It will make a fine router, but it cannot be explained in a few lines. Do I understand correctly that what you wrote has already been done? If so, your router is probably already working. Create a file /etc/rc.d/rc.firewall with the following contents
Quote |
#!/bin/sh
EXTERNAL=eth0   # connected to the internet.
INTERNAL=eth1   # connected to a private subnet.
LOOP=127.0.0.1  # Loopback address

# Change this subnet to correspond to your private
# ethernet subnet.
PRIVATE=192.168.1.0/24

# Delete old iptables rules and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F   # flush the nat table too, so re-running the script does not stack MASQUERADE rules

# Prevent external packets from using loopback addr
iptables -A INPUT -i $EXTERNAL -s $LOOP -j DROP
iptables -A INPUT -i $EXTERNAL -d $LOOP -j DROP
iptables -A FORWARD -i $EXTERNAL -s $LOOP -j DROP
iptables -A FORWARD -i $EXTERNAL -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i $EXTERNAL -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $EXTERNAL -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $EXTERNAL -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $EXTERNAL -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXTERNAL -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXTERNAL -s 10.0.0.0/8 -j DROP

## Allow incoming pings (disabled)
#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

## Allow services such as www and ssh (disabled)
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Stop all NEW and INVALID from Internet
iptables -A INPUT -i $EXTERNAL -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $EXTERNAL -m state --state NEW,INVALID -j DROP

# Antivirus: ports commonly used by worms/backdoors (tftp, epmap, 4444, irc)
iptables -A FORWARD -p tcp -m multiport --dports 69,135,4444,6667 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dports 69,135,4444,6667 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 69,135,4444,6667 -j DROP
iptables -A FORWARD -p udp -m multiport --dports 69,135,4444,6667 -j DROP
iptables -A OUTPUT -p udp -m multiport --dports 69,135,4444,6667 -j DROP
iptables -A INPUT -p udp -m multiport --dports 69,135,4444,6667 -j DROP

## Check source address validity on packets going out to internet
iptables -A FORWARD -s 192.168.0.0/16 -o $EXTERNAL -j DROP
iptables -A FORWARD -s 172.16.0.0/12 -o $EXTERNAL -j DROP
iptables -A FORWARD -s 10.0.0.0/8 -o $EXTERNAL -j DROP
iptables -A FORWARD -s $LOOP -o $EXTERNAL -j DROP

# Block outgoing NetBios; this will stop local windows machines
# from broadcasting themselves to the internet.
# Block forwarding SMTP too.
iptables -A FORWARD -p tcp --dport 25 -o $EXTERNAL -j DROP
iptables -A FORWARD -p udp --dport 25 -o $EXTERNAL -j DROP
iptables -A FORWARD -p tcp --sport 137:139 -o $EXTERNAL -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o $EXTERNAL -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o $EXTERNAL -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o $EXTERNAL -j DROP

# Allow all connections OUT and only related ones IN
iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $EXTERNAL -i $INTERNAL -j ACCEPT

## Masquerade local subnet
echo "Setting up NAT (Network Address Translation)..."
iptables -t nat -A POSTROUTING -s $PRIVATE -o $EXTERNAL -j MASQUERADE

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP   # by default, nothing is forwarded.
|
, make it executable (chmod +x /etc/rc.d/rc.firewall) and run it. It configures your firewall. You can see the result of running it with "iptables -L -v". Write back with the result. Good luck!
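A way to confirm that the loaded rule set really enforces what the script above intends (default-deny forwarding, masquerading of the private subnet, RFC1918 anti-spoofing on the external interface, no NEW connections forwarded in from the Internet) is to audit the `iptables-save` dump. The audit script below is an added example, not part of the original post; it assumes the same interface names (eth0/eth1) and private subnet as the script, and the sample dump it checks is constructed.

```shell
#!/bin/sh
# Audit an `iptables-save` dump for the properties rc.firewall is meant to enforce.
# Interface names and private subnet mirror the script; adjust them to your setup.
EXT=eth0
INT=eth1
PRIVATE='192\.168\.1\.0/24'   # regex form of the script's PRIVATE subnet
# need <description> <extended regex>: one check against the dump in $AUDIT_DUMP
need() {
    if grep -Eq -- "$2" "$AUDIT_DUMP"; then echo "PASS: $1"
    else echo "FAIL: $1"; AUDIT_RC=1; fi
}
# audit_firewall <dumpfile>: one PASS/FAIL line per check; returns 0 only if all pass.
# On the router itself: iptables-save > /tmp/rules && audit_firewall /tmp/rules
audit_firewall() {
    AUDIT_DUMP=$1; AUDIT_RC=0
    need "FORWARD default policy is DROP" "^:FORWARD DROP"
    need "private subnet is masqueraded out $EXT" \
        "^-A POSTROUTING -s $PRIVATE -o $EXT -j MASQUERADE"
    for net in '10\.0\.0\.0/8' '172\.16\.0\.0/12' '192\.168\.0\.0/16'; do
        need "spoofed source $net arriving on $EXT is not forwarded" \
            "^-A FORWARD -i $EXT -s $net -j DROP"
    done
    # newer iptables versions print this match as '-m conntrack --ctstate'
    need "NEW/INVALID from $EXT is not forwarded" \
        "^-A FORWARD -i $EXT .*(NEW,INVALID|INVALID,NEW).* -j DROP"
    need "only ESTABLISHED/RELATED replies are forwarded $EXT -> $INT" \
        "^-A FORWARD -i $EXT -o $INT .*(ESTABLISHED|RELATED).* -j ACCEPT"
    return $AUDIT_RC
}
# Constructed sample dump, roughly what iptables-save prints after running rc.firewall
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
audit_firewall "$SAMPLE"
```

Every FAIL line names a rule that is missing from the live set, which is the first thing to look at when the router forwards traffic it should not.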