2012年2月7日 星期二

iptables rule script


##################################################################################

#!/bin/bash
# Program:
#     Iptables Firewall

# History
# 2007/02/01/PM 13:57        TMeng        First release
# 2009/05/25/PM 16:56        TMeng        Second release
# 2009/11/11/AM 10:14        TMeng        Third release
# The IPTABLES part Re-write by "rc.firewall" Scripts from http://iptables-tutorial.frozentux.net/

# I just to integrate it ,and test it ,it can works
#
#*****************************************************************************
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#

#*****************************************************************************
#
# 1. Configuration options.
#
MY_IP="192.168.10.100"
#
# 1.1 Internet Configuration.
#

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#
INET_IFACE="ppp0"
#INET_IFACE="eth0"
INET_IP=`ifconfig $INET_IFACE|grep inet|cut -d : -f 2|cut -d ' ' -f 1`

#
# 1.2 Local Area Network configuration.
#

LAN_IP="192.168.10.1"
LAN_IP_RANGE="192.168.10.0/24"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_TTL
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

#Enable packet forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#Modify tcp conntrack timeout established
echo "300" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# 3.3 flush iptables and set default policy
#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

#
# flush all the rules in the filter and nat tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all chains that's not default in filter and nat table.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X


###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#


$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset 
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#--log-prefix "New not syn:"


#
# TCP_packets chain rules
#
$IPTABLES -A tcp_packets -p TCP --syn -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
#For PORT mode FTP ,TCP20/21 port
#TCP53 for DNS,TCP2022 for SSH
$IPTABLES -A tcp_packets -p TCP -s 0/0 -m multiport --dports 20,21,53,\
2022 -j ACCEPT
#For PASV mode FTP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 65400:65420 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -j DROP



#
# UDP_packets chain rules
#
# Allow the Paopao tang  port
$IPTABLES -A udp_packets -p UDP -s 0/0 -m multiport --dports 4849,5859,6869,\
7879,9278,9520,9521,9522,9523,9963,9756 -j ACCEPT


# Allow the Games ( QQ paopaotang UC neteasePaopao )
$IPTABLES -A udp_packets -p UDP -s 0/0 -m multiport --dports 2022,3001,3002,\
4000,4001,8000,8191,8192,9889,9977,29851,29853 -j ACCEPT

# Allow the Games ( [rexue]chuanqi[shijie] and other )
$IPTABLES -A udp_packets -p UDP -s 0/0 -m multiport --dports 1429,1547,6000,\
6004,6111,6112,7000,7050,7100,7200,7300,7400,7705 -j ACCEPT

# Allow the default port
$IPTABLES -A udp_packets -p UDP -s 0/0 -m multiport --dports 53,443,123,2032,\
2047,2402,3952,8002,9314 -j ACCEPT

#
# ICMP_packets chain rules
#

$IPTABLES -A icmp_packets -p ICMP --icmp-type echo-reply -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -j DROP

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -t filter -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#
$IPTABLES -t filter -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -t filter -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -t filter -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -t filter -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


#
# Rules for incoming packets from the internet.
#

$IPTABLES -t filter -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -t filter -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -t filter -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -t filter -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP




# 4.1.5 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#
$IPTABLES -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 21 -j DNAT --to-destination $LAN_IP


$IPTABLES -t filter -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p ALL -s $INET_IP -j ACCEPT






#
# 4.1.6 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -t filter -A FORWARD -p tcp -j bad_tcp_packets


# Drop some client connect to internet

$IPTABLES -t filter -A FORWARD -m ipp2p --ipp2p -j DROP
$IPTABLES -t filter -A FORWARD -m ipp2p --xunlei -j DROP
$IPTABLES -t filter -A FORWARD -p tcp -m conntrack --ctstate INVALID -j REJECT
#$IPTABLES -t filter -A FORWARD -p tcp --syn -m connlimit --connlimit-above 35\
--connlimit-mask 32 -j LOG --log-ip-options
$IPTABLES -t filter -A FORWARD -p tcp --syn -m connlimit --connlimit-above 40\
--connlimit-mask 32 -j REJECT

#
# Accept the packets we actually want to forward
#

$IPTABLES -t filter -A FORWARD -p tcp -i $LAN_IFACE -j ACCEPT
#Just allow some DST UDP port ,for filter P2P UDP upload
$IPTABLES -t filter -A FORWARD -p udp -i $LAN_IFACE -j udp_packets
$IPTABLES -t filter -A FORWARD -p icmp -i $LAN_IFACE -j icmp_packets

$IPTABLES -t filter -A FORWARD -p tcp -i $INET_IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -p udp -i $INET_IFACE -j udp_packets
$IPTABLES -t filter -A FORWARD -p icmp -i $INET_IFACE -j icmp_packets

#
######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#
# Redirect http request to squid
#$IPTABLES -t nat -A PREROUTING -p tcp -s 192.168.10.0/24  --dport 80 -j REDIRECT --to-ports 3128

# Map emule port to localhost
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 4662 -j DNAT --to $MY_IP:4662
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp --dport 4672 -j DNAT --to $MY_IP:4672

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#
# Added by TMeng ,for ADSL Connection

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j SNAT --to-source $INET_IP





######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#
#

#
# 4.3.8 POSTROUTING chain
#


# Increase the IPID
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -j IPID --ipid-pace 2
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -j TTL --ttl-set 128
$IPTABLES -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $INET_IFACE -j TCPMSS --clamp-mss-to-pmtu


##################################################################################

說明:
1.腳本的框架來自於"rc.firewall script"  ,在這裏
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#INCLUDERCFIREWALL

2.在框架的基礎上,去掉了原來的allowed鏈,只保留四個自定義的鏈 bad_tcp_packets,tcp_packets,udp_packets,icmp_packets;
框架具有很好的可擴展性,添加和刪除規則基本上都在自身的鏈中完成,對其它規則的影響極小

3.基本流程是這樣的
先對進入的packets作合法性檢查,即選進入bad_tcp_packets,非法的丟棄;
合法的packets,TCP報文進入tcp_packets作進一步匹配,合法通過;
合法的packets,UDP報文進入udp_packets進行匹配,合法通過
余下的icmp報文匹配icmp_packets規則

4.對需要進行packets濾的鏈,input ,output ,forward的默認規則是DROP

5.由於網絡環境為ADSL鏈路,上傳帶寬有限,對UDP報文作了--dport限制,符合要求的放行,對於回流的UDP報文,對Firewall來說其 --dport端口為送出時的--sport,因此在自定義的udp_packets鏈中,將其統一寫入--dport中,使用--multiport的 好處是減少規則的條目,提高匹配效率。

6.對TCP的限制使用connlimit,另,對P2P已知的協議進過相關過濾(如果你也需要此功能,你需要自己編譯相關模塊)。

7.在Firewall上提供vsftp,ssh-server服務。

8.為更好理解相關過濾規則在iptables表、鏈中的相對位置,用顏色表示規則和其對應的鏈。對於自定義的鏈(上述2)規則由於圖表的篇幅,沒有在圖 表中列出,你需要對照腳本4.1.3項中的相關鏈的規則。

沒有留言:

張貼留言

DNSSEC安全技術簡介 作者:游子興 / 臺灣大學計算機及資訊網路中心網路組約聘幹事 DNS 是一套已經廣泛使用的Internet 服務,但因先天的技術限制導致容易成為駭客攻擊的目標。本文主要在介紹DNSSEC 之緣起與技術背景,及其使用的加解密技術如何確保資料的完整...