄 1600.html

📁 Document archive of the well-known linuxhero site
          <TD><IMG height=22 src="images/spacer.gif" tppabs="http://www.linuxhero.com/docs/images/spacer.gif" width=1 
        border=0></TD></TR></TBODY></TABLE>
      <TABLE cellSpacing=10 cellPadding=0 width="100%" bgColor=#ffffff 
        border=0>
         <TR>
          <TD>
            <TABLE cellSpacing=0 cellPadding=3 width="100%" border=0>
              
              <TR>
                <TD vAlign=top align=middle width="60%">
                  <TABLE cellSpacing=0 cellPadding=0 width="100%" 
                  background="images/back.gif" tppabs="http://www.linuxhero.com/docs/images/back.gif" border=0>
                    <TBODY>
                    <TR>
                        <TD vAlign=top width="80%"> 
                          <DIV align=center>
                        <FORM action="search.html" tppabs="http://www.linuxhero.com/docs/search.html" method=get>
                            </FORM>
                        <TABLE cellSpacing=0 cellPadding=0 width="95%" 
                          border=0><TBODY>
                          <TR>
                            <TD background="images/bgi.gif" tppabs="http://www.linuxhero.com/docs/images/bgi.gif" 
                          height=30></TD></TR></TBODY></TABLE>
                        <TABLE cellSpacing=0 cellPadding=3 width="95%" 
                        align=center border=0>
                          <TBODY>
                          <TR>
                            <TD>
                              <TABLE cellSpacing=0 cellPadding=3 width="100%" 
                              border=0>
                                <TBODY>
                                <TR>
                                      <TD vAlign=top> 
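<p><FONT class=normalfont><B><font color=blue>Firewall script</font></B></FONT><BR><FONT class=smallfont color=#ff9900>2004-04-23 15:18 pm</FONT><BR><FONT class=normalfont>Author: Author<br>Source: Linux知识宝库<br>Contact: anonymous<br><br>All the firewall scripts out there are written by foreigners, so I wrote one too. I hope everyone will work with me to make it good.<br>
<br>
The DMZ part is not yet complete and there are bound to be omissions. I hope everyone will help me improve it so that it becomes more and more capable. To use it, copy firewall-dev to /etc/rc.d/init.d and copy firewall.conf to /etc/; after that you only need to edit firewall.conf. Use firewall-dev start|stop to start and stop the firewall. Features are still being added. If you make any changes, please send me a copy: arlenecc@263.net<br>
<br>
In the spirit of the GPL, I hope like-minded people will help me improve it. If you change anything, please let me know!<br>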
<br>
<br>
firewall-dev<br>
<br>
#!/bin/bash<br>
#          This is a firewall script that does stateful inspection and<br>
#          IP filtering; you can change it to meet your needs. In short:<br>
#          uplink means the output interface, router means whether you need<br>
#          it to be a router or not, nat means whether you are using a<br>
#          dynamic IP address;<br>
#          if you are, change it to "dynamic". interfaces means all the<br>
#          interfaces in your server, services means all the services your<br>
#          server provides. Enjoy it !!!   ----- written by arlenecc<br>
#<br>
##############################################################################<br>
#                                                                            #<br>
#    Copyright (c) 2002 arlenecc          arlenecc@netease.com               #<br>
#    All rights reserved                                                     #<br>
#                                                                            #<br>
##############################################################################<br>
#<br>
#          now begins the firewall<br>
<br>
 <br>
 # firewall.conf is read from /etc, where the instructions above install it.<br>
 CONF=/etc/firewall.conf<br>
 if [ ! -r "$CONF" ]<br>
    then<br>
        echo "Cannot read $CONF" &gt;&amp;2<br>
        exit 1<br>
 fi<br>
 <br>
 # Print the value of key $1. The key is anchored at the start of the line so<br>
 # that H323 no longer also matches H323_PORT and commented-out lines are<br>
 # skipped; only the first matching line is used.<br>
 conf_get() {<br>
     grep -m 1 "^[[:space:]]*$1[[:space:]]*=" "$CONF" | cut -d = -f 2-<br>
 }<br>
 <br>
 UPLINK=$(conf_get UPLINK)<br>
 UPIP=$(conf_get UPIP)<br>
 ROUTER=$(conf_get ROUTER)<br>
 NAT=$(conf_get NAT)<br>
 INTERFACES=$(conf_get INTERFACES)<br>
 SERVICES=$(conf_get SERVICES)<br>
 DENYPORTS=$(conf_get DENYPORTS)<br>
 DENYUDPPORT=$(conf_get DENYUDPPORT)<br>
 LAN_IF=$(conf_get LAN_IF)<br>
 LAN_NET=$(conf_get LAN_NET)<br>
 DMZ_NET=$(conf_get DMZ_NET)<br>
 DMZ_IF=$(conf_get DMZ_IF)<br>
 DMZ_TCP_PORT=$(conf_get DMZ_TCP_PORT)<br>
 DMZ_UDP_PORT=$(conf_get DMZ_UDP_PORT)<br>
 WEB_IP=$(conf_get WEB_IP)<br>
 FTP_IP=$(conf_get FTP_IP)<br>
 H323_PORT=$(conf_get H323_PORT)<br>
 H323=$(conf_get H323)<br>
<br>
   <br>
 <br>
<br>
<br>
   if [ "$1" = "start" ]<br>
   then<br>
        echo "Starting firewall......"<br>
<br>
echo "Now preparing the kernel for use, please wait....."<br>
<br>
  # if [ -e /proc/sys/net/ipv4/ip_forward ]<br>
  #<br>
  #    then<br>
  #       echo 1 &gt;/proc/sys/net/ipv4/ip_forward<br>
  #    fi<br>
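  # Compare with whitespace stripped, so "NAT=dynamic" and "NAT = dynamic" both match.<br>
  if [ "${NAT//[[:space:]]/}" = "dynamic" ]<br>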
      then<br>
          echo "Enable dynamic ip support...."<br>
          echo 1 &gt; /proc/sys/net/ipv4/ip_dynaddr<br>
         echo "    OK !!!!"<br>
  fi<br>
  if [ -e /proc/sys/net/ipv4/tcp_syncookies ]<br>
      then<br>
            echo "Enabling SYN cookie flood protection"<br>
            echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies<br>
            echo "     OK !!!!"<br>
  fi<br>
  if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]<br>
       then<br>
         echo "Setting the maximum number of connections to track.... "<br>
         echo "4096" &gt; /proc/sys/net/ipv4/ip_conntrack_max<br>
         echo "          OK !!!!"<br>
  fi<br>
 <br>
  if [ -e /proc/sys/net/ipv4/ip_local_port_range ]<br>
        then<br>
          echo " Setting local port range for TCP/UDP connection...."  <br>
          echo -e "32768	61000" &gt; /proc/sys/net/ipv4/ip_local_port_range<br>
          echo "            OK !!!!"<br>
  fi<br>
 <br>
  if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]<br>
       then<br>
          echo "Enable bad error message protection......."<br>
          echo 1 &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses<br>
          echo "    OK !!!! "<br>
  fi<br>
  if [ -e /proc/sys/net/ipv4/tcp_ecn ]<br>
     then<br>
         echo "Disabling tcp_ecn,please wait..."<br>
         echo 0 &gt;/proc/sys/net/ipv4/tcp_ecn<br>
         echo "     OK  !!!!  "<br>
     fi<br>
<br>
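   for x in ${INTERFACES}<br>
     do<br>
          # Skip names from firewall.conf that do not exist on this host.<br>
          if [ -e "/proc/sys/net/ipv4/conf/${x}/rp_filter" ]<br>
             then<br>
               echo " Enabling rp_filter on ${x} ,please wait...."<br>
               echo 1 &gt; "/proc/sys/net/ipv4/conf/${x}/rp_filter"<br>
               echo "  ${x}  OK  !!!!  "<br>
          fi<br>
     done<br>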
 <br>
   if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]<br>
             <br>
             then<br>
           <br>
             echo "Disabling ICMP redirects,please wait...."    <br>
             echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects<br>
             echo "    OK  !!!!   "<br>
   fi    <br>
   <br>
   if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]<br>
<br>
       then<br>
          echo "Disabling source routing of packets,please wait...."<br>
          for i in /proc/sys/net/ipv4/conf/*/accept_source_route  <br>
             <br>
               do<br>
                  echo 0 &gt; "$i"<br>
                  echo "     $i    OK !!!!       "<br>
                 <br>
            done<br>
           <br>
   fi                  <br>
  if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]<br>
     then<br>
         echo "Ignore any broadcast icmp echo requests......"<br>
         echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts<br>
         echo "      OK !!!!    "<br>
  fi<br>
 <br>
 # if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]<br>
 #<br>
 #      then<br>
 #         echo "LOG packets with impossible addresses to kernel log...."<br>
 #         echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians<br>
 #         echo "    OK  !!!!   "<br>
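
The start section above writes a fixed set of kernel parameters under /proc/sys/net/ipv4. The following is an added example, not part of firewall-dev or the original page, that audits those values after the script has run; the function name audit_sysctl and its SYSROOT argument are assumptions of this example.

```shell
#!/bin/bash
# Added example, not part of firewall-dev: audit the kernel settings that the
# start section writes. The SYSROOT argument is an assumption of this example
# so the check can run against a copy of the tree; it defaults to /proc/sys.

# Expected values, taken from the echo commands in the script above.
EXPECTED="net/ipv4/tcp_syncookies=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/tcp_ecn=0
net/ipv4/conf/all/accept_redirects=0"

# audit_sysctl [SYSROOT [INTERFACE...]]
# Prints OK, DRIFT or MISSING for each setting and returns the DRIFT count.
# MISSING is not counted, matching the script's own "if [ -e ... ]" guards.
audit_sysctl() {
    local root="${1:-/proc/sys}" checks="$EXPECTED" drift=0
    local x f rel entry path want have
    if [ $# -gt 0 ]; then shift; fi
    # rp_filter is set per interface listed in INTERFACES.
    for x in "$@"; do
        checks="$checks net/ipv4/conf/$x/rp_filter=1"
    done
    # accept_source_route is cleared for every entry under conf/.
    for f in "$root"/net/ipv4/conf/*/accept_source_route; do
        if [ -e "$f" ]; then
            rel=${f#"$root"/}
            checks="$checks $rel=0"
        fi
    done
    for entry in $checks; do
        path="${entry%=*}"
        want="${entry#*=}"
        if [ ! -r "$root/$path" ]; then
            echo "MISSING $path"
            continue
        fi
        have=$(tr -d '[:space:]' < "$root/$path")
        if [ "$have" = "$want" ]; then
            echo "OK      $path=$have"
        else
            echo "DRIFT   $path=$have (want $want)"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}
```

On a live host, call it as `audit_sysctl /proc/sys $INTERFACES` with the same interface list as firewall.conf; a non-zero return means a setting was changed after the firewall started.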
