一个简单的firewall的配置
2006-12-02 10:59
176 查看
一个简单的firewall的配置
例 11.8. 一个简单的firewall的配置#!/bin/bash
#Our complete stateful firewall script. This firewall can be customized for
#a laptop, workstation, router or even a server. :)
#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)
UPLINK="eth1"
#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="yes"
#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.
NAT="1.2.3.4"
#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 eth1"
#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public. If you don't want any services enabled, set it to ""
SERVICES="http ftp smtp ssh rsync"
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
#下面一话的意思是如果连接(conntrack)状态是ESTABLISHED,RELATED,就接受
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#enable public access to certain services
for x in ${SERVICES}
do
#如果是状态NEW的话,并且是$x端口,就accept
iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done
#为了模拟没有服务
iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
#explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#disable spoofing on all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
then
#we're a router of some kind, enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$NAT" = "dynamic" ]
then
#dynamic IP address, use masquerading
echo "Enabling masquerading (dynamic ip)..."
iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
elif [ "$NAT" != "" ]
then
#static IP, use SNAT
echo "Enabling SNAT (static ip)..."
iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
fi
fi
elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
#turn off NAT/masquerading, if any
iptables -t nat -F POSTROUTING
fi
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 在eclipse中配置一个简单的spring入门项目
- 一个项目配置多个数据源进行数据操作,简单方便。
- 设计一个简单的空间配置器, JJ::allocator
- 通过配置文件完成一个简单的英汉转换
- Apache Storm 的安装、配置及入门基础(三):一个简单的 topology
- oracle简单stream 一个用户单向复制配置
- 配置和创建一个hibernate简单应用
- 配置一个简单的hibernate应用
- 一个简单的ssm框架maven项目的相关配置文件
- 一个简单的配置文件
- 简单配置一个Discuz!社区网站
- 配置主机间信任的一个简单办法
- 一个简单的RIP配置
- 在My eclipse中配置一个简单的spring入门项目
- 关于Cisco一个简单实验拓扑配置搭建与配置
- 以一个简单的数据库表为例来展示创建全局/局部数据源和连接池的配置与测试
- structs1.x的配置及一个简单的登陆例子
- VS2010配置opencv2.4.8,用MFC创建显示一个图片的简单程序
- MongoDB: 一个简单的配置两个shared的例子
- 一个比较通用简单易用的配置功能