保护和优化 Linux：红帽版 - 实战指南
上一页	第12章. 网络防火墙 - 地址伪装和转发	下一页

12.3. 配置 Example 网关服务器的脚本

这是我们网关服务器的配置文件。此配置允许环回接口、ICMP、DNS 服务器和客户端 (53)、SSH 服务器和客户端 (22)、HTTP 服务器和客户端 (80)、HTTPS 服务器和客户端 (443)、POP 客户端 (110)、NNTP 新闻客户端 (119)、SMTP 服务器和客户端 (25)、IMAP 服务器 (143)、IRC 客户端 (6667)、ICQ 客户端 (4000)、FTP 客户端 (20, 21)、RealAudio / QuickTime 客户端，以及默认情况下传出的 TRACEROUTE 请求的无限流量。

如果您不希望我默认启用的网关服务器的防火墙规则文件中列出的某些服务，请在行首使用“#”注释掉它们。如果您需要我用“#”注释掉的其他一些服务，请删除这些行开头的“#”。如果您已经在服务器上配置了地址伪装，请不要忘记取消注释地址伪装各自所需服务的模块，例如ip_masq_irc.o, ip_masq_raudio.o, 等等，防火墙脚本文件的 MODULES MASQUERADING 部分下。

创建防火墙脚本文件 touch/etc/rc.d/init.d/firewall，在您的网关服务器上并添加
#!/bin/sh # # ---------------------------------------------------------------------------- # Last modified by Gerhard Mourani: 04-25-2000 # ---------------------------------------------------------------------------- # Copyright (C) 1997, 1998, 1999 Robert L. Ziegler # # Permission to use, copy, modify, and distribute this software and its # documentation for educational, research, private and non-profit purposes, # without fee, and without a written agreement is hereby granted. # This software is provided as an example and basis for individual firewall # development. This software is provided without warranty. # # Any material furnished by Robert L. Ziegler is furnished on an # "as is" basis. He makes no warranties of any kind, either expressed # or implied as to any matter including, but not limited to, warranty # of fitness for a particular purpose, exclusivity or results obtained # from use of the material. # ---------------------------------------------------------------------------- # # Invoked from /etc/rc.d/init.d/firewall. # chkconfig: - 60 95 # description: Starts and stops the IPCHAINS Firewall \ # used to provide Firewall network services. # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. if [ ${NETWORKING} = "no" ] then exit 0 fi if [ ! -x /sbin/ipchains ]; then exit 0 fi # See how we were called. case "$1" in start) echo -n "Starting Firewalling Services: " # Some definitions for easy maintenance. # ---------------------------------------------------------------------------- # EDIT THESE TO SUIT YOUR SYSTEM AND ISP. EXTERNAL_INTERFACE="eth0" # Internet connected interface LOCAL_INTERFACE_1="eth1" # Internal LAN interface LOOPBACK_INTERFACE="lo" # Your local naming convention IPADDR="my.ip.address" # Your IP address LOCALNET_1="192.168.1.0/24" # Whatever private range you use IPSECSG="my.ipsecsg.address" # Space separated list of remote VPN gateways FREESWANVI="ipsec0" # Space separated list of virtual interfaces ANYWHERE="any/0" # Match any IP address NAMESERVER_1="my.name.server.1" # Everyone must have at least one NAMESERVER_2="my.name.server.2" # Your secondary name server MY_ISP="my.isp.address.range/24" # ISP & NOC address range SMTP_SERVER="my.smtp.server" # Your Mail Hub Server. POP_SERVER="my.pop.server" # External pop server, if any NEWS_SERVER="my.news.server" # External news server, if any SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server LOOPBACK="127.0.0.0/8" # Reserved loopback address range CLASS_A="10.0.0.0/8" # Class A private networks CLASS_B="172.16.0.0/12" # Class B private networks CLASS_C="192.168.0.0/16" # Class C private networks CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses BROADCAST_SRC="0.0.0.0" # Broadcast source address BROADCAST_DEST="255.255.255.255" # Broadcast destination address PRIVPORTS="0:1023" # Well known, privileged port range UNPRIVPORTS="1024:65535" # Unprivileged port range # ---------------------------------------------------------------------------- # SSH starts at 1023 and works down to 513 for # each additional simultaneous incoming connection. SSH_PORTS="1022:1023" # range for SSH privileged ports # traceroute usually uses -S 32769:65535 -D 33434:33523 TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" # ---------------------------------------------------------------------------- # Default policy is DENY # Explicitly accept desired INCOMING & OUTGOING connections # Remove all existing rules belonging to this filter ipchains -F # Clearing all current rules and user defined chains ipchains -X # Set the default policy of the filter to deny. # Don't even bother sending an error message back. ipchains -P input DENY ipchains -P output DENY ipchains -P forward DENY # set masquerade timeout to 10 hours for tcp connections ipchains -M -S 36000 0 0 # Don't forward fragments. Assemble before forwarding. ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY # ---------------------------------------------------------------------------- # MODULES MASQUERADING # Uncomment bellow all modules lines that you need # These modules are necessary to masquerade their respective services. /sbin/modprobe ip_masq_ftp /sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971 /sbin/modprobe ip_masq_irc #/sbin/modprobe ip_masq_vdolive #/sbin/modprobe ip_masq_cuseeme #/sbin/modprobe ip_masq_quake # ---------------------------------------------------------------------------- # LOOPBACK # Unlimited traffic on the loopback interface. ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT # ---------------------------------------------------------------------------- # Network Ghouls # Deny access to jerks # /etc/rc.d/rc.firewall.blocked contains a list of # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY # rules to block from any access. # Refuse any connection from problem sites #if [ -f /etc/rc.d/rc.firewall.blocked ]; then # . /etc/rc.d/rc.firewall.blocked #fi # ---------------------------------------------------------------------------- # SPOOFING & BAD ADDRESSES # Refuse spoofed packets. # Ignore blatantly illegal source addresses. # Protect yourself from sending to bad addresses. # Refuse spoofed packets pretending to be from the external address. ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l # Refuse packets claiming to be to or from a Class A private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l # Refuse packets claiming to be to or from a Class B private network ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l # Refuse packets claiming to be to or from a Class C private network # ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l # ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l # ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l # ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l # Refuse packets claiming to be from the loopback interface ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l # Refuse broadcast address SOURCE packets ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l # Refuse Class D multicast addresses (in.h) (NET-3-HOWTO) # Multicast is illegal as a source address. # Multicast uses UDP. ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l # Refuse Class E reserved IP addresses ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l # refuse addresses defined as reserved by the IANA # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.* # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.* # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.* ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l #65: 01000001 - /3 includes 64 - need 65-79 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l #80: 01010000 - /4 masks 80-95 ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l # 96: 01100000 - /4 makses 96-111 ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l #126: 01111110 - /3 includes 127 - need 112-126 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l #217: 11011001 - /5 includes 216 - need 217-219 spelled out ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l #223: 11011111 - /6 masks 220-223 ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l # ---------------------------------------------------------------------------- # ICMP # To prevent denial of service attacks based on ICMP bombs, filter # incoming Redirect (5) and outgoing Destination Unreachable (3). # Note, however, disabling Destination Unreachable (3) is not # advisable, as it is used to negotiate packet fragment size. # For bi-directional ping. # Message Types: Echo_Reply (0), Echo_Request (8) # To prevent attacks, limit the src addresses to your ISP range. # # For outgoing traceroute. # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11) # default UDP base: 33434 to base+nhops-1 # # For incoming traceroute. # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11) # To block this, deny OUTGOING 3 and 11 # 0: echo-reply (pong) # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc. # 4: source-quench # 5: redirect # 8: echo-request (ping) # 11: time-exceeded # 12: parameter-problem ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 0 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 3 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 4 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 11 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 12 -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $MY_ISP 8 -d $IPADDR -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR 0 -d $MY_ISP -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR 3 -d $MY_ISP -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR 4 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR 8 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR 12 -d $ANYWHERE -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR 11 -d $MY_ISP -j ACCEPT # ---------------------------------------------------------------------------- # UDP INCOMING TRACEROUTE # traceroute usually uses -S 32769:65535 -D 33434:33523 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $MY_ISP $TRACEROUTE_SRC_PORTS \ -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $ANYWHERE $TRACEROUTE_SRC_PORTS \ -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l # ---------------------------------------------------------------------------- # DNS server # ---------- # DNS: full server # server/client to server query or response ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $ANYWHERE $UNPRIVPORTS \ -d $IPADDR 53 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR 53 \ -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # DNS client (53) # --------------- ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_2 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_2 53 -j ACCEPT # TCP client to server requests are allowed by the protocol # if UDP requests fail. This is rarely seen. Usually, clients # use TCP as a secondary nameserver for zone transfers from # their primary nameservers, and as hackers. ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $NAMESERVER_2 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_2 53 -j ACCEPT # ---------------------------------------------------------------------------- # TCP accept only on selected ports # --------------------------------- # ------------------------------------------------------------------ # SSH server (22) # --------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE $UNPRIVPORTS \ -d $IPADDR 22 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $IPADDR 22 \ -d $ANYWHERE $UNPRIVPORTS -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE $SSH_PORTS \ -d $IPADDR 22 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $IPADDR 22 \ -d $ANYWHERE $SSH_PORTS -j ACCEPT # SSH client (22) # --------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 22 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 22 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 22 \ -d $IPADDR $SSH_PORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $SSH_PORTS \ -d $ANYWHERE 22 -j ACCEPT # ------------------------------------------------------------------ # HTTP client (80) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 80 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 80 -j ACCEPT # ------------------------------------------------------------------ # HTTPS client (443) # ------------------ ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 443 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 443 -j ACCEPT # ------------------------------------------------------------------ # POP client (110) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $POP_SERVER 110 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $POP_SERVER 110 -j ACCEPT # ------------------------------------------------------------------ # NNTP NEWS client (119) # ---------------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $NEWS_SERVER 119 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NEWS_SERVER 119 -j ACCEPT # ------------------------------------------------------------------ # FINGER client (79) # ------------------ # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ # -s $ANYWHERE 79 \ # -d $IPADDR $UNPRIVPORTS -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ # -s $IPADDR $UNPRIVPORTS \ # -d $ANYWHERE 79 -j ACCEPT # ------------------------------------------------------------------ # SYSLOG client (514) # ----------------- # ipchains -A output -i $LOCAL_INTERFACE_1 -p udp \ # -s $IPADDR 514 \ # -d $SYSLOG_SERVER 514 -j ACCEPT # ------------------------------------------------------------------ # AUTH server (113) # ----------------- # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE \ -d $IPADDR 113 -j REJECT # AUTH client (113) # ----------------- # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ # -s $ANYWHERE 113 \ # -d $IPADDR $UNPRIVPORTS -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ # -s $IPADDR $UNPRIVPORTS \ # -d $ANYWHERE 113 -j ACCEPT # ------------------------------------------------------------------ # SMTP client (25) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 25 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 25 -j ACCEPT # ------------------------------------------------------------------ # IRC client (6667) # ----------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 6667 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 6667 -j ACCEPT # ------------------------------------------------------------------ # ICQ client (4000) # ----------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 2000:4000 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 2000:4000 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $ANYWHERE 4000 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 4000 -j ACCEPT # ------------------------------------------------------------------ # FTP client (20, 21) # ------------------- # outgoing request ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 21 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 21 -j ACCEPT # NORMAL mode data channel ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ -s $ANYWHERE 20 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # NORMAL mode data channel responses ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 20 -j ACCEPT # PASSIVE mode data channel creation ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # PASSIVE mode data channel responses ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE $UNPRIVPORTS \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # RealAudio / QuickTime client # ---------------------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 554 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 554 -j ACCEPT # TCP is a more secure method: 7070:7071 ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $ANYWHERE 7070:7071 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE 7070:7071 -j ACCEPT # UDP is the preferred method: 6970:6999 # For LAN machines, UDP requires the RealAudio masquerading module and # the ipmasqadm third-party software. ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $ANYWHERE $UNPRIVPORTS \ -d $IPADDR 6970:6999 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # WHOIS client (43) # ----------------- # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ # -s $ANYWHERE 43 \ # -d $IPADDR $UNPRIVPORTS -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ # -s $IPADDR $UNPRIVPORTS \ # -d $ANYWHERE 43 -j ACCEPT # ------------------------------------------------------------------ # OUTGOING TRACEROUTE # ------------------- ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $TRACEROUTE_SRC_PORTS \ -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT # ---------------------------------------------------------------------------- # Unlimited traffic within the local network. # All internal machines have access to the firewall machine. ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT # ---------------------------------------------------------------------------- # FreeS/WAN IPSec VPN # ------------------- # If you are using the FreeSWAN IPSec VPN, you will need to fill in the # addresses of the gateways in the IPSECSG and the virtual interfaces for # FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of # this firewall script rules file to set the parameters. # IPSECSG is a Space separated list of remote gateways. FREESWANVI is a # Space separated list of virtual interfaces for FreeS/Wan IPSEC # implementation. Only include those that are actually used. # Allow IPSEC protocol from remote gateways on external interface # IPSEC uses three main types of packet: # IKE uses the UDP protocol and port 500, # ESP use the protocol number 50, and # AH use the protocol number 51 # ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ # -s $IPSECSG -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ # -d $IPSECSG -j ACCEPT # ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \ # -s $IPSECSG -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \ # -d $IPSECSG -j ACCEPT # ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \ # -s $IPSECSG -j ACCEPT # ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \ # -d $IPSECSG -j ACCEPT # Allow all traffic to FreeS/WAN Virtual Interface # ipchains -A input -i $FREESWANVI \ # -s $ANYWHERE \ # -d $ANYWHERE -j ACCEPT # ipchains -A output -i $FREESWANVI \ # -s $ANYWHERE \ # -d $ANYWHERE -j ACCEPT # Forward anything from the FreeS/WAN virtual interface IPSEC tunnel # ipchains -A forward -i $FREESWANVI \ # -s $ANYWHERE \ # -d $ANYWHERE -j ACCEPT # Disable IP spoofing protection to allow IPSEC to work properly # echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter # echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter # ---------------------------------------------------------------------------- # Masquerade internal traffic. # All internal traffic is masqueraded externally. ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ # ---------------------------------------------------------------------------- # Enable logging for selected denied packets ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ -d $IPADDR -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -d $IPADDR $PRIVPORTS -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -d $IPADDR $UNPRIVPORTS -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 5 -d $IPADDR -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l # ---------------------------------------------------------------------------- ;; stop) echo -n "Shutting Firewalling Services: " # Remove all existing rules belonging to this filter ipchains -F # Delete all user-defined chain to this filter ipchains -X # Reset the default policy of the filter to accept. ipchains -P input ACCEPT ipchains -P output ACCEPT ipchains -P forward ACCEPT ;; status) status firewall ;; restart|reload) $0 stop $0 start ;; *) echo "Usage: firewall {start|stop|status|restart|reload}" exit 1 esac exit 0

现在，使此脚本可执行并更改其默认权限
[root@deep] /#chmod 700 /etc/rc.d/init.d/firewall [root@deep] /#chown 0.0 /etc/rc.d/init.d/firewall

创建符号rc.d链接，使用以下命令为您的防火墙
[root@deep] /#chkconfig --add firewall [root@deep] /#chkconfig --level 345 firewall on
现在，您的防火墙规则已配置为使用 SystemVinit -SystemV init 负责启动所有需要在启动时运行的正常进程，并且每次服务器重启时它都会自动启动。

要手动停止系统上的防火墙，请使用以下命令
[root@deep] /# /etc/rc.d/init.d/firewall stop

Shutting Firewalling Services: [ OK ]

要手动启动系统上的防火墙，请使用以下命令
[root@deep] /# /etc/rc.d/init.d/firewall start

Starting Firewalling Services: [ OK ]

上一页	首页	下一页
配置`/etc/rc.d/init.d/firewall`脚本文件 - 网关服务器	向上	拒绝访问某些地址