
iptables防火墙脚本实例1(2011-07-07)

#PPTP服务器上的iptables防火墙实例

#因大部分公司pptp服务器需要进行权限控制,如果采用linux作为pptp服务器平台,则可用iptables进行访问控制。我特编写了一个样例。(这是我给一个客户做的pptp服务器的配置,当然实际IP地址信息已经被替换。)注意:iptables 只能限制已经拨入的 VPN 用户能访问什么,并不能弥补 PPTP 协议本身的弱点——PPTP 依赖的 MS-CHAPv2 认证已被证明可以离线破解,新部署应优先考虑 IPsec、OpenVPN 等替代方案,并把 VPN 网段当作不可信网段来做访问控制。

#pptp服务器为fc4,两个网卡:eth0和eth1,eth0:202.85.33.44 eth1:10.15.0.254 内部网络划分了6个VLAN,其中pptp用户所有的vlan5为10.15.0.0/24 内部服务

#器网段地址为:10.15.55.0/24 在pptp服务器上需要增加一条路由表:route add -net 10.15.55.0/24 gw 10.15.0.1(注:10.15.0.1为vlan5的IP地址)

#下面是firewall.sh脚本文件(vi firewall.sh后把下面的复制到此文件中,保存退出后,chmod 700 firewall.sh即可执行 ./firewall.sh restart)。注意:脚本必须以 root 运行;restart 会先执行 stop(清空规则并把 INPUT/OUTPUT/FORWARD 的默认策略改为 ACCEPT)再执行 start,中间存在一个短暂的全开放窗口;而且 stop 不会关闭脚本开头打开的 ip_forward,所以单独执行 stop 后这台机器会变成一台不做任何过滤的路由器。

常用命令:

# Flush only the FORWARD chain of the filter table.  -F removes rules but
# leaves the chain policy alone: with the DROP policy that firewall.sh start
# sets, this cuts off all routed (VPN) traffic until the rules are reloaded.
iptables -t filter -F FORWARD

# Flush every chain of the nat table (this drops the SNAT rule that lets
# VPN clients reach the Internet).
iptables -t nat -F

# Show the filter rules numerically (-n: no DNS / service-name lookups, so
# listing does not hang while the firewall is half-loaded).
iptables -t filter -L -n

# Same for the nat table.
iptables -t nat -L -n

#############################################################

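#!/bin/bash
#
# firewall.sh -- iptables rule loader for a Linux PPTP VPN server.
#
# Usage:  ./firewall.sh {start|stop|restart}     (run as root)
#
# Topology, as printed by the banner below:
#   eth0  202.85.33.44   Internet side
#   eth1  10.15.0.254    internal side; PPTP clients receive 10.15.0.0/24 addresses
#   10.15.55.0/24        internal server segment, reached via 10.15.0.1
#
# Access control is expressed as the ACCEPT_*_HOSTS allow-lists below:
# whitespace-separated IPv4 hosts or CIDRs that start() expands into FORWARD
# rules, one list per application server.  An empty list grants nothing.
#
# NOTE(review): iptables only decides what an authenticated VPN user may
# reach; it does not make PPTP itself safe.  MS-CHAPv2, which PPTP relies on,
# is breakable offline, so treat the VPN pool as an untrusted segment.

printf 'Starting.................\n'
# Explicit format instead of `date | awk '{print $6 ...}'`: the field
# positions only hold in the C locale, so the old form printed garbage
# under any other LANG.
printf 'RunTime = %s\n' "$(date '+%Y %b %-d %T')"
printf '\t\t\n\n'

printf '\033[1;031m \n'
printf '%s\n' "######################################################################" \
              "# pptp server iptables rule 1.0 #" \
              "# E-mail:jdaoyou@sohu.com #" \
              "######################################################################"
printf '\033[m \n\n\n'

printf '\033[1;034m \n'
printf '%s\n' "######################################################################" \
              "# Network Internet Address eth0: 202.85.33.44 #" \
              "# #" \
              "# Internal Network Address eth1: 10.15.0.254 #" \
              "# #" \
              "######################################################################"
printf '\n\033[m \n\n'

# Interfaces and the iptables binary.  start()/stop() read IPTABLES; the
# interface names are for the SNAT and per-host FORWARD rules.
LAN_IFACE="eth1"
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"

# Hosts allowed to reach the OA and ERP servers (10.15.55.17 and 10.15.55.91).
# Fix: the original list had "10.15.51" (a missing octet).  Whether iptables
# accepts that shorthand depends on the version's address parser, so it is
# written out as the intended 10.15.0.51, which the inMAIL list below already
# has.  10.15.0.65 appears twice; the duplicate rule is harmless.
ACCEPT_ERP_OA_HOSTS="10.15.0.91 10.15.0.90 10.15.0.85 10.15.0.67 10.15.0.65 10.15.0.71 10.15.0.3 10.15.0.4 10.15.0.5 10.15.0.6 10.15.0.7 10.15.0.8 10.15.0.9 10.15.0.10 10.15.0.11 10.15.0.12 10.15.0.13 10.15.0.14 10.15.0.15 10.15.0.16 10.15.0.17 10.15.0.18 10.15.0.19 10.15.0.20 10.15.0.21 10.15.0.22 10.15.0.23 10.15.0.24 10.15.0.25 10.15.0.26 10.15.0.27 10.15.0.28 10.15.0.29 10.15.0.30 10.15.0.31 10.15.0.32 10.15.0.33 10.15.0.34 10.15.0.40 10.15.0.41 10.15.0.42 10.15.0.43 10.15.0.44 10.15.0.45 10.15.0.46 10.15.0.47 10.15.0.48 10.15.0.49 10.15.0.50 10.15.0.51 10.15.0.52 10.15.0.55 10.15.0.58 10.15.0.60 10.15.0.61 10.15.0.63 10.15.0.64 10.15.0.65 10.15.0.68 10.15.0.69 10.15.0.70 10.15.0.72 10.15.0.73 10.15.0.74 10.15.0.75 10.15.0.80 10.15.0.82 10.15.0.89 10.15.0.87"

# Hosts allowed to reach only the internal mail server (10.15.55.8).
ACCEPT_inMAIL_HOSTS="10.15.0.91 10.15.0.67 10.15.0.65 10.15.0.71 10.15.0.3 10.15.0.4 10.15.0.5 10.15.0.6 10.15.0.7 10.15.0.8 10.15.0.9 10.15.0.10 10.15.0.11 10.15.0.12 10.15.0.13 10.15.0.14 10.15.0.15 10.15.0.16 10.15.0.17 10.15.0.18 10.15.0.19 10.15.0.20 10.15.0.21 10.15.0.22 10.15.0.23 10.15.0.24 10.15.0.25 10.15.0.26 10.15.0.27 10.15.0.28 10.15.0.29 10.15.0.30 10.15.0.31 10.15.0.32 10.15.0.33 10.15.0.34 10.15.0.40 10.15.0.41 10.15.0.42 10.15.0.43 10.15.0.44 10.15.0.45 10.15.0.46 10.15.0.47 10.15.0.48 10.15.0.49 10.15.0.50 10.15.0.51 10.15.0.52 10.15.0.55 10.15.0.58 10.15.0.60 10.15.0.61 10.15.0.63 10.15.0.64 10.15.0.65 10.15.0.68 10.15.0.69 10.15.0.70 10.15.0.72 10.15.0.73 10.15.0.74 10.15.0.75 10.15.0.80 10.15.0.82 10.15.0.87"

# ERP only (10.15.55.17) and internal web; both empty in this deployment.
ACCEPT_ERP_HOSTS=""
ACCEPT_inWEB_HOSTS=""

# Test application server (10.15.55.30).
ACCEPT_TEST_HOSTS="10.15.0.76 10.15.0.77 10.15.0.78 10.15.0.92"

# CRM server (10.15.55.9); a whole /24 rather than individual hosts.
ACCEPT_CRM_HOSTS="10.15.35.0/24"

# Full access: may be forwarded anywhere, i.e. the whole internal network and,
# through the SNAT rule, the Internet.  Note this list mixes VPN clients with
# 10.15.55.x servers, which is why start() cannot pin it to the ppp+ interface.
# TODO(review): 19.168.34.42 is a public (non-RFC1918) address and the only
# entry outside 10.15.0.0/16 -- almost certainly a typo; confirm the intended
# host before keeping it.
ACCEPT_all_HOSTS="10.15.0.90 10.15.0.81 10.15.0.21 10.15.0.22 10.15.0.31 10.15.0.32 10.15.0.33 10.15.0.35 10.15.0.36 10.15.55.94 10.15.55.24 10.15.55.38 10.15.0.41 19.168.34.42 10.15.0.43 10.15.0.44 10.15.0.53 10.15.0.54 10.15.0.56 10.15.0.57 10.15.0.59 10.15.0.62 10.15.0.66 10.15.0.79 10.15.0.83 10.15.0.88"

# APS system (10.15.55.23).
ACCEPT_APS_HOSTS="10.15.0.39"

########################## Main Options #####################
# ===============================================
# --------Actual NetFilter Stuff Follows---------
# ===============================================

############## Load modules
# Failures are deliberately ignored so that a module that is built in, or
# absent on this kernel, does not abort the rule load.
for mod in ip_tables ip_conntrack iptable_nat \
           ip_conntrack_ftp ip_conntrack_irc \
           ip_conntrack_h323 ip_nat_h323 \
           ip_conntrack_mms ip_nat_mms \
           ip_conntrack_quake3 ip_nat_quake3; do
  modprobe "$mod" >/dev/null 2>&1
done
# Not loaded, as in the original: ip_nat_ftp, ip_nat_irc and the PPTP/GRE
# helpers (ip_conntrack_pptp, ip_nat_pptp, ip_conntrack_proto_gre,
# ip_nat_proto_gre).  This host terminates PPTP itself and admits GRE with a
# plain "-p 47" INPUT rule in start(), so those helpers would only matter if
# PPTP were ever NATed *through* it.

##############################################
# Routing between the VPN clients, eth1 and eth0 is switched on here, at
# load time, for every action -- including `stop`, which then leaves the
# host as an unfiltered router until `start` runs again.
echo 1 >/proc/sys/net/ipv4/ip_forward
# rp_filter stays off, as in the original.  Enabling it would make the kernel
# drop packets whose source address is not routed via the ingress interface,
# which is the main defence against the source-address-only FORWARD rules in
# start() being satisfied by a spoofed source.  Consider turning it on.
#echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter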

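# forward_allow_hosts LABEL "HOST..." DEST...
#   For every host/CIDR in the whitespace-separated HOST list, append one
#   FORWARD rule per DEST that lets the host reach DEST when the traffic comes
#   in on a ppp+ (PPTP client) interface and goes out on the LAN interface.
#   Return traffic is covered by the ESTABLISHED,RELATED rule in start().
#   LABEL only appears in the progress message.  An empty HOST list is a no-op.
forward_allow_hosts() {
  local label=$1 hosts=$2 host dest
  shift 2
  [ -n "$hosts" ] || return 0
  # $hosts is intentionally unquoted: the list is split on whitespace.
  for host in $hosts; do
    for dest in "$@"; do
      $IPTABLES -A FORWARD -i ppp+ -o "${LAN_IFACE:-eth1}" -s "$host" -d "$dest" -j ACCEPT
    done
    printf '\n%s Access to Externel.....ACCEPT %s access [OK]\n' "$host" "$label"
  done
}

# rule_separator -- the dotted divider printed between rule groups.
rule_separator() {
  printf '\033[1;034m \n'
  printf '%s\n' "......................................................................." \
                "......................................................................." \
                "......................................................................."
  printf '\n\033[1;032m \n'
}

# start -- flush filter and nat, set fail-closed policies, then load the
# PPTP server rule set.  Reads IPTABLES, LAN_IFACE, INET_IFACE and the
# ACCEPT_*_HOSTS lists from the preamble.
#
# Rule order: every rule in this set is either ACCEPT or LOG, so the set of
# packets that gets through does not depend on ordering; everything is added
# with -A in a deliberate top-to-bottom order (the original mixed -I and -A,
# which made the final chain hard to read from the script).
start() {
  local dest host
  printf '\n\033[1;032m Flush all chains...... [OK] \033[m\n'

  # Wipe rules, user chains and counters in filter and nat, then fail closed:
  # nothing in, nothing forwarded, anything out.  Existing SSH sessions ride
  # out the gap until the ESTABLISHED rule below is loaded.
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
  $IPTABLES -F -t nat
  $IPTABLES -X -t nat
  $IPTABLES -Z -t nat
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD DROP

  ########################### logrule #########################
  # Audit logging.  These rules were originally inserted at position 1 and
  # logged *every* TCP/UDP packet before any decision, so the "ACCEPT" in the
  # prefix never meant the packet was accepted; the prefixes are kept verbatim
  # so existing log parsing does not break.  Fixes over the original: only
  # NEW connections are logged (one line per flow instead of per packet) and
  # the rate is capped -- an unthrottled LOG lets any remote host fill the
  # syslog disk and burn CPU.  Blank LOG_LIMIT to log without a cap.
  #LOGACCESS="no"
  LOGACCESS="yes"
  LOG_LIMIT="-m limit --limit 10/s --limit-burst 100"
  if [ "$LOGACCESS" = "yes" ]; then
    $IPTABLES -A INPUT -p tcp ! -s 10.15.55.180 -m state --state NEW $LOG_LIMIT -j LOG --log-prefix 'IPTABLES INPUT TCP ACCEPT:'
    #$IPTABLES -A INPUT -p udp ! -s 10.15.55.180 -m state --state NEW $LOG_LIMIT -j LOG --log-prefix 'IPTABLES INPUT UDP ACCEPT:'
    $IPTABLES -A FORWARD -p tcp -s 10.15.0.0/24 -m state --state NEW $LOG_LIMIT -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    $IPTABLES -A FORWARD -p udp -s 10.15.0.0/24 -m state --state NEW $LOG_LIMIT -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
  fi

  ########################### INPUT: traffic to this host #####################
  # Loopback is matched on the interface, not on 127.0.0.0/8 as source or
  # destination, so a packet arriving on eth0 with a forged 127.x source is
  # not let in.
  $IPTABLES -A INPUT -i lo -j ACCEPT
  # Replies to anything this host initiated, plus conntrack-helper children.
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ICMP, rate-limited against floods.
  $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  # PPTP: control channel on tcp/1723 and the GRE tunnel (IP protocol 47).
  $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
  $IPTABLES -A INPUT -p 47 -j ACCEPT
  # Management.  TODO(review): this admits SSH from the whole Internet; add
  # -i "$LAN_IFACE" or -s <admin network> once the admin sources are known.
  $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
  # ident (tcp/113) and udp/1194 were open in the original.  1194 is OpenVPN's
  # default port and nothing else in this script is OpenVPN-related, so
  # presumably another service on this host uses it -- verify, and drop the
  # rule if not.
  $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
  $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
  # Source allow-lists: any protocol, any port, from these addresses.  The
  # two public addresses are not explained in the original; if they are only
  # upstream DNS resolvers, the ESTABLISHED,RELATED rule already admits their
  # replies and these blanket accepts can be removed.
  $IPTABLES -A INPUT -s 202.102.224.68 -j ACCEPT
  $IPTABLES -A INPUT -s 202.96.134.133 -j ACCEPT
  $IPTABLES -A INPUT -s 10.15.55.19 -j ACCEPT

  ########################### NAT #############################################
  # VPN clients going out to the Internet are hidden behind the eth0 address.
  $IPTABLES -t nat -A POSTROUTING -o "${INET_IFACE:-eth0}" -s 10.15.0.0/24 -j SNAT --to 202.85.33.44

  ########################### FORWARD: routed traffic #########################
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -p icmp -j ACCEPT
  # Anything, from anywhere, to the VPN pool network: this opens server
  # segment -> client and client <-> client traffic alike.  The pool is
  # RFC1918 so it is unreachable from eth0 unless something routes it there.
  $IPTABLES -A FORWARD -d 10.15.0.0/24 -j ACCEPT
  ######################## comm rule ###################
  # Servers every VPN client may reach.
  for dest in 10.15.55.13 10.15.55.14 10.15.55.15 10.15.55.16 210.75.1.165; do
    $IPTABLES -A FORWARD -s 10.15.0.0/24 -d "$dest" -j ACCEPT
  done
  # Hosts allowed through regardless of the other endpoint.
  $IPTABLES -A FORWARD -s 10.15.55.229 -j ACCEPT
  $IPTABLES -A FORWARD -d 10.15.55.229 -j ACCEPT
  $IPTABLES -A FORWARD -d 10.15.55.219 -j ACCEPT
  # 10.15.0.22 is also in ACCEPT_all_HOSTS; kept for parity with the original.
  $IPTABLES -A FORWARD -s 10.15.0.22 -j ACCEPT
  # ident to anywhere (the original also had a narrower "-i ppp+" copy of this
  # rule, which this one subsumes), and DNS / tcp+udp 449 to anywhere.
  $IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
  $IPTABLES -A FORWARD -p udp -m multiport --dport 53,449 -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -m multiport --dport 53,449 -j ACCEPT

  rule_separator
  ###################################### accept erp access #######################
  forward_allow_hosts "erp and oa" "$ACCEPT_ERP_OA_HOSTS" 10.15.55.17 10.15.55.91
  rule_separator
  # Fix: the original rule read "-d 10.15.55.17-j ACCEPT" (missing space),
  # which iptables rejects; it went unnoticed only because the list is empty.
  forward_allow_hosts "only erp" "$ACCEPT_ERP_HOSTS" 10.15.55.17
  rule_separator
  ###################################### accept crm access #######################
  forward_allow_hosts "CRM" "$ACCEPT_CRM_HOSTS" 10.15.55.9
  rule_separator
  ###################################### accept test access #######################
  forward_allow_hosts "testapp" "$ACCEPT_TEST_HOSTS" 10.15.55.30
  rule_separator
  ###################################### accept inMAIL access #######################
  forward_allow_hosts "inmail" "$ACCEPT_inMAIL_HOSTS" 10.15.55.8
  rule_separator
  ###################################### accept inWEB access #######################
  # NOTE(review): the original pointed the inWEB list at 10.15.55.8 as well,
  # the same host as inmail.  That looks like a copy-paste slip, but the list
  # is empty and the intended web host is not recorded, so it is left as is.
  forward_allow_hosts "inweb" "$ACCEPT_inWEB_HOSTS" 10.15.55.8
  rule_separator
  ###################################### accept aps access #######################
  forward_allow_hosts "aps" "$ACCEPT_APS_HOSTS" 10.15.55.23
  rule_separator

  ###################################### accept all access #######################
  # Full access: forwarded anywhere.  The match is on source address only,
  # with no ingress interface, because the list mixes VPN clients with
  # 10.15.55.x servers.  That makes it satisfiable by a spoofed source from
  # any interface; rp_filter (left off in the preamble) is the usual guard.
  if [ -n "$ACCEPT_all_HOSTS" ]; then
    for host in $ACCEPT_all_HOSTS; do
      $IPTABLES -A FORWARD -s "$host" -j ACCEPT
      printf '\n%s Access to Externel.....ACCEPT all access [OK]\n' "$host"
    done
  fi
  rule_separator

  # Fall-through logging: a NEW TCP connection that does not start with SYN
  # (the classic stealth-scan / mid-stream probe) gets here only if nothing
  # above accepted it, so what it hits next is the DROP policy.
  if [ "$LOGACCESS" = "yes" ]; then
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW $LOG_LIMIT -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES INPUT DROP:'
    $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW $LOG_LIMIT -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES FORWARD DROP:'
    printf 'LOG illegal access ............................... [OK]\n'
  fi

  printf '\n\033[1;031m \n\n'
  printf '%s\n' "######################################################################" \
                "# #" \
                "# Load PPTP server Access rule Successfull ! #" \
                "# #" \
                "######################################################################"
  printf '\n\033[m \n\n'

  ############################# Type of Service mangle optimizations
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
}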

# stop -- flush every rule, user chain and counter in the filter and nat
# tables and set all three built-in policies to ACCEPT, i.e. switch the
# packet filter off.  Reads IPTABLES from the preamble.
#
# WARNING: the preamble enables net.ipv4.ip_forward at load time and stop()
# does not turn it off, so after `stop` this host routes everything between
# eth0, eth1 and the VPN clients with no filtering and no SNAT.  `restart`
# passes through this state before start() reloads the rules.
stop() {
  local table chain
  for table in filter nat; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
    $IPTABLES -t "$table" -Z
  done
  for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -P "$chain" ACCEPT
  done

  printf '\n\033[1;031m \n\n\n'
  printf '%s\n' "######################################################################" \
                "# #" \
                "# Stop PPTP server Access rule Successfull ! #" \
                "# #" \
                "######################################################################"
  printf '\n\033[m \n\n\n'
}

#########################################################

# Entry point: dispatch on the single action argument.  `restart` is
# stop-then-start, so it briefly passes through the all-ACCEPT state that
# stop() leaves behind.  Anything else prints usage and exits 1.
action=${1:-}
case "$action" in
  start)   start ;;
  stop)    stop ;;
  restart) stop; start ;;
  *)
    echo $"Usage:$0 {start|stop|restart|}"
    exit 1
    ;;
esac
# Propagate the status of whichever action ran.
exit $?