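This is a basic access control rule, I think I need to configure a squid proxy for the advanced ACL later

#!/bin/bash
# Basic stateful NAT firewall for a two-interface gateway (WAN on $IF_PUB,
# LAN on $IF_PRV): default-deny on all three filter chains, LAN -> WAN
# forwarding with replies only coming back, SNAT of the LAN behind $IP_PUB,
# and a LOG rule at the end of each chain for what the DROP policies discard.
# Must run as root; it rewrites the live ruleset.
set -eu   # abort on a failed command or a mistyped (unset) variable; the DROP
          # policies are installed before any ACCEPT rule, so a run that aborts
          # part-way fails closed rather than leaving half a ruleset silently

# Default gateway (assigned here but not referenced by any rule below)
GATEWAY=xxx.xxx.xxx.xxx

# WAN interface
IP_PUB=xxx.xxx.xxx.xxx
IF_PUB=eth0
NET_PUB=xxx.xxx.xxx.xxx/x

# LAN interface
IP_PRV=10.16.5.1
IF_PRV=eth1
NET_PRV=10.16.5.0/24
LAN_MASK=255.255.255.0

# Others
ANYWHERE=0.0.0.0/0

# Kernel setup: load the FTP NAT helper module and enable IPv4 forwarding
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Bring up the LAN interface (left disabled, as in the original)
#ifconfig "$IF_PRV" "$IP_PRV" netmask "$LAN_MASK" up

# Default policy: anything no rule below accepts is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Start from empty tables (the policies set above survive a flush)
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
iptables -X

# Deny ACK attack: a connection conntrack considers NEW must begin with a SYN
iptables -A INPUT   -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Forwarding: the LAN may initiate anything towards the WAN; from the WAN only
# replies to tracked connections are forwarded back.
# Fix: the original LAN->WAN line had no "-A FORWARD", so iptables rejected it
# with "no command specified" and all LAN-originated traffic fell to the
# FORWARD DROP policy.
iptables -A FORWARD -i "$IF_PRV" -o "$IF_PUB" -j ACCEPT
iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Private side: the firewall host and the LAN subnet talk freely
iptables -A INPUT  -i "$IF_PRV" -s "$NET_PRV" -j ACCEPT
iptables -A OUTPUT -o "$IF_PRV" -d "$NET_PRV" -j ACCEPT

# Firewall host itself: unrestricted outbound on the WAN, inbound replies only
iptables -A OUTPUT -o "$IF_PUB" -j ACCEPT
iptables -A INPUT  -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Source NAT for the private network behind the public address
iptables -t nat -A POSTROUTING -s "$NET_PRV" -o "$IF_PUB" -j SNAT --to-source "$IP_PUB"

# Log whatever reaches the end of a chain; the DROP policies then discard it
iptables -A INPUT   -i "$IF_PUB" -j LOG --log-prefix="INPUT "
iptables -A OUTPUT  -o "$IF_PUB" -j LOG --log-prefix="OUTPUT "
iptables -A FORWARD              -j LOG --log-prefix="FORWARD "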