📄 lss_firewall_iptables.sh
字号:
#! /bin/sh# init.d/masterfw## System startup script for packet filters on a three-homed SuSE 7.1# Linux firewall (Internal network, DMZ network, External network).## IMPORTANT BACKGROUND ON THIS EXAMPLE: the internal network is numbered# 192.168.100.0/24; the DMZ network is 208.13.201.0/29; and the external# interface is 208.13.201.8/29. The firewall's respective interface IP# addresses are 192.168.100.1, 208.13.201.1, and 208.13.201.9.## All traffic originating on the internal network is hidden behind the # firewall, i.e. internal packets destined for DMZ hosts are given the # source IP 208.13.201.1 and those destined for the Internet are given# the source IP 208.13.201.9. ## In the interest of minimizing confusion here, traffic between the DMZ and # the Internet is not "NATted," (though it's certainly a good idea # to use NATted RFC 1918 IP addresses on your DMZ, or even to NAT non-RFC # 1918 addresses in order to add a little obscurity to your security ;-)## Structurally based on SuSE 7.1's /etc/init.d/skeleton, by Kurt Garloff## Please remember that this script is just a model to use for developing# your own firewall rules; such scripts should never be dropped blindly# onto a system.## The following 9 lines are SuSE-specific#### BEGIN INIT INFO# Provides: localfw# Required-Start: $network $syslog# Required-Stop: $network $syslog# Default-Start: 2 3 5# Default-Stop: 0 1 2 6# Description: Start localfw to protect local heinie### END INIT INFO# /End SuSE-specific section # Let's save typing & confusion with some variables.# These are NOT SuSE-specific in any way. NET_INT=192.168.100.0/24NET_DMZ=208.13.201.0/29IFACE_INT=eth0IFACE_DMZ=eth1IFACE_EXT=eth2IP_INT=192.168.100.1IP_DMZ=208.13.201.1IP_EXT=208.13.201.9WOOFGANG=208.13.201.2IPTABLES=/usr/sbin/iptables test -x $IPTABLES || exit 5 # The next 42 lines are SuSE-specific # Source SuSE config# (file containing system configuration variables, though in SuSE 8.0 this# has been split into a number of files in /etc/rc.config.d). /etc/rc.config # Determine the base and follow a runlevel link name.base=${0##*/}link=${base#*[SK][0-9][0-9]} # Force execution if not called by a runlevel directory.test $link = $base && START_LOCALFW=yestest "$START_LOCALFW" = yes || exit 0 # Shell functions sourced from /etc/rc.status:# rc_check check and set local and overall rc status# rc_status check and set local and overall rc status# rc_status -v ditto but be verbose in local rc status# rc_status -v -r ditto and clear the local rc status# rc_failed set local and overall rc status to failed# rc_reset clear local rc status (overall remains)# rc_exit exit appropriate to overall rc status. /etc/rc.status # First reset status of this servicerc_reset # Return values acc. to LSB for all commands but status:# 0 - success# 1 - misc error# 2 - invalid or excess args# 3 - unimplemented feature (e.g. reload)# 4 - insufficient privilege# 5 - program not installed# 6 - program not configured# 7 - program is not running# # Note that starting an already running service, stopping# or restarting a not-running service as well as the restart# with force-reload (in case signalling is not supported) are# considered a success. # /End SuSE-specific stuff.# The rest of this script is non-SuSE specific case "$1" instart)echo -n "Loading Firewall's Packet Filters" # SETUP # Load kernel modules firstmodprobe ip_tablesmodprobe ip_conntrack_ftpmodprobe iptable_natmodprobe ip_nat_ftp # Flush old rules, old custom tables$IPTABLES --flush$IPTABLES --delete-chain$IPTABLES --flush -t nat$IPTABLES --delete-chain -t nat # Set default-deny policies for all three default chains$IPTABLES -P INPUT DROP$IPTABLES -P FORWARD DROP$IPTABLES -P OUTPUT DROP # Give free reign to loopback interfaces$IPTABLES -I INPUT 1 -i lo -j ACCEPT$IPTABLES -I OUTPUT 1 -o lo -j ACCEPT # Do some rudimentary anti-IP-spoofing drops on INPUT chain## NOTE: If you use RFC 1918 address-space, comment out or edit the appropriate # lines below!$IPTABLES -A INPUT -s 192.168.0.0/16 -i $IFACE_EXT -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A INPUT -s 192.168.0.0/16 -i $IFACE_EXT -j DROP$IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP$IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix " Spoofed source IP "$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP$IPTABLES -A INPUT -s ! $NET_DMZ -i $IFACE_DMZ -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A INPUT -s ! $NET_DMZ -i $IFACE_DMZ -j DROP$IPTABLES -A INPUT -s ! $NET_INT -i $IFACE_INT -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A INPUT -s ! $NET_INT -i $IFACE_INT -j DROP$IPTABLES -A INPUT -s $NET_DMZ -i $IFACE_EXT -j LOG --log-prefix " Spoofed source IP "$IPTABLES -A INPUT -s $NET_DMZ -i $IFACE_EXT -j DROP$IPTABLES -A INPUT -s $IP_INT -i $IFACE_INT -j LOG --log-prefix "Spoofed source IP (firewall's ) "$IPTABLES -A INPUT -s $IP_INT -i $IFACE_INT -j DROP$IPTABLES -A INPUT -s $IP_DMZ -i $IFACE_DMZ -j LOG --log-prefix "Spoofed source IP (firewall's ) "$IPTABLES -A INPUT -s $IP_DMZ -i $IFACE_DMZ -j DROP$IPTABLES -A INPUT -s $IP_EXT -i $IFACE_EXT -j LOG --log-prefix "Spoofed source IP (firewall's ) "$IPTABLES -A INPUT -s $IP_EXT -i $IFACE_EXT -j DROP # Do the same rudimentary anti-IP-spoofing drops on FORWARD chain## NOTE: If you use RFC 1918 address-space, comment out or edit the appropriate # lines below!$IPTABLES -A FORWARD -s 192.168.0.0/16 -i $IFACE_EXT -j LOG --log-prefix " Spoofed source IP "$IPTABLES -A FORWARD -s 192.168.0.0/16 -i $IFACE_EXT -j DROP$IPTABLES -A FORWARD -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A FORWARD -s 172.16.0.0/12 -j DROP$IPTABLES -A FORWARD -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A FORWARD -s 10.0.0.0/8 -j DROP$IPTABLES -A FORWARD -s ! $NET_DMZ -i $IFACE_DMZ -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A FORWARD -s ! $NET_DMZ -i $IFACE_DMZ -j DROP$IPTABLES -A FORWARD -s ! $NET_INT -i $IFACE_INT -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A FORWARD -s ! $NET_INT -i $IFACE_INT -j DROP$IPTABLES -A FORWARD -s $NET_DMZ -i $IFACE_EXT -j LOG --log-prefix "Spoofed source IP "$IPTABLES -A FORWARD -s $NET_DMZ -i $IFACE_EXT -j DROP$IPTABLES -A FORWARD -s $IP_INT -i $IFACE_INT -j LOG --log-prefix "Spoofed source IP (firewall's) "$IPTABLES -A FORWARD -s $IP_INT -i $IFACE_INT -j DROP$IPTABLES -A FORWARD -s $IP_DMZ -i $IFACE_DMZ -j LOG --log-prefix "Spoofed source IP (firewall's) "$IPTABLES -A FORWARD -s $IP_DMZ -i $IFACE_DMZ -j DROP$IPTABLES -A FORWARD -s $IP_EXT -i $IFACE_EXT -j LOG --log-prefix "Spoofed source IP (firewall's) "$IPTABLES -A FORWARD -s $IP_EXT -i $IFACE_EXT -j DROP # INBOUND POLICY # Accept inbound packets that are part of previously-OK'ed sessions$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED # Tell netfilter that all TCP sessions must begin with SYN$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # Accept packets initiating SSH sessions from internal network to firewall$IPTABLES -A INPUT -p tcp -s $NET_INT --dport 22 -m state --state NEW -j ACCEPT # Log anything not accepted above$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default (INPUT):"$IPTABLES -A INPUT -j DROP # OUTBOUND POLICY # If it's part of an approved connection, let it out$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow outbound ping (comment-out when not needed!)# $IPTABLES -A OUTPUT -p icmp -j ACCEPT # Allow outbound DNS queries, e.g. to resolve IPs in logs$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT # Allow outbound HTTP for Yast2 Online Update$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT # Log anything not accepted above$IPTABLES -A OUTPUT -j LOG --log-prefix "Dropped by default (OUTPUT):"$IPTABLES -A OUTPUT -j DROP # FORWARD POLICY # If it's part of an approved connection, let it out$IPTABLES -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT # Tell netfilter that all TCP sessions must begin with SYN$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP # Allow all access to Woofgang's web sites$IPTABLES -A FORWARD -p tcp -d $WOOFGANG --dport 80 -m state --state NEW -j ACCEPT # Allow all access to Woofgang's FTP sites$IPTABLES -A FORWARD -p tcp -d $WOOFGANG --dport 21 -m state --state NEW,RELATED -j ACCEPT # Allow dns from Woofgang to external DNS servers$IPTABLES -A FORWARD -p udp -s $WOOFGANG -m state --state NEW,RELATED --dport 53 -j ACCEPT # NOTE: the next few rules reflect a restrictive stance re. internal users:# only a few services are allowed outward from the internal network.# This may or may not be politically feasible in your environment, i.e., you# really shouldn't "allow all outbound," but sometimes you have no choice. # Allow dns queries from internal hosts to external DNS servers# NOTE: in practice this rule should be source-restricted to internal DNS # servers (that perform recursive queries on behalf of internal users)#$IPTABLES -A FORWARD -p udp -s $NET_INT -m state --state NEW,RELATED --dport 53 -j ACCEPT # Allow FTP from internal hosts to the outside world$IPTABLES -A FORWARD -p tcp -s $NET_INT -m state --state NEW,RELATED --dport 21 -j ACCEPT # Allow HTTP from internal hosts to the outside world$IPTABLES -A FORWARD -p tcp -s $NET_INT -m state --state NEW --dport 80 -j ACCEPT # Allow HTTPS from internal hosts to the outside world$IPTABLES -A FORWARD -p tcp -s $NET_INT -m state --state NEW --dport 443 -j ACCEPT # Allow SMTP from internal hosts to the outside world# NOTE: in practice this should be source-restricted to internal mail servers#$IPTABLES -A FORWARD -p tcp -s $NET_INT -m state --state NEW --dport 25 -j ACCEPT # Allow SSH from internal hosts to Woofgang# NOTE: in practice this should be source-restricted to internal admin systems#$IPTABLES -A FORWARD -p tcp -s $NET_INT -d $WOOFGANG -m state --state NEW --dport 22 -j ACCEPT # Log anything not accepted above - if nothing else, for t-shooting$IPTABLES -A FORWARD -j LOG --log-prefix "Dropped by default (FORWARD):"$IPTABLES -A FORWARD -j DROP # NAT: Post-Routing # Hide internal network behind firewall$IPTABLES -t nat -A POSTROUTING -s $NET_INT -o $IFACE_EXT -j SNAT --to-source $IP_EXT$IPTABLES -t nat -A POSTROUTING -s $NET_INT -o $IFACE_DMZ -j SNAT --to-source $IP_DMZ # Remember status and be verboserc_status -v;; # The following commented-out section is active in Example A-1 but # SHOULD NOT BE USED on a live firewall. (It's only here so I can tell you not# to use it!) Sometimes you can justify turning off packet filtering on a # bastion host, but NEVER on a firewall # wide_open)# echo -n "DANGER!! Unloading firewall's Packet Filters! ARE YOU MAD?"## $IPTABLES --flush# $IPTABLES -P INPUT ACCEPT# $IPTABLES -P FORWARD ACCEPT# $IPTABLES -P OUTPUT ACCEPT # Remember status and be verboserc_status -v;; # Unload all fw rules, leaving default-drop policiesstop)echo -n "Stopping the firewall (in a closed state)!" $IPTABLES --flush # Remember status and be quietrc_status;; status)echo "Querying iptables status..."echo " (actually doing iptables --list)..." $IPTABLES --list; rc=$?if test $rc = 0; then echo "OK"else echo "Hmm, that didn't work for some reason. Bummer." fi#rc_status;;*)echo "Usage: $0 {start|stop|status}"exit 1;;esacrc_exit⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -