
Squid加IpTables实现网关防火墙的方法

需求说明：此服务器用作网关、MAIL（开启 web、smtp、pop3）、FTP、DHCP 服务器；内部一台机器（192.168.0.254）对外提供 DNS 服务。为了不让无意者轻易看出此服务器开启了 ssh 服务，故把 ssh 端口改为 2018；另把 proxy 的端口改为 60080。


eth0:218.28.20.253,外网口


eth1:192.168.0.1/24,内网口


[jackylau@proxyserver init.d]$cat /etc/squid/squid.conf(部份如下)

# Squid listens on the LAN address only, on port 60080 -- the port the
# firewall's REDIRECT rule sends intercepted LAN port-80 traffic to.
http_port 192.168.0.1:60080

# httpd_accel_*: accelerator / transparent-proxy settings so that redirected
# (non-proxy-aware) browser requests can be served; "virtual" plus
# uses_host_header means the origin is taken from the request's Host header.
# NOTE(review): these are old (Squid 2.5-era) directives -- confirm they are
# still accepted by the installed Squid version.
httpd_accel_port 80

httpd_accel_host virtual

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

# Only clients from the LAN network may use the proxy.  This listing is
# partial; whatever http_access lines follow in the real file decide the fate
# of everything else.
acl allow_lan src 192.168.0.0/24

http_access allow allow_lan

# Hostname Squid presents in error pages and response headers.
visible_hostname proxyserver

[jackylau@proxyserver init.d]$ cat firewall

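#!/bin/sh

# Author: jackylau ;

# chkconfig: 2345 08 92

# description: firewall

# Time on 2005.08.02

# killproc

# Set ENV
# Addresses and interfaces every rule in start()/stop() refers to.  Plain
# ASCII double quotes are required here: with typographic quotes the values
# would carry literal quote characters and iptables would reject them.
INET_IP="218.28.20.253"                 # public address on the WAN interface
INET_IFACE="eth0"                       # WAN interface
LAN_IP="192.168.0.1"                    # this host's LAN address
LAN_IP_RANGE="192.168.0.0/24"           # LAN network
LAN_BROADCAST_ADDRESS="192.168.0.255"   # LAN directed-broadcast address
LAN_IFACE="eth1"                        # LAN interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"               # full path: init scripts run with a minimal PATH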


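#######################################
# Load the ruleset: default-deny filter policies, the user-defined chains,
# SNAT for the LAN, DNAT of public DNS to the internal server and the
# transparent REDIRECT of LAN web traffic into Squid.
# Globals:   INET_IP, INET_IFACE, LAN_IP, LAN_IP_RANGE, LAN_BROADCAST_ADDRESS,
#            LAN_IFACE, LO_IFACE, LO_IP, IPTABLES (all read)
# Outputs:   status text on stdout; creates /var/lock/subsys/firewall
#######################################
start(){
  printf '%s' "Starting firewall:"

  # Load the netfilter pieces the rules below use: the filter/mangle/nat
  # tables, connection tracking and the LOG / limit / state extensions.
  /sbin/depmod -a
  /sbin/modprobe ip_tables
  /sbin/modprobe ip_conntrack
  /sbin/modprobe iptable_filter
  /sbin/modprobe iptable_mangle
  /sbin/modprobe iptable_nat
  /sbin/modprobe ipt_LOG
  /sbin/modprobe ipt_limit
  /sbin/modprobe ipt_state
  # NOTE(review): ip_conntrack_ftp is not loaded, so passive-mode FTP data
  # connections are not tracked as RELATED -- verify if Internet FTP clients
  # are expected to work through this ruleset.

  # Internal host that answers DNS for the public address (DNAT target below).
  dns_server="192.168.0.254"

  # Turn on routing between LAN and WAN.
  echo "1" > /proc/sys/net/ipv4/ip_forward

  # Set policies: default deny on all three filter chains; anything accepted
  # must match one of the explicit rules below.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P FORWARD DROP

  # Add bad_tcp_packets, allowed and icmp_packets (plus tcp/udp dispatch chains)
  $IPTABLES -N bad_tcp_packets
  $IPTABLES -N tcp_packets
  $IPTABLES -N udp_packets
  $IPTABLES -N allowed
  $IPTABLES -N icmp_packets

  # bad_tcp_packets: log, then drop, TCP segments that claim to open a NEW
  # connection without the SYN flag.
  $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-level INFO --log-prefix "New not syn:"
  $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # allowed: accept a connection request (SYN) or traffic belonging to an
  # already tracked connection; drop every other TCP segment.
  $IPTABLES -A allowed -p tcp --syn -j ACCEPT
  $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed -p tcp -j DROP

  # Directed broadcasts arriving on the LAN interface.
  # NOTE(review): DHCP DISCOVER frames come from 0.0.0.0 to 255.255.255.255
  # and match neither this rule nor the LAN-range accept below; ISC dhcpd
  # normally receives them through a packet socket that bypasses INPUT, so
  # confirm DHCP actually works with this ruleset on the real server.
  $IPTABLES -A INPUT -p all -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

  # TCP rules: services reachable from the Internet (INPUT jumps here for
  # $INET_IFACE): FTP 20/21, SMTP 25, HTTP 80, POP3 110, ssh relocated to 2018.
  # Moving ssh to 2018 only hides it from casual port guesses; the port is
  # still open to every source address, so it is not access control.
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 20 -j allowed
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 21 -j allowed
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 25 -j allowed
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 80 -j allowed
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 110 -j allowed
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 2018 -j allowed

  # UDP rules
  # NOTE(review): this chain is only entered for packets from $INET_IFACE, so
  # this opens the DHCP server port (67) to the Internet; LAN DHCP is already
  # covered by the LAN accept in INPUT -- confirm WAN-side DHCP is intended.
  $IPTABLES -A udp_packets -p udp -s 0/0 --destination-port 67 -j ACCEPT

  # ICMP rules: echo-request (8) and time-exceeded (11) from anywhere.
  $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
  $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

  # INPUT chain
  $IPTABLES -A INPUT -p tcp -j bad_tcp_packets

  # Everything from the LAN and from the loopback interface is trusted.
  $IPTABLES -A INPUT -p all -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
  $IPTABLES -A INPUT -p all -i $LO_IFACE -s $LO_IP -j ACCEPT
  $IPTABLES -A INPUT -p all -i $LO_IFACE -s $LAN_IP -j ACCEPT
  $IPTABLES -A INPUT -p all -i $LO_IFACE -s $INET_IP -j ACCEPT
  # Replies to connections this host opened, then the per-protocol chains
  # for new traffic from the Internet.
  $IPTABLES -A INPUT -p all -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -p tcp -i $INET_IFACE -j tcp_packets
  $IPTABLES -A INPUT -p udp -i $INET_IFACE -j udp_packets
  $IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets
  # Rate-limited log of what the DROP policy is about to discard.
  $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

  # FORWARD chain
  $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

  # LAN hosts may go anywhere; replies come back via conntrack.
  $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # DNS queries DNAT'ed to the internal server arrive on $INET_IFACE in state
  # NEW; without these two rules they would fall through to the DROP policy
  # and the DNAT below would never deliver anything.
  $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p udp -d $dns_server --dport 53 -j ACCEPT
  $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp -d $dns_server --dport 53 -j ACCEPT
  $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

  # OUTPUT chain
  $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

  # Locally generated traffic from any of this host's own addresses.
  $IPTABLES -A OUTPUT -p all -s $LO_IP -j ACCEPT
  $IPTABLES -A OUTPUT -p all -s $LAN_IP -j ACCEPT
  $IPTABLES -A OUTPUT -p all -s $INET_IP -j ACCEPT

  $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

  # SNAT table: rewrite LAN sources leaving the WAN interface to the public IP.
  $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

  # DNAT table: public DNS is served by the internal host.  "--dport" is an
  # option of the tcp/udp match, so the rule must name the protocol; one rule
  # each for UDP and TCP replaces the original "-p ! icmp ... -dport 53",
  # which iptables does not accept.
  $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 53 -j DNAT --to-destination $dns_server:53
  $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 53 -j DNAT --to-destination $dns_server:53

  # REDIRECT: transparently send LAN web requests into Squid on 60080.
  $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -s $LAN_IP_RANGE --dport 80 -j REDIRECT --to-ports 60080

  touch /var/lock/subsys/firewall
}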


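#######################################
# Tear the ruleset down.  Afterwards the host does NO packet filtering at
# all (every policy is ACCEPT) and no longer routes.
# Globals:   IPTABLES (read)
# Outputs:   status text on stdout; removes /var/lock/subsys/firewall
#######################################
stop(){
  printf '%s' "Stopping firewall:"

  # Stop routing first so nothing is forwarded while the rules are open.
  echo "0" > /proc/sys/net/ipv4/ip_forward

  # Reset the built-in chains of filter, nat and mangle to ACCEPT ...
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -t nat -P PREROUTING ACCEPT
  $IPTABLES -t nat -P POSTROUTING ACCEPT
  $IPTABLES -t nat -P OUTPUT ACCEPT
  $IPTABLES -t mangle -P PREROUTING ACCEPT
  $IPTABLES -t mangle -P OUTPUT ACCEPT

  # ... flush every rule and delete the user-defined chains.
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -t mangle -F
  $IPTABLES -X
  $IPTABLES -t nat -X
  $IPTABLES -t mangle -X

  rm -f /var/lock/subsys/firewall
}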


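#######################################
# Print the filter table and the nat PREROUTING/POSTROUTING chains.
# Globals:   IPTABLES (read)
# Outputs:   rule listing on stdout
#######################################
status(){
  sep="-------------------------------------------------------------------"
  clear
  printf '%s\n' "$sep"
  # -n: numeric output, so the listing does not stall on reverse DNS lookups.
  $IPTABLES -n -L
  printf '%s\n' "$sep"
  $IPTABLES -t nat -n -L POSTROUTING
  printf '%s\n' "$sep"
  $IPTABLES -t nat -n -L PREROUTING
}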


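# Dispatch on the init action.  "status" was advertised in the usage line
# but had no arm, so "firewall status" used to print usage instead of
# listing the rules.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    status
    ;;
  *)
    echo "$0 [start|stop|restart|status]"
    ;;
esac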

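# Installation, run from the directory holding the script: copy it into the
# init directory, make it executable by root only, and register it with
# chkconfig (runlevels and priorities come from the "# chkconfig:" header).
cp -- firewall /etc/init.d/firewall
chmod 700 /etc/init.d/firewall
chkconfig --add firewall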
