A simple firewall configuration
2006-12-02 10:59
Example 11.8. A simple firewall configuration

```bash
#!/bin/bash
#Our complete stateful firewall script. This firewall can be customized for
#a laptop, workstation, router or even a server. :)

#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)
UPLINK="eth1"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"
ROUTER="yes"

#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.
NAT="1.2.3.4"

#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 eth1"

#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public. If you don't want any services enabled, set it to ""
SERVICES="http ftp smtp ssh rsync"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    iptables -P INPUT DROP
    #accept everything that does not arrive on the uplink (the "!" goes before
    #"-i"; the older "-i !" spelling is deprecated in current iptables)
    iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
    #the next line accepts any packet whose connection-tracking (conntrack)
    #state is ESTABLISHED or RELATED
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #enable public access to certain services
    for x in ${SERVICES}
    do
        #if the state is NEW and the destination port is $x, accept it
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done

    #for everything else on the uplink, answer as if no service were listening
    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

    #explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    #disable spoofing on all interfaces
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done

    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT with the address stored in NAT (the script as
            #posted referenced an undefined ${UPIP} here)
            echo "Enabling SNAT (static ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi
```
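Because the script above changes the INPUT policy to DROP before it adds any ACCEPT rule, a typo in SERVICES or in the NAT setting only shows up once you are already locked out of the box. The following is an added example (not part of the original post and not the script's own code) that renders the same rule set as text, so the result of a given UPLINK/ROUTER/NAT/SERVICES combination can be reviewed, diffed against the running `iptables -S` output, or unit-tested without root. The function names `render_rules`, `count_rules` and `nat_rule`, and the sample settings passed to them, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: dry-run renderer for the stateful firewall script.
# It prints the iptables commands the script would execute instead of
# running them, which lets the rule order and the NAT branch be checked
# offline. Function and parameter names are assumptions for this example.

# render_rules MODE UPLINK ROUTER NAT SERVICES
#   MODE      "start" or "stop", as in the original script's $1
#   UPLINK    name of the Internet-facing interface
#   ROUTER    "yes" to enable forwarding and NAT, anything else otherwise
#   NAT       static IP for SNAT, "dynamic" for MASQUERADE, "" for no NAT
#   SERVICES  space-separated list of TCP ports or /etc/services names
# Prints one iptables command per line, in the order the script would run them.
render_rules() {
    mode=$1; uplink=$2; router=$3; nat=$4; services=$5
    case "$mode" in
    start)
        # default-deny first, then the explicit allows
        echo "iptables -P INPUT DROP"
        echo "iptables -A INPUT ! -i $uplink -j ACCEPT"
        echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
        for x in $services
        do
            echo "iptables -A INPUT -p tcp --dport $x -m state --state NEW -j ACCEPT"
        done
        # everything else on the uplink is rejected as if nothing were listening
        echo "iptables -A INPUT -p tcp -i $uplink -j REJECT --reject-with tcp-reset"
        echo "iptables -A INPUT -p udp -i $uplink -j REJECT --reject-with icmp-port-unreachable"
        # NAT is only set up on a router, and only when NAT is non-empty
        if [ "$router" = "yes" ]
        then
            if [ "$nat" = "dynamic" ]
            then
                echo "iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE"
            elif [ -n "$nat" ]
            then
                echo "iptables -t nat -A POSTROUTING -o $uplink -j SNAT --to $nat"
            fi
        fi
        ;;
    stop)
        echo "iptables -F INPUT"
        echo "iptables -P INPUT ACCEPT"
        echo "iptables -t nat -F POSTROUTING"
        ;;
    esac
}

# count_rules ARGS...  -> number of commands render_rules would emit
count_rules() {
    render_rules "$@" | wc -l | tr -d ' '
}

# nat_rule ARGS...  -> the POSTROUTING command, or "none" if no NAT is set up
nat_rule() {
    out=$(render_rules "$@" | grep POSTROUTING || true)
    if [ -n "$out" ]
    then
        echo "$out"
    else
        echo "none"
    fi
}

# Usage: render the rule set for a static-IP router offering web and ssh
#   render_rules start eth1 yes 1.2.3.4 "http ssh"
```

Running `render_rules start ...` and comparing the output with what the host actually holds (`iptables -S INPUT` and `iptables -t nat -S POSTROUTING`) is a cheap way to confirm the script did what its variables say, and running it with `ROUTER="no"` shows at a glance that no SNAT rule is emitted regardless of what NAT contains.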