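#!/bin/sh
# Host firewall loader: IPv4 sysctl hardening, conntrack modules and an
# iptables ruleset built from three list files. Run as root, e.g. at boot.
#
# List files (one entry per line; the first field of every line that starts
# with a digit 1-9 is used, all other lines are treated as comments):
#   /root/fw/ck-ip  sources allowed to open new connections TO this host (CIP)
#   /root/fw/wk-ip  sources allowed through FORWARD on TCP/80 (YIP)
#   /root/fw/bk-ip  sources dropped in FORWARD (NIP)
#
# The INPUT policy is DROP, so an empty or missing ck-ip leaves the host
# reachable only for DNS replies, a few ICMP types and established flows.
# Each step is reported but does not abort the script, to avoid leaving the
# ruleset half-loaded.

set -u

# warn MSG... - diagnostics go to stderr so they are not mistaken for output.
warn() {
  printf '%s\n' "$*" >&2
}

# sysctl_set PATH VALUE - write one /proc/sys knob; warn (do not abort) if
# the knob is absent or not writable on this kernel.
sysctl_set() {
  if ! printf '%s\n' "$2" > "$1" 2>/dev/null; then
    warn "warning: could not set $1=$2"
  fi
}

# load_list FILE - print the first field of every line beginning with 1-9.
# A missing or unreadable file yields an empty list *and* a warning, so a
# silently empty allow/deny list cannot go unnoticed.
load_list() {
  if [ ! -r "$1" ]; then
    warn "warning: list file $1 missing or unreadable; using empty list"
    return 0
  fi
  awk '/^[1-9]/ {print $1 }' "$1"
}

#######################################################################
# Kernel network hardening.
#######################################################################
sysctl_set /proc/sys/net/ipv4/ip_forward 1
sysctl_set /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
sysctl_set /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
sysctl_set /proc/sys/net/ipv4/conf/all/accept_source_route 0
sysctl_set /proc/sys/net/ipv4/conf/all/accept_redirects 0
sysctl_set /proc/sys/net/ipv4/conf/all/send_redirects 0
sysctl_set /proc/sys/net/ipv4/conf/all/rp_filter 1
sysctl_set /proc/sys/net/ipv4/tcp_syncookies 1
sysctl_set /proc/sys/net/ipv4/tcp_retries1 3
sysctl_set /proc/sys/net/ipv4/tcp_fin_timeout 30
sysctl_set /proc/sys/net/ipv4/tcp_keepalive_time 1400
sysctl_set /proc/sys/net/ipv4/tcp_window_scaling 0
sysctl_set /proc/sys/net/ipv4/tcp_sack 0
sysctl_set /proc/sys/net/ipv4/tcp_timestamps 0
sysctl_set /proc/sys/net/ipv4/icmp_echo_ignore_all 1

# Connection-tracking modules (ip_conntrack* names belong to pre-2.6.20
# kernels; newer kernels load the nf_conntrack* equivalents automatically).
# Failures are reported by modprobe itself and are not fatal.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

#######################################################################
# Base policies and a clean slate. Policies survive -F/-X, so INPUT is
# already closed before any rule is re-added.
#######################################################################
#iptables -P INPUT ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X

# Loopback only on lo; 127/8 arriving on any other interface is spoofed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/255.0.0.0 ! -i lo -j DROP
iptables -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -j LOG --log-prefix "** Firewall DROP **"

#######################################################################
# CIP: sources allowed to initiate connections to this host (INPUT).
#######################################################################
CK="1"
CPASSLOG="0"
CIP=""
if [ "$CK" = "1" ]; then
  printf '%s' "Getting the CK Block List..."
  CIP="$CIP
$(load_list /root/fw/ck-ip)"
  printf 'ok\n'
fi
iptables -N CIP
if [ "$CPASSLOG" = "1" ]; then
  iptables -A CIP -j LOG --log-prefix "** Firewall CIP **"
fi
# Word-splitting of $CIP is intentional: one newline-separated entry per rule.
for ip in $CIP; do
  iptables -A INPUT -s "$ip" -j CIP
  # iptables -A FORWARD -s "$ip" -j CIP
done
#iptables -A CIP -p TCP -m tcp --dport 22 -j ACCEPT
#iptables -A CIP -p TCP -m tcp --dport 80 -j ACCEPT
#iptables -A CIP -p TCP -m tcp --dport 3306 -j ACCEPT
#iptables -A CIP -p UDP -m udp --dport 3306 -j ACCEPT
iptables -A CIP -j ACCEPT

#######################################################################
# YIP: sources allowed to be forwarded on TCP/80 (FORWARD).
# NOTE(review): the FORWARD policy above is ACCEPT and YIP has no final
# verdict, so packets from these sources that are not TCP/80 fall out of
# the chain and are accepted by policy; the list only restricts traffic
# if FORWARD's policy is DROP or a terminating `iptables -A YIP -j DROP`
# is added. Left as-is to preserve current behaviour.
#######################################################################
WK="0"
PASSLOG="0"
YIP=""
if [ "$WK" = "1" ]; then
  printf '%s' "Getting the WK Block List..."
  YIP="$YIP
$(load_list /root/fw/wk-ip)"
  printf 'ok\n'
fi
iptables -N YIP
if [ "$PASSLOG" = "1" ]; then
  iptables -A YIP -j LOG --log-prefix "** Firewall YIP **"
fi
for ip in $YIP; do
  # iptables -A INPUT -s "$ip" -j YIP
  iptables -A FORWARD -s "$ip" -j YIP
done
#iptables -A YIP -p TCP -m tcp --dport 22 -j ACCEPT
iptables -A YIP -p TCP -m tcp --dport 80 -j ACCEPT

#######################################################################
# NIP: sources dropped in FORWARD. A missing bk-ip means nothing is
# blocked (fail-open); load_list warns on stderr when that happens.
#######################################################################
BK="1"
NPASSLOG="0"
NIP=""
if [ "$BK" = "1" ]; then
  printf '%s' "Getting the BK Block List..."
  NIP="$NIP
$(load_list /root/fw/bk-ip)"
  printf 'ok\n'
fi
iptables -N NIP
if [ "$NPASSLOG" = "1" ]; then
  iptables -A NIP -j LOG --log-prefix "** Firewall NIP **"
fi
for ip in $NIP; do
  # iptables -A INPUT -s "$ip" -j NIP
  iptables -A FORWARD -s "$ip" -j NIP
done
iptables -A NIP -j DROP

#######################################################################
# OUTPUT: everything originating here is allowed, except 127/8 leaving
# on a non-loopback interface.
#######################################################################
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 ! -o lo -j DROP
iptables -A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j ACCEPT
#iptables -A INPUT -p TCP -m tcp --dport 80 -j ACCEPT
#iptables -A FORWARD -p TCP -m tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp -j DROP
#iptables -A FORWARD -p tcp -m tcp -j DROP
#iptables -A FORWARD -j DROP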