" $IPT -A INPUT -p tcp ! --syn -s $server -d 0/0 -j ACCEPT\n" " $IPT -A INPUT -p udp -s $server -d 0/0 -j ACCEPT\n" " $IPT -A OUTPUT -p tcp -s $IP -d $server --dport 53 -j ACCEPT\n" " $IPT -A OUTPUT -p udp -s $IP -d $server --dport 53 -j ACCEPT\n" " fi\n" " done < /etc/resolv.conf\n\n"); fprintf (script, "\n# --------( Initial Setup - Configure Kernel Parameters )--------\n\n"); fprintf (script, "source "FIRESTARTER_SYSCTL_SCRIPT"\n\n"); fprintf (script, "\n# --------( Intial Setup - User Defined Pre Script )--------\n\n"); fprintf (script, "source "FIRESTARTER_USER_PRE_SCRIPT"\n\n"); fprintf (script, "\n# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------\n\n"); fprintf (script, "# Allow all traffic on the loopback interface\n"); fprintf (script, "$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT\n"); fprintf (script, "$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT\n\n"); fprintf (script, "\n# --------( Rules Configuration - Type of Service (ToS) - Ruleset Filtered by GUI )--------\n\n"); fprintf (script, "if [ \"$FILTER_TOS\" = \"on\" ]; then\n"); fprintf (script, " if [ \"$TOS_CLIENT\" = \"on\" -a $mangle_supported ]; then\n" " # ToS: Client Applications\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 68 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 80 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 443 --set-tos $TOSOPT\n" " fi\n"); fprintf (script, " if [ \"$TOS_SERVER\" = \"on\" -a $mangle_supported ]; then\n" " # ToS: Server Applications\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 20:21 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 25 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 53 --set-tos $TOSOPT\n" " $IPT -t 
mangle -A OUTPUT -p tcp -j TOS --dport 67 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 80 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 110 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 143 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 443 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 1812 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 1813 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 2401 --set-tos $TOSOPT\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 8080 --set-tos $TOSOPT\n" " fi\n"); fprintf (script, " if [ \"$TOS_SERVER\" = \"on\" -a $mangle_supported ]; then\n" " # ToS: The X Window System\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos 0x10\n" " $IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 6000:6015 --set-tos 0x08\n" " fi\n"); fprintf (script, "fi\n\n"); fprintf (script, "\n# --------( Rules Configuration - ICMP )--------\n\n"); fprintf (script, "if [ \"$FILTER_ICMP\" = \"on\" ]; then\n"); fprintf (script, " if [ \"$ICMP_ECHO_REQUEST\" = \"on\" ]; then\n" " # ICMP: Ping Requests\n" " $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_ECHO_REPLY\" = \"on\" ]; then\n" " # ICMP: Ping Replies\n" " $IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_TRACEROUTE\" = \"on\" ]; then\n" " # ICMP: Traceroute Requests\n" " $IPT -A INPUT -p udp --dport 33434 -j ACCEPT\n" " $IPT -A FORWARD -p udp --dport 33434 -j ACCEPT\n" " else\n" " $IPT -A INPUT -p udp --dport 33434 -j LSI\n" " $IPT -A FORWARD -p udp --dport 33434 -j LSI\n" " fi\n"); fprintf (script, " if [ 
\"$ICMP_MSTRACEROUTE\" = \"on\" ]; then\n" " # ICMP: MS Traceroute Requests\n" " $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_UNREACHABLE\" = \"on\" ]; then\n" " # ICMP: Unreachable Requests\n" " $IPT -A INPUT -p icmp --icmp-type host-unreachable -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type host-unreachable -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_TIMESTAMPING\" = \"on\" ]; then\n" " # ICMP: Timestamping Requests\n" " $IPT -A INPUT -p icmp --icmp-type timestamp-request -j ACCEPT\n" " $IPT -A INPUT -p icmp --icmp-type timestamp-reply -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_MASKING\" = \"on\" ]; then\n" " # ICMP: Address Masking\n" " $IPT -A INPUT -p icmp --icmp-type address-mask-request -j ACCEPT\n" " $IPT -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type address-mask-request -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type address-mask-reply -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_REDIRECTION\" = \"on\" ]; then\n" " # ICMP: Redirection Requests\n" " $IPT -A INPUT -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT\n" " fi\n"); fprintf (script, " if [ \"$ICMP_SOURCE_QUENCHES\" = \"on\" ]; then\n" " # ICMP: Source Quench Requests\n" " $IPT -A INPUT -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT\n" " $IPT -A FORWARD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT\n" " fi\n\n"); fprintf (script, " # Catch ICMP traffic not allowed above\n" " $IPT -A INPUT -p icmp -j LSI\n" " $IPT -A FORWARD -p icmp -j LSI\n"); fprintf (script, "else\n" " # Allow all ICMP traffic when filtering disabled\n" " $IPT -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT\n" " $IPT -A FORWARD -p icmp -m limit --limit 10/s -j ACCEPT\n" 
"fi\n\n"); fprintf (script, "if [ \"$NAT\" = \"on\" ]; then\n" " # --------( Rules Configuration - Masquerading - Sysctl Modifications )--------\n\n"); fprintf (script, " #Turn on IP forwarding\n"); fprintf (script, " if [ -e /proc/sys/net/ipv4/ip_forward ]; then\n" " echo 1 > /proc/sys/net/ipv4/ip_forward\n" " fi\n\n"); fprintf (script, " # --------( Rules Configuration - Masquerading - Default Ruleset )--------\n\n"); fprintf (script, " #TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients\n" " $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n\n"); fprintf (script, " if [ \"$stripoptions_supported\" -a \"$mangle_supported\" ]; then\n" " #IPv4OPTIONS Fix - Strip IP options from a forwarded packet\n" " $IPT -t mangle -A PREROUTING -j IPV4OPTSSTRIP\n" " fi\n\n"); fprintf (script, " # --------( Rules Configuration - Forwarded Traffic )--------\n\n"); fprintf (script, " if [ \"$nat_supported\" ]; then\n" " #Masquerade outgoing traffic\n" " $IPT -t nat -A POSTROUTING -o $IF -j MASQUERADE\n" " fi\n\n"); fprintf (script, " # Temoporarily set the field separator for CSV format\n" " OLDIFS=$IFS\n" " IFS=','\n\n"); fprintf (script, " # Services forward from the firewall to the internal network\n" " while read service ext_port host int_port garbage\n" " do\n" " scrub_parameters\n" " $IPT -A FORWARD -i $IF -p tcp -d $host --dport $int_port -j ACCEPT\n" " $IPT -A FORWARD -i $IF -p udp -d $host --dport $int_port -j ACCEPT\n" " $IPT -A PREROUTING -t nat -i $IF -p tcp --dport $ext_port -j DNAT --to-destination $host:$int_port_dashed\n" " $IPT -A PREROUTING -t nat -i $IF -p udp --dport $ext_port -j DNAT --to-destination $host:$int_port_dashed\n" " done < "POLICY_IN_FORWARD"\n\n"); fprintf (script, " IFS=$OLDIFS\n\n"); fprintf (script, "fi\n\n"); fprintf (script, "\n# --------( Rules Configuration - Inbound Traffic )--------\n\n"); fprintf (script, "if [ \"$BLOCK_NON_ROUTABLES\" = \"on\" ]; then\n" " # Block traffic from non-routable address space on 
the public interfaces\n" " $IPT -N NR 2> /dev/null\n" " $IPT -F NR\n" " while read block garbage\n" " do\n" " $IPT -A NR -s $block -d $NET -i $IF -j LSI\n" " done < "FIRESTARTER_NON_ROUTABLES_SCRIPT"\n" " $IPT -A INPUT -s ! $NET -i $IF -j NR\n" "fi\n\n"); fprintf (script, "# Block Broadcast Traffic\n" "if [ \"$BLOCK_EXTERNAL_BROADCAST\" = \"on\" ]; then\n" " $IPT -A INPUT -i $IF -d 255.255.255.255 -j DROP\n" " if [ \"$BCAST\" != \"\" ]; then\n" " $IPT -A INPUT -d $BCAST -j DROP\n" " fi\n" "fi\n\n"); fprintf (script, "if [ \"$NAT\" = \"on\" -a \"$BLOCK_INTERNAL_BROADCAST\" = \"on\" ]; then\n" " $IPT -A INPUT -i $INIF -d 255.255.255.255 -j DROP\n" " if [ \"$INBCAST\" != \"\" ]; then\n" " $IPT -A INPUT -i $INIF -d $INBCAST -j DROP\n" " fi\n" "fi\n\n"); fprintf (script, "# Block Multicast Traffic\n" "# Some cable/DSL providers require their clients to accept multicast transmissions\n" "# you should remove the following four rules if you are affected by multicasting\n" "$IPT -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP\n" "$IPT -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP\n" "$IPT -A OUTPUT -s 224.0.0.0/8 -d 0/0 -j DROP\n" "$IPT -A OUTPUT -s 0/0 -d 224.0.0.0/8 -j DROP\n\n"); fprintf (script, "# Block Traffic with Stuffed Routing\n" "# Early versions of PUMP - (the DHCP client application included in RH / Mandrake) require\n" "# inbound packets to be accepted from a source address of 255.255.255.255. 
If you have issues\n" "# with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)\n" "$IPT -A INPUT -s 255.255.255.255 -j DROP\n" "$IPT -A INPUT -d 0.0.0.0 -j DROP\n" "$IPT -A OUTPUT -s 255.255.255.255 -j DROP\n" "$IPT -A OUTPUT -d 0.0.0.0 -j DROP\n\n"); fprintf (script, "$IPT -A INPUT -m state --state INVALID -j DROP # Block Traffic with Invalid Flags\n"); fprintf (script, "$IPT -A INPUT -f -m limit --limit 10/minute -j LSI # Block Traffic w/ Excessive Fragmented Packets\n"); fprintf (script, "\n# --------( Rules Configuration - Outbound Traffic )--------\n\n"); fprintf (script, "$IPT -A OUTPUT -m state --state INVALID -j DROP # Block Traffic w/ Invalid Flags\n\n"); fprintf (script, "\n# --------( Traffic Policy )--------\n\n"); fprintf (script, "# Load the inbound traffic policy\n"); fprintf (script, "source "FIRESTARTER_INBOUND_SETUP"\n" "$IPT -A INPUT -i $IF -j INBOUND # Check Internet to firewall traffic\n" "if [ \"$NAT\" = \"on\" ]; then\n" " $IPT -A INPUT -i $INIF -d $INIP -j INBOUND # Check LAN to firewall (private ip) traffic\n" " $IPT -A INPUT -i $INIF -d $IP -j INBOUND # Check LAN to firewall (public ip) traffic\n" " if [ \"$INBCAST\" != \"\" ]; then\n" " $IPT -A INPUT -i $INIF -d $INBCAST -j INBOUND # Check LAN to firewall broadcast traffic\n" " fi\n" "fi\n\n"); fprintf (script, "# Load the outbound traffic policy\n"); fprintf (script, "source "FIRESTARTER_OUTBOUND_SETUP"\n" "$IPT -A OUTPUT -o $IF -j OUTBOUND # Check firewall to Internet traffic\n" "if [ \"$NAT\" = \"on\" ]; then\n" " $IPT -A OUTPUT -o $INIF -j OUTBOUND # Check firewall to LAN traffic\n" " $IPT -A FORWARD -i $INIF -j OUTBOUND # Check LAN to Internet traffic\n\n" " # Allow Internet to LAN response traffic\n" " $IPT -A FORWARD -p tcp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT\n" " $IPT -A FORWARD -p udp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT\n" "fi\n"); fprintf (script, "\n# --------( User Defined Post Script 
)--------\n\n"); fprintf (script, "source "FIRESTARTER_USER_POST_SCRIPT"\n\n"); fprintf (script, "\n# --------( Unsupported Traffic Catch-All )--------\n\n" "$IPT -A INPUT -j LOG_FILTER\n" "$IPT -A INPUT -j LOG --log-level=$LOG_LEVEL --log-prefix \"Unknown Input\"\n" "$IPT -A OUTPUT -j LOG_FILTER\n" "$IPT -A OUTPUT -j LOG --log-level=$LOG_LEVEL --log-prefix \"Unknown Output\"\n" "$IPT -A FORWARD -j LOG_FILTER\n" "$IPT -A FORWARD -j LOG --log-level=$LOG_LEVEL --log-prefix \"Unknown Forward\"\n\n"); fprintf (script, "return 0\n"); fclose (script); g_print (_("Firewall script saved as %s\n"), scriptpath);}