2012年2月7日 星期二

iptables rule script


##################################################################################

#!/bin/bash
# Program:
#     Iptables Firewall

# History
# 2007/02/01/PM 13:57        TMeng        First release
# 2009/05/25/PM 16:56        TMeng        Second release
# 2009/11/11/AM 10:14        TMeng        Third release
# The iptables part is adapted from the "rc.firewall" script at http://iptables-tutorial.frozentux.net/

# I only integrated and tested it; it works as shown.
#
#*****************************************************************************
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#

#*****************************************************************************
#
# 1. Configuration options.
#
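MY_IP="192.168.10.100"
#
# 1.1 Internet Configuration.
#

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#
INET_IFACE="ppp0"
#INET_IFACE="eth0"

# parse_inet_addr: read the output of `ifconfig <iface>` on stdin and print
# the first IPv4 address found, or nothing at all.  Accepts both the
# net-tools layout ("inet addr:1.2.3.4") and the newer one ("inet 1.2.3.4");
# "inet6" lines never match because a space must follow "inet".
parse_inet_addr() {
  sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# Address currently bound to the Internet-facing interface.  It is empty
# when the interface is down or absent; several rules in 4.1.4/4.1.5 use it
# as -s/-d, and an empty value makes those iptables calls fail (the rule is
# silently missing).  Check it before applying the ruleset.
INET_IP=$(ifconfig "$INET_IFACE" 2>/dev/null | parse_inet_addr)

#
# 1.2 Local Area Network configuration.
#

LAN_IP="192.168.10.1"
LAN_IP_RANGE="192.168.10.0/24"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/sbin/iptables"

#
# 1.6 Other Configuration.
#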

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#
# Core netfilter pieces plus the LOG, TTL and state extensions used below.
# NOTE(review): these are the ip_conntrack-era module names; on a kernel
# that ships nf_conntrack instead, modprobe reports them as not found and
# the script just carries on (nothing here checks the exit status).
for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
           ipt_LOG ipt_TTL ipt_state; do
  /sbin/modprobe "$mod"
done

#
# 2.2 Non-Required modules
#
# REJECT/mac/multiport/MASQUERADE are used by the rules in section 4.  The
# FTP helper pair makes FTP data connections show up as RELATED, which the
# RELATED accepts below then let through.  The IRC helpers stay disabled.
for mod in ipt_REJECT ipt_mac ipt_multiport ipt_MASQUERADE ip_conntrack_ftp ip_nat_ftp; do
  /sbin/modprobe "$mod"
done
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

#Enable packet forward
# set_proc FILE VALUE: write VALUE (plus newline) into a /proc tunable.
set_proc() { printf '%s\n' "$2" > "$1"; }

# Route between eth1 and ppp0 -- this box is the LAN's gateway.
set_proc /proc/sys/net/ipv4/ip_forward 1
# Expire idle ESTABLISHED TCP conntrack entries after 5 minutes (the kernel
# default is far longer) to keep the table small on a NAT box.
set_proc /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 300

#
# 3.2 Non-Required proc configuration
#
# NOTE(review): reverse-path filtering is left off.  On a two-interface NAT
# gateway, enabling it would discard packets arriving on ppp0 that carry a
# 192.168.10.x source (address spoofing); worth turning on.
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
# ip_dynaddr is presumably meant for the changing PPPoE address -- confirm
# whether it is needed before enabling.
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#
# 3.3 flush iptables and set default policy
#
# reset the default policies in the filter table.
#
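# Abort before touching the live ruleset if no address was read from
# $INET_IFACE (interface down, ifconfig output not parsed).  The -s/-d
# $INET_IP rules in 4.1.4 and 4.1.5 fail to load with an empty value, and
# the DROP policies set in 4.1.1 would then block, among other things, the
# firewall's own traffic leaving $INET_IFACE.  Leaving the previous ruleset
# in place is the safer outcome.
if [ -z "$INET_IP" ]; then
  printf 'iptables: no IPv4 address found on %s, ruleset not applied\n' "$INET_IFACE" >&2
  exit 1
fi

#
# reset the default policies in the filter table.
#
# NOTE(review): from here until the DROP policies in 4.1.1 the box accepts
# everything; setting DROP here instead would fail closed if the script
# stops half-way.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase every user-defined chain in the filter, nat and mangle tables
# (the tables were just flushed, so nothing references them any more).
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X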


###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

# Everything not explicitly accepted below is dropped, OUTPUT included
# (the firewall's own traffic is allowed per source address in 4.1.5).
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -P "$chain" DROP
done

#
# 4.1.2 Create userspecified chains
#

# bad_tcp_packets: sanity checks applied to all TCP on INPUT and FORWARD.
# tcp_packets / udp_packets / icmp_packets: the per-protocol filters that
# INPUT and FORWARD jump to.
for chain in bad_tcp_packets tcp_packets udp_packets icmp_packets; do
  $IPTABLES -N "$chain"
done

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#


# A TCP packet in conntrack state NEW must be a SYN.  Anything else is a
# probe (ACK/FIN scans) or a leftover from a connection the tracker has
# already forgotten -- drop it.
$IPTABLES -A bad_tcp_packets -p tcp -m state --state NEW ! --syn -j DROP
# A SYN/ACK that is NEW was never preceded by a SYN from this side, which
# typically means someone forged a SYN with our address.  Answer with a
# RST so the peer tears its half-open connection down instead of retrying.
$IPTABLES -A bad_tcp_packets -p tcp -m state --state NEW --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
# Optional logging of the first case:
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"


#
# TCP_packets chain rules
#
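#
# tcp_packets: TCP arriving on $INET_IFACE for the firewall itself.  Only
# the services listed here are reachable from the Internet; everything
# else is dropped.  The blanket "-p TCP --syn -j ACCEPT" that used to come
# first accepted every new connection before the port matches were
# reached, which left every listening TCP port open to the Internet; it
# has been removed so the port rules actually apply.
#
# Replies to connections the firewall initiated (INPUT also covers these
# with its -d $INET_IP state rule, when $INET_IP is set).
$IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services on the firewall: FTP (20/21, active-mode data + control),
# DNS over TCP (53), SSH on 2022.
$IPTABLES -A tcp_packets -p TCP -m multiport --dports 20,21,53,2022 -j ACCEPT
# Passive-mode FTP data ports (the FTP server's passive port range should
# match this -- TODO confirm).
$IPTABLES -A tcp_packets -p TCP --dport 65400:65420 -j ACCEPT
# Anything else from the Internet.
$IPTABLES -A tcp_packets -p TCP -j DROP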



#
# UDP_packets chain rules
#
# Allow the Paopao tang  port
# UDP is accepted by destination port only: replies to the LAN's outbound
# UDP come back with the original --sport as their --dport, so every port a
# LAN application uses has to appear in these lists.  Anything not listed
# returns to the calling chain and ends up in its DROP policy.  The lists
# are split into several rules because multiport takes a limited number of
# ports per rule.

# Ports used by the "Paopao tang" client.
paopao_ports="4849,5859,6869,7879,9278,9520,9521,9522,9523,9963,9756"
# Games: QQ paopaotang, UC, NetEase Paopao.
game_ports_1="2022,3001,3002,4000,4001,8000,8191,8192,9889,9977,29851,29853"
# Games: [rexue]chuanqi[shijie] and others.
game_ports_2="1429,1547,6000,6004,6111,6112,7000,7050,7100,7200,7300,7400,7705"
# Default set: DNS (53), 443, NTP (123) and a few application ports.
default_ports="53,443,123,2032,2047,2402,3952,8002,9314"

for ports in "$paopao_ports" "$game_ports_1" "$game_ports_2" "$default_ports"; do
  $IPTABLES -A udp_packets -p UDP -s 0/0 -m multiport --dports "$ports" -j ACCEPT
done

#
# ICMP_packets chain rules
#

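# ICMP errors that reference a tracked connection (destination unreachable,
# time exceeded, fragmentation needed, ...).  Without this rule the final
# DROP discards them for forwarded traffic, because FORWARD has no state
# rule for packets arriving on $INET_IFACE; that breaks PMTU discovery for
# non-TCP flows and hides traceroute/unreachable replies from LAN hosts.
$IPTABLES -A icmp_packets -p ICMP -m state --state RELATED -j ACCEPT
# Plain ping in both directions (the firewall answers echo requests from
# the Internet).
$IPTABLES -A icmp_packets -p ICMP --icmp-type echo-reply -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP --icmp-type echo-request -j ACCEPT
# Every other ICMP type.
$IPTABLES -A icmp_packets -p ICMP -j DROP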

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

# Sanity-check every TCP packet first (drops NEW-but-not-SYN, resets a NEW
# SYN/ACK); see bad_tcp_packets in 4.1.3.
$IPTABLES -t filter -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#
# Anything from the LAN interface with a LAN source address is accepted:
# no port restrictions apply to LAN hosts talking to the firewall itself.
$IPTABLES -t filter -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
# Loopback, restricted to the three addresses the box owns.  With an empty
# $INET_IP the last of these fails to load (iptables rejects the
# malformed -s) and the script does not notice.
$IPTABLES -t filter -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -t filter -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -t filter -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


#
# Rules for incoming packets from the internet.
#

# Replies to connections the firewall itself opened.  This rule also fails
# to load when $INET_IP is empty; tcp_packets has its own
# ESTABLISHED,RELATED rule but udp_packets does not, so UDP replies to the
# firewall's own queries would then be dropped unless their destination
# port happens to be in the udp_packets lists.
$IPTABLES -t filter -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Per-protocol filtering of everything else arriving on the PPPoE link.
$IPTABLES -t filter -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -t filter -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -t filter -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs (disabled here).
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP




# 4.1.5 OUTPUT chain
#

#
# Locally generated FTP connections to our own Internet address are redirected to the LAN address (nat OUTPUT).
#
# nat OUTPUT: packets generated on the firewall itself that are addressed
# to its own Internet address on TCP/21 get their destination rewritten to
# $LAN_IP (port unchanged).  Presumably so a local FTP client aimed at the
# public address reaches the FTP server listening on the LAN address --
# confirm against the vsftpd configuration.  Fails to load when $INET_IP
# is empty.
$IPTABLES -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 21 -j DNAT --to-destination $LAN_IP


# The firewall's own traffic is allowed only from the three addresses it
# owns; anything else generated locally hits the OUTPUT DROP policy.  The
# third rule fails to load when $INET_IP is empty, which would block all
# of the box's own traffic on $INET_IFACE.
$IPTABLES -t filter -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p ALL -s $INET_IP -j ACCEPT






#
# 4.1.6 FORWARD chain
#

#
# Bad TCP packets we don't want
#

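$IPTABLES -t filter -A FORWARD -p tcp -j bad_tcp_packets

# Drop known P2P protocols.  -m ipp2p is not part of stock iptables (see
# note 6 below the script); when the match is missing these two calls fail
# with an error and the script simply continues without P2P filtering.
$IPTABLES -t filter -A FORWARD -m ipp2p --ipp2p -j DROP
$IPTABLES -t filter -A FORWARD -m ipp2p --xunlei -j DROP
# TCP segments conntrack cannot associate with any connection.
$IPTABLES -t filter -A FORWARD -p tcp -m conntrack --ctstate INVALID -j REJECT
# Optional: log sources holding more than 35 TCP connections (disabled).
# Both halves are commented out: a backslash at the end of a comment does
# not continue the comment, and the second line used to run as a command.
#$IPTABLES -t filter -A FORWARD -p tcp --syn -m connlimit --connlimit-above 35 \
#  --connlimit-mask 32 -j LOG --log-ip-options
# Reject new TCP connections from a source IP (/32) that already holds 40.
# The count and the next option must stay separated by whitespace: a
# backslash-newline with no space before it joins them into one word
# ("40--connlimit-mask") and iptables refuses the rule.
$IPTABLES -t filter -A FORWARD -p tcp --syn -m connlimit --connlimit-above 40 \
  --connlimit-mask 32 -j REJECT

#
# Accept the packets we actually want to forward
#
# LAN -> Internet: all TCP; UDP only to the ports listed in udp_packets
# (limits P2P upload on the thin ADSL uplink); ICMP via icmp_packets.
$IPTABLES -t filter -A FORWARD -p tcp -i $LAN_IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -p udp -i $LAN_IFACE -j udp_packets
$IPTABLES -t filter -A FORWARD -p icmp -i $LAN_IFACE -j icmp_packets

# Internet -> LAN.  NOTE(review): TCP is accepted unconditionally here,
# not just ESTABLISHED,RELATED.  With MASQUERADE and the DNAT rules in
# 4.2.4 commented out, unsolicited packets normally cannot be routed to
# the private LAN addresses anyway, but "-m state --state
# ESTABLISHED,RELATED" (plus explicit accepts for any DNAT targets) would
# make that guarantee independent of what the upstream routes.
$IPTABLES -t filter -A FORWARD -p tcp -i $INET_IFACE -j ACCEPT
$IPTABLES -t filter -A FORWARD -p udp -i $INET_IFACE -j udp_packets
$IPTABLES -t filter -A FORWARD -p icmp -i $INET_IFACE -j icmp_packets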

#
######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#
# Redirect http request to squid
#$IPTABLES -t nat -A PREROUTING -p tcp -s 192.168.10.0/24  --dport 80 -j REDIRECT --to-ports 3128

# Map emule port to localhost
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 4662 -j DNAT --to $MY_IP:4662
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp --dport 4672 -j DNAT --to $MY_IP:4672

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#
# Added by TMeng ,for ADSL Connection

# Source-NAT everything from the LAN leaving over the PPPoE link.
# MASQUERADE is used rather than SNAT because it always takes whatever
# address the interface currently has, so the rule survives a PPPoE
# reconnect; the SNAT form below would pin the $INET_IP read at start-up.
$IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_IP_RANGE" -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_IP_RANGE" -j SNAT --to-source "$INET_IP"





######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#
#

#
# 4.3.8 POSTROUTING chain
#


# Increase the IPID
# IPID is not a stock iptables target and no matching module is loaded in
# section 2 -- presumably one of the self-compiled extensions mentioned in
# note 6.  If it is absent iptables reports an error and the rule is
# skipped; the script does not check for that.
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -j IPID --ipid-pace 2
# Rewrite the TTL of every packet leaving ppp0 to 128, forwarded LAN
# traffic included, so all hosts behind the NAT show the same initial TTL
# from outside.  NOTE(review): this also hides the hop the gateway adds;
# confirm that is the intent before keeping it.
$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -j TTL --ttl-set 128
# Clamp the MSS of outgoing SYNs (SYN set, RST clear) to the PPPoE path
# MTU, so TCP over the link does not depend on ICMP fragmentation-needed
# messages reaching the endpoints.
$IPTABLES -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $INET_IFACE -j TCPMSS --clamp-mss-to-pmtu


##################################################################################

說明:
1.腳本的框架來自於"rc.firewall script"  ,在這裏
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#INCLUDERCFIREWALL

2.在框架的基礎上,去掉了原來的allowed鏈,只保留四個自定義的鏈 bad_tcp_packets,tcp_packets,udp_packets,icmp_packets;
框架具有很好的可擴展性,添加和刪除規則基本上都在自身的鏈中完成,對其它規則的影響極小

3.基本流程是這樣的
先對進入的packets作合法性檢查，即先進入bad_tcp_packets鏈，非法的丟棄；
合法的packets，TCP報文進入tcp_packets作進一步匹配，合法通過；（注意：上面貼出的tcp_packets鏈中，`-p TCP --syn -j ACCEPT` 一條排在端口匹配之前，會先放行所有新建的TCP連接，後面的--dports限制實際上不起作用；應刪除該條規則。）
合法的packets,UDP報文進入udp_packets進行匹配,合法通過
余下的icmp報文匹配icmp_packets規則

4.對需要進行packets過濾的鏈（INPUT、OUTPUT、FORWARD），默認策略是DROP

5.由於網絡環境為ADSL鏈路，上傳帶寬有限，對UDP報文作了--dport限制，符合要求的放行。對於回流的UDP報文，對Firewall來說其--dport端口即為送出時的--sport，因此在自定義的udp_packets鏈中，把這些端口統一寫入--dport中；使用--multiport的好處是減少規則條目，提高匹配效率。

6.對TCP的並發連接數限制使用connlimit；另外，對已知的P2P協議（ipp2p）作了相關過濾（ipp2p不隨iptables自帶，如果你也需要此功能，需要自己編譯相關模塊）。

7.在Firewall上提供vsftp,ssh-server服務。

8.為更好理解相關過濾規則在iptables表、鏈中的相對位置，用顏色表示規則及其對應的鏈。對於自定義鏈（見上述第2點）中的規則，由於圖表篇幅所限沒有在圖表中列出，你需要對照腳本4.1.3項中相關鏈的規則。

Netfilter Extensions HOWTO




Fabrice MARIE , mailing list netfilter-devel@lists.samba.org

$Revision: 3822 $ $Date: 2005-04-03 11:03:46 +0200 (Sun, 03 Apr 2005) $
This document describes how to install and use current iptables extensions for netfilter.

1. Introduction

2. Patch-O-Matic

3. New netfilter matches

4. New netfilter targets

5. New connection tracking patches

6. New IPv6 netfilter matches

7. New IPv6 netfilter targets

8. New IPv6 connection tracking patches

9. Contributing


