Description: I am still a beginner. Over the last two weeks of testing this script on my own machine I found that some parts of it — the BAD_TCP_PACKETS filtering in particular — seem to hurt network performance, and that X-Window does not work with it. If an expert can explain why, please do; suggestions that improve the script are welcome. PS: Many people use Red Hat + ADSL + Squid + iptables to share an Internet connection, and find that after adding some iptables rules taken from the Web, Squid stops working. This script addresses that. Create it with `vi /etc/rc.d/firewall`:

#!/bin/sh
# Enable IP forwarding: this box routes between the LAN and ppp0.
echo "enabling ip forwarding ........"
echo 1 > /proc/sys/net/ipv4/ip_forward
# (the next /proc setting is optional)
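# ---------------------------------------------------------------------------
# Continuation of /etc/rc.d/firewall.  The shebang and the ip_forward sysctl
# precede this on the page; line breaks and letter case of the published
# listing were lost, so this is a cleaned-up reconstruction of what it does.
#
# Changes against the listing as published (details at each rule):
#   * the anti-spoof DROPs were evaluated AFTER the ACCEPT rules and so could
#     never catch a spoofed SYN to a trusted port -- they now come first;
#   * X11 (6000-6002), xfs (7100) and Squid (3128) were opened on the
#     Internet interface -- removed from the world-reachable list;
#   * unsolicited UDP from outside was forwarded into the LAN with no state
#     check -- now ESTABLISHED,RELATED only;
#   * the rate-limited LOG rules ran before later ACCEPT rules -- now last;
#   * an empty, unused chain "services" is no longer created;
#   * DROP policies are set before the flush so there is no open window.
# ---------------------------------------------------------------------------

# Optional: let conntrack cope with the ppp0 address changing (dynamic IP).
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Added by reviewer: reverse-path filtering drops packets whose source is not
# routed via the interface they arrived on.  Cheap kernel-side anti-spoofing
# that backs up the explicit DROP rules further down.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# --- Interfaces and addresses ----------------------------------------------
INET_IF="ppp0"                # Internet-facing interface (the PPPoE link)
EXT_IF="eth0"                 # physical NIC the PPPoE session runs over; the
                              # page only ever uses it in one FORWARD rule
                              # (name reconstructed from the garbled listing)
LAN_IF="eth1"                 # LAN-facing NIC
LAN_IP="192.168.0.1"          # this host's LAN address
LAN_IP_RANGE="192.168.0.0/24" # /24 == netmask 255.255.255.0
LO_IF="lo"
LO_IP="127.0.0.1"

# TCP services reachable FROM THE INTERNET on $INET_IF.  Space separated; the
# loop below relies on word splitting, so it is deliberately unquoted there.
#
# The published list also held 3128 (Squid), 6000 6001 6002 (X11) and
# 7100 (xfs).  They are left out on purpose: Squid reachable from the WAN is
# an open proxy, and X11/xfs are unauthenticated by default -- tunnel X over
# ssh (22) instead.  LAN clients still reach Squid through the LAN ACCEPT
# rule below.  Re-add a port here only if it really must be world-reachable.
TRUSTED_TCP_PORT="22 25 53 80 110 143 443"

# --- Kernel modules (no-ops when built in or already loaded) ----------------
echo "modprobe modules"
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # lets the RELATED match follow active-mode FTP
modprobe ip_nat_ftp         # same, for FTP passing through NAT

# --- Default to DROP, then wipe every table ---------------------------------
# Policies first: flushing while the policy is still ACCEPT leaves the box
# wide open for the time it takes to rebuild the rule set.
echo "Enabling iptables rules"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
iptables -F -t mangle
iptables -X -t mangle
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

# --- User-defined chains ----------------------------------------------------
iptables -N allowed
iptables -N tcp_packets
iptables -N bad_tcp_packets
iptables -N icmp_packets

# bad_tcp_packets: TCP sanity checks.
#  1. SYN+ACK that conntrack considers NEW is a reply to a SYN we never sent
#     (spoofed handshake / hijack probe): answer with a RST.
#  2. Any other NEW packet without SYN belongs to a connection the conntrack
#     table does not know: log it, then drop it.
# Rule 2 is what shows up as "performance problems": after a reboot or an
# idle-timeout of a long-lived session, every mid-stream packet of that
# session hits this rule until the peer gives up and resets.  That is the
# intended behaviour; loosen it only knowing what it gives up.
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
  -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
  -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed: reached from tcp_packets for a trusted destination port.  A fresh
# SYN opens the connection, packets of a tracked connection pass, anything
# else (stray ACKs and the like) is dropped.
iptables -A allowed -p tcp --syn -j ACCEPT
iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p tcp -j DROP

# icmp_packets: ICMP arriving from the Internet.  Only echo-request (8) and
# time-exceeded (11) are let in; everything else falls through to the
# INPUT LOG and the DROP policy.  ICMP errors that belong to a tracked
# connection (e.g. fragmentation-needed for path-MTU discovery) are already
# accepted by the ESTABLISHED,RELATED rule in INPUT and never get here.
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8  -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

# tcp_packets: TCP arriving from the Internet.  Trusted ports go to "allowed";
# the chain falls through for everything else.
for PORT in $TRUSTED_TCP_PORT; do
  iptables -A tcp_packets -p tcp -s 0/0 --dport "$PORT" -j allowed
done

# --- INPUT: traffic addressed to the firewall host ---------------------------

# 1. Anti-spoofing first.  RFC 1918 ranges and loopback can never legitimately
#    arrive on the Internet interface.  (Published order had these after the
#    ACCEPT rules, where a spoofed SYN to a trusted port slipped past them.)
iptables -A INPUT -i "$INET_IF" -s 10.0.0.0/8     -j DROP
iptables -A INPUT -i "$INET_IF" -s 172.16.0.0/12  -j DROP
iptables -A INPUT -i "$INET_IF" -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i "$INET_IF" -s 127.0.0.0/8    -j DROP

# 2. Loopback.  The published rule accepted only ICMP on lo, which is the most
#    likely reason "X-Window cannot run": local X clients talk to
#    127.0.0.1:6000 over TCP and were being dropped.  Local daemons (Squid
#    to a resolver on 127.0.0.1, etc.) need this as well.
iptables -A INPUT -p ALL -i "$LO_IF" -j ACCEPT

# 3. LAN: everything from our own subnet on the LAN NIC, pings and Squid
#    (3128) included.  DHCP DISCOVER comes from 0.0.0.0 and fails the -s
#    test, so it gets its own rule -- only needed if this host serves DHCP.
iptables -A INPUT -p ALL -i "$LAN_IF" -s "$LAN_IP_RANGE" -j ACCEPT
iptables -A INPUT -p udp -i "$LAN_IF" --sport 68 --dport 67 -j ACCEPT

# 4. Internet: replies to connections this host opened, then the sanity,
#    ICMP and TCP-service filters.  Anything not accepted by now reaches the
#    LOG rule and the DROP policy.
iptables -A INPUT -p ALL  -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp  -j bad_tcp_packets
iptables -A INPUT -p icmp -i "$INET_IF" -j icmp_packets
iptables -A INPUT -p tcp  -i "$INET_IF" -j tcp_packets

# 5. Log what is about to be dropped, at most 3/minute (burst 3) so a flood
#    can neither fill the log nor stall the box.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level info --log-prefix "ipt input packets died:"

# --- OUTPUT: traffic generated by the firewall host --------------------------
iptables -A OUTPUT -p ALL -o "$LO_IF" -j ACCEPT
iptables -A OUTPUT -p ALL -o "$LAN_IF" -d "$LAN_IP_RANGE" -j ACCEPT
# DHCP OFFER/ACK are sent to 255.255.255.255 and do not match the rule above;
# harmless if this host is not the DHCP server.
iptables -A OUTPUT -p udp -o "$LAN_IF" --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -p ALL -o "$INET_IF" -j ACCEPT

# --- FORWARD: traffic routed between LAN and Internet -----------------------

# Anti-spoofing here too; the published script had none in this chain.
iptables -A FORWARD -i "$INET_IF" -s 10.0.0.0/8     -j DROP
iptables -A FORWARD -i "$INET_IF" -s 172.16.0.0/12  -j DROP
iptables -A FORWARD -i "$INET_IF" -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i "$INET_IF" -s 127.0.0.0/8    -j DROP

iptables -A FORWARD -p tcp -j bad_tcp_packets

# LAN -> Internet: anything, but only when it really enters on the LAN NIC
# (the published rule matched the source address alone).
iptables -A FORWARD -i "$LAN_IF" -s "$LAN_IP_RANGE" -o "$INET_IF" -j ACCEPT

# Internet -> LAN: replies only.  The published script also accepted *all*
# UDP to the LAN on $EXT_IF with no state check, which lets unsolicited UDP
# straight through the NAT box; that rule is state-limited here.
iptables -A FORWARD -i "$INET_IF" -d "$LAN_IP_RANGE" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$EXT_IF" -p udp -d "$LAN_IP_RANGE" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rate limits: fragments (with ip_conntrack loaded the kernel reassembles
# first, so -f seldom matches anything) and forwarded ICMP, to blunt
# ping floods from either side.
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# RST-rate cap (port-scan noise), left disabled as on the page.
#iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Log what the DROP policy is about to discard, rate limited as in INPUT.
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level debug --log-prefix "ipt forward packets died:"

# The page ends here.  The "WWW -> Squid" REDIRECT (nat/PREROUTING, port 80 to
# 3128) and the MASQUERADE/SNAT rule on $INET_IF that the description refers
# to are not part of this excerpt and are not guessed at; the listing as
# shown is incomplete without them.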