
iptables+tc配置(转)

原创 网络安全 作者:roninwei 时间:2006-07-20 12:25:16 0 删除 编辑
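##启用netfilter中的forward链的转发功能
# Enabling IP Forwarding......
# Turn on routing between the interfaces. This happens before the filter
# policies further down are set to DROP, so for that short window whatever
# rules were already loaded govern forwarded traffic.
echo "Enabling IP Forwarding........"
echo "1" > /proc/sys/net/ipv4/ip_forward || {
  echo "cannot write /proc/sys/net/ipv4/ip_forward (not root?)" >&2
  exit 1
}
# Absolute path of the iptables binary; rules should call $IPTABLES so a
# script run as root does not depend on a PATH lookup.
IPTABLES="/sbin/iptables"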

##定义通信端口,以便调用
# Protocols Configuration.
# Well-known port numbers kept in variables so rules can refer to a service
# by name. None of them is used by the active rules on this page; they serve
# site-specific rules such as the commented-out trusted-ports loop.
HTTP=80
HTTPS=443
SSH=22
TELNET=23
FTP=21
FTP_DATA=20
SMTP=25
POP3=110
IMAP=143
DNS=53
# PCAW_* presumably pcAnywhere (tcp 5631 / udp 5632) -- confirm before use
PCAW_TCP=5631
PCAW_UDP=5632
WEBMIN=10000
WAM=12000

##配置网络接口
# Internet Configuration.
# The Internet link is the PPP session; EXT_IF is the NIC it is carried on
# (presumably PPPoE over eth0) and is where upload shaping is attached.
INET_IF=ppp0
#internet netcard
EXT_IF=eth0

#intranet netcard
LAN_IF=eth1
LAN_IP=192.168.0.1
LAN_IP_RANGE=192.168.0.0/24
#TRUSTED_TCP_PORT="22 25 53 80 110 143 443 3128 6000 6001 6002 7100"

# Localhost Configuration.
LO_IF=lo
LO_IP=127.0.0.1

##挂载相应功能模块
# Module loading.
echo "modprobe modules"
# Rebuild the module dependency list so the modprobe calls below resolve.
/sbin/depmod -a
# Required modules. Which of these a given kernel loads on its own differs
# per installation (see the note at the end of the page); uncomment what is
# missing. The "-m state" rules need ip_conntrack and ipt_state, the LOG and
# limit rules need ipt_LOG and ipt_limit.
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp

# Non-Required modules. Note that the active rules further down do use
# "-j REJECT" and "-j MASQUERADE", so ipt_REJECT and ipt_MASQUERADE are
# needed too unless the kernel autoloads them.
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc

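#############################################################################开始用tc控制网络流量
##########################TC begin##########################################
##########################################################################上传端口配置
# Upload shaping: an HTB tree on the NIC that carries the Internet link
# ($EXT_IF). tc reads "kbps" as kilobytes per second, so 64kbps is 512 kbit/s.
echo "Enabling uplink limit"
#uplink limit
##clear dev eth0 rule
# Drop any previous root qdisc; the error when none exists yet is the normal
# first-boot case, hence 2>/dev/null.
tc qdisc del dev $EXT_IF root 2>/dev/null

##定义上传总带宽(用tc语法,这里用的是htb过滤器)
##define root and default rule
# Packets no filter classifies go to 10:70. Because every MARK rule in the
# mangle section below is commented out, that is currently all packets.
tc qdisc add dev $EXT_IF root handle 10: htb default 70
##define uplink max rate
tc class add dev $EXT_IF parent 10: classid 10:1 htb rate 64kbps ceil 64kbps

##对不同的业务进行分类,定义不同的数据流量
##define second leaf
# Leaf classes: "rate" is guaranteed, "ceil" is the most a class may borrow
# up to, lower "prio" is served first. 10:10-10:30 (per-protocol classes fed
# by the layer7 marks) are disabled.
#tc class add dev $EXT_IF parent 10:1 classid 10:10 htb rate 2kbps ceil 4kbps prio 2
#tc class add dev $EXT_IF parent 10:1 classid 10:20 htb rate 2kbps ceil 4kbps prio 2
#tc class add dev $EXT_IF parent 10:1 classid 10:30 htb rate 32kbps ceil 40kbps prio 3
tc class add dev $EXT_IF parent 10:1 classid 10:40 htb rate 3kbps ceil 13kbps prio 0
tc class add dev $EXT_IF parent 10:1 classid 10:50 htb rate 1kbps ceil 11kbps prio 1
tc class add dev $EXT_IF parent 10:1 classid 10:60 htb rate 1kbps ceil 11kbps prio 1
tc class add dev $EXT_IF parent 10:1 classid 10:70 htb rate 2kbps ceil 5kbps prio 1
##定义不同数据传输业务的优先级别和优化数据传输方法
##define rule for second leaf
# Each active leaf gets an SFQ so a single flow cannot monopolise its class;
# pfifo is the plain alternative.
#tc qdisc add dev $EXT_IF parent 10:10 handle 101: pfifo
#tc qdisc add dev $EXT_IF parent 10:20 handle 102: pfifo
#tc qdisc add dev $EXT_IF parent 10:30 handle 103: pfifo
#tc qdisc add dev $EXT_IF parent 10:40 handle 104: pfifo
#tc qdisc add dev $EXT_IF parent 10:50 handle 105: pfifo
#tc qdisc add dev $EXT_IF parent 10:60 handle 106: pfifo
#tc qdisc add dev $EXT_IF parent 10:70 handle 107: pfifo
##tc qdisc add dev $EXT_IF parent 10:10 handle 101: sfq perturb 10
##tc qdisc add dev $EXT_IF parent 10:20 handle 102: sfq perturb 10
##tc qdisc add dev $EXT_IF parent 10:30 handle 103: sfq perturb 10
tc qdisc add dev $EXT_IF parent 10:40 handle 104: sfq perturb 5
tc qdisc add dev $EXT_IF parent 10:50 handle 105: sfq perturb 10
tc qdisc add dev $EXT_IF parent 10:60 handle 106: sfq perturb 10
tc qdisc add dev $EXT_IF parent 10:70 handle 107: sfq perturb 10
##为netfilter链中的mangle链打标记做好准备(做句柄标示)
##define fw for ipfilter
# Map netfilter mark N (set with "-j MARK --set-mark N" in the mangle table)
# to class 10:N. Marks 10/20/30 stay disabled with their classes. If the
# Internet link is PPPoE on top of $EXT_IF, verify with
# "tc -s class show dev $EXT_IF" that marked traffic really reaches these
# classes rather than the default.
for MARK in 40 50 60 70; do
  tc filter add dev $EXT_IF parent 10: protocol ip prio 100 handle $MARK fw classid 10:$MARK
done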

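###################################################################################
##下载端口配置(方法同上传配置,只是在速率定义上有调整)
# Download shaping: the same HTB tree on the LAN-facing NIC ($LAN_IF), i.e.
# traffic is shaped where it leaves the box towards the LAN clients. 128kbps
# in tc units is 1024 kbit/s.
echo "Enabling downlink limit"
#downlink limit
##clear dev eth1 rule
# Drop any previous root qdisc; missing-qdisc error is expected on first run.
tc qdisc del dev $LAN_IF root 2>/dev/null
##define root and default rule
# Unclassified traffic goes to 10:70; with the mangle MARK rules commented
# out that is currently every packet.
tc qdisc add dev $LAN_IF root handle 10: htb default 70
##define downlink max rate
tc class add dev $LAN_IF parent 10: classid 10:1 htb rate 128kbps ceil 128kbps
##define second leaf
# The disabled 10:30 asks for ceil 212kbps, more than the 128kbps root
# allows; adjust it before enabling.
#tc class add dev $LAN_IF parent 10:1 classid 10:10 htb rate 2kbps ceil 32kbps prio 2
#tc class add dev $LAN_IF parent 10:1 classid 10:20 htb rate 2kbps ceil 32kbps prio 2
#tc class add dev $LAN_IF parent 10:1 classid 10:30 htb rate 32kbps ceil 212kbps prio 3
tc class add dev $LAN_IF parent 10:1 classid 10:40 htb rate 5kbps ceil 20kbps prio 0
tc class add dev $LAN_IF parent 10:1 classid 10:50 htb rate 2kbps ceil 17kbps prio 1
tc class add dev $LAN_IF parent 10:1 classid 10:60 htb rate 2kbps ceil 17kbps prio 1
tc class add dev $LAN_IF parent 10:1 classid 10:70 htb rate 3kbps ceil 5kbps prio 1
##define rule for second leaf
# SFQ per active leaf so one flow cannot monopolise its class.
#tc qdisc add dev $LAN_IF parent 10:10 handle 101: pfifo
#tc qdisc add dev $LAN_IF parent 10:20 handle 102: pfifo
#tc qdisc add dev $LAN_IF parent 10:30 handle 103: pfifo
#tc qdisc add dev $LAN_IF parent 10:40 handle 104: pfifo
#tc qdisc add dev $LAN_IF parent 10:50 handle 105: pfifo
#tc qdisc add dev $LAN_IF parent 10:60 handle 106: pfifo
#tc qdisc add dev $LAN_IF parent 10:70 handle 107: pfifo
##tc qdisc add dev $LAN_IF parent 10:10 handle 101: sfq perturb 10
##tc qdisc add dev $LAN_IF parent 10:20 handle 102: sfq perturb 10
##tc qdisc add dev $LAN_IF parent 10:30 handle 103: sfq perturb 10
tc qdisc add dev $LAN_IF parent 10:40 handle 104: sfq perturb 5
tc qdisc add dev $LAN_IF parent 10:50 handle 105: sfq perturb 10
tc qdisc add dev $LAN_IF parent 10:60 handle 106: sfq perturb 10
tc qdisc add dev $LAN_IF parent 10:70 handle 107: sfq perturb 10

##define fw for ipfilter
# Mark N -> class 10:N, same mapping as on the upload side; the download
# marks are set in mangle POSTROUTING by destination address.
for MARK in 40 50 60 70; do
  tc filter add dev $LAN_IF parent 10: protocol ip prio 100 handle $MARK fw classid 10:$MARK
done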

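#############################################################################
##定义iptables规则
echo "Enabling iptables rules"
# Enabling iptables rules
# Every rule goes through $IPTABLES, the absolute path set at the top of the
# script, so a script running as root does not depend on a PATH lookup.
##清空各个链中原有的内容
# Reset the default policies in the tables, flush all rules and delete the
# user-defined chains, so the set below is built from a clean state.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

##定义默认链的政策(全部拒绝)采取需要时才开放策略
# Set policies: default deny. Anything not ACCEPTed by a rule below is
# dropped -- including the excess of the rate-limited ACCEPT rules, which is
# how those rules "deny" anything.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
############################################################################

##定义新的自定义链
# Create user-specified chains. allowed, tcp_packets and limited_packets are
# not jumped to by any active rule while the "trusted ports" section further
# down stays commented out.
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N bad_tcp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N limited_packets

##在bad_tcp_packets 链中定义坏包检测机制
# bad_tcp_packets rules chain: a NEW connection must start with a plain SYN.
# SYN,ACK as the first packet is answered with a reset; any other non-SYN
# "new" packet is logged (rate-limited, so a scan cannot flood the log)
# and dropped.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

##定义允许通过的包的检测条件
# allowed rules chain (TCP only): let the handshake and tracked connections
# through, drop the rest. Used by the commented-out trusted-ports loop.
$IPTABLES -A allowed -p tcp --syn -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p tcp -j DROP

#定义icmp规则包,防止ping死攻击
# ICMP rules chain for the Internet side: echo-request (8) is accepted at a
# limited rate so a ping flood cannot saturate the link; time-exceeded (11)
# is accepted so traceroute works. Other types that are not RELATED to a
# tracked connection fall through to the DROP policy.
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
# limited_packets rules chain
#$IPTABLES -A limited_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPTABLES -A INPUT -i $INET_IF -s 192.168.0.0/16 -j DROP
#$IPTABLES -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT
#
######################################################################
# INPUT chain
##拒绝欺骗攻击
# deny local cheat: a packet arriving on the Internet link with a private or
# loopback source address is forged. These rules come first so a forged
# packet can never be accepted as part of an existing connection.
$IPTABLES -A INPUT -i $INET_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $INET_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $INET_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $INET_IF -s 127.0.0.0/8 -j DROP

##允许本机做ping回环测试
# allow ping localhost,ping 192.168.0.1/2
# Allow loopback access. Loopback traffic never leaves the host; limiting it
# to ICMP would break any local service reached via 127.0.0.1 (resolver,
# Squid, ...), so all of it is accepted.
$IPTABLES -A INPUT -i $LO_IF -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IF -j ACCEPT

##允许从本机ping局域网内的微机
# Allow ping LAN -- in fact every protocol from and to the LAN segment is
# accepted; the LAN side is treated as trusted.
$IPTABLES -A INPUT -p ALL -i $LAN_IF -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IF -d $LAN_IP_RANGE -j ACCEPT

##定义从ppp0端口出去的包和ppp0进来的并且是响应的包允许通过
# Allow ppp0: this host may open anything towards the Internet; from the
# Internet only replies to connections it started (and RELATED packets such
# as ICMP errors) are let in.
$IPTABLES -A INPUT -p ALL -i $INET_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IF -j ACCEPT

##对input链做bad_tcp_packets过滤
# The first bad_tcp_packets filter of INPUT chain
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
##对input链做icmp_packets过滤
# The second icmp_packets filter of INPUT chain
$IPTABLES -A INPUT -p icmp -i $INET_IF -j icmp_packets
# Open trusted ports -- disabled: nothing on this host is reachable from the
# Internet. If enabled, note that the "allowed" chain only matches TCP, so a
# UDP port needs a direct ACCEPT rather than "-j allowed".
#echo "Open trusted ports....."
#for PORT in $TRUSTED_TCP_PORT; do
#$IPTABLES -A tcp_packets -s 0/0 -p tcp --dport $PORT -j allowed
#done
#for PORT in $TRUSTED_UDP_PORT; do
#$IPTABLES -A tcp_packets -s 0/0 -p udp --dport $PORT -j ACCEPT
#done
# The trust port of INPUT chain
#$IPTABLES -A INPUT -p tcp -i $INET_IF -j tcp_packets
# allow DHCP_packets from LAN
#$IPTABLES -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT
##拒绝burst攻击
# deny attack of hack to input chain: whatever reaches this point is about
# to be dropped by the policy; log a sample of it (3 per minute) and no
# more, so a flood cannot fill the log.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"


##定义forward链上的规则
# FORWARD chain
##bad_tcp_packets filter检查
# bad_tcp_packets filter
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
# address of limited filter
#$IPTABLES -A FORWARD -p tcp -j limited_packets
# Same anti-spoofing as on INPUT, for packets the box would route into the
# LAN.
$IPTABLES -A FORWARD -i $INET_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i $INET_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i $INET_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i $INET_IF -s 127.0.0.0/8 -j DROP
##从内网出去的包不做流量外的限制
# allow the packets from LAN to WAN (no filtering beyond the tc shaping)
$IPTABLES -A FORWARD -o $INET_IF -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IF -s $LAN_IP_RANGE -j ACCEPT
##定义从ppp0进来的包通过foward链的规则
# allow the packets from wan to lan: only replies to LAN-initiated
# connections.
$IPTABLES -A FORWARD -i $INET_IF -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT
##对forward链做icmp(ping攻击)检测
# deny ping attack of hack: the ACCEPT carries a rate limit; everything
# above the limit falls through to the DROP policy.
$IPTABLES -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Non-first fragments were accepted here at up to 100/s regardless of
# connection state. With connection tracking loaded (required by the
# -m state rules) the kernel is expected to reassemble fragments before the
# filter table sees them, so the rule should match nothing; without it the
# rule would be a state bypass into the LAN. Kept disabled.
#$IPTABLES -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

##对forward链做简单的ddos防御
# deny DDOS attack: stray RST packets are passed at most one per second, the
# rest are dropped by the policy.
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
##对forward做burst检测
# deny attack of hack to forward chain: logged last, after every ACCEPT
# rule, so the "died" prefix only appears for packets the policy really
# drops.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packets died:"

##做伪装(net转换)
# allow UDP
#$IPTABLES -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
# the servies of www to the port for Squid
#$IPTABLES -t nat -A PREROUTING -i $LAN_IF -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# the other servies use nat chain to masquerade: source-NAT everything from
# the LAN range that leaves on the Internet link (uses the variables from
# the top of the script instead of repeating the literal values).
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IF -j MASQUERADE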
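############mark for mangle filter############
# Marks feed the "fw" filters of the tc section above: mark N selects class
# 10:N. Marking in PREROUTING by source address shapes that host's uploads
# on $EXT_IF; marking in POSTROUTING by destination shapes its downloads on
# $LAN_IF. With every rule here commented out nothing is marked and all
# traffic stays in the tc default class 10:70.
echo "Enabling mangle "
# uploads
# Marks 10/20/30 classify by protocol with -m layer7, which needs the
# out-of-tree l7-filter patch for kernel and iptables.
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
##为ip地址打标记以便进行流量控制--上传
# Per-host marks. A later "--set-mark" overwrites an earlier one, so the
# /24 catch-all (mark 70) must come before the single-host rules; with the
# /24 rule in the middle, 192.168.0.52 would end up in class 70, not 40.
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/24 -j MARK --set-mark 70
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.52 -j MARK --set-mark 40
#$IPTABLES -t mangle -A PREROUTING -s 192.168.0.3 -j MARK --set-mark 60
# downloads
#$IPTABLES -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#$IPTABLES -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#$IPTABLES -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
##为ip地址打标记以便进行流量控制--下载
# Same ordering rule as for uploads: catch-all first, single hosts after.
#$IPTABLES -t mangle -A POSTROUTING -d 192.168.0.0/24 -j MARK --set-mark 70
#$IPTABLES -t mangle -A POSTROUTING -d 192.168.0.52 -j MARK --set-mark 40
#$IPTABLES -t mangle -A POSTROUTING -d 192.168.0.3 -j MARK --set-mark 60

################################### iptables END########################################
echo "iptables END"
#echo "Enabling Squid"
#/usr/local/squid/sbin/squid
echo "Enabling ADSL"
# Bring the link up last, once filtering and shaping are in place, and
# report a failure instead of ending silently.
adsl-start || echo "adsl-start failed (status $?)" >&2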
##########################################################
每个人的linux安装的不一样,netfilter模块加载的也不一样,在模块加载处估计各位要进行微调,将需要加载的模块前带#的去掉几个估计就可以了,tc处可根据自己的实际情况进行微调。
本配置已经实际运行了3年,没出现什么问题(配置上),但要是某个高手盯上你了,估计就难说了,嘿嘿,技术就是这样,没有绝对的。反正我的配置(P3赛扬600,128M PC100内存,10G硬盘,810E主板,双8139D百兆网卡,Debian woody,2.4.32内核)不关机,除了每两个月的正常清洁外没出现过什么异常。(因为对内网是没有限制的,故清理内鬼是比较重要的。)

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/7507082/viewspace-850788/,如需转载,请注明出处,否则将追究法律责任。
