#!/bin/bash
#
# Office gateway firewall: iptables rules for an ADSL uplink (ppp0) in
# front of a 192.168.100.0/24 office LAN (eth0).  Dated 2005.7.20 in the
# original.
# Usage: <script> {start|stop|restart}  (the dispatch is at the end of file)
#
# Start-up banner.  "\033[1;031m" = bold red, "\033[1;034m" = bold blue,
# "\033[m" = reset.  printf is used for the escape sequences so the exact
# bytes are visible; the blank lines are the original's.
echo "Starting................."
printf '\n\n\n\n'
# Year, month, day and clock time picked out of the default English
# `date` layout ("Wed Jul 20 10:00:00 CST 2005").
echo "RunTime = $(date | awk '{print $6" "$2" "$3" "$4}')"
printf '\t\t\n\n\n'
printf '\033[1;031m \n\n'
printf '%s\n' \
  '###############################################################' \
  '# xxxxxxxx office Firewall rule 2.0                           #' \
  '# E-mail:xx...@xxxx.com                                       #' \
  '###############################################################'
printf '\033[m \n\n'
echo ""
echo ""
#
printf '\033[1;034m \n\n'
printf '%s\n' \
  '##########################################################' \
  '# office Network Internet Address: ADSL                  #' \
  '#                                                        #' \
  '# Internal Network Address: 192.168.100.0/24             #' \
  '#                                                        #' \
  '##########################################################'
echo ""
printf '\033[m \n\n'
echo ""
#
#
########################## Main Options #####################
# Binary and interfaces: ppp0 faces the Internet (ADSL), eth0 the LAN.
IPTABLES="/sbin/iptables"
INET_IFACE="ppp0"
LAN_IFACE="eth0"
LAN_IP="192.168.100.254"
# Public address of the ADSL link: first "inet" line of ifconfig that is
# not loopback, second field, text after the colon.  Empty while ppp0 is
# down.  Only the commented-out DNAT rules in start() refer to it.
INET_IP=$(/sbin/ifconfig ppp0 | grep inet | grep -v "127.0.0.1" | awk '{print $2}' | head -n 1 | awk -F: '{print $2}')
# Per-service host lists.  Each value is a whitespace/newline separated
# string that start() word-splits with "for LAN in ${...}"; an empty
# string switches that group of rules off.
ACCEPT_ALL_LAN="
192.168.100.200/32
192.168.100.202/32"
ACCEPT_FTP_LAN=""
ACCEPT_OICQ_LAN=""
ACCEPT_ICQ_LAN=""
ACCEPT_IRC_LAN=""
ACCEPT_MSN_LAN=""
ACCEPT_GAME_LAN=""
ACCEPT_NBT_LAN=""
ACCEPT_ADMIN_LAN=""
ACCEPT_HTTP_LAN="
192.168.100.0/24"
# Alternative per-host HTTP list, kept disabled (every line commented so
# none of the addresses is executed as a command):
#ACCEPT_HTTP_LAN="192.168.100.1/32
#192.168.100.2/32 192.168.100.10/32 192.168.100.11/32
#192.168.100.12/32 192.168.100.13/32 192.168.100.14/32
#192.168.100.15/32 192.168.100.16/32 192.168.100.17/32
#192.168.100.18/32 192.168.100.19/32 192.168.100.20/32
#192.168.100.21/32 192.168.100.22/32 192.168.100.23/32
#192.168.100.24/32 192.168.100.25/32 192.168.100.26/32
#192.168.100.27/32 192.168.100.28/32 192.168.100.29/32
#192.168.100.30/32 192.168.100.31/32 192.168.100.32/32
#192.168.100.33/32 192.168.100.34/32 192.168.100.35/32
#192.168.100.36/32 192.168.100.37/32 192.168.100.38/32
#192.168.100.39/32 192.168.100.40/32 192.168.100.41/32
#192.168.100.42/32 192.168.100.43/32 192.168.100.44/32
#192.168.100.45/32 192.168.100.46/32 192.168.100.47/32
#192.168.100.48/32 192.168.100.49/32 192.168.100.50/32
#192.168.100.51/32 192.168.100.52/32 192.168.100.53/32
#192.168.100.54/32 192.168.100.55/32 192.168.100.56/32
#192.168.100.57/32 192.168.100.58/32 192.168.100.59/32
#192.168.100.80/32 192.168.100.81/32 192.168.100.82/32
#192.168.100.83/32 192.168.100.84/32"
# Networks.  Both start with a newline, which is why start() expands them
# unquoted (the word split removes it).
INTERNAL_LAN="
192.168.100.0/24"
DEPOT_LAN="
192.168.110.0/24"
GATEWAY_HOST="192.168.100.254"
# Upstream (ISP) resolvers.  start() trusts them by source address alone.
DNS_SERVER="202.96.134.133"
DNS_SERVER2="202.96.128.68"
DNS_SERVER3="202.96.209.5"
DNS_SERVER4="202.96.209.133"
MANAGER_HOST="192.168.100.189"
# One LAN host plays terminal server, privileged host and VPN server.
TERMINAL_SERVER="192.168.100.99"
PRIVILEGE="192.168.100.99"
VPN_SERVER="192.168.100.99"
# LAN_IP, GATEWAY_HOST and VPN_SERVER are not referenced by start()/stop()
# in this file.
################### End Options ###########
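############## Load modules
# Netfilter modules the rules in start() rely on: the core tables,
# connection tracking, NAT, and the conntrack/NAT helper pairs for FTP,
# IRC, H.323, MMS, PPTP (with its GRE protocol tracker) and Quake3.
# The order is the original's; the second ip_conntrack_irc entry of the
# original list was a duplicate and is dropped.
# Output is discarded on purpose: on a kernel that has these built in, or
# that uses the newer nf_conntrack_* names, modprobe fails harmlessly and
# the script (no "set -e") carries on.  The flip side is that a module
# that is genuinely missing is not reported here either.
# NOTE(review): every helper parses untrusted payload inside the kernel;
# only the protocols the LAN actually uses need to be loaded.
for mod in \
  ip_tables ip_conntrack iptable_nat \
  ip_nat_ftp ip_conntrack_ftp \
  ip_conntrack_irc \
  ip_conntrack_h323 ip_nat_h323 \
  ip_nat_irc \
  ip_conntrack_mms ip_nat_mms \
  ip_conntrack_pptp ip_nat_pptp \
  ip_conntrack_proto_gre ip_nat_proto_gre \
  ip_conntrack_quake3 ip_nat_quake3
do
  modprobe "$mod" > /dev/null 2>&1
done
unset mod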
##############################################
# Kernel IPv4 settings, written through /proc.  A failed write (not root,
# or the key is absent) prints an error and the script carries on, exactly
# like the original "echo N > /proc/..." lines.
#
# Write $2 to /proc/sys/net/ipv4/$1.
ipv4_sysctl() {
  echo "$2" > "/proc/sys/net/ipv4/$1"
}
ipv4_sysctl ip_forward 1                           # this box routes for the LAN
ipv4_sysctl tcp_syncookies 1
ipv4_sysctl icmp_ignore_bogus_error_responses 1
# Settings that were present but commented out in the original:
#ipv4_sysctl conf/all/rp_filter 1
#ipv4_sysctl ip_dynaddr 1
#ipv4_sysctl icmp_echo_ignore_broadcasts 1
#ipv4_sysctl icmp_ignore_bogus_error_responses 1
# NOTE(review): reverse-path filtering is switched OFF here although the
# commented line above once switched it on.  With it off, the rules in
# start() that ACCEPT on source address alone (DNS servers, PRIVILEGE,
# the ACCEPT_ALL_LAN hosts) can also be matched by a packet arriving on
# the Internet interface with that source -- confirm this is intended
# (it is sometimes needed for ipsec/ppp asymmetric paths).
ipv4_sysctl conf/all/rp_filter 0
ipv4_sysctl conf/all/accept_redirects 0
ipv4_sysctl conf/all/accept_source_route 0
ipv4_sysctl conf/all/log_martians 1
# Reduce DoS'ing ability by reducing timeouts
ipv4_sysctl tcp_fin_timeout 30
# NOTE(review): only tcp_fin_timeout above is a timeout; disabling window
# scaling, timestamps and SACK mainly costs throughput on long or fast
# links rather than limiting DoS exposure.
ipv4_sysctl tcp_window_scaling 0
ipv4_sysctl tcp_timestamps 0
ipv4_sysctl tcp_sack 0
ipv4_sysctl tcp_max_syn_backlog 1024
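#######################################
# Print one coloured status line.
# Arguments: $1 - ANSI SGR parameters between "ESC[" and "m" (e.g. "1;032")
#            $2 - message text
# Outputs:   "ESC[$1m $2 ESC[m" plus newline on stdout
#######################################
_fw_status() {
  printf '\033[%sm %s \033[m\n' "$1" "$2"
}

#######################################
# Print the dotted separator shown after each rule group.
# Arguments: $1 - optional SGR parameters for the trailing colour switch
#                 (default "1;032", bold green)
# Outputs:   separator on stdout.  The blank line before the final colour
#            switch is now always printed; three of the original copies
#            omitted it.
#######################################
_fw_separator() {
  local i
  printf '\033[1;034m \n\n'
  for i in 1 2 3; do
    echo "......................................................................."
  done
  echo ""
  printf '\033[%sm \n\n' "${1:-1;032}"
}

#######################################
# Append a FORWARD DROP rule for every destination given.
# Globals:   IPTABLES (read)
# Arguments: one or more IPv4 addresses or CIDR prefixes, in rule order
#######################################
_fw_drop_dst() {
  local dst
  for dst in "$@"; do
    "$IPTABLES" -A FORWARD -d "$dst" -j DROP
  done
}

#######################################
# Load the firewall: flush everything, set the default policies
# (INPUT DROP, OUTPUT ACCEPT, FORWARD DROP) and install the INPUT,
# FORWARD and NAT rules.  Rule order is significant -- iptables stops at
# the first match -- and is kept exactly as in the original except for
# three exact-duplicate DROP entries that were removed.
# Globals (read):    IPTABLES INET_IFACE LAN_IFACE INTERNAL_LAN DEPOT_LAN
#                    DNS_SERVER DNS_SERVER2 DNS_SERVER3 DNS_SERVER4
#                    MANAGER_HOST TERMINAL_SERVER PRIVILEGE ACCEPT_*_LAN
# Globals (written): ACCESSLOG (hard-set to "YES" inside this function)
# Outputs:           progress banners on stdout; iptables errors on stderr
# Returns:           status of the last command run (the final echo), not
#                    an aggregate of the iptables calls
#######################################
start(){
  local LAN chain
  echo ""
  _fw_status "1;032" "Flush all chains...... [OK]"
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  "$IPTABLES" -Z -t nat
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP
  # (Re)create the three logging chains.  The per-chain -F/-X are no-ops
  # after the global -X above, so their errors are silenced.
  for chain in LOG_ACCEPT LOG_DROP LOG_HK; do
    "$IPTABLES" -t filter -F "$chain" > /dev/null 2>&1
    "$IPTABLES" -t filter -X "$chain" > /dev/null 2>&1
    "$IPTABLES" -t filter -N "$chain"
  done
  echo ""
  echo ""
  printf '%s\n' \
    '######################################################################' \
    '# Internal Access to Internet servers                                #' \
    '#                                                                    #' \
    '# Supply WEB FTP MAIL Services for Internal users                    #' \
    '######################################################################'
  echo ""
  echo ""
  # LOG_DROP: both of its rules are commented out, so the chain is EMPTY.
  # "-j LOG_DROP" below therefore returns to FORWARD without dropping; the
  # non-SYN NEW packets it is meant to catch only hit the FORWARD policy
  # if no later ACCEPT (e.g. the source-address rules) matches them.
  # Uncomment both lines to restore log-then-drop.
  # $IPTABLES -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES DROP:'
  # $IPTABLES -A LOG_DROP -j DROP
  #
  "$IPTABLES" -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG_DROP
  # LOG_ACCEPT: likewise empty, and nothing jumps to it.
  # $IPTABLES -A LOG_ACCEPT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT] : '
  # $IPTABLES -A LOG_ACCEPT -j ACCEPT
  #
  # LOG_HK only logs; no rule in this script jumps to it.
  # NOTE(review): iptables limits --log-prefix to 29 characters and this
  # prefix is 30 as reconstructed -- confirm the rule actually loads.
  "$IPTABLES" -A LOG_HK -j LOG --log-tcp-options --log-ip-options --log-prefix '[HK access computer center] : '
  # $IPTABLES -A LOG_HK -j ACCEPT
  echo ""
  echo ""
  _fw_status "1;032" "Stop Port Scanner...... [OK]"
  # The six TCP-flag filters are all commented out; only the ICMP rate
  # limit below is active.
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP          # NMAP FIN/URG/PSH
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL ALL -j DROP                  # Xmas Tree
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  # Another Xmas Tree
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL NONE -j DROP                 # Null Scan(possibly)
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP          # SYN/RST
  # $IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP          # SYN/FIN -- Scan(possibly)
  "$IPTABLES" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  # NOTE(review): this rule has no "-j" target, so it only counts matching
  # SYNs and affects nothing.  It looks like an unfinished SYN rate limit;
  # confirm the intent before giving it a target.
  "$IPTABLES" -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
  # Trust by source address with no interface match.  rp_filter is 0 (see
  # the kernel settings above), so a packet on $INET_IFACE carrying one of
  # these sources matches as well.
  "$IPTABLES" -A INPUT -s "$DNS_SERVER" -j ACCEPT
  "$IPTABLES" -A INPUT -s "$DNS_SERVER2" -j ACCEPT
  "$IPTABLES" -A INPUT -s "$DNS_SERVER3" -j ACCEPT
  "$IPTABLES" -A INPUT -s "$DNS_SERVER4" -j ACCEPT
  "$IPTABLES" -A INPUT -s 127.0.0.1/32 -j ACCEPT
  "$IPTABLES" -A INPUT -i ipsec+ -j ACCEPT
  # Reachable from the Internet side: ident, GRE (47), ESP (50), AH (51)
  # and IKE (udp 500/500) for the VPN.
  "$IPTABLES" -A INPUT -p tcp -i "$INET_IFACE" --dport 113 -j ACCEPT
  "$IPTABLES" -A INPUT -p 47 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p 50 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p 51 -i "$INET_IFACE" -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -i "$INET_IFACE" --sport 500 --dport 500 -j ACCEPT
  ##########################################################
  # DNS is accepted from the LAN only.  SSH has neither -i nor -s, so it is
  # open on $INET_IFACE too; add "-i $LAN_IFACE" or a source if that is
  # not wanted.  $PRIVILEGE is again trusted by address alone.
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -p tcp --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -p udp --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
  "$IPTABLES" -A INPUT -s "$PRIVILEGE" -j ACCEPT
  # INTERNAL_LAN and DEPOT_LAN begin with a newline; the unquoted expansion
  # is what strips it, so they must stay unquoted here and below.
  "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -s $INTERNAL_LAN -j MASQUERADE
  # $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 3389 -j DNAT --to $TERMINAL_SERVER
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # FORWARD leg of the RDP port-forward; it only sees traffic once the
  # DNAT above is re-enabled (or the LAN is otherwise routed from outside).
  "$IPTABLES" -A FORWARD -p tcp -i "$INET_IFACE" -d "$TERMINAL_SERVER" --dport 3389 -j ACCEPT
  #$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE -d $INET_IP --dport 5013 -j DNAT --to $TERMINAL_SERVER
  #$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d $TERMINAL_SERVER --dport 5013 -j ACCEPT
  ######DNS SERVER #####
  # Anything to/from the resolvers and the depot LAN is forwarded, again
  # matched on address only (no interface, no protocol/port).
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER2" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER3" -j ACCEPT
  "$IPTABLES" -A FORWARD -s "$DNS_SERVER4" -j ACCEPT
  "$IPTABLES" -A FORWARD -s $DEPOT_LAN -j ACCEPT
  "$IPTABLES" -A FORWARD -d $DEPOT_LAN -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER2" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER3" -j ACCEPT
  "$IPTABLES" -A FORWARD -d "$DNS_SERVER4" -j ACCEPT
  ######END DNS SERVER ######
  "$IPTABLES" -A FORWARD -s "$MANAGER_HOST" -j ACCEPT # Privilege host
  _fw_status "1;032" "Load Statefull check...... [OK]"
  _fw_separator
  ################################################# ACCEPT all hosts
  if [ "$ACCEPT_ALL_LAN" != "" ] ; then
    # Word-splitting the newline-separated list is intentional.
    for LAN in ${ACCEPT_ALL_LAN} ; do
      # No "-i $LAN_IFACE" (the commented variant has it): with rp_filter
      # off, a packet arriving on $INET_IFACE with this source matches too.
      "$IPTABLES" -A FORWARD -s "${LAN}" -j ACCEPT
      # $IPTABLES -A FORWARD -i $LAN_IFACE -s ${LAN} -j ACCEPT
      # $IPTABLES -A FORWARD -p tcp -i ppp+ -s ${LAN} -j ACCEPT
      echo ""
      # "[OK]" is quoted in every status echo: unquoted it is a glob that
      # expands to a file named O or K in the current directory.
      echo "${LAN} Access to Externel.....ACCEPT all [OK]"
    done
  fi
  _fw_separator
  ################################################# common rules
  # Payload inspection: log, then drop, any TCP segment containing the
  # literal "BitTorrent".  (Newer iptables needs "--algo bm" with -m
  # string.)  A plain substring test misses obfuscated clients and can hit
  # unrelated traffic that happens to carry the word.
  "$IPTABLES" -A FORWARD -p tcp -m string --string "BitTorrent" -j LOG --log-prefix 'IPTABLES FORWARD bt download:'
  "$IPTABLES" -A FORWARD -p tcp -m string --string "BitTorrent" -j DROP
  # $IPTABLES -A FORWARD -p tcp -m string --string "QQ" -j DROP
  "$IPTABLES" -A FORWARD -p icmp -i "$LAN_IFACE" -j ACCEPT
  "$IPTABLES" -A FORWARD -p icmp -i ipsec+ -j ACCEPT
  # $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --dport 113 -j ACCEPT
  "$IPTABLES" -A FORWARD -i ipsec+ -j ACCEPT
  # Hostnames are resolved by iptables when the rule is inserted: the rule
  # pins whatever the resolver answered at that moment, and the insert
  # fails (the script continues regardless) if the name cannot be resolved.
  "$IPTABLES" -A FORWARD -d pop-ent.21cn.com -j ACCEPT
  "$IPTABLES" -A FORWARD -d smtp-ent.21cn.com -j ACCEPT
  ################# lock POPO chat #############################
  _fw_drop_dst 202.108.42.176 202.108.42.0/24 221.231.129.0/24 61.152.101.0/24 61.152.97.0/24
  ################# lock ourgame chat #############################
  _fw_drop_dst 202.108.36.77 202.108.36.0/24
  ################# lock yahoo chat #############################
  _fw_drop_dst 216.155.193.225 216.155.193.160 216.155.193.133 216.155.193.143 \
    216.155.193.153 216.155.194.122 216.155.193.0/24 61.145.112.212 61.145.112.210 \
    80.67.74.118 216.109.116.191 216.136.173.169
  ################# lock msn chat #############################
  _fw_drop_dst 207.46.104.0/24 207.46.105.0/24 207.46.106.0/24 207.46.107.0/24 \
    207.46.108.0/24 207.46.109.0/24 207.46.110.0/24
  ################# lock QQ chat #############################
  # Exact duplicates of the original list were removed (61.152.101.0/24,
  # already under POPO; 219.133.40.0/24 and 219.133.41.0/24, listed twice).
  # A /32 that follows its own /24 is redundant but kept as written.
  _fw_drop_dst 202.103.149.40 61.135.157.0/24 \
    61.144.238.0/24 61.144.238.145 61.144.238.146 61.144.238.156 \
    61.144.238.150 61.144.238.155 61.144.238.149 \
    61.141.194.0/24 61.141.194.203 61.141.194.200 61.141.194.224 61.141.194.227 \
    61.152.100.0/24 \
    202.104.129.0/24 202.104.129.251 202.104.129.252 202.104.129.253 202.104.129.254 \
    202.96.170.0/24 202.96.170.166 202.96.170.163 202.96.170.164 \
    219.133.45.0/24 219.133.45.15 219.133.40.0/24 219.133.60.0/24 219.133.51.0/24 \
    219.133.41.0/24 219.133.48.0/24 219.133.49.0/24 219.133.38.0/24 219.133.62.0/24 \
    218.18.95.0/24 218.18.95.221 218.18.95.209 218.18.95.153 218.18.95.171 \
    218.18.95.140 218.18.95.162 \
    218.17.209.0/24 218.17.209.23 218.17.209.42 218.17.209.20 218.17.209.21 \
    218.85.138.0/24 207.46.157.0/24 207.46.156.0/24
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN --dport 8000 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN2 --dport 8000 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN3 --dport 8000 -j DROP
  # $IPTABLES -A FORWARD -p udp -i $LAN_IFACE -s $INTERNAL_LAN4 --dport 8000 -j DROP
  ################# end of lock OQ server #########################
  # Whole LAN outbound: DNS and 449 (tcp+udp), mail (25/110/143).
  "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s $INTERNAL_LAN --dport 53,449 -j ACCEPT
  "$IPTABLES" -A FORWARD -p udp -m multiport -i "$LAN_IFACE" -s $INTERNAL_LAN --dport 53,449 -j ACCEPT
  "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s $INTERNAL_LAN --dport 25,110,143 -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo ""
  _fw_status "1;032" "Load common rule ...... [OK]"
  _fw_separator
  ################################################# ACCEPT http hosts
  if [ "$ACCEPT_HTTP_LAN" != "" ] ; then
    for LAN in ${ACCEPT_HTTP_LAN} ; do
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "${LAN}" --dport 80,443 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel..... ACCEPT http [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT ftp hosts
  if [ "$ACCEPT_FTP_LAN" != "" ] ; then
    for LAN in ${ACCEPT_FTP_LAN} ; do
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "${LAN}" --dport 20,21 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel..... ACCEPT ftp [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT network file share hosts
  # SMB/NetBIOS and NFS towards the Internet; the list is empty by default.
  if [ "$ACCEPT_NBT_LAN" != "" ] ; then
    for LAN in ${ACCEPT_NBT_LAN} ; do
      "$IPTABLES" -A FORWARD -p udp -m multiport -i "$LAN_IFACE" -s "${LAN}" --dport 137,138,2049 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "${LAN}" --dport 139,445,2049 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel.....ACCEPT network file share [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT admin hosts
  if [ "$ACCEPT_ADMIN_LAN" != "" ] ; then
    for LAN in ${ACCEPT_ADMIN_LAN} ; do
      # $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s ${LAN} --dport 3389 -j ACCEPT #terminal service
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "${LAN}" --dport 5631,2299 -j ACCEPT #PcAnywhere service
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "${LAN}" --dport 5632 -j ACCEPT #PcAnywhere service
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 6000:6010 -j ACCEPT #x11 service
      echo ""
      echo "${LAN} Access to Externel.....ACCEPT network admin [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT oicq hosts
  if [ "$ACCEPT_OICQ_LAN" != "" ] ; then
    for LAN in ${ACCEPT_OICQ_LAN} ; do
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "${LAN}" --dport 8000 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 8000 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel..... ACCEPT oicq [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT icq hosts
  if [ "$ACCEPT_ICQ_LAN" != "" ] ; then
    for LAN in ${ACCEPT_ICQ_LAN} ; do
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "${LAN}" --dport 4000 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 3000:3014 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel.....ACCEPT icq [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT irc hosts
  if [ "$ACCEPT_IRC_LAN" != "" ] ; then
    for LAN in ${ACCEPT_IRC_LAN} ; do
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 7000 -j ACCEPT
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 6660:6670 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel.....ACCEPT irc [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT msn hosts
  if [ "$ACCEPT_MSN_LAN" != "" ] ; then
    for LAN in ${ACCEPT_MSN_LAN} ; do
      "$IPTABLES" -A FORWARD -p tcp -m multiport -i "$LAN_IFACE" -s "${LAN}" --dport 80,443,1863 -j ACCEPT #login service
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 1503 -j ACCEPT #share and blankboard
      # $IPTABLES -A FORWARD -p tcp -i $LAN_IFACE -s ${LAN} --dport 3389 -j ACCEPT #remote assistant
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 6891:6900 -j ACCEPT #file transport
      # udp 5004-65535 is most of the UDP port space, not just voice/video.
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "${LAN}" --dport 5004:65535 -j ACCEPT #radio and audio
      echo ""
      echo "${LAN} Access to Externel.....ACCEPT msn [OK]"
    done
  fi
  _fw_separator
  ################################################# ACCEPT game hosts
  # tcp+udp 100-65535: a host on this list is close to unrestricted.
  if [ "$ACCEPT_GAME_LAN" != "" ] ; then
    for LAN in ${ACCEPT_GAME_LAN} ; do
      "$IPTABLES" -A FORWARD -p tcp -i "$LAN_IFACE" -s "${LAN}" --dport 100:65535 -j ACCEPT
      "$IPTABLES" -A FORWARD -p udp -i "$LAN_IFACE" -s "${LAN}" --dport 100:65535 -j ACCEPT
      echo ""
      echo "${LAN} Access to Externel.....ACCEPT game [OK]"
    done
  fi
  _fw_separator
  ########################### logrule #########################
  #ACCESSLOG="NO"
  ACCESSLOG="YES"
  if [ "$ACCESSLOG" = "YES" ] ; then
    # $IPTABLES -I FORWARD -p tcp -m multiport --dport 445,135 -j LOG
    # NOTE(review): the -I rules below are inserted at the TOP of INPUT /
    # FORWARD with no "-m limit", so every tcp/udp packet -- accepted or
    # not, despite the "ACCEPT" prefix -- produces a kernel log line.  On
    # a busy link that fills the log and loads the host; a limit clause
    # (as used for ICMP above) would bound it.  192.168.200.0/24 and
    # 192.168.110.0/24 are hard-coded here rather than taken from the
    # options block (the latter equals DEPOT_LAN).
    "$IPTABLES" -I INPUT -p tcp -j LOG --log-prefix 'IPTABLES INPUT TCP ACCEPT:'
    "$IPTABLES" -I INPUT -p udp -j LOG --log-prefix 'IPTABLES INPUT UDP ACCEPT:'
    # Appended after all ACCEPTs: logs what is about to hit the DROP policy.
    "$IPTABLES" -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES INPUT DROP:'
    "$IPTABLES" -I FORWARD -p tcp -s 192.168.200.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    "$IPTABLES" -I FORWARD -p tcp -s 192.168.110.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    "$IPTABLES" -I FORWARD -p tcp -s 192.168.100.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
    "$IPTABLES" -I FORWARD -p udp -s 192.168.100.0/24 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    #$IPTABLES -I FORWARD -p udp -s 192.168.100.0/24 --dport 1:52 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    #$IPTABLES -I FORWARD -p udp -s 192.168.100.0/24 --dport 54:136 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    #$IPTABLES -I FORWARD -p udp -s 192.168.100.0/24 --dport 139:65535 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
    "$IPTABLES" -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES FORWARD DROP:'
    echo "LOG illegal access ............................... [OK]"
  fi
  _fw_separator "1;031"
  printf '\033[1;031m \n\n'
  printf '%s\n' \
    '######################################################################' \
    '#                                                                    #' \
    '# Load office Firewall Access rule Successfull !                     #' \
    '#                                                                    #' \
    '######################################################################'
  echo ""
  printf '\033[m \n\n'
  echo ""
  ############################# Type of Service mangle optimizations
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
  # ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
  # ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
}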
#######################################
# Tear the firewall down.
# Flushes and deletes every chain in the filter and nat tables, zeroes
# the counters and opens all three default policies.
# Globals:  IPTABLES (read)
# Outputs:  completion banner on stdout; iptables errors on stderr
# Returns:  status of the final echo (0)
#######################################
stop(){
  local chain
  # Flush rules, delete user chains and reset counters: filter table
  # (the default) first, then nat.
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  "$IPTABLES" -Z -t nat
  # NOTE(review): FORWARD becomes ACCEPT while ip_forward (written as 1
  # when the script is loaded, on every invocation) stays on, so after
  # "stop" the box still routes between its interfaces with no filtering,
  # as far as its routing table allows.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
  # The global -X above already removed these chains; the per-chain
  # flush/delete is retried with errors silenced, as in the original.
  for chain in LOG_ACCEPT LOG_DROP LOG_HK; do
    "$IPTABLES" -t filter -F "$chain" > /dev/null 2>&1
    "$IPTABLES" -t filter -X "$chain" > /dev/null 2>&1
  done
  echo ""
  printf '\033[1;031m \n\n'
  echo ""
  printf '%s\n' \
    '######################################################################' \
    '#                                                                    #' \
    '# Stop office Firewall Access rule Successfull !                     #' \
    '#                                                                    #' \
    '######################################################################'
  echo ""
  printf '\033[m \n\n'
  echo ""
}
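#########################################################
# Entry point: dispatch on the first argument.  "restart" is stop then
# start.  Anything else prints the usage line (to stderr, as it is an
# error) and exits 1; the original text had a stray trailing "|" in the
# option list.  The final "exit $?" carries the status of the last
# command of whichever function ran.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac
exit $?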