iptables Guide (8): Worked Example 1
Published: 2007-07-04
The rc.firewall script code, i.e. the example from Chapter 7
I.1. rc.firewall script code
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#
# IP address and device connected to the Internet

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
# IP address and device connected to the internal network

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
# Define the IPTABLES variable

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
# Initialization

/sbin/depmod -a

#
# 2.1 Required modules
# Load the required modules

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
# Enable IP forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
# Set the default policies, which handle packets that no rule in the
# corresponding chain has matched

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
# Create the user-defined chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
# Create new chains for TCP, UDP and ICMP respectively

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
# The rules in this chain check whether incoming packets have malformed
# headers or other problems: TCP packets in state NEW that do not have the
# SYN bit set, and TCP packets with SYN/ACK set that are nevertheless
# considered NEW.
# This chain can be used to check for all possible inconsistencies.

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
# Check whether the packet is a SYN packet; if so, it is most likely the
# first packet of a new connection, so accept it.
# If not, check whether the packet belongs to an ESTABLISHED or RELATED
# connection; if so, accept it.
# The last rule DROPs all other packets. No TCP/IP program currently opens
# a TCP connection with anything other than a SYN packet, so we DROP such
# packets; they are generally used for port scanning.

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
# Allow all addresses to access ports 21, 22, 80 and 113, and hand the
# packets to the allowed chain.

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
# Allow access to UDP port 2074, which is used by some real-time multimedia
# applications such as Speak Freely.
# Port 4000 corresponds to the ICQ protocol and is used by ICQ.

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
# Block broadcast packets whose destination port is 135 to 139.
# Block all broadcasts generated by Microsoft Networks on the external network.

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
# Block DHCP queries from the external network.

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
# Send all TCP packets to the bad_tcp_packets chain, whose rules check
# whether an incoming TCP packet is malformed or otherwise unwanted.

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
# Handle traffic for trusted networks: traffic on the LAN-facing interface
# and all traffic from and to loopback.
# The LAN rules are placed near the top of the firewall because our LAN
# generates far more traffic than the Internet connection.
# This makes the rules more efficient, so the firewall matches packets
# with less overhead.

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
# This is a stateful rule: it lets in all packets in state ESTABLISHED or
# RELATED that are destined for the Internet interface.
# All TCP packets arriving on $INET_IFACE are sent to the tcp_packets chain.

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
# Microsoft clients have a bad habit of sending large numbers of multicast
# packets to 224.0.0.0/8.
# We therefore need this rule to block those packets so that they do not
# fill up our logs.

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
# Log at most 3 packets per minute, and set a prefix on every log entry.

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
# The first rule lets through all traffic coming from $LAN_IFACE.
# The second rule lets packets in state ESTABLISHED or RELATED through the
# firewall, i.e. every reply to a connection initiated from our internal
# network can return to the LAN.
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
# Log packets that were not matched by any rule above.

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
# Send all outgoing TCP packets to the bad_tcp_packets chain for checking.

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
# Allow all traffic originating from the firewall's own IP addresses
# ($LO_IP, $LAN_IP or $INET_IP).

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
# Set up network address translation

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
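The LOG rules above tag every logged packet with one of four prefixes. The following is an added example, not part of the original script, that summarizes such kernel log lines per chain and source address; the function names `sample_log` and `summarize_drops` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize packets logged by rc.firewall's LOG rules.
# sample_log emits constructed kernel log lines (not real captures).
sample_log() {
cat <<'EOF'
Jul  4 10:00:01 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.7 DST=194.236.50.155 LEN=60 PROTO=TCP SPT=40000 DPT=23 SYN
Jul  4 10:00:02 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.7 DST=194.236.50.155 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
Jul  4 10:00:05 fw kernel: New not syn:IN=eth0 OUT= SRC=198.51.100.9 DST=194.236.50.155 LEN=40 PROTO=TCP SPT=80 DPT=51000 ACK
Jul  4 10:00:09 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.10 LEN=60 PROTO=UDP SPT=5000 DPT=137
Jul  4 10:00:12 fw kernel: unrelated kernel message
EOF
}

# summarize_drops: read syslog text on stdin and print one line per
# (chain, source) pair as "hits distinct_dports chain src", busiest first.
# The "New not syn:" prefix has no trailing space in the script, so it is
# glued to "IN=" in the log; matching on the prefix text handles both forms.
summarize_drops() {
    awk '
    {
        chain = ""
        if (index($0, "New not syn:"))                    chain = "new-not-syn"
        else if (index($0, "IPT INPUT packet died: "))    chain = "input"
        else if (index($0, "IPT FORWARD packet died: "))  chain = "forward"
        else if (index($0, "IPT OUTPUT packet died: "))   chain = "output"
        if (chain == "") next            # not produced by this firewall

        src = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        key = chain " " src
        hits[key]++
        if (!((key, dpt) in seen)) { seen[key, dpt] = 1; ports[key]++ }
    }
    END { for (k in hits) print hits[k], ports[k], k }
    ' | sort -k1,1nr -k3
}

sample_log | summarize_drops
```

Because the three "packet died" rules are limited to 3 per minute, their counts are a lower bound on what was actually dropped; the "New not syn:" rule has no limit.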
Original source: http://www.ltesting.net