fprintf (script, "if [ -e /proc/sys/net/ipv4/proxy_arp ]; then\n" " echo 0 > /proc/sys/net/ipv4/proxy_arp\nfi\n\n"); fprintf (script, "# Set FIB model to be RFC1812 Compliant\n"); fprintf (script, "# (certain policy based routers may break with this - if you find\n"); fprintf (script, "# that you can't access certain hosts on your network - please set\n"); fprintf (script, "# this option to '0' - which is the default)\n\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/ip_fib_model ]; then\n" " echo 2 > /proc/sys/net/ipv4/ip_fib_model\nfi\n\n"); fprintf (script, "\n# --------( Sysctl Tuning - ICMP/IGMP Parameters )--------\n\n"); fprintf (script, "# ICMP Dead Error Messages protection\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then\n" " echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses\nfi\n\n"); fprintf (script, "# ICMP Broadcasting protection\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then\n" " echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts\nfi\n\n"); fprintf (script, "# IGMP Membership 'overflow' protection\n"); fprintf (script, "# (if you are planning on running your box as a router - you should either\n"); fprintf (script, "# set this option to a number greater than 5, or disable this protection\n"); fprintf (script, "# altogether by commenting out this option)\n\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/igmp_max_memberships ]; then\n" " echo 1 > /proc/sys/net/ipv4/igmp_max_memberships\nfi\n\n"); fprintf (script, "\n# --------( Sysctl Tuning - Miscellanous Parameters )--------\n\n"); fprintf (script, "# Set TTL to '64' hops\n"); fprintf (script, "# (If you are running a masqueraded network, or use policy-based\n"); fprintf (script, "# routing - you may want to increase this value depending on the load\n"); fprintf (script, "# on your link.)\n\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/conf/all/ip_default_ttl ]; then\n" " for f in 
/proc/sys/net/ipv4/conf/*/ip_default_ttl\n do\n echo 64 > $f\n done\nfi\n\n"); fprintf (script, "# Always defragment incoming packets\n"); fprintf (script, "# (Some cable modems [ Optus @home ] will suffer intermittent connection\n"); fprintf (script, "# droputs with this setting. If you experience problems, set this to '0')\n\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then\n" " echo 1 > /proc/sys/net/ipv4/ip_always_defrag\nfi\n\n"); fprintf (script, "# Keep packet fragments in memory for 8 seconds\n"); fprintf (script, "# (Note - this option has no affect if you turn packet defragmentation\n"); fprintf (script, "# (above) off!)\n\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/ipfrag_time ]; then\n" " echo 8 > /proc/sys/net/ipv4/ipfrag_time\nfi\n\n"); fprintf (script, "# Do not reply to Address Mask Notification Warnings\n"); fprintf (script, "# (If you are using your machine as a DMZ router or a PPP dialin server\n"); fprintf (script, "# that relies on proxy_arp requests to provide addresses to it's clients\n"); fprintf (script, "# you may wish to disable this option by setting the value to '1'\n\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/ip_addrmask_agent ]; then\n" " echo 0 > /proc/sys/net/ipv4/ip_addrmask_agent\nfi\n\n"); fprintf (script, "if [ \"$EXT_PPP\" = \"on\" ]; then\n" " # Turn on dynamic TCP/IP address hacking\n" " # (Some broken PPPoE clients require this option to be enabled)\n" " if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then\n" " echo 1 > /proc/sys/net/ipv4/ip_dynaddr\n" " fi\n" "else\n" " if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then\n" " echo 0 > /proc/sys/net/ipv4/ip_dynaddr\n" " fi\n" "fi"); fprintf (script, "\n# --------( Sysctl Tuning - IPTables Specific Parameters )--------\n\n"); fprintf (script, "# Doubling current limit for ip_conntrack\n"); fprintf (script, "if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then\n" " echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max\nfi\n\n"); fclose (script);}/* [ 
write_netfilter_script ] * Creates the netfilter shell script */voidwrite_netfilter_script (void){ gchar *scriptpath = FIRESTARTER_FIREWALL_SCRIPT; FILE *script = fopen (scriptpath, "w"); time_t now; struct tm *tm; char timestamp[17]; if (script == NULL) { /* Use perror to get sane error messages */ perror(scriptpath); g_printerr("Script not written!"); return; } chmod (scriptpath, 00440); write_sysctl_tuning_script (); write_inbound_script (); write_outbound_script (); now = time(NULL); tm = localtime(&now); strftime(timestamp, 17, "%F %R", tm); fprintf (script, "#-----------( Firestarter " VERSION ", Netfilter kernel subsystem in use )----------#\n"); fprintf (script, "# #\n"); fprintf (script, "# This firewall was generated by Firestarter on %s #\n", timestamp); fprintf (script, "# http://www.fs-security.com #\n"); fprintf (script, "# #\n"); /* Autoloading of netfilter modules must be done before chains are flushed.*/ fprintf (script, "\n# --------( Initial Setup - Firewall Modules Autoloader )--------\n\n"); fprintf (script, "# Remove ipchains module if found\n"); fprintf (script, "$LSM | grep ipchains -q -s && $RMM ipchains\n\n"); fprintf (script, "# Try to load every module we need\n"); fprintf (script, "$MPB ip_tables 2> /dev/null\n"); fprintf (script, "$MPB iptable_filter 2> /dev/null\n"); fprintf (script, "$MPB ipt_state 2> /dev/null\n"); fprintf (script, "$MPB ip_conntrack 2> /dev/null\n"); fprintf (script, "$MPB ip_conntrack_ftp 2> /dev/null\n"); fprintf (script, "$MPB ip_conntrack_irc 2> /dev/null\n"); fprintf (script, "$MPB ipt_REJECT 2> /dev/null\n"); /* fprintf (script, "$MPB ipt_REDIRECT 2> /dev/null\n"); */ fprintf (script, "$MPB ipt_TOS 2> /dev/null\n"); fprintf (script, "$MPB ipt_MASQUERADE 2> /dev/null\n"); fprintf (script, "$MPB ipt_LOG 2> /dev/null\n"); fprintf (script, "$MPB iptable_mangle 2> /dev/null\n"); fprintf (script, "$MPB ipt_ipv4optsstrip 2> /dev/null\n"); fprintf (script, "if [ \"$NAT\" = \"on\" ]; then\n" " $MPB iptable_nat 2> 
/dev/null\n" " $MPB ip_nat_ftp 2> /dev/null\n" " $MPB ip_nat_irc 2> /dev/null\n" "fi\n"); fprintf (script, "if [ \"EXT_PPP\" = \"on\" ]; then\n" " $MPB bsd_comp 2> /dev/null\n" " $MPB ppp_deflate 2> /dev/null\n" "fi\n\n"); fprintf (script, "\n# --------( Initial Setup - Firewall Capabilities Check )--------\n\n"); fprintf (script, "# Make sure the test chains does not exist\n"); fprintf (script, "$IPT -F test 2> /dev/null\n" "$IPT -X test 2> /dev/null\n" "if [ \"$NAT\" = \"on\" ]; then\n" " $IPT -t nat -F test 2> /dev/null\n" " $IPT -t nat -X test 2> /dev/null\n" "fi\n\n"); fprintf (script, "# Iptables support check, mandatory feature\n" "if [ \"`$IPT -N test 2>&1`\" ]; then\n" " echo Fatal error: Your kernel does not support iptables.\n" " return %d\n" "fi\n\n", RETURN_NO_IPTABLES); fprintf (script, "# Logging support check\n" "log_supported=1\n" "if [ \"`$IPT -A test -j LOG 2>&1`\" ]; then\n" " echo Warning: Logging not supported by kernel, you will recieve no firewall event updates.\n" " log_supported=\"\"\n" "fi\n\n"); fprintf (script, "if [ \"$NAT\" = \"on\" ]; then\n" " # NAT support check\n" " nat_supported=1\n" " if [ \"`$IPT -t nat -N test 2>&1`\" ]; then\n" " echo Warning: Network address translation not supported by kernel, feature disabled.\n" " nat_supported=\"\"\n" " fi\n" "fi\n\n"); fprintf (script, "# Mangle support check\n" "mangle_supported=1\n" "if [ \"`$IPT -t mangle -F 2>&1`\" ]; then\n" " echo Warning: Packet mangling not supported by kernel, feature disabled.\n" " mangle_supported=\"\"\n" "fi\n\n"); fprintf (script, "# IP options stripping support check\n"); fprintf (script, "stripoptions_supported=1\n"); fprintf (script, "if [ \"`$IPT -t mangle -A test -j IPV4OPTSSTRIP 2>&1`\" ]; then\n" /*" echo Warning: IP options stripping not supported by kernel, feature disabled.\n"*/ " stripoptions_supported=\"\"\n" "fi\n\n"); fprintf (script, "\n# --------( Chain Configuration - Flush Existing Chains )--------\n\n"); fprintf (script, "# Purge standard 
chains (INPUT, OUTPUT, FORWARD).\n\n"); fprintf (script, "$IPT -F\n$IPT -X\n$IPT -Z\n\n"); fprintf (script, "# Purge extended chains (MANGLE & NAT) if they exist.\n\n"); fprintf (script, "if [ \"$mangle_supported\" ]; then\n"); fprintf (script, " $IPT -t mangle -F\n $IPT -t mangle -X\n $IPT -t mangle -Z\nfi\n"); fprintf (script, "if [ \"$nat_supported\" ]; then\n"); fprintf (script, " $IPT -t nat -F\n $IPT -t nat -X\n $IPT -t nat -Z\nfi\n\n"); fprintf (script, "\n# --------( Chain Configuration - Configure Default Policy )--------\n\n"); fprintf (script, "# Configure standard chains (INPUT, OUTPUT, FORWARD).\n\n"); fprintf (script, "$IPT -P INPUT DROP\n"); fprintf (script, "$IPT -P OUTPUT DROP\n"); fprintf (script, "$IPT -P FORWARD DROP\n\n"); fprintf (script, "# Configure extended chains (MANGLE & NAT) if required.\n\n"); fprintf (script, "if [ \"$mangle_supported\" ]; then\n"); fprintf (script, " $IPT -t mangle -P INPUT ACCEPT\n"); fprintf (script, " $IPT -t mangle -P OUTPUT ACCEPT\n"); fprintf (script, " $IPT -t mangle -P PREROUTING ACCEPT\n"); fprintf (script, " $IPT -t mangle -P POSTROUTING ACCEPT\nfi\n"); fprintf (script, "if [ \"$nat_supported\" ]; then\n"); fprintf (script, " $IPT -t nat -P OUTPUT ACCEPT\n"); fprintf (script, " $IPT -t nat -P PREROUTING ACCEPT\n"); fprintf (script, " $IPT -t nat -P POSTROUTING ACCEPT\nfi\n\n"); fprintf (script, "\n# --------( Chain Configuration - Create Default Result Chains )--------\n\n"); fprintf (script, "# Create a new chain for filtering the input before logging is performed\n" "$IPT -N LOG_FILTER 2> /dev/null\n" "$IPT -F LOG_FILTER\n\n"); fprintf (script, "# Hosts for which logging is disabled\n"); fprintf (script, "while read host garbage\n\tdo\n"); fprintf (script, "\t\t$IPT -A LOG_FILTER -s $host -j $STOP_TARGET\n"); fprintf (script, "\tdone < "FIRESTARTER_FILTER_HOSTS_SCRIPT"\n\n"); fprintf (script, "# Ports for which logging is disabled\n"); fprintf (script, "while read port garbage\n\tdo\n"); fprintf (script, 
"\t\t$IPT -A LOG_FILTER -p tcp --dport $port -j $STOP_TARGET\n"); fprintf (script, "\t\t$IPT -A LOG_FILTER -p udp --dport $port -j $STOP_TARGET\n"); fprintf (script, "\tdone < "FIRESTARTER_FILTER_PORTS_SCRIPT"\n\n"); fprintf (script, "# Create a new log and stop input (LSI) chain.\n"); fprintf (script, "$IPT -N LSI 2> /dev/null\n" "$IPT -F LSI\n" "$IPT -A LSI -j LOG_FILTER\n" "if [ \"$log_supported\" ]; then\n" " # Syn-flood protection\n" " $IPT -A LSI -p tcp --syn -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix \"Inbound \"\n" " $IPT -A LSI -p tcp --syn -j $STOP_TARGET\n" " # Rapid portscan protection\n" " $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix \"Inbound \"\n" " $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j $STOP_TARGET\n" " # Ping of death protection\n" " $IPT -A LSI -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix \"Inbound \"\n" " $IPT -A LSI -p icmp --icmp-type echo-request -j $STOP_TARGET\n" " # Log everything\n" " $IPT -A LSI -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix \"Inbound \"\n" "fi\n" "$IPT -A LSI -j $STOP_TARGET # Terminate evaluation\n\n"); fprintf (script, "# Create a new log and stop output (LSO) chain.\n"); fprintf (script, "$IPT -N LSO 2> /dev/null\n" "$IPT -F LSO\n" "$IPT -A LSO -j LOG_FILTER\n" "if [ \"$log_supported\" ]; then\n" " # Log everything\n" " $IPT -A LSO -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix \"Outbound \"\n" "fi\n" "$IPT -A LSO -j REJECT # Terminate evaluation\n\n"); fprintf (script, "\n# --------( Initial Setup - Nameservers )--------\n\n"); fprintf (script, "# Allow regular DNS traffic\n" "while read keyword server garbage\n" " do\n" " if [ \"$keyword\" = \"nameserver\" ]; then\n"