About Slackware 9.1.0 System Configuration of firewall and NAT Functions
Date: 2004/07/30 Author: zcatlinux Source: zclinux
This system is used mainly for static NAT mapping and for port access control on the internal servers.
The firewall script below is started automatically at boot; the startup entry is in /etc/rc.d/rc.local:
sh /etc/rc.d/nat_firewall.sh # this script is started automatically when the system boots
To enable the firewall and the static NAT mapping by hand, run:
cd /etc/rc.d/
./portnat.sh
If you do not need to control any ports on the internal servers and only need the static NAT mapping, run the following script to return to the non-firewall state (NAT only, no filtering):
cd /etc/rc.d/
./no_firewall.sh
**********************************************************
* About Slackware 9.1.0 system configuration of firewall and NAT functions (nat_firewall.sh)
**********************************************************
#!/bin/sh
# Make: zcatlinux
# Time: 2004-06-18
# E-mail: zcatlinux@yahoo.com.cn
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# External TCP ports of the internal servers. To change which ports can be reached from
# outside, edit this list; separate the port numbers with a space. The same applies to
# the UDP port list below.
# TCP allow ports
TPORTS="80 22"    # allow remote users to reach ports 80 and 22 of the internal servers
# External UDP ports of the internal servers
# UDP allow ports
UPORTS="53 123"
# The firewall's external NIC and IP address
# Config out_eth interface
OUT_ETH="eth1"
OUT_ETH_IP="202.138.164.110"
# TCP ports open on the firewall's own external IP address
# Set out_eth_ip (firewall out ip) ports
OUT_ETH_IP_PORTS="22"   # allow remote users to reach only port 22 of the firewall itself
# The firewall's internal NIC and IP address
# Config in_eth interface
IN_ETH="eth0"
IN_ETH_IP="10.10.11.110"
# IP address range of the internal servers behind the firewall
# Internal ip range
SERVER_IP="10.10.11.0/24"
# Initialize the IP forwarding switch: 0 disables forwarding, 1 enables it.
# Forwarding stays off while the rules are loaded and is re-enabled at the end.
# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# Initialize the iptables rule list
# Reset default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Delete all iptables rules
# Del all iptables rules
iptables -F INPUT     # delete all rules in the INPUT chain
iptables -F FORWARD   # delete all rules in the FORWARD chain
iptables -F OUTPUT    # delete all rules in the OUTPUT chain
iptables -t nat -F    # flush the nat table too, otherwise re-running the script duplicates the SNAT/DNAT rules
# Clear all user-defined chains
# Clean all non-default chains
iptables -X
iptables -t nat -X
# Default security policies
# Iptables default rules
iptables -P INPUT DROP      # drop every packet addressed to the firewall itself unless a rule below accepts it
iptables -P FORWARD DROP    # forward nothing unless a rule below accepts it
iptables -P OUTPUT ACCEPT   # allow all packets sent by the firewall itself
# Allow ICMP packets through, i.e. allow ping
# Allow ping packets
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT    # echo reply
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT    # destination unreachable
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT    # redirect
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT    # echo request
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT   # time exceeded
# Packets of an existing connection may be forwarded in both directions. ESTABLISHED means the
# packet belongs to a connection that is already set up; RELATED means it belongs to a new
# connection related to an existing one (for example an ICMP error or an FTP data connection).
# Enable forwarding
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # forward packets of existing connections and their replies
# Packets in the ESTABLISHED or RELATED state may also enter the firewall itself
# State related for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow packets from the internal address range arriving on the internal NIC to enter
# Accept internal packets on the internal I/f
iptables -A INPUT -i $IN_ETH -s $SERVER_IP -p tcp -j ACCEPT
# Control the ports open on the firewall's external IP address
# Accept firewall out eth ip ports
for OEP in $OUT_ETH_IP_PORTS
do
    iptables -A INPUT -d $OUT_ETH_IP -p tcp --destination-port $OEP -j ACCEPT
done
# Control the external ports of the internal servers
# Open ports on router for server/services
# TCP PORTS
for ATP in $TPORTS
do
    # Accept connections to this TCP port whose source is not the internal segment and whose
    # destination is an internal server address
    iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $ATP -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port $ATP -j ACCEPT   # forward connections to this port on the internal servers
done
# UDP PORTS
for AUP in $UPORTS
do
    iptables -A INPUT -p udp --destination-port $AUP -j ACCEPT
    iptables -A FORWARD -p udp --destination-port $AUP -j ACCEPT
done
# Drop any packet in the INVALID state, i.e. one that cannot be associated with a known connection
# Bad_packets chain
# Drop INVALID packets immediately
# iptables -A INPUT -p ALL -m state --state INVALID -j DROP
# Rate-limit the matching packets to an average of 100 per second with a burst of 100; packets
# above the limit do not match and fall through to the DROP policy. This is meant as a defence
# against flooding (DoS) with large numbers of packets.
# Limit SYN flood
# Note: -f matches second and later IP fragments, not TCP SYN packets.
# iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT     # limit the rate of packets entering the firewall
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT   # limit the rate of forwarded packets
# Allow the local loopback interface, i.e. 127.0.0.1
# Allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Start IP forwarding
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# For NAT the firewall binds several static mapping IP addresses to the external NIC as aliases.
# To add or change a static NAT mapping address, add its alias following the pattern here.
# Config net-eth IP Address
# The public addresses are aliases on the external interface $OUT_ETH
ifconfig $OUT_ETH:1 202.138.164.101 netmask 255.255.255.128
ifconfig $OUT_ETH:2 202.138.164.102 netmask 255.255.255.128
ifconfig $OUT_ETH:3 202.138.164.103 netmask 255.255.255.128
ifconfig $OUT_ETH:4 202.138.164.104 netmask 255.255.255.128
ifconfig $OUT_ETH:5 202.138.164.105 netmask 255.255.255.128
ifconfig $OUT_ETH:8 202.138.164.108 netmask 255.255.255.128
# Static NAT mapping rules. To add or delete a static NAT entry, edit the SNAT/DNAT pairs here.
# Set static ip nat rule, postrouting/prerouting
# (SNAT) iptables -t nat -A POSTROUTING -j SNAT --to 202.202.210.10
# (DNAT) iptables -t nat -A PREROUTING -j DNAT --to 10.10.10.10
#
iptables -t nat -A POSTROUTING -s 10.10.11.101 -j SNAT --to 202.138.164.101   # packets from internal host 10.10.11.101 leave with source 202.138.164.101
iptables -t nat -A PREROUTING -d 202.138.164.101 -j DNAT --to 10.10.11.101    # packets addressed to 202.138.164.101 are rewritten to 10.10.11.101 (DNAT)
iptables -t nat -A POSTROUTING -s 10.10.11.102 -j SNAT --to 202.138.164.102
iptables -t nat -A PREROUTING -d 202.138.164.102 -j DNAT --to 10.10.11.102
iptables -t nat -A POSTROUTING -s 10.10.11.103 -j SNAT --to 202.138.164.103
iptables -t nat -A PREROUTING -d 202.138.164.103 -j DNAT --to 10.10.11.103
iptables -t nat -A POSTROUTING -s 10.10.11.104 -j SNAT --to 202.138.164.104
iptables -t nat -A PREROUTING -d 202.138.164.104 -j DNAT --to 10.10.11.104
iptables -t nat -A POSTROUTING -s 10.10.11.105 -j SNAT --to 202.138.164.105
iptables -t nat -A PREROUTING -d 202.138.164.105 -j DNAT --to 10.10.11.105
iptables -t nat -A POSTROUTING -s 10.10.11.108 -j SNAT --to 202.138.164.108
iptables -t nat -A PREROUTING -d 202.138.164.108 -j DNAT --to 10.10.11.108
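The alias, SNAT and DNAT lines above are typed by hand for every mapped host, so a slip in one of them (an octet such as 318 is not a valid IPv4 octet) only surfaces when ifconfig or iptables rejects the rule at boot. The POSIX sh below is an added example, not part of nat_firewall.sh: it generates the three commands for each mapping from one table and validates every address first, so a bad entry aborts before any rule is loaded. NAT_MAP, valid_ipv4, nat_pair and load_nat_map are names assumed here, and the mapping table is constructed; the commands are printed unless NAT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from nat_firewall.sh): build the alias + SNAT + DNAT triple
# for each static 1:1 NAT mapping from one table, validating the addresses first.
# Dry run (prints the commands) unless NAT_APPLY=1 is set.
OUT_ETH="eth1"                  # external interface, as in nat_firewall.sh
OUT_MASK="255.255.255.128"

# Constructed mapping table: "internal_ip public_ip alias_index" per line.
NAT_MAP="10.10.11.101 202.138.164.101 1
10.10.11.102 202.138.164.102 2
10.10.11.108 202.138.164.108 8"

# Return 0 only if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the command, or run it when NAT_APPLY=1.
run() {
    if [ "${NAT_APPLY:-0}" = 1 ]; then $1; else echo "$1"; fi
}

# The three commands that make up one static mapping: internal public alias_index.
nat_pair() {
    internal=$1; public=$2; idx=$3
    valid_ipv4 "$internal" && valid_ipv4 "$public" || return 1
    run "ifconfig $OUT_ETH:$idx $public netmask $OUT_MASK"
    run "iptables -t nat -A POSTROUTING -s $internal -j SNAT --to $public"
    run "iptables -t nat -A PREROUTING -d $public -j DNAT --to $internal"
}

# Load the whole table; abort on the first malformed entry (returns 1).
load_nat_map() {
    echo "$NAT_MAP" | while read -r internal public idx; do
        nat_pair "$internal" "$public" "$idx" ||
            { echo "bad mapping: $internal $public" >&2; exit 1; }
    done
}
```

Run `load_nat_map` to print the generated commands, or `NAT_APPLY=1 load_nat_map` as root to apply them.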
**********************************************************************
* Appendix: script that removes the firewall rules and keeps only the NAT mappings (no_firewall.sh)
**********************************************************************
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Delete all iptables rules
# Del all iptables rules
iptables -F INPUT     # delete all rules in the INPUT chain
iptables -F FORWARD   # delete all rules in the FORWARD chain
iptables -F OUTPUT    # delete all rules in the OUTPUT chain
# Clear all user-defined chains (the nat table's own rules are kept, so the static mappings stay in place)
# Clean all non-default chains
iptables -X
iptables -t nat -X
# Accept all packets by default, i.e. no control
# Reset the default policies, including those of the nat table
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Mailto: zcatlinux@yahoo.com.cn