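#!/bin/bash
# iptables setup for a Linux box acting as the gateway between a LAN and the
# Internet: default-deny for traffic to/from the host itself, FORWARD left
# open, SNAT for outbound LAN traffic and one DNAT rule for an internal web
# server.
#
# Required environment (the assignments were not present in this copy of the
# script, so they are taken from the environment and checked before use):
#   EXTIF  - name of the Internet-facing NIC
#   INNET  - intranet CIDR block that may reach the Internet through SNAT
#
# Fail on the first error so a half-applied ruleset is never left behind.
set -eu
PATH=/sbin:/bin:/usr/sbin:/usr/bin

die() { printf '%s\n' "$*" >&2; exit 1; }

# Internet NIC interface connecting to the Internet.
: "${EXTIF:?set EXTIF to the name of the Internet-facing interface}"
readonly EXTIF
# IP address of the Internet NIC (used as the SNAT source address).
readonly EXTIFIPADDR="219.150.46.98"
# Intranet CIDR block (source addresses that are rewritten by SNAT).
: "${INNET:?set INNET to the intranet CIDR block}"
readonly INNET

# Enable IP forwarding in the kernel so the box routes between interfaces.
echo 1 >/proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"
# SYN cookies: mitigate SYN-flood exhaustion of the TCP listen backlog.
echo 1 >/proc/sys/net/ipv4/tcp_syncookies || die "cannot enable tcp_syncookies"

# Kernel modules for filtering, NAT and connection tracking, including the
# FTP/IRC helpers that track the related data connections. These are the
# legacy (2.4/2.6-era) module names; on kernels where the code is built in or
# has been renamed (nf_conntrack, nf_nat, ...) modprobe fails. That is only
# warned about here: the iptables rules below fail loudly if the support
# really is missing.
for mod in ip_tables iptable_nat ip_nat_ftp ip_nat_irc \
           ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
  modprobe "$mod" 2>/dev/null || printf 'warning: modprobe %s failed\n' "$mod" >&2
done

# Reset to a clean state, then default-deny for traffic to/from the host.
# FORWARD stays ACCEPT, as in the original: routed LAN traffic is not
# filtered by this script, only NAT-ed.
# NOTE: the DROP policies are applied before the allow rules, so an SSH
# session running through this host may stall briefly while the script runs;
# apply from the console when in doubt.
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Host security: allow communication on the local loopback device.
iptables -A INPUT  -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Let replies to connections this host established pass. Kept TCP-only and
# INPUT-only as in the original: UDP replies (e.g. DNS) are not covered and
# OUTPUT has no state rule, so the host's own outbound traffic is limited to
# what the explicit OUTPUT rules below allow.
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH remote host management.
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Rate-limit accepted IP fragments; fragments above the limit fall through to
# the DROP policy.
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# ICMP: this host may ping out and receive the replies; inbound echo-request
# is not accepted (DROP policy), so other hosts cannot ping this one.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT

# NAT. SNAT: LAN -> Internet traffic leaves with the external address.
iptables -t nat -A POSTROUTING -p all -s "$INNET" -o "$EXTIF" -j SNAT --to "$EXTIFIPADDR"
# DNAT: HTTP arriving on the external interface is forwarded to the internal
# web server at 192.168.1.10.
iptables -t nat -A PREROUTING -p tcp -i "$EXTIF" --dport 80 -j DNAT --to 192.168.1.10:80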