A very good iptables help guide, worth studying and bookmarking.

Reposted from http://iptables-tutorial.frozentux.net/cn/iptables-tutorial-cn-1.1.19.html

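Appendix B. Common problems and questions

B.1. Problems loading modules

You may run into a few problems when loading modules. For example, you may get an error saying that no module with the name you specified exists:

insmod: iptable_filter: no module by that name found

This message is nothing to worry about yet, because the module in question has quite possibly been compiled statically into the kernel. That is the first thing you should think of when you see it. The simplest way to check whether that is really the case is to run a command that uses the module's functionality. In the case above, the filter table may not have been loaded, in which case its functionality is missing and the filter table cannot be used. To check whether the filter table is there, try the following command: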

iptables -t filter -L
   

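This command either prints all the chains in the filter table or fails with an error message. If everything is fine, the output looks something like the following, depending on whether you have already added rules to the filter table (translator's note: in this example the table is empty).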

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
    

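If you really do not have the filter table loaded, you get the following message instead:

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This problem is somewhat more serious. The message tells us two things: first, the functionality really has not been compiled into the kernel; second, the module could not be found in the directories where modules normally live. That means you have either forgotten to load the module you want to use, not run depmod -a to update the module database, or not compiled the functionality into the kernel at all (neither statically nor as a module). There may of course be other causes, but these are the main ones, and most of them are easy to fix. The first problem can be solved simply by running make modules_install in the kernel source directory, provided the source has already been compiled and the modules have been built. The second is just as easy: run depmod -a and then see whether things work. The third is somewhat beyond our scope here and will more or less leave you scratching your head. More information can be found at the Linux Documentation Project.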

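When running iptables you may also get another error message:

iptables: No chain/target/match by that name

This means that the chain, target or match you are trying to use does not exist. There can be many reasons, but the most common one is that you misspelled the name. The error also appears when you try to use a module that is not available, either because you did not load the right module, because the kernel does not include it, or because iptables failed to load it automatically. In general, you should consider not only all the solutions mentioned above but also a misspelled target in the rule, or other causes.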
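One way to tell in advance which of the cases above applies, as an added example that is not part of the original tutorial: it reads a kernel build configuration and reports, for each module in rc.firewall's "Required modules" list, whether it is built in, a loadable module, or absent. The function names and the sample configuration are constructed for this example; the CONFIG_IP_NF_* names are the 2.4-series kernel options for these modules.

```shell
#!/bin/sh
# Added example: predict which module-loading errors are harmless.

# Constructed sample of a 2.4-series kernel .config (not from a real machine).
sample_kernel_config() {
cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_MANGLE=m
EOF
}

# Map a module from the "Required modules" list to the option that builds it.
module_to_option() {
    case "$1" in
        ip_tables)      echo CONFIG_IP_NF_IPTABLES ;;
        ip_conntrack)   echo CONFIG_IP_NF_CONNTRACK ;;
        iptable_filter) echo CONFIG_IP_NF_FILTER ;;
        iptable_mangle) echo CONFIG_IP_NF_MANGLE ;;
        iptable_nat)    echo CONFIG_IP_NF_NAT ;;
        ipt_LOG)        echo CONFIG_IP_NF_TARGET_LOG ;;
        ipt_limit)      echo CONFIG_IP_NF_MATCH_LIMIT ;;
        ipt_state)      echo CONFIG_IP_NF_MATCH_STATE ;;
        *)              return 1 ;;
    esac
}

# module_status MODULE   (kernel configuration text on stdin)
# Prints: builtin | module | missing | unknown
module_status() {
    opt=$(module_to_option "$1") || { echo unknown; return 0; }
    # "=y" is static, "=m" is a loadable module; "is not set" matches neither.
    val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" | tail -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;
    esac
}

# report_modules   (kernel configuration text on stdin)
# One line per required module, with what a failed insmod/modprobe would mean.
report_modules() {
    cfg=$(cat)
    for m in ip_tables ip_conntrack iptable_filter iptable_mangle \
             iptable_nat ipt_LOG ipt_limit ipt_state; do
        s=$(printf '%s\n' "$cfg" | module_status "$m")
        case "$s" in
            builtin) hint="static in kernel: 'no module by that name' is harmless" ;;
            module)  hint="loadable: run depmod -a, then modprobe $m" ;;
            *)       hint="not built: the table or match will not exist" ;;
        esac
        printf '%-15s %-8s %s\n' "$m" "$s" "$hint"
    done
}

sample_kernel_config | report_modules
```

On a real system the configuration would come from wherever the distribution keeps it, for example /boot/config-$(uname -r), instead of the constructed sample.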


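B.2. State NEW packets with no SYN bit set

iptables has a "feature" that is not well documented and is therefore overlooked by many people (myself included). If you use state NEW, packets without the SYN bit set will also get through the firewall. The feature exists because in some cases we want to treat such packets as part of a connection that is already ESTABLISHED on, for example, another firewall. It makes it possible to have two or more firewalls working together and to pass data between servers without loss, for example letting a secondary firewall take over the operation of the subnet's firewall. But it also means that state NEW will admit almost any TCP connection, whether or not a 3-way handshake has taken place. To deal with this, we add the following rules to the firewall's INPUT, OUTPUT and FORWARD chains (translator's note: the author calls these the "NEW not SYN rules"; they come up again in the next section):

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"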
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    

Caution

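Warning: within the Netfilter/iptables project the behaviour behind this feature is poorly documented. To put it more plainly, it is a serious security weakness on your firewall.

Note that this rule still has some problems with packets generated by Microsoft's TCP/IP (Microsoft's TCP/IP implementation is simply not up to it, at least not for now). If a packet is generated by a Microsoft product and is labelled as state NEW, it is logged and dropped by this rule. The rule looks as if it is working fine, and yet this is exactly where the problem lies, because the connection cannot be torn down. The problem occurs when the connection is closed: after the last packet, the FIN/ACK, has been sent, Netfilter's state machine closes the connection and deletes the corresponding entry from the connection tracking table. At that point Microsoft's faulty code sends another packet, which does not have SYN set and is considered to be in state NEW, so it is matched by the rule above. In other words, do not worry too much about this rule; if you do care about it, add the --log-headers option to the rule. That way you can log the packet headers and get a better look at the packets involved.

There are further known problems with this rule. Suppose a connection (from the LAN, say) is already established to the firewall, and you have a script that is activated when PPP starts. When you bring up the PPP connection, the connection just mentioned may be killed. This only happens under specific circumstances: when you run conntrack and nat as modules, and both modules are loaded and unloaded every time the script runs. Running telnet from a machine outside the firewall and then running the rc.firewall.txt script over that telnet connection leads to the same problem. To put it simply: set up a telnet connection or some other stream connection, then load the connection tracking modules, then load the rules above, and finally try to send some data with the telnet client or daemon. The effect should show at once: the connection tracking code considers the connection illegal, because it has not seen packets in either direction before this point, and, worse, there are now packets without SYN set on the connection, since the packet just sent by the telnet client or daemon is certainly not the first packet of the connection. The rule above therefore kicks in: the packet is logged and then mercilessly dropped, and the connection breaks.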
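A way to triage what the LOG rule above writes, as an added example that is not part of the original tutorial: it groups "New not syn:" kernel log lines by source address and TCP flag combination, so that trailing close-down packets can be told apart from mid-stream packets of connections that conntrack never saw. The class names, the mapping of flag combinations to classes, and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: summarise what the "New not syn:" LOG rule has written.

# Constructed sample kernel log lines (not captured from a real host).
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=4242 DF PROTO=TCP SPT=1042 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 12 03:14:09 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=4243 DF PROTO=TCP SPT=1042 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 12 03:15:30 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=4250 DF PROTO=TCP SPT=1043 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 12 03:20:11 fw kernel: New not syn:IN=eth1 OUT= MAC=00:00:5e:00:53:03:00:00:5e:00:53:04:08:00 SRC=192.168.0.23 DST=192.168.0.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=911 DF PROTO=TCP SPT=1033 DPT=23 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jan 12 03:21:45 fw kernel: New not syn:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:05:08:00 SRC=203.0.113.9 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=7 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
Jan 12 03:22:02 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:05:08:00 SRC=203.0.113.9 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=8 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# triage_new_not_syn   (kernel log on stdin)
# Output, one line per group: SRC CLASS FLAGS COUNT
#   teardown  - ACK together with FIN or RST (packets at the end of a connection)
#   midstream - ACK without FIN or RST (data on a connection conntrack has no
#               entry for, as after the modules were reloaded)
#   other     - any combination without ACK; look at these first
triage_new_not_syn() {
    awk '
    index($0, "New not syn:") == 0 { next }    # lines from other LOG rules
    {
        src = ""; flags = ""; in_flags = 0
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)  src = substr($i, 5)
            else if ($i ~ /^RES=/)  in_flags = 1    # flag names follow RES=
            else if ($i ~ /^URGP=/) in_flags = 0    # and stop before URGP=
            else if (in_flags)      flags = (flags == "" ? $i : flags "," $i)
        }
        if (src == "") next
        padded  = "," flags ","
        ack     = index(padded, ",ACK,") > 0
        closing = index(padded, ",FIN,") > 0 || index(padded, ",RST,") > 0
        if (ack && closing) class = "teardown"
        else if (ack)       class = "midstream"
        else                class = "other"
        count[src " " class " " (flags == "" ? "NONE" : flags)]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

sample_log | triage_new_not_syn
```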


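B.3. SYN/ACK packets in state NEW

Certain TCP spoofing attacks use a technique called Sequence Number Prediction. In this kind of attack, the attacker uses another machine's IP address to reach the target (translator's note: this is why it is called spoofing; the attacker impersonates a machine the target trusts in order to deceive it) and then tries to predict the sequence numbers the target uses.

Let us look at how a typical spoof using sequence number prediction works. The players: the attacker [A] tries to send data to the victim [V] while pretending to be another machine [O] (other host).

  1. [A] sends a SYN to [V] with [O]'s IP address as the source.

  2. [V] replies to [O] with a SYN/ACK.

  3. Now, if [O] answers this unknown SYN/ACK with an RST, the attack fails. But what if [O] is no longer able to do that? It may already have been knocked out by another attack (such as a SYN flood), it may be switched off, or its RST packets may be rejected by a firewall.

  4. If [O] did not break the connection and [A] guessed the sequence numbers correctly, [A] can talk to [V] as [O].

As long as we fail to answer the unknown SYN/ACK with an RST in step 3, [V] will be attacked and we will be implicated as well (translator's note: because we have been attacked ourselves and may even be prosecuted as the attacker's scapegoat; how miserable). To be safe, we should therefore send an RST to [V] in the proper way. If we use rules like the "NEW not SYN rules" (translator's note: from the previous section), the SYN/ACK packets are simply dropped. That is why we added the following rule to the bad_tcp_packets chain:

iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

With this rule, the chance of you becoming the [O] above is small (translator's note: the author has a sense of humour; none of us wants to be used by someone else). The rule is safe in the vast majority of cases and has no side effects, except when several firewalls have to work together. In that situation the firewalls frequently hand packets or streams over to each other, and with this rule in place some connections may be blocked even though they are legitimate. The rule also causes one more problem: a few portscans (port scanners) will be able to see our firewall, but fortunately that is all.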
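Why the SYN/ACK rule has to come before the "NEW not SYN" rules in bad_tcp_packets, as an added example that is not part of the original tutorial: it models the --tcp-flags and --syn matches and walks a packet through the three rules in the script's order and in the reverse order. The conntrack state is taken as an input rather than computed, and the function names and the drop-first argument are constructed for this example.

```shell
#!/bin/sh
# Added example: a model of the bad_tcp_packets chain, not the tutorial's code.

# has_flag FLAG LIST: true when FLAG occurs in the comma-separated LIST.
has_flag() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tcp_flags_match MASK COMP FLAGS: semantics of "--tcp-flags MASK COMP".
# Only flags named in MASK are examined; of those, the ones listed in COMP
# must be set in FLAGS and all the others must be clear.
tcp_flags_match() {
    _rest="$1,"
    while [ -n "$_rest" ]; do
        _f=${_rest%%,*}
        _rest=${_rest#*,}
        if has_flag "$_f" "$2"; then
            if ! has_flag "$_f" "$3"; then return 1; fi
        else
            if has_flag "$_f" "$3"; then return 1; fi
        fi
    done
    return 0
}

# is_syn FLAGS: the --syn match, which the iptables-extensions man page
# defines as "--tcp-flags SYN,RST,ACK,FIN SYN".
is_syn() {
    tcp_flags_match SYN,RST,ACK,FIN SYN "$1"
}

# bad_tcp_verdict STATE FLAGS [drop-first]
# STATE is the conntrack state the packet was given (an input here).
# Prints what the chain does: "REJECT tcp-reset", "LOG+DROP" or "RETURN".
# With drop-first the "NEW not SYN" rules are evaluated before the SYN/ACK rule.
bad_tcp_verdict() {
    [ "$1" = NEW ] || { echo RETURN; return 0; }   # all three rules need NEW
    synack=no; notsyn=no
    if tcp_flags_match SYN,ACK SYN,ACK "$2"; then synack=yes; fi
    if ! is_syn "$2"; then notsyn=yes; fi
    if [ "${3:-reject-first}" = drop-first ]; then
        if [ "$notsyn" = yes ]; then echo "LOG+DROP"; return 0; fi
        if [ "$synack" = yes ]; then echo "REJECT tcp-reset"; return 0; fi
    else
        if [ "$synack" = yes ]; then echo "REJECT tcp-reset"; return 0; fi
        if [ "$notsyn" = yes ]; then echo "LOG+DROP"; return 0; fi
    fi
    echo RETURN
}

# show STATE FLAGS: print both orderings side by side.
show() {
    printf '%-12s %-8s script order: %-17s drop-first: %s\n' "$1" "$2" \
        "$(bad_tcp_verdict "$1" "$2")" "$(bad_tcp_verdict "$1" "$2" drop-first)"
}

show NEW SYN               # ordinary connection attempt: not touched
show NEW SYN,ACK           # step 2 of the exchange above, arriving at [O]
show NEW ACK               # caught by the "NEW not SYN" rules
show ESTABLISHED SYN,ACK   # reply to our own SYN: not touched
```

In the reverse order the unexpected SYN/ACK is dropped silently and no RST reaches [V], which is the situation step 3 describes.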


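B.4. ISPs that use private IP addresses

I added this section after a friend told me about something I had completely forgotten. The network you are first connected to when you go online is provided by your ISP, but certain stupid ISPs use private addresses on that network, addresses that IANA has set aside specifically for local networks. The Swedish Internet Service Provider and phone monopoly Telia does this; on its DNS servers, for example, it uses addresses in the 10.x.x.x range. The problem we are most likely to run into is that this script, in order to prevent spoofing, does not allow connections from 10.x.x.x to reach us. Unfortunately, in the example above we have to loosen the rules somewhat so that the DNS servers can be reached normally. That is, we either add a rule (below) above the anti-spoofing rule just mentioned, or comment that rule out:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to say a bit more to these ISPs. These IP addresses were not allocated for you to use in such a stupid way, at least not as far as I know. For a large corporate site or our own home networks this use is perfectly appropriate, but you cannot force us to open ourselves up to the world just for reasons of your own.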


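B.5. Letting DHCP traffic through

Once you know how DHCP works, this is a fairly simple task. You must, however, be careful about exactly whom you let in and whom you do not. First, DHCP runs over UDP, so UDP is the first thing to match. Second, we should check which interface the requests are received and sent on. For example, if DHCP is configured to use interface eth0, DHCP requests on eth1 should be blocked. To make the rule more specific, we open only the UDP ports DHCP actually uses, normally 67 and 68. These two ports are defined by the standard, and we use them to match the packets we allow. The rule now looks like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that we now accept any data coming from and going to UDP ports 67 and 68. This may not look very safe, but it is not much of a problem, because the rule only lets in hosts that connect from port 67 or 68. The rule could of course be made stricter, but it should be enough to accept all DHCP requests and updates without opening a large hole in the firewall. If you are concerned that the rule is too loose, you are of course free to write a more restrictive one.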


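B.6. mIRC DCC problems

mIRC has a special setting that lets mIRC connections pass through a firewall and lets DCC connections work without the firewall knowing anything about them. If this option is used together with iptables and the ip_conntrack_irc and ip_nat_irc modules, mIRC stops working. The problem is that mIRC automatically NATs the packets itself, so that when a packet reaches the firewall, the firewall has no idea what to do with it or how. When the firewall handles this itself, it simply queries the IRC server for its own IP address and then sends the DCC request with that address. mIRC does not expect the firewall to be clever enough to handle the packet on its behalf in this way.

Turning on the "I am behind a firewall" option while using the ip_conntrack_irc and ip_nat_irc modules causes Netfilter to create log entries containing "Forged DCC send packet".

The simplest solution is to leave that mIRC option unchecked and let iptables do the work. In other words, tell mIRC explicitly that it is not behind a firewall.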


Appendix C. ICMP types

This is a complete list of ICMP types:

Table C-1. ICMP types

TYPE  CODE  Description                                             Query  Error
0     0     Echo Reply (ping reply)                                 x
3     0     Network Unreachable                                            x
3     1     Host Unreachable                                               x
3     2     Protocol Unreachable                                           x
3     3     Port Unreachable                                               x
3     4     Fragmentation needed but no frag. bit set                      x
3     5     Source routing failed                                          x
3     6     Destination network unknown                                    x
3     7     Destination host unknown                                       x
3     8     Source host isolated (obsolete)                                x
3     9     Destination network administratively prohibited                x
3     10    Destination host administratively prohibited                   x
3     11    Network unreachable for TOS                                    x
3     12    Host unreachable for TOS                                       x
3     13    Communication administratively prohibited by filtering         x
3     14    Host precedence violation                                      x
3     15    Precedence cutoff in effect                                    x
4     0     Source quench (basic flow control)
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request (ping request)                             x
9     0     Router advertisement
10    0     Route solicitation
11    0     TTL equals 0 during transit                                    x
11    1     TTL equals 0 during reassembly                                 x
12    0     IP header bad (catchall error)                                 x
12    1     Required options missing                                       x
13    0     Timestamp request (obsolete)                            x
14          Timestamp reply (obsolete)                              x
15    0     Information request (obsolete)                          x
16    0     Information reply (obsolete)                            x
17    0     Address mask request                                    x
18    0     Address mask reply                                      x

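Appendix D. Other resources and links

Here are links to some resources from which I obtained a lot of information; I believe they will be helpful to you too:

  • ip-sysctl.txt: from kernel 2.4.14, a short and concise reference on the IP networking control parameters.

  • The Internet Control Message Protocol: a good, detailed article on the ICMP protocol, written by Ralph Walden.

  • RFC 792 - Internet Control Message Protocol: the authoritative document on ICMP. If you are looking for information about the ICMP protocol, this is the first place you should think of. Author: J. Postel.

  • RFC 793 - Transmission Control Protocol: the authoritative document on TCP, which has been the TCP specification since 1981. Anyone who wants to learn TCP should read this highly technical document. Author: J. Postel.

  • ip_dynaddr.txt: from kernel 2.4.14, a reference on configuring ip_dynaddr through sysctl and the proc file system.

  • iptables.8: the iptables 1.2.4 man page, in an HTML version. It is an excellent reference when reading and writing iptables rules, and you should keep it at hand.

  • Firewall rules table: a small PDF document provided by Stuart Clark, containing a reference form for firewall configuration. It is very helpful when writing your own firewall rules.

  • http://www.netfilter.org/: the official Netfilter and iptables site, a must for everyone who intends to set up iptables and Netfilter on Linux.

  • http://www.netfilter.org/documentation/index.html#FAQ: the official Netfilter Frequently Asked Questions, a good place to start learning about iptables and Netfilter.

  • http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html: a very good basic guide to packet filtering that explains how to filter packets with iptables. Written by Rusty Russell, one of the core developers of iptables and Netfilter.

  • http://www.netfilter.org/unreliable-guides/NAT-HOWTO/index.html: a very good guide to Network Address Translation. Written by Rusty Russell, one of the core developers of iptables and Netfilter.

  • http://www.netfilter.org/unreliable-guides/netfilter-hacking-HOWTO/index.html: one of the very few documents on how to write code in the user space and kernel space of Netfilter and iptables. Again written by Rusty Russell.

  • http://www.linuxguruz.org/iptables/: an excellent page of resource links covering most of the iptables links on the Internet. In particular, it links to many iptables scripts written for different purposes.

  • http://www.islandsoft.net/veerapen.html: this article discusses the possibility of automatic hardening with iptables, and how a few small changes can make your computer automatically add hostile sites to a special iptables "ban list".

  • /etc/protocols: this file was taken from the Slackware distribution. You can use it to look up the protocol number that corresponds to a protocol such as IP, ICMP or TCP.

  • /etc/services: this file was also taken from the Slackware distribution. It is well worth reading to get a rough idea of which protocols use which ports.

  • Internet Engineering Task Force: the IETF is one of the largest organizations that set and maintain Internet standards. Many large corporate groups and individuals are members, working together to ensure the interoperability of the Internet.

  • Linux Advanced Routing and Traffic Control HOW-TO: this site mainly discusses Linux advanced routing and traffic control. The HOW-TO is the largest and best document on Linux advanced routing. Written by Bert Hubert.

  • Paksecured Linux Kernel patches: this site contains all the kernel patches written by Matthew G. Marsh. The FTOS patch is there.

  • ULOGD project page: the ULOGD site.

  • The Linux Documentation Project: an excellent (arguably the best) site for Linux documentation. Most of the larger Linux documents are here; if something is not in TLDP, you will have to search the net carefully. Go and have a look if you want to learn more.

  • http://kalamazoolinux.org/presentations/20010417/conntrack.html: this article contains an outstanding example showing the conntrack module and how it works within Netfilter. If you want to read more about conntrack, this one is a must.

  • http://www.docum.org/: this site contains all kinds of material about CBQ (Class Based Queue) and the tc and ip commands, and is one of the very few such sites. It is maintained by Stef Coene.

  • http://lists.samba.org/mailman/listinfo/netfilter: the official Netfilter mailing list, which is very useful. If you run into a problem that neither this document nor the links here can solve, it is your saviour.

There are of course more resources than the ones listed above, such as the iptables source code and documentation, and many friends who can help you.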


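Appendix E. Acknowledgments

Many people gave me generous help while I was writing this document, and I would like to thank them:

  • Fabrice Marie, for a great many corrections to my terrible grammar and spelling, and for converting this guide to DocBook with make files and other tools.

  • Marc Boucher, for a lot of help with the use of the state matching code.

  • Frode E. Nyboe, for greatly improving the rc.firewall rules and for giving me a lot of inspiration when I rewrote the ruleset and introduced the multiple table traversing into the same file.

  • Chapman Brad and Alexander W. Janssen. At first I misunderstood how packets traverse the nat and filter tables; they made me realise this and gave me the correct order.

  • Michiel Brandenburg and Myles Uyema, for helping me sort out some of the state matching code and get it working.

  • Kent `Artech' Stahre, for helping me with the graphics and with error checking.

  • Anders 'DeZENT' Johansson, for pointing out to me that some weird ISPs use reserved addresses on the Internet, at least in his case.

  • Jeremy `Spliffy' Smith, for pointing out parts that could confuse people, and for helping me with testing and error checking.

There are many more people I have talked to and asked for advice; I cannot mention them all here.

Appendix I. Code of the example scripts

I.1. Example rc.firewall script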

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset 
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines 
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will 
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

    


I.2. Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.1"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP -j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

    


I.3. Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

    


I.4. rc.DHCP.firewall script code

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# address for the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not
# getting through while small mail get through properly etc, you may set
# this option to "yes" which may fix the problem. This option will set a
# rule in the PREROUTING chain of the mangle table which will clamp
# (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67  --dport 68 -j ACCEPT
fi

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly 
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log w
