#!/bin/sh
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: checkroot
# Required-Stop:
# Default-Start: S
# Default-Stop:
# Short-Description:
### END INIT INFO
# Interface and address configuration used by the rules below.
Loop_Iface=lo                  # loopback
Lan_Iface=br0                  # LAN-facing bridge (LAN_* chains, SNAT egress)
Vnat_Iface=br1                 # second bridge, handled by the VNAT_* chains
Lan_Ip4Net=192.168.168         # first three octets of the LAN network
Lan_Ip4="$Lan_Ip4Net.3/24"     # this host's LAN address with prefix length
Lan_Gateway="$Lan_Ip4Net.254"  # LAN default gateway (not referenced by the rules below)
##############################################################################
# ### mangle ###
#######################################
# Rebuild the mangle table: clear it, then clamp the MSS of forwarded
# TCP SYNs leaving via the LAN bridge to the path MTU.
# Globals:   Lan_Iface (read)
# Arguments: none
# Returns:   exit status of the last iptables command
#######################################
StartMangle() {
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -t mangle -A FORWARD -o "$Lan_Iface" -p tcp \
    --tcp-flags RST,SYN SYN -j TCPMSS --clamp-mss-to-pmtu
}
#######################################
# Empty the mangle table: flush every chain, then delete user chains.
# Arguments: none
# Returns:   exit status of the last iptables command
#######################################
StopMangle() {
  iptables -t mangle -F
  iptables -t mangle -X
}
##############################################################################
# ### nat ###
#######################################
# Rebuild the nat table: clear it, then source-NAT everything leaving
# via the LAN bridge to the address configured in Lan_Ip4 (prefix length
# stripped). The MASQUERADE variant is kept commented out as the
# alternative.
# Globals:   Lan_Iface, Lan_Ip4 (read)
# Arguments: none
# Returns:   exit status of the last iptables command
#######################################
StartNat() {
  iptables -t nat -F
  iptables -t nat -X
  #iptables -t nat -A POSTROUTING -o "$Lan_Iface" -j MASQUERADE
  iptables -t nat -A POSTROUTING -o "$Lan_Iface" \
    -j SNAT --to-source "${Lan_Ip4%/*}"
}
#######################################
# Empty the nat table: flush every chain, then delete user chains.
# Arguments: none
# Returns:   exit status of the last iptables command
#######################################
StopNat() {
  iptables -t nat -F
  iptables -t nat -X
}
##############################################################################
# ### filter ###
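#######################################
# Build the filter table from scratch.
# The built-in policies are set to DROP *before* the old rules are
# flushed, so a restart never passes through a fail-open window, and an
# iptables error part-way through leaves the host fail-closed instead of
# fail-open.
# Globals:   Loop_Iface, Lan_Iface, Vnat_Iface (read)
# Arguments: none
# Outputs:   nothing on stdout; iptables errors go to stderr
# Returns:   exit status of the last iptables command
#######################################
StartFilter()
{
  # Fail closed first, then clear out whatever was loaded before.
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -X
  # Per-interface chains (each LAN_*/VNAT_* chain ends in an explicit DROP
  # below); SYNFLOOD and LAN_SSH are rate-limit helpers.
  iptables -N SYNFLOOD
  iptables -N LAN_IN
  iptables -N LAN_OUT
  iptables -N LAN_FRW
  iptables -N LAN_SSH
  iptables -N VNAT_IN
  iptables -N VNAT_OUT
  iptables -N VNAT_FRW
  # ====================================================================
  # BUILT-IN: connection tracking first, then dispatch by interface into
  # the per-interface chains. Anything not dispatched falls through to the
  # DROP policies set above.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A INPUT -i "$Loop_Iface" -j ACCEPT
  iptables -A OUTPUT -o "$Loop_Iface" -j ACCEPT
  # Bare SYNs (SYN set, ACK/RST/FIN clear) on any interface pass through
  # the SYN rate limiter before the per-interface chains see them.
  iptables -A INPUT -p tcp --tcp-flags ACK,RST,SYN,FIN SYN -j SYNFLOOD
  iptables -A INPUT -i "$Lan_Iface" -j LAN_IN
  iptables -A OUTPUT -o "$Lan_Iface" -j LAN_OUT
  iptables -A FORWARD -i "$Lan_Iface" -j LAN_FRW
  iptables -A INPUT -i "$Vnat_Iface" -j VNAT_IN
  iptables -A OUTPUT -o "$Vnat_Iface" -j VNAT_OUT
  iptables -A FORWARD -i "$Vnat_Iface" -j VNAT_FRW
  # ====================================================================
  # SYNFLOOD: return up to 25 SYN/s (burst 50) to the caller, drop the rest.
  iptables -A SYNFLOOD -p tcp -m limit --limit 25/second --limit-burst 50 -j RETURN
  iptables -A SYNFLOOD -j DROP
  # ====================================================================
  # LAN
  # LAN_SSH: per-source limit on new SSH connections. The --set runs
  # before the --update check, so once a source has hit the chain 4 or
  # more times within 60 s its further attempts are dropped (recent's
  # --hitcount semantics); everything else is accepted.
  iptables -A LAN_SSH -m recent --set --name LAN_SSH --rsource
  iptables -A LAN_SSH -m recent --update --name LAN_SSH --seconds 60 --hitcount 4 --rsource -j DROP
  iptables -A LAN_SSH -j ACCEPT
  # --------------------------------------------------------------------
  # samba (both directions on the LAN)
  iptables -A LAN_IN -p tcp --dport 445 -j ACCEPT
  iptables -A LAN_OUT -p tcp --dport 445 -j ACCEPT
  iptables -A LAN_IN -p tcp --dport 139 -j ACCEPT
  iptables -A LAN_OUT -p tcp --dport 139 -j ACCEPT
  iptables -A LAN_IN -p udp --dport 137:138 -j ACCEPT
  iptables -A LAN_OUT -p udp --dport 137:138 -j ACCEPT
  # dns, dhcp, ntp client (outbound only; replies come back via ESTABLISHED)
  iptables -A LAN_OUT -p udp --dport 53 -j ACCEPT
  iptables -A LAN_OUT -p tcp --dport 53 -j ACCEPT
  iptables -A LAN_OUT -p udp --sport 68 --dport 67 -j ACCEPT
  iptables -A LAN_OUT -p udp --dport 123 -j ACCEPT
  # ping, traceroute: inbound echo requests are rate-limited, outbound are not
  iptables -A LAN_IN -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 5 -j ACCEPT
  iptables -A LAN_OUT -p icmp --icmp-type 8 -j ACCEPT
  iptables -A LAN_OUT -p udp --dport 33434:33534 -j ACCEPT
  # ssh server: only NEW connections enter LAN_SSH; established ones were
  # already accepted by the conntrack rule in INPUT
  iptables -A LAN_IN -p tcp --dport 22 -m state --state NEW -j LAN_SSH
  # other: any outbound TCP/UDP from an unprivileged source port
  iptables -A LAN_OUT -p tcp --sport 1024: -j ACCEPT
  iptables -A LAN_OUT -p udp --sport 1024: -j ACCEPT
  # LAN END: nothing is forwarded from the LAN side at all
  iptables -A LAN_IN -j DROP
  iptables -A LAN_OUT -j DROP
  iptables -A LAN_FRW -j DROP
  # ====================================================================
  # VNAT
  # samba (both directions on the VNAT bridge)
  iptables -A VNAT_IN -p tcp --dport 445 -j ACCEPT
  iptables -A VNAT_OUT -p tcp --dport 445 -j ACCEPT
  iptables -A VNAT_IN -p tcp --dport 139 -j ACCEPT
  iptables -A VNAT_OUT -p tcp --dport 139 -j ACCEPT
  iptables -A VNAT_IN -p udp --dport 137:138 -j ACCEPT
  iptables -A VNAT_OUT -p udp --dport 137:138 -j ACCEPT
  # dns, dhcp, ntp server (inbound only: this host serves the VNAT side)
  iptables -A VNAT_IN -p udp --dport 53 -j ACCEPT
  iptables -A VNAT_IN -p tcp --dport 53 -j ACCEPT
  iptables -A VNAT_IN -p udp --sport 68 --dport 67 -j ACCEPT
  iptables -A VNAT_IN -p udp --dport 123 -j ACCEPT
  # ping, traceroute: inbound probes are rate-limited, outbound are not
  iptables -A VNAT_IN -p icmp --icmp-type 8 -m limit --limit 1/second --limit-burst 5 -j ACCEPT
  iptables -A VNAT_OUT -p icmp --icmp-type 8 -j ACCEPT
  iptables -A VNAT_IN -p udp --dport 33434:33534 -m limit --limit 5/second --limit-burst 5 -j ACCEPT
  iptables -A VNAT_OUT -p udp --dport 33434:33534 -j ACCEPT
  # to LAN: forwarding is one-way, VNAT -> LAN; the return path is covered
  # by the ESTABLISHED rule in FORWARD, and LAN_FRW above never initiates
  # towards VNAT
  iptables -A VNAT_FRW -o "$Lan_Iface" -j ACCEPT
  # VNAT END
  iptables -A VNAT_IN -j DROP
  iptables -A VNAT_OUT -j DROP
  iptables -A VNAT_FRW -j DROP
}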
# StartFilter()
# ============================================================================
#######################################
# Open the filter table: flush every chain, delete user chains, then set
# all three built-in policies to ACCEPT.
# Arguments: none
# Returns:   exit status of the last iptables command
#######################################
StopFilter() {
  iptables -F
  iptables -X
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
}
##############################################################################
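#######################################
# Entry point: dispatch on the init action in $1.
#   start/restart/force-reload  rebuild all three tables in place (each
#                               Start* function flushes its own table)
#   stop                        empty mangle and nat, open the filter table
#   stopfilter                  open only the filter table
#   status                      dump all three tables with counters
# Exits 2 with a usage line on stderr for any other action.
#######################################
case "$1" in
  start|restart|force-reload)
    StartMangle
    StartNat
    StartFilter
    ;;
  stop)
    StopMangle
    StopNat
    StopFilter
    ;;
  stopfilter)
    StopFilter
    ;;
  status)
    printf '%s\n' "#### mangle ####"
    iptables -t mangle -L -nv --line-numbers
    printf '\n\n%s\n' "#### nat ####"
    iptables -t nat -L -nv --line-numbers
    printf '\n\n%s\n' "#### filter ####"
    iptables -L -nv --line-numbers
    ;;
  *)
    # printf rather than echo: consistent with the status branch and not
    # subject to echo's option/escape handling of its arguments.
    printf 'Usage: %s {start|stop|stopfilter|restart|force-reload|status}\n' "$0" >&2
    exit 2
    ;;
esac
exit 0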