

📁 linux防火墙源代码 需要用的人自己下载看看 程序比较简单啊
			 "			$IPT -A INPUT -p tcp ! --syn -s $server -d 0/0 -j ACCEPT\n"			 "			$IPT -A INPUT -p udp -s $server -d 0/0 -j ACCEPT\n"			 "			$IPT -A OUTPUT -p tcp -s $IP -d $server --dport 53 -j ACCEPT\n"			 "			$IPT -A OUTPUT -p udp -s $IP -d $server --dport 53 -j ACCEPT\n"			 "		fi\n"			 "	done < /etc/resolv.conf\n\n");	fprintf (script, "\n# --------( Initial Setup - Configure Kernel Parameters )--------\n\n");		fprintf (script, "source "FIRESTARTER_SYSCTL_SCRIPT"\n\n");	fprintf (script, "\n# --------( Intial Setup - User Defined Pre Script )--------\n\n");	fprintf (script, "source "FIRESTARTER_USER_PRE_SCRIPT"\n\n");   fprintf (script, "\n# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------\n\n");	fprintf (script, "# Allow all traffic on the loopback interface\n");	fprintf (script, "$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT\n");	fprintf (script, "$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT\n\n");   fprintf (script, "\n# --------( Rules Configuration - Type of Service (ToS) - Ruleset Filtered by GUI )--------\n\n");	fprintf (script, "if [ \"$FILTER_TOS\" = \"on\" ]; then\n");	fprintf (script, "	if [ \"$TOS_CLIENT\" = \"on\" -a $mangle_supported ]; then\n"			 "		# ToS: Client Applications\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 68 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 80 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 443 --set-tos $TOSOPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$TOS_SERVER\" = \"on\" -a $mangle_supported ]; then\n"			 "		# ToS: Server Applications\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 25 --set-tos $TOSOPT\n"			 "		$IPT 
-t mangle -A OUTPUT -p tcp -j TOS --dport 53 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 67 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 80 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 110 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 143 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 443 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 1812 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 1813 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 2401 --set-tos $TOSOPT\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 8080 --set-tos $TOSOPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$TOS_SERVER\" = \"on\" -a $mangle_supported ]; then\n"			 "		# ToS: The X Window System\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos 0x10\n"			 "		$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 6000:6015 --set-tos 0x08\n"			 "	fi\n");	fprintf (script, "fi\n\n");        fprintf (script, "\n# --------( Rules Configuration - ICMP )--------\n\n");        fprintf (script, "if [ \"$FILTER_ICMP\" = \"on\" ]; then\n");	fprintf (script, "	if [ \"$ICMP_ECHO_REQUEST\" = \"on\" ]; then\n"	                 "		# ICMP: Ping Requests\n"	                 "		$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_ECHO_REPLY\" = \"on\" ]; then\n"	                 "		# ICMP: Ping Replies\n"	                 "		$IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_TRACEROUTE\" = \"on\" ]; then\n"	                 "		# ICMP: 
Traceroute Requests\n"	                 "		$IPT -A INPUT -p udp --dport 33434 -j ACCEPT\n"	                 "		$IPT -A FORWARD -p udp --dport 33434 -j ACCEPT\n"	                 "	else\n"			 "		$IPT -A INPUT -p udp --dport 33434 -j LSI\n"			 "		$IPT -A FORWARD -p udp --dport 33434 -j LSI\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_MSTRACEROUTE\" = \"on\" ]; then\n"	                 "		# ICMP: MS Traceroute Requests\n"	                 "		$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_UNREACHABLE\" = \"on\" ]; then\n"	                 "		# ICMP: Unreachable Requests\n"	                 "		$IPT -A INPUT -p icmp --icmp-type host-unreachable -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type host-unreachable -j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_TIMESTAMPING\" = \"on\" ]; then\n"	                 "		# ICMP: Timestamping Requests\n"	                 "		$IPT -A INPUT -p icmp --icmp-type timestamp-request -j ACCEPT\n"	                 "		$IPT -A INPUT -p icmp --icmp-type timestamp-reply -j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_MASKING\" = \"on\" ]; then\n"	                 "		# ICMP: Address Masking\n"	                 "		$IPT -A INPUT -p icmp --icmp-type address-mask-request -j ACCEPT\n"	                 "		$IPT -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type address-mask-request -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type address-mask-reply -j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_REDIRECTION\" = \"on\" ]; then\n"	                 "		# ICMP: Redirection Requests\n"	                 "		$IPT -A INPUT -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type redirect -m limit --limit 2/s 
-j ACCEPT\n"			 "	fi\n");	fprintf (script, "	if [ \"$ICMP_SOURCE_QUENCHES\" = \"on\" ]; then\n"	                 "		# ICMP: Source Quench Requests\n"	                 "		$IPT -A INPUT -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT\n"	                 "		$IPT -A FORWARD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT\n"			 "	fi\n\n");	fprintf (script, "	# Catch ICMP traffic not allowed above\n"			 "	$IPT -A INPUT -p icmp -j LSI\n"			 "	$IPT -A FORWARD -p icmp -j LSI\n");	fprintf (script, "else\n"	                 "	# Allow all ICMP traffic when filtering disabled\n"	                 "	$IPT -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT\n"	                 "	$IPT -A FORWARD -p icmp -m limit --limit 10/s -j ACCEPT\n"			 "fi\n\n");	fprintf (script, "if [ \"$NAT\" = \"on\" ]; then\n"			 "	# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------\n\n");   	fprintf (script, "	#Turn on IP forwarding\n");	fprintf (script, "	if [ -e /proc/sys/net/ipv4/ip_forward ]; then\n"	                 "		echo 1 > /proc/sys/net/ipv4/ip_forward\n"			 "	fi\n\n");	fprintf (script, "	# --------( Rules Configuration - Masquerading - Default Ruleset )--------\n\n");      			fprintf (script, "	#TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients\n"	                 "	$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n\n");	fprintf (script, "	if [ \"$stripoptions_supported\" -a \"$mangle_supported\" ]; then\n"	                 "		#IPv4OPTIONS Fix - Strip IP options from a forwarded packet\n"	                 "		$IPT -t mangle -A PREROUTING -j IPV4OPTSSTRIP\n"	                 "	fi\n\n");	fprintf (script, "	# --------( Rules Configuration - Forwarded Traffic )--------\n\n");	fprintf (script, "	if [ \"$nat_supported\" ]; then\n"	                 "		#Masquerade outgoing traffic\n"	                 "		$IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE\n"	                 "	fi\n\n");	fprintf (script, "	# 
Temoporarily set the field separator for CSV format\n"	                 "	OLDIFS=$IFS\n"	                 "	IFS=','\n\n");	fprintf (script, "	# Services forward from the firewall to the internal network\n"	                 "	while read service ext_port host int_port garbage\n"	                 "		do\n"			 "			scrub_parameters\n"	                 "			$IPT -A FORWARD -i $IF -p tcp -d $host --dport $int_port -j ACCEPT\n"	                 "			$IPT -A FORWARD -i $IF -p udp -d $host --dport $int_port -j ACCEPT\n"	                 "			$IPT -A PREROUTING -t nat -i $IF -p tcp --dport $ext_port -j DNAT --to-destination $host:$int_port_dashed\n"	                 "			$IPT -A PREROUTING -t nat -i $IF -p udp --dport $ext_port -j DNAT --to-destination $host:$int_port_dashed\n"	                 "		done < "POLICY_IN_FORWARD"\n\n");	fprintf (script, "	IFS=$OLDIFS\n\n");	fprintf (script, "fi\n\n");   fprintf (script, "\n# --------( Rules Configuration - Inbound Traffic )--------\n\n");	fprintf (script, "if [ \"$BLOCK_NON_ROUTABLES\" = \"on\" ]; then\n"	                 "	# Block traffic from non-routable address space on the public interfaces\n"	                 "	$IPT -N NR 2> /dev/null\n"			 "	$IPT -F NR\n"	                 "	while read block garbage\n"			 "		do\n"	                 "			$IPT -A NR -s $block -d $NET -i $IF -j LSI\n"	                 "		done < "FIRESTARTER_NON_ROUTABLES_SCRIPT"\n"	                 "	$IPT -A INPUT -s ! 
$NET -i $IF -j NR\n"			 "fi\n\n");	fprintf (script, "# Block Broadcast Traffic\n"	                 "if [ \"$BLOCK_EXTERNAL_BROADCAST\" = \"on\" ]; then\n"	                 "	$IPT -A INPUT -i $IF -d 255.255.255.255 -j DROP\n"			 "	if [ \"$BCAST\" != \"\" ]; then\n"	                 "		$IPT -A INPUT -d $BCAST -j DROP\n"			 "	fi\n"			 "fi\n\n");	fprintf (script, "if [ \"$NAT\" = \"on\" -a \"$BLOCK_INTERNAL_BROADCAST\" = \"on\" ]; then\n"	                 "	$IPT -A INPUT -i $INIF -d 255.255.255.255 -j DROP\n"			 "	if [ \"$INBCAST\" != \"\" ]; then\n"	                 "		$IPT -A INPUT -i $INIF -d $INBCAST -j DROP\n"			 "	fi\n"			 "fi\n\n");	fprintf (script, "# Block Multicast Traffic\n"	                 "#  Some cable/DSL providers require their clients to accept multicast transmissions\n"	                 "#  you should remove the following four rules if you are affected by multicasting\n"	                 "$IPT -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP\n"	                 "$IPT -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP\n"	                 "$IPT -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j DROP\n"	                 "$IPT -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j DROP\n\n");	fprintf (script, "# Block Traffic with Stuffed Routing\n"                         "#  Early versions of PUMP - (the DHCP client application included in RH / Mandrake) require\n"                         "#  inbound packets to be accepted from a source address of 255.255.255.255.  
If you have issues\n"                         "#  with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)\n"	                 "$IPT -A INPUT -s 255.255.255.255 -j DROP\n"	                 "$IPT -A INPUT -d 0.0.0.0 -j DROP\n"	                 "$IPT -A OUTPUT -s 255.255.255.255 -j DROP\n"	                 "$IPT -A OUTPUT -d 0.0.0.0 -j DROP\n\n");	fprintf (script, "$IPT -A INPUT -m state --state INVALID -j DROP # Block Traffic with Invalid Flags\n");	fprintf (script, "$IPT -A INPUT -f -m limit --limit 10/minute -j LSI # Block Traffic w/ Excessive Fragmented Packets\n");   fprintf (script, "\n# --------( Rules Configuration - Outbound Traffic )--------\n\n");	fprintf (script, "$IPT -A OUTPUT -m state --state INVALID -j DROP # Block Traffic w/ Invalid Flags\n\n");   fprintf (script, "\n# --------( Traffic Policy )--------\n\n");	fprintf (script, "# Load the inbound traffic policy\n");	fprintf (script, "source "FIRESTARTER_INBOUND_SETUP"\n"	                 "$IPT -A INPUT -i $IF -j INBOUND # Check Internet to firewall traffic\n"	                 "if [ \"$NAT\" = \"on\" ]; then\n"	                 "	$IPT -A INPUT -i $INIF -d $INIP -j INBOUND # Check LAN to firewall (private ip) traffic\n"	                 "	$IPT -A INPUT -i $INIF -d $IP -j INBOUND   # Check LAN to firewall (public ip) traffic\n"			 "	if [ \"$INBCAST\" != \"\" ]; then\n"			 "		$IPT -A INPUT -i $INIF -d $INBCAST -j INBOUND # Check LAN to firewall broadcast traffic\n"			 "	fi\n"	                 "fi\n\n");	fprintf (script, "# Load the outbound traffic policy\n");	fprintf (script, "source "FIRESTARTER_OUTBOUND_SETUP"\n"	                 "$IPT -A OUTPUT -o $IF -j OUTBOUND # Check firewall to Internet traffic\n"	                 "if [ \"$NAT\" = \"on\" ]; then\n"	                 "	$IPT -A OUTPUT -o $INIF -j OUTBOUND  # Check firewall to LAN traffic\n"	                 "	$IPT -A FORWARD -i $INIF -j OUTBOUND # Check LAN to Internet traffic\n\n"	                 "	# Allow 
Internet to LAN response traffic\n"	                 "	$IPT -A FORWARD -p tcp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT\n"	                 "	$IPT -A FORWARD -p udp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT\n"			 "fi\n");	fprintf (script, "\n# --------( User Defined Post Script )--------\n\n");	fprintf (script, "source "FIRESTARTER_USER_POST_SCRIPT"\n\n");	fprintf (script, "\n# --------( Unsupported Traffic Catch-All )--------\n\n"			 "$IPT -A INPUT -j LOG_FILTER\n"			 "$IPT -A INPUT -j LOG --log-level=$LOG_LEVEL --log-prefix \"Unknown Input\"\n"			 "$IPT -A OUTPUT -j LOG_FILTER\n"			 "$IPT -A OUTPUT -j LOG --log-level=$LOG_LEVEL --log-prefix \"Unknown Output\"\n"			 "$IPT -A FORWARD -j LOG_FILTER\n"			 "$IPT -A FORWARD -j LOG --log-level=$LOG_LEVEL --log-prefix \"Unknown Forward\"\n\n");	fprintf (script, "return 0\n");	fclose (script);	g_print (_("Firewall script saved as %s\n"), scriptpath);}
