下面这个script,在启动系统后运行便可。当然,你必须运行iptables和squid。
#!/bin/bash
#Interface name which connect to the Internet
UPLINK="ppp0"
#if this is a router set ROUTER="yes" otherwise ROUTER="no"
ROUTER="yes"
#if need Squid, set SQUID="yes"
SQUID="yes"
#define intranet here
INTRASEG="192.168.1.0/24"
#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.
NAT="dynamic"
#change this next line so it lists all your network interfaces, including lo
INTERFACES="lo eth0 eth1 eth2 eth3 ppp0"
#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public. If you don't want any services enabled, set it to ""
#SERVICES="http ftp smtp ssh rsync"
SERVICES=""
if [ "$1" = "start" ]
then
echo "Starting firewall..."
#Refresh all chains
iptables -F -t nat
#set INPUT chain's policy to DROP, means packets which do not match any of
#our rules will be dropped at last.
iptables -P INPUT DROP
# allow intranet access
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
# allow relate connections from internet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#enable public access to certain services
for x in ${SERVICES}
do
iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done
#other packets coming from UPLINK interface will be REJECT
iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
#explicitly disable ECN
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
#disable spoofing on all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
then
#we're a router of some kind, enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
#enable transparent Squid proxy
if [ "$SQUID" = "yes" ]
then
echo "Enabling transparent Squid internet proxy..."
iptables -t nat -A PREROUTING -i ${SQUID} -p tcp -m tcp -d ! ${INTRASEG}
--dport 80 -j REDIRECT --to-ports 3128
fi
if [ "$NAT" = "dynamic" ]
then
#dynamic IP address, use masquerading
echo "Enabling masquerading (dynamic ip)..."
iptables -t nat -A POSTROUTING -s ${INTRASEG} -d ! ${INTRASEG} -o ${UPLINK} -j
MASQUERADE
elif [ "$NAT" != "" ]
then
#static IP, use SNAT
echo "Enabling SNAT (static ip)..."
iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}
fi
fi
elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
#turn off NAT/masquerading, if any
iptables -t nat -F
fi
声明: 本页内容为中国Linux论坛的内容镜像,文章的版权以及其他所有的相关权利属于中国Linux论坛和相应文章的作者,如果转载,请注明文章来源及相关版权信息。
