# Rainlow FireWall "Server Version 1.0RC1" (09/24/2004): a single-host iptables
# script (the header note says the earlier WAN/LAN/DMZ layout was replaced by a
# stand-alone Linux-server version).  The paragraph before "#!/bin/bash" reads
# like the author's changelog/contact note, apparently machine-translated and
# originally a comment; as pasted it precedes the shebang, so the interpreter
# line is not on line 1 and would not be honoured as written.
# NOTE(review): the whole paste is garbled — ANSI escapes appear as
# "/ 033 [1; 31M" (presumably "\033[1;31m"), spaces were inserted inside tokens
# and letter case was altered throughout.  Read it as a reference, not as
# runnable shell.
# What this part does: prints a coloured banner and the GPL notice with
# "echo -e", then sets PATH to the standard bin/sbin directories.  The "."
# (source) command for /etc/init.d/functions starts at the very end of this
# line; its path continues on the next line.
I haven't been here for a long time, in fact, there is a new thing, I have written a lot at the end of 2001, mainly correcting the logic errors in previous versions, sorting it, change the original WAN LAN DMZ to a separate The version on the Linux server, the brothers who use the Linux server are blessed, saving N more brain cells, huh, huh, have a problem email Contact Arlenecc@rainlow.com #! / bin / bash echo -e "/ t / 033 [1; 31M Rainlow FireWall / 033 [M Server Version 1.0RC1 - 09/24/2004 / N "echo -e" ######################################################################################################################################################################################################################################################## ################################# "this Software May be used and distributed According to "echo -e" The Terms of the gnu general public license (GPL) provided "echo -e" credit is given to the Original Author. "echo -e" / t / t / t / 033 [1; 31M CopyRight (c) 2004 rainlow / 033 [m / n "echo -e" / t / t / t / n "echo -e" ##################################################################################################################################################################################################################################################### ######################################################################################################################################################################################################################################################################################################### Now Begins The FireWall Echo -e "/ N / T / T / T Welcome To / 033 [3; 31M Rainlow FireWall / 033 [0M / N / N" Echo -e "/ T / T / T / T / 033 [ 1; 32M http://www.rainlow.com / 033 [m / n "path = / bin: / sbin: / usr / bin: / usr / sbin: / usr / local / bin: / usr / local / sbin . 
# exit_failure: prints "[failed]" and "-> Fatal: $failure" (shown as
# "$ flilure" in the paste, presumably the same variable) in red, then
# "** Aborted **", and exits with status 1.  Callers set $failure first.
# check_root: compares "$uid" (presumably bash's $UID) with root_id=0; when
# they match it prints "ok! Continue", otherwise it prints "Sorry, you are not
# root ..." and sets $failure to "you can NOT Run this command".
# NOTE(review): the paste ends mid-string here — the exit_failure call, the
# closing "fi }" and the "check_enviroment () {" header are missing, so it
# cannot be confirmed from this text that a non-root run actually aborts.
# check_enviroment's body continues on the next line.
/etc/init.d/functions exit_failure () {echo -en "/ t / 033 [3; 031m [failed] / 0 33 [0M / N "Echo -en" / 033 [3; 031M -> Fatal: $ flilure / 033 [0m / n "echo -en" / 033 [3; 031m -> ** Aborted **. / 033 [ 0m / n "exit 1} check_root () {root_id = 0 echo" checking if you are root .... "f [" $ uid "=" $ root_id "] Ten echo -e" / n / t ok! Continue .... / n "echo -e" / a "else echo -e" Sorry, you are not root and not permitted to do this option ... / n "echo -e" / a "failure =" you can NOT Run this command
# check_enviroment (continued; its header is lost in the paste, see the
# previous line): refuses to run unless `uname -s` is Linux; derives the kernel
# major/minor from `uname -r` with sed and aborts through exit_failure when the
# major is below 2 or the version is 2.x with minor < 4 ("Only kernel greater
# trun 2.4 is support"); aborts when `iptables -v` reports "Command NOT FOUND";
# and, when modprobe and /proc/modules are available, rmmods a loaded
# "ipchains" module (ipchains and ip_tables are mutually exclusive on 2.4).
# NOTE(review): the iptables presence test greps the shell's "command not
# found" text (case-folded in the paste); a non-English locale or a different
# wording defeats it — `command -v iptables` would be the robust check.
# Wait: prints "#" once per second for 10 seconds as a progress bar.
# iptables / MP: wrappers that run /sbin/iptables and /sbin/modprobe with the
# caller's arguments ("$@"), so the rules below do not depend on PATH.
# LOAD_MODULE (begins here, body continues on the next line): modprobes the
# netfilter modules only when .../kernel/net/ipv4/netfilter/ip_tables.o exists.
# NOTE(review): the ".o" suffix is the 2.4 module layout; 2.6 kernels ship
# ".ko" files, so on 2.6 this test fails and the "no iptables modules found"
# branch is taken even though the modules are present.
OS = `uname -s` _OS = $ OS if [" $ _OS "! =" Linux "] ;1 Failure =" Sorry this version can only work under Linux "exit_failure else echo -en" / t / t / 033 [ 1; 32M Pass / 033 [m / N "Fi kernelmaj =` uname -r | sed -e 's, /.. *,,' `Kernelmin =` uname -r | sed -e 's, [^ /. ] * /., '-E' s, /... *,, '`i [" $ keilure = "sorry you kernel is to old, please upgrade it first!" EXIT_FAILURE FI IF ["$ kernelmaj" -EQ 2 -a "$ kernelmin" -lt 4]; life five = "Only kernel greater trun 2.4 is support" EXIT_FAILURE FI IF ((`iptables -v 2> & 1 | grep -c" Command NOT FOUND "`) ;1 Failure = "Can not find iptables urged" exit_failure fi if! ((`Which modprobe 2> & 1 | grep -c" Which: No modprobe in "`) && [-A / proc / modules] ||! [-A / proc / version]); THEN IF ((`lsmod | grep -c" ipchains "`)); The RMMOD IPCHAINS> / DEV / NULL 2> & 1 FI Fi} Wait () {echo | awk '{printf "||", $ 1}' for x in `SEQ 1 10`; Do Sleep 1 Echo" # "| awk '{printf"% s ", $ 1}' DONE Echo -en "/ n"} iptabl ES () {/ sbin / iptables "$ @"} MP () {/ sbin / modprobe "$ @"} LOAD_MODULE () {i [-e / lib / modules / `uname -r` / kernel / net / ipv4 / NETFILTER/IP_Tables.o] Ten Echo -e "/ n / Tloading iptables modules please wait ...."
# LOAD_MODULE (tail): modprobes ip_tables, ipt_LOG, ipt_owner, ipt_MASQURADE,
# ipt_REJECT, the ftp/irc conntrack helpers, the filter/nat/mangle tables,
# ip_conntrack, ipt_limit, ipt_state, ipt_unclean, ipt_TCPMSS, ipt_TOS,
# ipt_TTL, ipt_quota, ipt_iplimit, ipt_pkttype, ipt_ipv4options, ipt_MARK.
# NOTE(review): "ipt_MASQURADE" (also in the inline copy in the "start"
# branch) is spelt "ipt_MASQUERADE" in unload_module; if the misspelling is in
# the original file that modprobe fails (MP does not suppress its output).
# ip_stack_adjust: for each /proc/sys/net/ipv4 knob, tests it with [ -e ] and
# writes a fixed value.  Hardening-relevant settings visible here:
# ip_forward=0, rp_filter=1 on every interface, tcp_syncookies=1,
# accept_redirects=0, send_redirects=0, secure_redirects=1,
# accept_source_route=0 on every interface, icmp_echo_ignore_broadcasts=1,
# icmp_ignore_bogus_error_responses=1, icmp_echo_ignore_all=1 (written
# unconditionally at the end, so the host answers no ping), ip_conntrack_max
# =80000, tcp_max_syn_backlog=8000, tcp_fin_timeout=30, tcp_abort_on_overflow=1,
# ip_local_port_range=32768-61000, ICMP rate limits of 5.
# NOTE(review): several messages contradict the value written — "enable
# ip_forward" writes 0 (consistent with a stand-alone server, the message is
# wrong); "disable forward" / "disable mc_forward" write 1 (whether
# /proc/sys/net/ipv4/forwarding exists is not shown here); "Not Log Packets
# with Impossible Addresses" writes conf/all/log_martians=0 and the loop right
# after sets every conf/*/log_martians to 1, which is what ends up in effect.
# NOTE(review): tcp_window_scaling is set to 1 and later to 0 (the later write
# wins); tcp_timestamps is written twice with 0 (the second copy is at least
# partly commented out); the bootp_relay and proxy_arp tests check one path
# but write another (conf/all/...); the ipfrag_low_thresh write and the
# icmp_ignore_bogus_error_response(s) writes are spelt inconsistently —
# some of these may be paste artefacts, confirm against the original.
# NOTE(review): tcp_tw_recycle=1 is documented to break clients behind NAT;
# tcp_reordering=0 and tcp_sack=0 are unusual choices — confirm they are
# intended rather than copied.
# unload_module: rmmods the listed modules when lsmod shows them; the loop
# variable appears as both MODULE and module (bash is case-sensitive — verify
# against the original).
# loading_config (begins here, continues on the next line): creates
# /etc/firewall and, when firewall.conf is absent, writes a default one with
# hard-coded values (UPLINK=eth1, UPIP=211.137.58.48, open_tcp="21 22",
# management_ip=61.129.112.46, load_modules=no, log_illegal_flags=yes,
# LAN_IF=eth0, malformed_packet_log=no, disable_all_log=no, ...), then reads
# each key back with `grep KEY file | cut -d= -f2`.
# NOTE(review): the grep is an unanchored substring match and the values are
# later expanded unquoted into iptables arguments, so /etc/firewall must stay
# root-owned and not world-writable; the script does not check that.
mp ip_tables mp ipt_LOG mp ipt_owner mp ipt_MASQURADE mp ipt_REJECT mp ipt_conntrack_ftp mp ipt_conntrack_irc mp iptable_filter mp iptable_nat mp iptable_mangle mp ip_conntrack mp ipt_limit mp ipt_state mp ipt_unclean mp ipt_TCPMSS mp ipt_TOS mp ipt_TTL mp ipt_quota mp ipt_iplimit mp ipt_pkttype mp ipt_ipv4options mp ipt_MARK echo -e "/ t / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "else echo -e" / tsorry, no iptables modules found !! "FI} ip_stack_adjust () {ix [-e / proc / SYS / NET / IPV4 / IP_FORWARD] THEN Echo -e "enable ip_forward.please wait ...." echo 0> / proc / sys / net / ipv4 / ip_forward echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / ip_default_ttl] Then Echo -e" Changing default TTL .... "Echo 88> / Proc / Sys / NET / IPV4 / IP_DEFAULT_TTL ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" Fi Echo -e "/ N / T Disable Dynamic IP Support ... "echo 0> / proc / sys / net / ipv4 / ip_dynaddr echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "IF [-e / proc / SYS / NET / IPV4 / IP_NO_PMTU_DISC] THEN ECHO -E " Disable path .... "echo 0> / proc / sys / net / ipv4 / ip_no_pmtu_disc echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / ipfrag_high_thresh] Then echo -e" Changing ipfrag_high_thresh.please wait ... "echo 5800> / proc / sys / net / ipv4 / ipfrag_high_thresh echo -e "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" FI IF [-e / proc / sys / net / ipv4 / ipfrag_low_thresh] Then Echo -e "Changing ipfrag_low_thresh.please Wait .... "echo 2048> / procrag_low_thresh echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "FI IF [ -e / proc / sys / net / ipv4 / ipfrag_time] THEN ECHO -E "
Changing ipfrag_low_thresh.please Wait .... "Echo 20> / proc / sys / net / ipv4 / ipfrag_time echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / ipfrag_secret_interval] Then echo -e" Changing ipfrag_secret_interval.please wait .... "Echo 600> / proc / sys / net / ipv4 / ipfrag_secret_interval echo -e" / T / T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_syn_reteries] the echo -e" Changing TCP_SYN_RETRIES.PLEASE WAIT. ... "Echo 4> / Proc / Sys / Net / IPv4 / TCP_SYN_RETRIES ECHO -E" / T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi IF [-e / proc / sys / net / ipv4 / tcp_synack_retries] THEN ECHO -E "Changing TCP_SYNACK_RETRIES.PLEASE WAIT ..." Echo 4> / Proc / Sys / Net / IPv4 / TCP_SYNACK_RETRIES ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_keepalive_time] Then echo -e" Changing TCP_Keepalive_time.please Wait .... "Echo 300 > / proc / sys / net / ipv4 / tcp_keepalive_time echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N" FI IF [-e / proc / sys / net / ipv4 / tcp_keepalive_p Robes] THO -E "Changing TCP_Keepalive_Probes.Please Wait ...." Echo 4> / proc / sys / net / ipv4 / tcp_keepalive_probes echo -e "/ t / t / t / t / 033 [3; 032M [OK ] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_keepalive_intvl] Then echo -e" Changing TCP_Keepalive_intVl.please Wait ... "Echo 60> / Proc / Sys / Net / IPv4 / TCP_KEEPALIVE_INTVL ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" FI IF [-e / proc / sys / net / ipv4 / tcp_retries1] THEN ECHO -E "Changing TCP_RETRIEST.PLEASE WAIT ..." ECHO 3> / Proc / Sys / Net / IPv4 / TCP_RETRIES1 ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "
Fi if [-e / proc / sys / net / ipv4 / TCP_RETRIES2] THEN Echo -e "Changing TCP_RETRIEST.PLEASE WAIT ..." Echo 15> / Proc / Sys / Net / IPv4 / TCP_RETRIES2 ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_orphan_retries] the echo -e" disable TCP_ORPHAN_RETRIEST.PLEASE WAIT.. .. "echo 0> / proc / sys / net / ipv4 / TCP_ORPHAN_RETRIES ECHO -E" / T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi IF [-e / Proc / Sys / NET / IPV4 / TCP_MAX_TW_BUCKETS] THEN Echo -e "Changing TCP_MAX_TW_BUCKETST.PLEASE WAIT ...." ECHO 4000> / Proc / Sys / Net / IPv4 / TCP_MAX_TW_BUCKETS ECHO -E "/ T / T / T / T / 033 [3; 032m [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / tcp_tw_recycle] thrho -e" Changing TCP_RECY.PLEASE WAIT .... "Echo 1> / proc / sys / net / ipv4 / tcp_tw_recycle echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N" FI IF [-e / proc / sys / net / IPv4 / TCP_TW_REUSE] THEN Echo -e "Changing TCP_TW_REUSE.PLESE WAIT ..." Echo 1> / Proc / Sys / Net / IPv4 / TCP_TW_REUSE ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "FI IF [-e / proc / sys / net / i PV4 / TCP_MAX_ORPHANS] THO ECHO -E "Changing TCP_MAX_ORPHANS.PLEASE WAIT ..." Echo 2000> / Proc / Sys / Net / IPv4 / TCP_MAX_ORPHANS ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_max_syn_backlog] Then Echo -e" Changing TCP_MAX_SYN_BACKLOG.PLEASE WAIT .... "Echo 8000> / Proc / Sys / Net / ipv4 / tcp_max_syn_backlog echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N" FI if [-e / proc / sys / net / ipv4 / tcp_window_scaling] THEN Echo -e "enable tcp_window_scaling.please wait ...." echo 1> / proc / sys / net / ipv4 / tcp_window_scaling echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [ 0M / N "
Fi if [-e / proc / sys / net / ipv4 / tcp_timestamps] TEN Echo -e "disable tcp_timestamps.please wait ...." echo 0> / proc / sys / net / ipv4 / tcp_timestamps echo -e "/ t / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi for x / proc / sys / net / ipv4 / conf / * / rp_filter do echo 1> $ {x} DONE IF [-e / proc / sys / net / ipv4 / tcp_syncookies] THEN Echo -e "/ N / Tenable The SyncOokies Flood Protection" Echo 1> / Proc / Sys / Net / IPv4 / TCP_SYNCOOKIES ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / ip_conntrack_max] thrho -e" / n / tsetting the maximum number of connections to Track .... "ECHO" 80000 "> / proc / sys / net / ipv4 / ip_conntrack_max echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "FI IF [-e / proc / sys / net / ipv4 / ip_local_port_range] TEN Echo -e "/ N / Tsetting Local Port Range for TCP / UDP Connection ...." Echo -e "32768 / t61000"> / proc / sys / NET / IPV4 / IP_LOCAL_PORT_RANGE ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" Fi if [-e / proc / sys / net / ipv4 / icmp_ignore_bogus_error_responses] THEN Echo -e "/ N / Tena BLE Bad Error Message Protection ....... "echo 1> / proc / sys / net / ipv4 / icmp_ignore_bogus_error_response echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [ 0M / N "FI IF [-e / proc / sys / net / ipv4 / tcp_ecn] Then Echo -e" / n / tdisabling TCP_ECN, please wait ... "echo 0> / proc / sys / net / ipv4 / tcp_ecn ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" Fi if [-e / proc / sys / net / ipv4 / tcp_reordering] Ten Echo -e "/ n / tchangling tcp_reordering, please wait ... "echo 0> / proc / sys / net / ipv4 / tcp_reordering echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_wmem] kilo -e"
/ N / TCHANGING TCP_WMEM, PLEASE WAIT ... "Echo" 4096 16384 131072 "> / proc / sys / net / ipv4 / tcp_wmem echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / tcp_rmem] TEN ECHO -E" / N / TCHANGING TCP_RMEM, PLEASE WAIT ... "echo" 4096 87380 174760 "> / proc / SYS / NET / IPV4 / TCP_RMEM ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" FI IF [-e / proc / sys / net / ipv4 / TCP_MEM ] THEN ECHO -E "/ N / TCHANGING TCP_MEM, PLEASE WAIT ..." Echo "97280 97792 98304"> / proc / sys / net / ipv4 / TCP_MEM ECHO -E "/ T / T / T / T / 033 [ 3; 032M [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / tcp_adv_win_scale] TEN ECHO -E" / n / tchanging TCP_ADV_WIN_SCALE, PLEASE WAIT ... "Echo 2> / Proc / Sys / NET / IPV4 / TCP_ADV_WIN_SCALE ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" FI IF [-e / proc / sys / net / ipv4 / TCP_RFC1337] THO ECHO -E "/ N / TCHANGING TCP_RFC1337, PLEASE WAIT ..." Echo 0> / Proc / Sys / Net / IPv4 / TCP_RFC1337 ECHO -E "/ T / T / T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / conf / all / accept_redirects] TEN ECHO -E" / N / TDISABIN G ICMP Redirects, please wait .... "echo 0> / proc / sys / net / ipv4 / conf / all / accept_redirects echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / conf / all / accept_source_route] throute" for packets, please wait .... "for i in / proc / sys / net / ipv4 / conf / * / accept_source_route do echo 0> $ I done echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N" FI if [-e / proc / sys / net / ipv4 / icmp_echo_ignore_broadcasts] then echo -e "/ n / tIgnore any broadcast icmp echo requests ......" echo 1> / proc / sys / net / ipv4 / icmp_echo_ignore_broadcasts echo -e "
/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi if [-e / proc / sys / net / ipv4 / icmp_destunreach_rate] the echo -e" modify iqup_destunreach_rate and icmp_echorply_rate. "echo 5> / proc / sys / net / ipv4 / icmp_destunreach_rate echo 5> / proc / sys / net / ipv4 / icmp_echoreply_rate echo 5> / proc / sys / net / ipv4 / icmp_ratelimit echo -e" / t / t / T / T / 033 [3; 032M [OK] / 033 [0M / N "FI IF [-e / proc / sys / net / ipv4 / bootp_relay] kilno -e" / n / tdisable the bootp_relay ... .. "echo 0> / proc / sys / net / ipv4 / conf / all / bootp_relay echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "Fi # IF [-e / proc / sys / net / ipv4 / tcp_timestamps] kilo -e "/ n / tdisable the tcp_timestamps ..." echo 0> / proc / sys / net / ipv4 / tcp_timestamps echo -e " / T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / tcp_fin_timeout] Then echo -e" / n / tsetting up TCP_FIN_TIMEOUT .... "ECHO 30> / proc / sys / net / ipv4 / tcp_fin_timeout echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "FI IF [ -e / proc / sys / net / ipv4 / tcp_window_scaling] Then Echo -e "/ N / Tdisabl ING TCP_WINDOW_SCALING .... "Echo 0> / proc / sys / net / ipv4 / tcp_window_scaling echo -e" / t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "FI IF [-e / proc / sys / net / ipv4 / tcp_sack] thrho -e "/ n / tdisabling TCP_sack ...." echo 0> / proc / sys / net / ipv4 / tcp_sack echo -e "/ t / t / T / T / 033 [3; 032M [OK] / 033 [0M / N "FI if [-e / proc / sys / net / ipv4 / tcp_abort_on_overflowe] TEN ECHO -E" / n / t Enabling TCP_ABORT_ON_OVERFLOW "ECHO 1 > / proc / sys / net / ipv4 / TCP_ABORT_ON_OVERFLOW ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" Fi IF [-e / proc / sys / net / ipv4 / icmp_ignore_bogus_error_responses] Ten echo -e "
/ N / T ENABLING ICMP_IGNORE_BOGUS_ERROR_RESPONSES "ECHO 1> / PROC / SYS / NET / IPv4 / ICMP_IGNORE_BOGUS_ERROR_RESPONS ECHO -E" / T / T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "FI IF [-e / proc / sys / net / ipv4 / forwarding] Then echo -e "/ n / t disable forward" "echo 1> / proc / sys / net / ipv4 / forwarding echo -e" / t / t / t / T / 033 [3; 032M [OK] / 033 [0M / N "FI IF [-e / proc / sys / net / ipv4 / mc_forwarding] TEN ECHO -E" / n / t disable mc_forward "echo 1> / proc / SYS / NET / IPV4 / MC_FORWARDING ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" Fi IF [-e / proc / sys / net / ipv4 / Config / All / Log_martians] THEN Echo -e "/ N / TNot Log Packets with Impossible Addresses to Kernel Log ...." Echo 0> / Proc / Sys / Net / IPv4 / Conf / All / Log_martians Echo -e "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "Fi for x in / proc / sys / net / ipv4 / conf / * / log_martians; do echo 1> $ x doneiff [-e / proc / sys / net / ipv4 / conf / limited / proxy_arp] Ten Echo -e "/ n / tdisable proxy_arp ...." echo 0> / proc / sys / net / ipv4 / conf / all / proxy_arp Echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N" f I if [-e / proc / sys / net / ipv4 / conf / all / send_redirects] kiln echo -e "/ n / tdisable send_redirects ...." echo 0> / proc / sys / net / ipv4 / conf / ALL / send_redirects echo -e "/ t / t / t / t / 033 [3; 032M [ok] / 033 [0M / N" FI if [-e / proc / sys / net / ipv4 / conf / all / secure_redirects] Then echo -e "/ n / Tenable Secure_Redirects ...." Echo 1> / proc / sys / net / ipv4 / conf / all / secure_redirects echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "Fi Echo 1>
/ Proc / sys / net / ipv4 / icmp_echo_ignore_all} unload_module () {for MODULE in ipt_TTL iptable_mangle ipt_mark ipt_MARK ipt_MASQUERADE ip_nat_irc ip_nat_ftp ipt_LOG / ipt_limit ipt_REJECT ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat iptable_filter ip_tables; do if (( `lsmod | grep -c" $ MODULE " `); then rmmod $ module> / dev / null 2> & 1 fi done} loading_config () {fw_locate = / etc / firewall if [! -e" $ fw_locate "] Then Mkdir $ fw_locate Fi if [! -f / Etc / firewall / firewall.conf] Then Echo "Can not find FireWall.conf, Creating One with default setting ..." echo -e "UPLINK = Eth1 / n Upip = 211.137.58.48 / n interfaces = lo =0 / n loading_modules = NO / N log_illegal_flags = yes / n denyip = 10.0.0.1 10.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 = 7 9 19 107 137 138 139 161 199 369 / n TCP_Port_log = 135 137 138 139 445 500 1433 3306 515 513 / n open_tcp = 21 22 / N Open_UDP = / N LAN_IF = eth0 / n malformed_packet_log = no / n management_ip = 61.129.112.46 / n disable_all_log = no / n "> /etc/firewall/firewall.conf fi echo -e" / t / t / t Loading the firew All configuration ....... / n "UPLINK =` GREP "UPLINK" /etc/firewall/firewall.conf | CUT -D = -f 2 `Upip =` GREP "UPIP" / etc / firewall / firewall. Conf | cut -d = -f 2` interface = `grep" interfaces "/etc/firewall/firewall.conf | cut -d = -f 2` load_modules =` grep "load_modules" /etc/firewall/firewall.conf | Cut -d = -f 2` log_illegal_flags = `GREP" log_illegal_flags "/etc/firewall/firewall.conf | cut -d = -f 2` open_tcp =` GREP "open_tcp" /etc/firewall/firewall.conf | cut - D = -f 2` Open_UDP =
`grep" open_udp "/etc/firewall/firewall.conf | cut -d = -f 2` TCP_Port_Log =` GREP "TCP_PORT_LOG" /etc/firewall/firewall.conf | CUT -D = -f 2` denyip = `GREP "Denyip" /etc/firewall/firewall.conf | cut -d = -f 2` UDP_PORT_LOG = `GREP" udp_port_log "/etc/firewall/firewall.conf | cut -d = -f 2`malformed_packet_log =` grep "malfored_packet_log "/etc/firewall/firewall.conf | CUT -D = -f 2` manage_ip = `grep" manage_ip "/etc/firewall/firewall.conf | cut -d = -f 2` disable_all_log = `GREP" disable_all_log "/ etc / firewall / firewall.conf | cut -d = -f 2 `if [" $ DISABLE_ALL_LOG "==" yes "]; then MALFORMED_PACKET_LOG = no UDP_PORT_LOG = TCP_PORT_LOG = LOG_ILLEGAL_FLAGS = no fi} check_root check_enviroment # if [" $ NAT "==" DHCP "]; Then # IF [-z" $ upip "]; then # echo" [wait] "# echo -n" -> $ UPLINK HAS NO IP Address. Waiting for DHCP "# for count in 1 2 3 4 5 6 7 8 9 10; Do # Sleep 1 # echo -n "* #" # upip = `ifconfig $ {UPLINK} | GREP INET | CUT -D: -F 2 | Cut -D" " F 1` # ix [-n "$ upip"]; then # echo "[Found]" # Break # else # i ["$ count" == "10"]; then # echo "[missing]" # echo "-> Warning: IP address for $ uplink not found." # Fi # Fi # done # fi #fi if ["$ 1" = "start"] "ip_stack_adjust loading_config echo -e" now prepareing the kernel to use for a firewall, please wait ... .. "#if [" $ nat "=" Dynamic "
] #1 # echo -e "/ n / Tenable Dynamic IP Support ...." # echo 1> / proc / sys / net / ipv4 / ip_dynaddr # echo -e "/ t / t / t / t / 033 [ 3; 032M [OK] / 033 [0M / N "# FI #echo 0> / proc / sys / net / ipv4 / conf / all / bootp_relay #depmod -a #define the load modules functioniffix =" $ load_modules "= "yes"] Then IF [-e / lib / modules / `uname -r` / kernel / net / ipv4 / netfilter / ip_tables.o] kiln echo -e" / n / tloading iptables modules please wait .... " mp ip_tables mp ipt_LOG mp ipt_owner mp ipt_MASQURADE mp ipt_REJECT mp ipt_conntrack_ftp mp ipt_conntrack_irc mp iptable_filter mp iptable_nat mp iptable_mangle mp ip_conntrack mp ipt_limit mp ipt_state mp ipt_unclean mp ipt_TCPMSS mp ipt_TOS mp ipt_TTL mp ipt_quota mp ipt_iplimit mp ipt_pkttype mp ipt_ipv4options mp ipt_MARK echo -e "/ t / T / T / T / 033 [3; 032M [OK] / 033 [0M / N "else echo -e" / tsorry, no iptables modules found !! "Fi Fi #prepare the firewall tables for use iptables -t filter -P Input Drop iptables -t filter -p forward drop iptables -t filter -p output drop iptables -t fi lter -F INPUT iptables -t filter -F FORWARD iptables -t filter -F OUTPUT iptables -F -t nat iptables -F -t mangle iptables -Z iptables -X iptables -N CHECK_FLAGS iptables -F CHECK_FLAGS iptables -N tcpHandler iptables - F tcpHandler iptables -N udpHandler iptables -F udpHandler iptables -N icmpHandler iptables -F icmpHandler iptables -N DROP-AND-LOG iptables -F DROP-AND-LOG iptables -N syn-flood iptables -F syn-flood echo -e " / TOK, THE KERNEL IS now Prepared to use for building a firewall !!! "echo -e" / n / t starting firewall, waititing .................... .... "echo -e" / n / tcreating a drop and log chain ..... "
IPTABLES -A DROP-AND-LOG -J LOG --LOP-LEVEL 6 iptables -a drop-and-log -j drop echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "#design a chain for syn-flood protect echo -e" / t define a chain for syn-flood pretect .. "iptables -a syn-flood -m limit --LIMIT 4000 / s --LIMIT -Burst 6000 -J RETURN IPTABLES -A SYN-FLOOD -J DROP iptables -a INPUT -I $ {UPLINK} -p tcp --syn -j syn-flood echo -e "/ t / t / t / t / 033 [3; 032M [OK] / 033 [0M / N "iptables -a tcphandler -p tcp -m limit --LIMIT 4000 / s --LIMIT-BURST 6000 -J RETURN IPTABLES -A TCPHANDLER -P TCP -J LOG - -log-prefix "Drop TCP Exceed Connections" iptables -a tcphandler -p tcp -j drop iptables -a udphandler -p udp -m limited --LIMIT 200 / s --LIMIT-BURST 400 -J RETURN IPTABLES -A UDPHANDLER - P udp -j log --log-prefix "DROP UDP Exceed Connections" iptables -a udphandler -p udp -j drop iptables -a icmphandler -p icmp -m limited --LIMIT 200 / s --Limit-Burst 400 -J Return iptables -a icmphandler -p icmp -j log --log-prefix "DROP ICMP EXCEED Connections" iptab Les -a icmphandler -p ICMP -J Drop #define a chain for log malformed packages IF ["$ malformed_packet_log" = "YES"] THEN Echo -e "/ Tnow Logging Malformed Packages" iptables -a input -i $ {UPLINK} -m unclean -m limited --LIMIT 2 / M -J log --Log-Level 6 --Log-prefix "Drop Malformed Packet:" iptables -a input -i $ {uplink} -m unclean -j drop echo - E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N" FI #DOP Malformed Packages # iptables -a input -i $ {uplink} -m unclean -j drop echo - E "/ T1 Starting the check_flag rules, please wait ...." echo -e "/ tlogging illegal tcp flags ...." ing ["$ log_illegal_flags" = "yes"
] THEN iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS All FIN -M LIMIT --LIMIT 3 / M -J LOG --LOG-Level 6 --Log-Prefix "Invalid All Fin] "--LOG-TCP-OPTIONS --LOG-IP-OPTIONS iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS All Fin -j Drop iptables -a check_flags -i $ {UPLINK} -p TCP - TCP-FLAGS ACK, FIN FIN -M LIMIT --LIMIT 3 / M -J LOG --LOG-Level 6 --Log-Prefix "Invalid Ack, FIN" --LOG-TCP-Options - Log-ip-options iptables -a check_flags -i $ {UPLINK} -p tcp --tcp-flags Ack, FIN FIN -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-Flags ACK, PSH PSH -M Limit --LIMIT 3 / M -J LOG --LOG-Level 6 --Log-Prefix "Invalid Ack, Psh Psh:" --LOG-TCP-Options --Log-IP-Options iptables -a Check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS ACK, PSH PSH -J DROP iptables -a check_flags -i $ {UPLINK} -p tcp --tcp-flags ACK, URG URG -M LIMIT --LIMIT 3 / m -j log --Log-Level 6 --Log-Prefix "Invalid Ack, URG URG:" --LOG-TCP-OPTION --LOG-IP-OPTIONS iptables -a check_flags -i $ {UPLINK} P TCP - TCP-F Lags ACK, URG URG -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS All Fin, URG, PSH -M Limit --LIMIT 3 / M -J log --Log-Level 6 --Log-Prefix "Invaild Nmap Scan" --Log-TCP-Options --Log-IP-Options iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS All Fin, URG, PSH -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, RST SYN, RST -M LIMIT --LIMIT 3 / M -J LOG --LOG-Level 6 --Log-Prefix "SYN / RST SCAN "--LOG-TCP-OPTIONS --LOG-IP-OPTIONS iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, RST SYN, RST -J DROP iptables -a check_flags - I $ {UPLINK} -p TCP --TCP-FLAGS FIN, RST FIN, RST -M LIMIT --LIMIT 3 / M -J LOG --LOG-Level 6 --Log-Prefix "Fin / Rst SCAN"
--LOG-TCP-OPTIONS --LOG-IP-OPTIONS iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS FIN, RST FIN, RST -J DROP iptables -a check_flags -i $ {UPLINK } -p TCP-FLAGS SYN, FIN SYN, FIN -M LIMIT --LIMIT 3 / M -J log --Log-Level 6 --Log-Prefix "Syn / Fin Scan" --Log-TCP- Options --log-ip-options iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, FIN SYN, FIN -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP - TCP-OPTION 64 -M LIMIT --LIMIT 3 / M -J log --Log-Level 6 --Log-Prefix "Bogus TCP Flag 64" --Log-TCP-Options --Log-IP-Options iptables -a Check_flags -i $ {UPLINK} -p TCP --TCP-OPTION 64 -J DROP iptables -a check_flags -i $ {uplink} -p TCP --TCP-OPTION 128 -M LIMIT --LIMIT 3 / M -J log --Log-Level 6 --Log-Prefix "Bogus TCP Flag 128" --Log-TCP-Options --Log-IP-Options iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-Option 128 -j drop iptables -a check_flags -i $ {UPLINK} -p tcp --tcp-flags all all -m limit --LIMIT 3 / M -J log --Log-Level 6 --Log-prefix "Merry Xmas Tree : "--Log -tcp-options --log-ip-options iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS All All -j drop iptables -a check_flags -i $ {UPLINK} -p TCP --TCP -flags All Syn, RST, ACK, FIN, URG -M LIMIT --LIMIT 3 / M -J LOG --LOG-LEVEL 6 - Log-Prefix "Xmas-Psh:" --LOG-TCP-OPTIONS - Log-ip-options iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-Flags All SYN, RST, ACK, FIN, URG -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP - -TCP-FLAGS All none -m Limit --Limit 3 / M -J log --Log-Level 6 --Log-prefix "null_scan"
--Log-TCP-OPTIONS --LOG-IP-OPTIONS iptables -a check_flags -i $ {UPLINK} -p tcp --tcp-flags all none -j drop iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, ACK, FIN, RST RST -M LIMIT --LIMIT 3 / M -J LOG --LOG-Level 6 --Log-Prefix "Invalid Scan:" --Log-TCP-Options - Log-ip-options iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, ACK, FIN, RST RST -J DROP ELSE iptables -a check_flags -i $ {UPLINK} -p TCP - TCP-FLAGS All Fin -j drop iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS ACK, FIN FIN -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP- Flags Ack, PSH PSH -J DROP iptables -a check_flags -i $ {uplink} -p TCP --TCP-FLAGS ACK, URG URG -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP- Flags All FIN, URG, PSH -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, RST SYN, RST -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS FIN, RST FIN, RST -J DROP IPTABLES -A Check_Flags -i $ {UPLINK} -p TCP --TCP-FLAGS SYN, FIN SYN, FIN -J DROP I PTABLES -A Check_Flags -i $ {UPLINK} -p TCP --TCP-OPTION 64 -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-OPTION 128 -J DROP iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-FLAGS All All -j drop iptables -a check_flags -i $ {UPLINK} -p TCP --TCP-Flags All SYN, RST, ACK, FIN, URG -J DROP iptables - A check_flags -i $ {UPLINK} -p tcp --tcp-flags all none -j drop iptables -a check_flags -i $ {UPLINK} -p TCP - TCP-FLAGS SYN, ACK, FIN, RST RST -J DROP Echo -e "/ t / t / t / t / 033 [3; 032M [ok] / 033 [0m" Fi #drop packages with a invalid flag iptables -a input -i $ {uplink} -p tcp -j check_flags ECHO -E "/ T / T / T / T / 033 [3; 032M [OK] / 033 [0M / N / TFinished Check_flags rules ..." echo -e "
/ Tnow Starting The Input Rules, please wait ....... "#for i in $ open_tcp_quota; do # printf" firewall -> Port $ I TCP Open with quota $ quota ... "#iptables -a input - I $ UPLINK -P TCP --SYN-M STATE --STATE NEW -M LIMIT --LIMIT 2 / S --DPORT $ I -M quota - quota $ quota -j account #iptables -a input -i $ UPLINK -p TCP - Dport $ I -J Drop #done #for i in $ open_udp_quota; do # echo "firewall -> Port $ I udp open with quota $ quota ..." #iptables -a input -i $ uplink - P UDP-M STATE --STATE NEW -M LIMIT --LIMIT 2 / S --DPORT $ I -M quota - quota $ quota -j account #iptables -a input -i $ uplink -p udp --dport $ I -J Drop #done #build a chain for deny ip or ip ranging for x in $ {denyip} do iptables -a input - {uplink} -p tcp -s $ {x} -m state --state new -j log --log-prefix "Invaild: $ {x} TCP in:" iptables -a input -i $ {UPLINK} -p TCP -S $ {x} -m state --state new -j drop iptables - A INPUT -I $ {UPLINK} -p TCP --Syn-S $ {x} -j log --log-prefix "invaild: $ {x} SYN in:" iptables -a input -i $ {uplink} - P TCP --SYN -S $ {x } -j drop iptables -a input -i $ {uplink} -p all -s $ {x} -m limited --LIMIT 6 / m -j log --log-level 6 --log-prefix "denyed IP $ {x} in: "iptables -a input -i $ {uplink} -p all -s $ {x} -j drop iptables -a forward -s $ {x} -m state --state new, established, related J log --log-level 6 --log-prefix "de Neyed $ {x} Forward:" iptables -a forward -s $ {x} -m state --state new, established, related -j drop iptables -a forward -d $ {x} -m State --State New, Established, Related -j log --log-level 6 --log-prefix "de Nenyed $ {x} forward:"
iptables -a forward -d $ {x} -m star --state new, established A INPUT -I $ {UPLINK} -p tcp --dport $ {x} --syn -j log --log-prefix "invalid: $ {x} SYN IN:" iptables -a input -i $ {uplink} -p tcp --dport $ {x} --Syn -j drop iptables -a input -i $ {uplink} -p tcp --dport $ {x} -m state --state new -j log --log- Prefix "Invaild $ {x} Port in:" iptables -a input -i $ {uPLINK} -p TCP - Dport $ {x} -m state --state new -j drop iptables -a input -i $ {Uplink } -p tcp --dport $ {x} -m limit --limit 3 / m -j log --log-level 6 --log-prefix "Port: $ {x} attempt:" --log-tcp- Options --log-ip-options --log-tcp-sequence iptables -a input -i $ {uplink} -p tcp --dport $ {x} -j drop done #bulid a chain for the udp port or port range You want to deny for x in $ {udp_port_log} DO iptables -a input -i $ {uplink} -p UDP --dport $ {x} -m limit --LIMIT 3 / m -j log --log-prefix Invaild Port: $ {x} udp in: "
iptables -ainput -i $ {uplink} -p udp --dport $ {x} -j drop done #iptables -a input -i! $ {uplink} -j account #iptables -a input -i $ {lan} -p tcp -s $ {manage_ip} -j accept for x in $ {information_ip} do iptables -t filter -a infut -p tcp -t $ {x} --dport 22 -j accept iptables -t filter -a output iptables -p tcp -d $ {x} -j accept done #build a chain for the tcp port or port range you want x in $ {open_tcp} do iptables -a input -p tcp --dport $ {x} --Syn -j accept iptables -a input -p tcp --dport $ {x} -j accept iptables -a input --p tcp --dport $ {x} -m state --state new, established, Related -j accept done #build a chain for the udp port or port range you want x in $ {open_udp} do iptables -a input -p udp --dport $ {x} -j accept iptables - A INPUT -P UDP - Dport $ {x} -m State --State New, Established, Related -j Accept Done #build a chain to Drop and log ion iptables -a input -p gmp -m limited --LIMIT 2 / m -j log --Log-Level 6 --Log-Prefix "DROP IGMP"
iptables -ainput -p igmp -j drop #drop and log invalid ip ranging iptables -a input -i $ {uplink} -s 192.168.0.0.0.0.0/24 -j drop-and-log iptables -a input -i $ {UPLINK } -s 10.0.0.0/8 -j drop iptables -a input -i $ {uplink} -s 172.12.0.0/16 -j drop-and-log iptables -a input -i $ {uplink} -s 224.0.0.0 / 4 -J Drop-and-log iptables -a input -i $ {UPLINK} -s 240.0.0.0.0.0.0.0/16 {uplink} -s 169.254.0.0/16 -j drop-and-log iptables -a input -i $ {uplink} -s 192.0.2.0/24 -j drop-and-log ing iptables -a input -i $ {uplink} -p! udp -d 224.0.0.0 / 4 -J Drop iptables -a input -i $ {uplink} -p UDP -D 224.0.0.0.0/4 -j account iptables -a input -i $ {uplink} -d 127.0.0.1 -j drop-and-log iptables -a input -i $ {uplink} -s 127.0.0.1 -j drop-and-log iptables -a input -i $ {UPLINK} -s 0.0.0.0 -j drop-and-log ing iptables -a input -i $ {UPLINK} -s 255.255.255.255 -j drop-and-log #drop and log invalid management ip in #iptables -a lan-input -p tcp --dport 23 -i $ {lan_if} -s! $ {Management_ip } -j log --log-level 6 --L OG-Prefix "Invalid Manage_IP in:"
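#iptables -A lan-input -p tcp --dport 23 -i ${lan_if} ! -s ${management_ip} -j DROP

# IPsec VPN pass-through (IKE on udp/500, ESP=50, AH=51, GRE=47); disabled.
#iptables -A INPUT   -p udp -i ${uplink} --sport 500 --dport 500 -j ACCEPT
#iptables -A INPUT   -p 50  -i ${uplink} -j ACCEPT
#iptables -A INPUT   -p 51  -i ${uplink} -j ACCEPT
#iptables -A INPUT   -p 47  -i ${uplink} -j ACCEPT
#iptables -A FORWARD -p udp -i ${uplink} --sport 500 --dport 500 -j ACCEPT
#iptables -A FORWARD -p 50  -i ${uplink} -j ACCEPT
#iptables -A FORWARD -p 51  -i ${uplink} -j ACCEPT
#iptables -A FORWARD -p 47  -i ${uplink} -j ACCEPT

# Loopback is always allowed.
iptables -A INPUT -i lo -j ACCEPT

# SYN+FIN is never a valid combination (used by OS fingerprinting scans).
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP

# Do not answer ICMP timestamp requests (type 13) and never emit timestamp
# replies (type 14); they leak the system clock.
iptables -A INPUT  -p icmp --icmp-type 13 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP

# Stateful core: packets belonging to a known connection are accepted, then
# everything that is NEW or INVALID is logged (rate-limited) and dropped.
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW,INVALID -m limit --limit 3/m -j LOG --log-prefix "Invalid New"
iptables -A INPUT -m state --state NEW,INVALID -j DROP

# NOTE(review): after the NEW,INVALID drop above, every packet that was not
# ESTABLISHED/RELATED has already been dropped, so the rules below (and the
# ICMP accept/log rules and the final uplink DROP that follow in this chain)
# are unreachable for normal traffic.  They are kept as written; if they are
# meant to be effective they must be moved above the NEW,INVALID drop.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 3/m -j LOG --log-level 6 --log-prefix "Drop New Not SYN:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# The log prefix of the next rule was lost in the copy this was recovered
# from; "Drop SYN:" is a placeholder, not the original text.
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "Drop SYN:"
iptables -A INPUT -p tcp --syn -j DROP

echo -e "\t logging invalid ICMP package:"
# Log (rate-limited) any inbound ICMP on the uplink other than echo-reply,
# and log fragmented ICMP before the next rule drops it.
iptables -A INPUT -i ${uplink} -p icmp ! --icmp-type echo-reply -m limit --limit 20/m -j LOG --log-level 6 --log-prefix "Invaild ICMP in:"
iptables -A INPUT -i ${uplink} -f -p icmp -j LOG --log-prefix "fragmented incoming ICMP:"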
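iptables -A INPUT -i ${uplink} -f -p icmp -j DROP

# ICMP error types the host must receive to keep TCP/PMTU working.
# source-quench is only accepted when addressed to the uplink address.
iptables -A INPUT -p icmp --icmp-type source-quench -d ${upip} -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem        -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable  -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded            -j ACCEPT

# Alternative "polite" rejections instead of silent drops; disabled.
#iptables -A INPUT -i ${uplink} -p icmp -j REJECT --reject-with icmp-net-unreachable
#iptables -A INPUT -p udp -i ${uplink} -j LOG --log-prefix "Invaild UDP in:"
#iptables -A INPUT -i ${uplink} -p udp -j REJECT --reject-with icmp-port-unreachable
#iptables -A INPUT -i ${uplink} -p tcp -j LOG --log-prefix "invaild TCP in: "
#iptables -A INPUT -i ${uplink} -p tcp -j REJECT --reject-with tcp-reset

# Remaining fragments from the uplink: log (rate-limited) and drop.  With
# connection tracking loaded, fragments are normally reassembled before the
# filter table sees them, so these -f rules rarely match in practice.
iptables -A INPUT -i ${uplink} -s 0/0 -f -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "Invaild Fragment:"
iptables -A INPUT -i ${uplink} -s 0/0 -f -j DROP

# Catch-all for the uplink.
iptables -A INPUT -i ${uplink} -j DROP

echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n\tThe input rules has been successful applied, continue..."
echo -e "\t now starting forward rules, please wait....."

# --- FORWARD chain ---
# IGMP is logged here; note that, unlike INPUT, the original has no matching
# FORWARD DROP for IGMP, so the "Drop IGMP:" prefix is misleading — add one
# if IGMP is not meant to be forwarded.
iptables -A FORWARD -p igmp -m limit --limit 2/m -j LOG --log-level 6 --log-prefix "Drop IGMP:"

# The protocol token of the next rule is unreadable in the recovered copy;
# "icmp" is assumed from the two fragment rules that immediately follow it.
# TODO confirm against the original.
iptables -A FORWARD -p icmp -f -m limit --limit 1/s --limit-burst 10 -j ACCEPT

iptables -A FORWARD --fragment -p icmp -j LOG --log-prefix "fragmented forwarded ICMP:"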
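iptables -A FORWARD --fragment -p icmp -j DROP

# Forwarded ICMP: the error types needed for PMTU discovery and sane TCP are
# accepted unconditionally, the rest is rate-limited.
iptables -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type parameter-problem    -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type source-quench        -j ACCEPT
iptables -A OUTPUT  -p icmp --icmp-type source-quench        -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 50/s --limit-burst 100 -j ACCEPT

# Allow a trickle of bare RST segments, then drop the rest (a later rule).
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Impossible / scan-typical TCP flag combinations (NULL, XMAS, SYN+FIN,
# SYN+RST, FIN+RST, lone FIN/PSH/URG without ACK).
iptables -A FORWARD -p tcp --tcp-flags ALL NONE                    -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL                     -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG     -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH             -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST             -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST             -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN             -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST         -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL FIN                     -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN                 -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH                 -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG                 -j DROP

# TCP options 64 and 128 are not assigned; drop segments carrying them.
iptables -A FORWARD -p tcp --tcp-option 64  -j DROP
iptables -A FORWARD -p tcp --tcp-option 128 -j DROP

# NOTE(review): this rule ACCEPTs every forwarded SYN from any interface up
# to 2000/s.  Because it precedes the per-protocol NEW-state handler chains
# (tcphandler etc., appended further down), those chains only ever see the
# SYNs that exceed the limit — the handlers are effectively bypassed.
# Kept as written; re-check whether the intent was a flood limit (in which
# case the excess should be dropped, not the bulk accepted).
iptables -A FORWARD -p tcp --syn -m limit --limit 2000/s -j ACCEPT

# Forwarded pings are rate-limited.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Stateful core for FORWARD; INVALID is logged here and dropped next.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j LOG --log-prefix "Invalid Forward:"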
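iptables -A FORWARD -m state --state INVALID -j DROP

# New connections arriving on the uplink are logged (rate-limited) and then
# handed to a per-protocol user chain (tcphandler/udphandler/icmphandler are
# created elsewhere in this script and flushed by the stop branch).
# NOTE(review): 4000 log lines per second for TCP alone is enough to fill
# /var/log under a modest SYN flood; consider a much lower --limit.
iptables -A FORWARD -i ${uplink} -p tcp  -m state --state NEW -m limit --limit 4000/s --limit-burst 6000 -j LOG --log-prefix "conn TCP:"
iptables -A FORWARD -i ${uplink} -p tcp  -m state --state NEW -j tcphandler
iptables -A FORWARD -i ${uplink} -p udp  -m state --state NEW -m limit --limit 200/s  --limit-burst 400  -j LOG --log-prefix "Conn UDP:"
iptables -A FORWARD -i ${uplink} -p udp  -m state --state NEW -j udphandler
iptables -A FORWARD -i ${uplink} -p icmp -m state --state NEW -m limit --limit 200/s  --limit-burst 400  -j LOG --log-prefix "CONN ICMP:"
iptables -A FORWARD -i ${uplink} -p icmp -m state --state NEW -j icmphandler

echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n\tThe forward rules has been successful applied, continue..."
echo -e "\t now starting output rules, please wait...."

# --- OUTPUT chain ---
# Per-user egress block via the owner match; disabled.  The original left
# the LOG prefix unquoted, which would have split it into separate args.
#for i in ${deny_user}
#do
#    echo -e "\tNo world wide visit for user: ${i}"
#    iptables -A OUTPUT -m owner --uid-owner ${i} -j LOG --log-prefix "Drop packet from ${i}:"
#    iptables -A OUTPUT -m owner --uid-owner ${i} -j DROP
#done

# IPsec egress; disabled.
#iptables -A OUTPUT -p udp -o ${uplink} --sport 500 --dport 500 -j ACCEPT
#iptables -A OUTPUT -p 50  -o ${uplink} -j ACCEPT
#iptables -A OUTPUT -p 51  -o ${uplink} -j ACCEPT
#iptables -A OUTPUT -p 47  -o ${uplink} -j ACCEPT

# DHCP server replies on the LAN interface; disabled.
#if [ "$dhcp_server" = "1" ]; then
#    iptables -A OUTPUT -o $lan_interface -p udp -s $broadcast_src --sport 67 -d $broadcast_dest --dport 68 -j ACCEPT
#fi

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT --fragment -p icmp -j LOG --log-prefix "fragment outgoing ICMP:"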
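iptables -A OUTPUT --fragment -p icmp -j DROP

# Outgoing ICMP error types that must be allowed.  The original followed the
# destination-unreachable ACCEPT with a destination-unreachable DROP, which
# could never match (the ACCEPT is hit first); that dead rule is omitted.
iptables -A OUTPUT -p icmp --icmp-type source-quench            -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type parameter-problem        -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable  -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type fragmentation-needed     -j ACCEPT

# Outgoing ping is allowed to start new flows.
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

# Stateful core for OUTPUT.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Invalid Output:"
iptables -A OUTPUT -m state --state INVALID -j DROP

# Anything leaving on the uplink is allowed (the original wrote the first of
# these with -i, which is not a valid match in OUTPUT; -o is used here).
iptables -A OUTPUT -p icmp -o ${uplink} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT         -o ${uplink} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Everything else (new flows on non-uplink interfaces) is logged and dropped.
iptables -A OUTPUT -p icmp -m state --state INVALID -j LOG --log-prefix "Invaild ICMP State Output:"
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state NEW,INVALID -j LOG --log-prefix "Invaild New:"
iptables -A OUTPUT -m state --state NEW,INVALID -j DROP

echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n\tThe output rules has been successful applied, continue..."

# --- NAT (disabled in the server version) ---
#echo -e "\t now applying NAT rules, please wait...."
#iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A PREROUTING -d ${lan_net} -i ${uplink} -j DROP
#if [ "$router" = "yes" ]
#then
#    echo -e "\t enabling ip_forward, please wait..."
#    echo 1 > /proc/sys/net/ipv4/ip_forward
#    echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n"
#    if [ "$nat" = "dynamic" ]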
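#    then
#        echo -e "\t enabling masquerading (dynamic IP)..."
#        echo -e "\t dynamic PPP connection, now getting the dynamic ip address"
#        # NOTE(review): reads ppp0 rather than ${uplink}; the two must agree.
#        ip_addr=`ifconfig ppp0 | grep inet | cut -d : -f 2 | cut -d " " -f 1`
#        echo -e "\t now your ip address is: ${ip_addr}"
#        iptables -t nat -A POSTROUTING -o ${uplink} -j MASQUERADE
#        iptables -t nat -A POSTROUTING -o ${uplink} -s ${dmz_net} -j SNAT --to ${ip_addr}
#        # NOTE(review): the TCPMSS target is only valid in the mangle table;
#        # in the nat table this rule is rejected when the script runs.
#        iptables -t nat -A POSTROUTING -o ${uplink} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#        iptables -t nat -A PREROUTING -i ${uplink} -d ${ip_addr} -p tcp --dport 80 -j DNAT --to ${web_ip}:80
#        iptables -t nat -A PREROUTING -i ${uplink} -p tcp -d ${ip_addr} --dport 22 -j DNAT --to ${admin_ip}:22
#        echo -e "\t ok, nat setting start success.."
#    elif [ "$nat" != "" ]
#    then
#        echo -e "\t enabling SNAT (static ip)..."
#        iptables -t nat -A POSTROUTING -o ${uplink} -j SNAT --to ${upip}
#        iptables -t nat -A POSTROUTING -s ${lan_net} -o ${uplink} -j SNAT --to ${upip}
#        # NOTE(review): same mangle-vs-nat table problem as above.
#        iptables -t nat -A POSTROUTING -o ${uplink} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#        iptables -t nat -A PREROUTING -i ${uplink} -p tcp -d ${upip} --dport 80 -j DNAT --to ${web_ip}:80
#        # NOTE(review): the dynamic branch exposes admin SSH on port 22, this
#        # one on port 88; the difference looks unintentional.
#        iptables -t nat -A PREROUTING -i ${uplink} -p tcp -d ${upip} --dport 88 -j DNAT --to ${admin_ip}:22
#        echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n"
#    fi
#fi

echo -e "\a"
echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n"
echo -e "\tAll rules has been successful applied, enjoy it..."

# "stop" / "flush" / "clean": flush and delete every table and user chain,
# then reset the filter policies to ACCEPT.  After this the host has NO
# packet filtering at all (hence the "be careful" message below); prefer
# restarting the firewall over leaving it stopped on an exposed machine.
# The per-chain -F/-X calls after the table-wide -F/-X are redundant but
# harmless and are kept for parity with the original.
elif [ "$1" = "stop" ] || [ "$1" = "flush" ] || [ "$1" = "clean" ]
then
    echo -e "\tStoping firewall...."
    iptables -t filter -F >/dev/null 2>&1
    iptables -t filter -X >/dev/null 2>&1
    iptables -t nat    -F >/dev/null 2>&1
    iptables -t nat    -X >/dev/null 2>&1
    iptables -t mangle -F >/dev/null 2>&1
    iptables -t mangle -X >/dev/null 2>&1
    iptables -t filter -P INPUT   ACCEPT >/dev/null 2>&1
    iptables -t filter -P OUTPUT  ACCEPT >/dev/null 2>&1
    iptables -t filter -P FORWARD ACCEPT >/dev/null 2>&1
    for chain in tcphandler udphandler icmphandler check_flags drop-and-log syn-flood
    do
        iptables -F ${chain} >/dev/null 2>&1
    done
    for chain in tcphandler udphandler icmphandler check_flags drop-and-log syn-flood
    do
        iptables -X ${chain} >/dev/null 2>&1
    done
    echo -e "\a"
    echo -e "\t\t\t\t\033[3;032m[OK]\033[0m\n"
    echo -e "\t\tThe firewall has sucssful shuted down, be careful!"
fi

# ---------------------------------------------------------------------------
# The page continues with the header of a second, earlier copy of the same
# script ("server version - 09/05/2004"); its body is cut off in this excerpt.
# ---------------------------------------------------------------------------
# rainlow firewall server version - 09/05/2004
# This software may be used and distributed according to
# the terms of the GNU General Public License (GPL) provided
# credit is given to the original author.
# Copyright (c) 2004 rainlow
# All rights reserved
#echo -e "\n\t\t\t welcome to \033[3;031m rainlow tech. \033[0m\n\n"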