Вот решил немного линукс поизучать.. есть уже настроенная убунта. в ней есть некий скрипт, который называется firewall.sh, находящийся в /etc/init.d/
запускается при старте системы.
однако если запустить повторно, то все задвоится
какие нужно доавить команды, чтобы при запуске firewall.sh удалялись все таблицы, и после этого загружались новые.. ну и чтобы при этом не выбрасывало того кто по ssh запускается рестарт Код: Выделить всё
#!/bin/sh
## rc.firewall - Initialisation of noc.vici.ua iptables rules, tunnels and routers
###########################################################################
#
# 1. Configuration options.
#
#
# 1.1 Internet Configuration.
#
INET_IP="11.11.11.11"
INET_IFACE="eth2"
INET_BROADCAST="11.11.11.11"
INET2_IP="22.22.22.22"
INET2_IFACE="eth3"
INET2_BROADCAST="22.22.22.22"
LO_IFACE="lo"
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_gre
/sbin/modprobe ip_conntrack_ftp
#
# 2.2 Non-Required modules
#
/sbin/modprobe ip_nat_ftp
###########################################################################
#
# 3. /proc set up.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT ACCEPT # --log-prefix "Input killed"
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP # --log-prefix "forward killed"
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N pptp
#
# secret chain
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# pptp chain
#
/sbin/iptables -A pptp -p tcp --destination-port 1723 -j ACCEPT
/sbin/iptables -A pptp -p 47 -j ACCEPT
/sbin/iptables -I FORWARD -j pptp
/sbin/iptables -t nat -N pptp
/sbin/iptables -t nat -A pptp -i ppp+ -p tcp --dport 1723 -j DNAT --to $INET_IP:1723
/sbin/iptables -t nat -A pptp -i ppp+ -p 47 -j DNAT --to $INET_IP
/sbin/iptables -t nat -A PREROUTING -j pptp
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30 -j allowed
#
# UDP ports
#
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 1194 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
--destination-port 135:139 -j DROP
$IPTABLES -A udp_packets -p UDP -i $INET2_IFACE -d $INET2_BROADCAST \
--destination-port 135:139 -j DROP
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -s 192.168.0.0/16 -j ACCEPT
$IPTABLES -A INPUT -p ALL -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET2_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j AC
CEPT
$IPTABLES -A INPUT -p ALL -d $INET2_IP -m state --state ESTABLISHED,RELATED -j A
CCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET2_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET2_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET2_IFACE -j icmp_packets
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -p tcp -m tcp --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p tcp -m tcp --dport 100 -j A
CCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p tcp -m tcp --dport 110 -j A
CCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p tcp -m tcp --dport 25 -j AC
CEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p udp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p tcp --dport 995 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p tcp --dport 465 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p udp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p tcp -m tcp --dport 100 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p tcp -m tcp --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p udp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p tcp --dport 995 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p tcp --dport 465 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET2_IFACE -p udp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET2_IP -j ACCEPT
######
# 4.2 nat table
#
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -j MASQUERADE
#
# 4.2.6 OUTPUT chain
#
$IPTABLES -A OUTPUT -p ICMP -j ACCEPT
$IPTABLES -A OUTPUT -p UDP --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 110 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p TCP --dport 22 -j ACCEPT
######
# 4.3 mangle table
#
iptables -t mangle -N MARK-CRITICAL
iptables -t mangle -A MARK-CRITICAL -j MARK --set-mark 20
iptables -t mangle -A MARK-CRITICAL -j TOS --set-tos Minimize-Delay
iptables -t mangle -A MARK-CRITICAL -j ACCEPT
iptables -t mangle -N MARK-REALTIME
iptables -t mangle -A MARK-REALTIME -j MARK --set-mark 21
iptables -t mangle -A MARK-REALTIME -j TOS --set-tos Minimize-Delay
iptables -t mangle -A MARK-REALTIME -j ACCEPT
iptables -t mangle -N MARK-NORMAL
iptables -t mangle -A MARK-NORMAL -j MARK --set-mark 22
iptables -t mangle -A MARK-NORMAL -j TOS --set-tos Normal-Service
iptables -t mangle -A MARK-NORMAL -j ACCEPT
iptables -t mangle -N MARK-LOW
iptables -t mangle -A MARK-LOW -j MARK --set-mark 23
iptables -t mangle -A MARK-LOW -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A MARK-LOW -j ACCEPT
iptables -t mangle -N MARK-VERYLOW
iptables -t mangle -A MARK-VERYLOW -j MARK --set-mark 24
iptables -t mangle -A MARK-VERYLOW -j TOS --set-tos Minimize-Cost
iptables -t mangle -A MARK-VERYLOW -j ACCEPT
# LET INCOMING DATA PASS THROUGH
iptables -t mangle -A FORWARD -d 192.168.0.0/255.255.0.0 -j ACCEPT
# SET UP TRAFFIC PRIORITIES
# ICMP
iptables -t mangle -A FORWARD -p udp --dport 443 -j MARK-REALTIME
iptables -t mangle -A FORWARD -p udp --dport 3389 -j MARK-REALTIME
# Standard Services
iptables -t mangle -A FORWARD -p tcp --sport telnet -j MARK-REALTIME
iptables -t mangle -A FORWARD -p tcp --dport telnet -j MARK-REALTIME
iptables -t mangle -A FORWARD -p tcp --sport ssh -j MARK-REALTIME
iptables -t mangle -A FORWARD -p tcp --sport ftp -j MARK-REALTIME
iptables -t mangle -A FORWARD -p tcp --dport ftp -j MARK-REALTIME
iptables -t mangle -A FORWARD -p tcp --sport ftp-data -j MARK-LOW
iptables -t mangle -A FORWARD -p tcp --dport ssh -j MARK-REALTIME
iptables -t mangle -A FORWARD -p tcp --sport smtp -j MARK-LOW
# Everything else...
iptables -t mangle -A FORWARD -j MARK-NORMAL
iptables -t mangle -A FORWARD -p tcp --sport http -j MARK-LOW
