Translated from:
An iptables script
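#!/bin/bash
#
# iptables firewall for a small Linux gateway (kernel 2.4 era):
#   EXTIF  - outside (Internet-facing) interface
#   INTIF  - inside, trusted LAN interface
#   NATNET - second LAN (NAT/DHCP clients) that is masqueraded behind EXTIF;
#            its HTTP traffic is transparently redirected to a local proxy
#            listening on port 6080
#
# Must run as root. Rules use the legacy `-m state` match and the
# ip_tables/ip_conntrack module names from the original; on newer kernels the
# modules are built in or renamed (nf_conntrack, nf_nat_ftp) and
# `-m conntrack --ctstate` is the preferred spelling, so modprobe failures are
# reported but not fatal.
set -u
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Squid init script (kept from the original; this script does not invoke it).
readonly RC_SQUID=/etc/rc.d/init.d/squid

# Interface and network definitions.
readonly EXTIF="eth1"               # outside connection
readonly INTIF="eth0"               # inside LAN
readonly INNET="192.168.100.1/24"   # inside LAN network
readonly NATNET="eth2"              # NAT & DHCP LAN interface
readonly NTNET="192.168.21.1/24"    # NAT & DHCP LAN network

# ---- kernel modules -------------------------------------------------------
for mod in ip_tables ip_nat_ftp ip_conntrack ip_conntrack_ftp; do
  modprobe "$mod" \
    || printf 'warn: modprobe %s failed (built in or renamed on this kernel?)\n' "$mod" >&2
done

# ---- flush everything and set default policies ---------------------------
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# The original set FORWARD to ACCEPT here and to DROP further down; DROP is
# the effective policy, so it is set once.
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# ---- loopback and return traffic for the firewall's own connections ------
# Not present in the original: with an INPUT policy of DROP the gateway's own
# outbound connections (DNS lookups, the proxy fetching pages for clients)
# would never see their replies, and local services could not talk over lo.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---- malformed / scan packets arriving from outside ----------------------
# Placed before the per-port ACCEPT rules on purpose: the original appended
# them afterwards, so a packet aimed at an open port was never checked.
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i "$EXTIF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# ---- services reachable from outside / inside ----------------------------
# SSH is dropped explicitly even though the policy already drops it; change
# this rule to ACCEPT if remote administration over EXTIF is wanted.
iptables -A INPUT -p tcp -i "$EXTIF" --dport 22   -j DROP    # SSH
iptables -A INPUT -p tcp -i "$EXTIF" --dport 25   -j ACCEPT  # SMTP
iptables -A INPUT -p udp -i "$EXTIF" --dport 53   -j ACCEPT  # DNS
iptables -A INPUT -p tcp -i "$EXTIF" --dport 53   -j ACCEPT  # DNS
iptables -A INPUT -p tcp -i "$EXTIF" --dport 80   -j ACCEPT  # WWW
iptables -A INPUT -p tcp -i "$EXTIF" --dport 110  -j ACCEPT  # POP3
iptables -A INPUT -p tcp -i "$EXTIF" --dport 113  -j ACCEPT  # AUTH
iptables -A INPUT -p tcp -i "$INTIF" --dport 137  -j ACCEPT  # SMB
iptables -A INPUT -p tcp -i "$INTIF" --dport 138  -j ACCEPT  # SMB
iptables -A INPUT -p tcp -i "$INTIF" --dport 139  -j ACCEPT  # SMB
iptables -A INPUT -p tcp -i "$EXTIF" --dport 7021 -j ACCEPT  # vftp
iptables -A INPUT -p tcp -i "$EXTIF" --dport 6080 -j ACCEPT  # WWW (proxy)

# ---- forwarding between the outside and the NAT LAN ----------------------
# The original hard-coded eth1/eth2 here; EXTIF/NATNET hold the same values.
iptables -t filter -A FORWARD -i "$EXTIF" -o "$NATNET" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): 192.168.100.0/24 is the INNET range, not NTNET, while the
# packet is expected on the NATNET interface -- confirm which LAN is meant.
iptables -t filter -A FORWARD -i "$NATNET" -o "$EXTIF" \
  -p tcp -s 192.168.100.0/24 --dport 6080 -j ACCEPT

# ---- source-address (reverse path) check on every interface --------------
if [[ -e /proc/sys/net/ipv4/conf/all/rp_filter ]]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi

# ---- SYN-flood throttle ---------------------------------------------------
# At most 1 new SYN per second passes (RETURN); the rest get a TCP reset.
# Because this rule is appended after the per-port ACCEPTs above, it only
# sees NEW connections to ports that are not already accepted -- in practice
# traffic from the inside interfaces, which is accepted further down.
iptables -N synfoold
iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synfoold

# ---- ping-of-death / ping-flood throttle ----------------------------------
# Inserted at the top of INPUT (-I, as in the original) so it applies to
# every interface before any ACCEPT.
iptables -N ping
iptables -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
iptables -A ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping

# ---- everything from the inside interfaces is trusted --------------------
iptables -A INPUT -i "$INTIF" -j ACCEPT
iptables -A INPUT -i "$NATNET" -j ACCEPT

# ---- transparent proxy for the NAT LAN ------------------------------------
# Forces NAT-LAN clients through the local proxy on :6080 without changing
# client settings; remove this rule if no proxy is running there.
iptables -t nat -A PREROUTING -i "$NATNET" -p tcp --dport 80 -j REDIRECT --to-port 6080

# ---- masquerade the NAT LAN behind the outside interface ------------------
# `-s` takes a network; the original passed the interface name ($NATNET),
# which iptables cannot resolve, so NTNET is used here.
iptables -t nat -A POSTROUTING -s "$NTNET" -o "$EXTIF" -j MASQUERADE

# ---- per-MAC blocking (kernel 2.4 feature) --------------------------------
# Uncomment and fill in to block a client that hogs an address it should not.
#iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

# ---- finally drop remaining new/invalid traffic from the NAT LAN ---------
# On INPUT this rule is unreachable (all NATNET packets were accepted above);
# it is kept for parity with the original. On FORWARD it is reached.
iptables -A INPUT   -i "$NATNET" -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i "$NATNET" -m state --state NEW,INVALID -j DROP

# ---- kernel knobs: SYN cookies, then routing last -------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enabled only now, once the FORWARD rules are in place.
echo 1 > /proc/sys/net/ipv4/ip_forward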
iptables script for Linux tools