iptables examples

Single-rule examples

iptables -F
# -F means flush: it removes every rule from every chain of the filter table.

iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# In the filter table's INPUT chain, accept packets whose source is host 172.20.20.1 and whose connection state is NEW, ESTABLISHED or RELATED.

iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 123,110 -j ACCEPT
# -p selects the protocol and -m loads a match module; multiport matches several non-contiguous ports in a single rule. Read in full: TCP packets from host 172.20.20.1 in state NEW or ESTABLISHED whose destination port is 123 or 110 are allowed through.

iptables -A INPUT -s 172.20.22.0/24 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 123,110 -j ACCEPT
# The same rule for the whole 172.20.22.0/24 network.

iptables -A INPUT -s 0/0 -m state --state NEW -p tcp -m multiport --dports 123,110 -j DROP
# From any source (0/0), NEW TCP packets aimed at my ports 123 and 110 are dropped.

iptables -A INPUT ! -s 172.20.89.0/24 -m state --state NEW -p tcp -m multiport --dports 1230,110 -j DROP
# "!" negates the match: every source except the 172.20.89.0/24 range is dropped. (The original wrote the negation as "-s ! addr"; current iptables expects it in front of the option, "! -s addr".)

iptables -R INPUT 1 -s 192.168.6.99 -p tcp --dport 22 -j ACCEPT
# Replace rule number 1 of the INPUT chain.

iptables -t filter -L INPUT -vn
# List the rules of the filter table's INPUT chain verbosely, with numeric addresses and ports.

# ------------------------------- NAT -------------------------------
# The following operations are done in the nat table; note the -t nat.

iptables -t nat -F

iptables -t nat -A PREROUTING -d 192.168.102.55 -p tcp --dport 90 -j DNAT --to 172.20.11.1:800
# -A PREROUTING: applied before the routing decision. In the nat table, before routing, packets for 192.168.102.55 port 90 are DNATed, i.e. redirected to 172.20.11.1:800.

iptables -t nat -A POSTROUTING -d 172.20.11.1 -j SNAT --to 192.168.102.55
# -A POSTROUTING: applied after routing. In the nat table, after routing, every packet for 172.20.11.1 is SNATed, i.e. its source address is rewritten to 192.168.102.55.

iptables -A INPUT -d 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A OUTPUT -d 192.168.20.0/255.255.255.0 -o eth1 -j DROP
iptables -A OUTPUT -s 192.168.20.0/255.255.255.0 -o eth1 -j DROP
# Here eth1 is connected to the Internet and 192.168.20.0 is the internal network number. These rules guard against IP spoofing: packets entering or leaving eth1 should carry public addresses, never the internal ones.

iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP
# Keep broadcast packets from entering the LAN through the IP proxy server.

iptables -A INPUT -p tcp -m tcp --sport 5000 -j DROP
iptables -A INPUT -p udp -m udp --sport 5000 -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP
iptables -A OUTPUT -p udp -m udp --dport 5000 -j DROP
# Block port 5000.

iptables -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
# Keep Internet users away from the MySQL server (port 3306): one host in the 211.148.130.128/28 block is denied explicitly, the LAN and the rest of that block are allowed, and everything else is dropped. Order matters: the explicit DROP must precede the ACCEPT for the block.

iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
# REJECT is like DROP, but it answers the sender with the response chosen by --reject-with, which helps hide the existence of the firewall.

iptables example for a www server

#!/bin/bash
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Load the required modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ipt_limit

# Kernel hardening via /proc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

iptables -F
iptables -X
iptables -Z

## Loopback - allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

## SYN-flooding protection
iptables -N syn-flood
iptables -A INPUT -i ppp0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

## Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

## HTTP rules
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -d 0/0 --dport 443 -j ACCEPT

## DNS rules
iptables -A INPUT -i ppp0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -d 0/0 --dport 53 -j ACCEPT

## IP packets limit (rate-limit fragments, drop ICMP on eth0)
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j DROP

## SSH (ip1 and ip2 are placeholders for the administrators' addresses)
iptables -A INPUT -p tcp -s ip1/32 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s ip2/32 --dport 22 -j ACCEPT

## Anything else not allowed
iptables -A INPUT -i eth0 -j DROP

A packet-filtering firewall example

Environment: Red Hat 9 with the string and time match modules loaded. eth0 faces the Internet through ppp0; eth1 faces the LAN, 192.168.0.0/24.

#!/bin/sh
#
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

########################### INPUT chain ###########################
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 110,80,25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
# Allow Samba from the LAN, and smtp, pop3 and web from anywhere
iptables -A INPUT -i eth1 -p udp -m multiport --dports 53 -j ACCEPT
# Allow DNS
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# Allow VPN (PPTP) connections from outside
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# DoS mitigation: allow at most 15 initial connections per source address, drop the rest
iptables -A INPUT -s 192.168.0.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
# The same limit for the LAN (the original script wrote the LAN range as 192.186.0.0/24, a typo)
iptables -A INPUT -p icmp -m limit --limit 3/s -j LOG --log-level INFO --log-prefix "ICMP packet IN: "
iptables -A INPUT -p icmp -j DROP
# Block ICMP; the host will not answer ping
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
# Masquerade the LAN
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Lightweight SYN-flood protection

####################### FORWARD chain ###########################
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m multiport --dports 80,110,21,25,1723 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -A FORWARD -p gre -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/24 -j ACCEPT
# Allow VPN clients to reach the outside through the VPN
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Mon-Sat 08:15-12:30: block QQ (its DNS queries contain "tencent")
iptables -I FORWARD -p udp --dport 53 -m string --string "tencent" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
iptables -I FORWARD -p udp --dport 53 -m string --string "TENCENT" -m time --timestart 13:30 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Mon-Sat 13:30-20:30: block QQ
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 8:15 --timestop 12:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Mon-Sat 08:15-12:30: block QQ web pages
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "qq.com" -m time --timestart 13:00 --timestop 20:30 --days Mon,Tue,Wed,Thu,Fri,Sat -j DROP
# Mon-Sat 13:00-20:30: block QQ web pages
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "ay2000.net" -j DROP
iptables -I FORWARD -d 192.168.0.0/24 -m string --string "寬頻影院" -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -m string --string "色情" -j DROP
iptables -I FORWARD -p tcp --sport 80 -m string --string "廣告" -j DROP
# Block pages containing ay2000.net, 寬頻影院 (broadband cinema), 色情 (porn) and 廣告 (adverts); matching Chinese strings this way is not very reliable
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
# Block BitTorrent and other P2P traffic
iptables -A FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 --connlimit-mask 24 -j DROP
# Allow at most 15 simultaneous forwarded port-80 connections per /24 group of addresses
#######################################################################
sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1
# Enable forwarding
#######################################################################
sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null 2>&1
# Enable SYN cookies (lightweight DoS protection)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 >/dev/null 2>&1
# Set the conntrack timeout for established TCP connections to 3800 seconds (this greatly reduces the number of tracked connections)
sysctl -w net.ipv4.ip_conntrack_max=300000 >/dev/null 2>&1
# Allow up to 300,000 tracked connections (tune to your RAM and iptables version; each entry needs roughly 300 bytes)
iptables -I INPUT -s 192.168.0.50 -j ACCEPT
iptables -I FORWARD -s 192.168.0.50 -j ACCEPT
# 192.168.0.50 is my own machine: let everything through

squid + iptables

[Original] A gateway firewall with squid + iptables http://www.
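Each of the scripts above applies its policy one iptables call at a time, so a typo halfway through leaves the kernel with a partially loaded ruleset, and once "iptables -P INPUT DROP" has already run that can mean being locked out of the box. The function below is an added example, not code from this page's authors: it converts a list of "iptables ..." commands in the style of the scripts above into iptables-restore format, grouped by table, so the whole set can be checked with "iptables-restore --test" and then loaded atomically. The ruleset inside sample_to_restore is constructed for the demonstration; it is not one of the page's rulesets.

```shell
#!/bin/sh
# Added example: turn a sequence of "iptables ..." commands into iptables-restore
# format so the ruleset can be loaded atomically. Reads commands on stdin and
# writes the restore file on stdout.
#
# Assumptions and limits (an illustration, not a full iptables parser):
#   - one command per line, starting with "iptables", a path ending in iptables,
#     or the literal "$IPTABLES" as the init scripts above use;
#   - -F/-X/-Z are dropped, because a restore file replaces the tables anyway;
#   - quoted arguments with spaces (--log-prefix "a b") are kept token by token,
#     so runs of spaces inside quotes collapse to one;
#   - built-in chains that get no -P are emitted with policy "-" (unchanged).
to_restore_format() {
    awk '
    function add_chain(t, c) {
        if (!((t, c) in chain_seen)) { chain_seen[t, c] = 1; chains[t] = chains[t] c " " }
    }
    /^[[:space:]]*(#|$)/ { next }            # skip blank lines and comments
    {
        i = 1
        if ($i ~ /iptables$/ || $i == "$IPTABLES") i++
        table = "filter"
        if ($i == "-t") { table = $(i + 1); i += 2 }
        if (!(table in table_seen)) { table_seen[table] = 1; table_order[++ntables] = table }
        cmd = $i
        if (cmd == "-F" || cmd == "-X" || cmd == "-Z") next
        if (cmd == "-P") { policy[table, $(i + 1)] = $(i + 2); add_chain(table, $(i + 1)); next }
        if (cmd == "-N") { add_chain(table, $(i + 1)); next }
        if (cmd == "-A" || cmd == "-I") add_chain(table, $(i + 1))
        line = ""
        for (; i <= NF; i++) line = line (line == "" ? "" : " ") $i
        rules[table] = rules[table] line "\n"
    }
    END {
        for (k = 1; k <= ntables; k++) {
            t = table_order[k]
            print "*" t
            nc = split(chains[t], cl, " ")
            for (j = 1; j <= nc; j++) {
                p = ((t, cl[j]) in policy) ? policy[t, cl[j]] : "-"
                print ":" cl[j] " " p " [0:0]"
            }
            printf "%s", rules[t]
            print "COMMIT"
        }
    }'
}

# Constructed sample ruleset in the style of the scripts above.
sample_to_restore() {
    to_restore_format <<'EOF'
# flush is implicit in a restore file and is dropped
iptables -F
iptables -P INPUT DROP
iptables -N syn-flood
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1
EOF
}

# Print the converted sample; pipe the real script's commands through
# to_restore_format and then "iptables-restore --test" on a host.
sample_to_restore
```

The output keeps the order in which chains were declared, and any chain that was only referenced as a jump target without a "-N" must be declared before iptables-restore will accept the file, which is exactly the kind of mistake the --test run catches before anything is applied.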
Author: jackylau, posted 2007-05-27 10:40:01

Requirements: this server acts as gateway, mail server (web, smtp, pop3), FTP server and DHCP server. An internal machine (192.168.0.254) provides DNS to the outside. So that a casual observer cannot easily tell that the server runs SSH, the SSH port was moved to 2018; the proxy port was moved to 60080.
eth0: 218.28.20.253, external interface
eth1: 192.168.0.1/24, internal interface

[jackylau@proxyserver init.d]$ cat /etc/squid/squid.conf (excerpt)
http_port 192.168.0.1:60080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl allow_lan src 192.168.0.0/24
http_access allow allow_lan
visible_hostname proxyserver

[jackylau@proxyserver init.d]$ cat firewall
#!/bin/sh
# Author: jackylau <[email protected]>
# chkconfig: 2345 08 92
# description: firewall
# Time on 2005.08.02
# killproc
# Set ENV
INET_IP="218.28.20.253"
INET_IFACE="eth0"
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_BROADCAST_ADDRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"

start(){
    echo -n $"Starting firewall:"
    /sbin/depmod -a
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Set policies
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Add the bad_tcp_packets, tcp_packets, udp_packets, allowed and icmp_packets chains
    $IPTABLES -N bad_tcp_packets
    $IPTABLES -N tcp_packets
    $IPTABLES -N udp_packets
    $IPTABLES -N allowed
    $IPTABLES -N icmp_packets

    # bad_tcp_packets: log and drop NEW packets that are not SYN
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-level INFO --log-prefix "New not syn:"
    $IPTABLES -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP

    # allowed
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP
    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

    # TCP rules
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2018 -j allowed

    # UDP rules
    $IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 67 -j ACCEPT

    # ICMP rules
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    # INPUT chain
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
    $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
    $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

    # FORWARD chain
    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let the DNS queries that the DNAT rule below sends to 192.168.0.254 through:
    # they arrive in FORWARD as NEW and would otherwise hit the DROP policy
    $IPTABLES -A FORWARD -i $INET_IFACE -p udp -d 192.168.0.254 --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i $INET_IFACE -p tcp -d 192.168.0.254 --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

    # OUTPUT chain
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

    # SNAT table
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

    # DNAT table: publish the internal DNS server. --dport needs a concrete
    # protocol, so the original "-p ! icmp ... -dport 53" (which iptables rejects)
    # becomes one udp rule and one tcp rule.
    $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 53 -j DNAT --to-destination 192.168.0.254:53
    $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 53 -j DNAT --to-destination 192.168.0.254:53

    # REDIRECT: transparent proxying of LAN web traffic into squid
    $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -s $LAN_IP_RANGE --dport 80 -j REDIRECT --to-ports 60080
    touch /var/lock/subsys/firewall
}

stop(){
    echo -n $"Stopping firewall:"
    echo "0" > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X
    rm -f /var/lock/subsys/firewall
}

status(){
    clear
    echo "-------------------------------------------------------------------"
    $IPTABLES -L
    echo "-------------------------------------------------------------------"
    $IPTABLES -t nat -L POSTROUTING
    echo "-------------------------------------------------------------------"
    $IPTABLES -t nat -L PREROUTING
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo "$0 [start|stop|restart|status]"
        ;;
esac

Install it as a service:
cp firewall /etc/init.d/
chmod 700 /etc/init.d/firewall
chkconfig --add firewall

The rc.firewall script

#!/bin/sh
#
###########################################################################
#
# 1. Configuration options.
#
#
# 1.1 Internet configuration.
#
INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"
#
# 1.1.1 DHCP
#
#
# 1.1.2 PPPoE
#
#
# 1.2 Local Area Network configuration.
#
LAN_IP="192.168.0.2"            # the firewall's address on the LAN
LAN_IP_RANGE="192.168.0.0/16"   # the LAN address range
LAN_IFACE="eth1"                # the firewall's interface to the LAN
#
# 1.3 DMZ configuration.
#
#
# 1.4 Localhost configuration.
#
LO_IFACE="lo"                   # local interface name
LO_IP="127.0.0.1"               # local interface address
#
# 1.5 IPTables path.
#
IPTABLES="/usr/sbin/iptables"
#
# 1.6 Other configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. Rules set up.
#
######
# 4.1 Filter table
#
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create user-specified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in user-specified chains
#
#
# bad_tcp_packets chain
#
# This chain holds rules that check incoming packets for malformed headers or
# other problems and handle them accordingly. In practice it is used only to
# filter out a few special packets: TCP packets in state NEW that do not carry
# the SYN bit, and TCP packets with SYN/ACK set that are nonetheless considered
# NEW. The chain could be extended to check for every kind of inconsistency.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IPs to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######
# 4.2 nat table
#
#
# 4.2.1 Set policies
#
#
# 4.2.2 Create user-specified chains
#
#
# 4.2.3 Create content in user-specified chains
#
#
# 4.2.4 PREROUTING chain
#
#
# 4.2.5 POSTROUTING chain
#
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
#
# 4.3.1 Set policies
#
#
# 4.3.2 Create user-specified chains
#
#
# 4.3.3 Create content in user-specified chains
#
#
# 4.3.4 PREROUTING chain
#
#
# 4.3.5 INPUT chain
#
#
# 4.3.6 FORWARD chain
#
#
# 4.3.7 OUTPUT chain
#
#
# 4.3.8 POSTROUTING chain
#

Initialisation

iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -Z

Define policies (default rules)

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
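The LOG rules at the end of the INPUT, FORWARD and OUTPUT chains are what a defender works with afterwards: with --limit 3/minute the firewall writes at most a few lines a minute per chain into the kernel log, each carrying the "IPT <chain> packet died:" prefix followed by the packet's IN/OUT/SRC/DST/PROTO/DPT fields. The function below is an added example, not part of this page; it summarises such lines for one chain by source address, listing the protocol/port pairs each source was dropped on. The log lines it is run on are constructed for the demonstration and are not real log data.

```shell
#!/bin/sh
# Added example: summarise the kernel log lines written by the LOG rules above.
# usage: summarize_iptables_log LOGFILE CHAIN   (CHAIN is INPUT, FORWARD or OUTPUT)
# Output, one line per source: "<src> <count> <proto/dport ...>", busiest source first.
summarize_iptables_log() {
    awk -v chain="$2" '
    index($0, "IPT " chain " packet died:") == 0 { next }   # only this chain's prefix
    {
        src = ""; dpt = "?"; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "") next
        count[src]++
        key = proto "/" dpt
        # remember each distinct proto/port once, in order of first appearance
        if (index(" " ports[src], " " key " ") == 0) ports[src] = ports[src] key " "
    }
    END {
        for (s in count) {
            p = ports[s]; sub(/ $/, "", p)
            printf "%s %d %s\n", s, count[s], p
        }
    }' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample in the kernel LOG-target format (not real log data). The
# destination is the INET_IP from the rc.firewall script above.
write_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jun  1 10:00:01 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:02 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:03 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.168.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=5555 DPT=445 WINDOW=512 RES=0x00 SYN URGP=0
Jun  1 10:00:04 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  1 10:00:05 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
    echo "$f"
}

# On a host: summarize_iptables_log /var/log/messages INPUT
LOGFILE=$(write_sample_log)
summarize_iptables_log "$LOGFILE" INPUT
rm -f "$LOGFILE"
```

Because the LOG rule sits behind "-m limit", the counts are a lower bound on what was dropped, not a total; the value of the summary is in spotting a source that keeps reappearing across the limited samples, or a port (3306 above) that should never be probed from the outside.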
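Section 3 of rc.firewall, like the www example earlier on the page, sets kernel parameters by echoing into /proc. Those writes do not survive a reboot unless a script re-applies them, so being able to verify the running values matters as much as setting them. The function below is an added example, not part of this page: it compares a list of expected settings against the files under a /proc-style tree and reports every deviation. The keys and values are the ones the page's scripts write; the root directory argument is an assumption of this example that lets it run against a constructed tree here and against the real /proc on a host. The sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the /proc hardening settings the scripts above apply.
# Keys are paths relative to <root>/sys; values are the ones the scripts write.
EXPECTED_SETTINGS='
net/ipv4/ip_forward=1
net/ipv4/tcp_syncookies=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/log_martians=1
'

# audit_proc_settings ROOT
# Prints "<key> <current> <expected>" for every setting that deviates from the
# expected value (or is missing) under ROOT/sys; returns 1 if anything deviated.
# Use ROOT=/proc on a live host; the sample below uses a constructed tree.
audit_proc_settings() {
    root=$1
    bad=0
    for kv in $EXPECTED_SETTINGS; do
        key=${kv%%=*}
        want=${kv#*=}
        file="$root/sys/$key"
        if [ -r "$file" ]; then
            read -r have <"$file" || have=""
        else
            have=missing
        fi
        if [ "$have" != "$want" ]; then
            echo "$key $have $want"
            bad=1
        fi
    done
    return $bad
}

# make_sample_root: build a constructed /proc-like tree in a temporary directory
# with every expected value in place except accept_redirects, left enabled on
# purpose so the audit has something to report.
make_sample_root() {
    root=$(mktemp -d)
    for kv in $EXPECTED_SETTINGS; do
        key=${kv%%=*}
        mkdir -p "$(dirname "$root/sys/$key")"
        printf '%s\n' "${kv#*=}" >"$root/sys/$key"
    done
    printf '1\n' >"$root/sys/net/ipv4/conf/all/accept_redirects"
    echo "$root"
}

SAMPLE=$(make_sample_root)
if audit_proc_settings "$SAMPLE"; then
    echo "all settings as expected"
else
    echo "deviations found (see lines above)"
fi
rm -rf "$SAMPLE"
```

The same list, written as key = value with dots instead of slashes, is what belongs in /etc/sysctl.conf so the settings are re-applied at boot; the audit then confirms that the boot-time configuration and the firewall script agree.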