追加・修正した部分は（元のページでは）赤字で表示されていますが、プレーンテキストでは色の情報が失われます。追加箇所の目印としては、本文中の日付入りコメント（例: 「2006/12/8 双方向アクセス禁止スクリプトを追加」）や「Rule pre (global)」の節を参照してください。
ファイアウォールのスクリプト例(aquarius.fw)
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
# (NOTE: this copy HAS been hand-edited: the prolog/epilog sections and the
#  "Rule pre (global)" block below are not part of the generated output.
#  Regenerating the script from Firewall Builder will discard those edits
#  unless they are kept in the policy's prolog/epilog settings.)
#
# Firewall Builder fwb_ipt v2.0.10-1
#
# Generated Sun Aug 6 15:44:12 2006 JST by root
#
# files: * aquarius.fw
#
#
#
#
#
#
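PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
#
# Prolog script
#
# Stop the firewall (clears every rule).
# NOTE(review): the init script's "stop" also resets the built-in chains to
# the ACCEPT policy, so the host is unfiltered from this point until the DROP
# policies are re-applied further down. The generated part of this script
# already flushes every table and re-applies the policies itself, so this
# call is only needed if something in the prolog requires a clean table.
/etc/rc.d/init.d/iptables stop
# Fetch the APNIC delegation data that feeds the per-country deny list.
# A failed fetch must not go unnoticed: the country filter is built from
# /tmp/<CC> later on and silently becomes empty when that file is missing,
# so report it (if the fetch script signals failure through its exit status).
if ! sh /etc/cron.daily/otherfilter_check.sh; then
    echo "otherfilter_check.sh failed; the country deny list may be stale or empty" >&2
fi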
#
# End of prolog script
#
log() {
# log MSG: print MSG on stdout and, if $LOGGER names an executable, also send
# it to syslog at priority "info". The function's exit status is that of the
# "test -x ... &&" list, i.e. non-zero when there is no usable logger.
echo "$1"
test -x "$LOGGER" && $LOGGER -p info "$1"
}
va_num=1
# add_addr ADDR NETMASK DEV
#   Add ADDR to DEV unless DEV already carries it. Addresses added here are
#   labelled DEV:FWB<n> (va_num counts up per added address) so that a later
#   "ip addr flush ... label DEV:FWB*" removes exactly what this script added.
add_addr() {
addr=$1
nm=$2
dev=$3
type=""
aadd=""
# First line of "ip link ls DEV" looks like "N: DEV: <FLAG1,FLAG2,...> ...".
L=`$IP -4 link ls $dev | head -n1`
if test -n "$L"; then
OIFS=$IFS
# Splitting on blank, "/", ":", "," and "<" yields "N", "DEV", an empty field
# (between ": " and "<") and then the flags, so $4 is the first link flag
# (BROADCAST, POINTOPOINT or LOOPBACK).
IFS=" /:,<"
set $L
type=$4
IFS=$OIFS
# Is ADDR already configured on DEV? Only IPv4 "inet" lines count ("grep -v :"
# drops inet6); after splitting on blank and "/", $2 is the bare address.
L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
if test -n "$L"; then
OIFS=$IFS
IFS=" /"
set $L
aadd=$2
IFS=$OIFS
fi
fi
if test -z "$aadd"; then
# Not present yet: point-to-point links get a bare address, broadcast links
# address/prefix with the broadcast derived from it. Any other link type
# (e.g. LOOPBACK, whose 127.0.0.1 is already there) is left untouched.
if test "$type" = "POINTOPOINT"; then
$IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
if test "$type" = "BROADCAST"; then
$IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
va_num=`expr $va_num + 1`
fi
fi
}
getInterfaceVarName() {
    # Interface names may contain a dot (VLAN sub-interfaces such as eth0.1),
    # which is not valid inside a shell variable name, so the first dot is
    # rewritten to an underscore. Only the first dot is replaced, matching the
    # single (non-global) substitution the generated code relies on.
    case $1 in
        *.*) printf '%s\n' "${1%%.*}_${1#*.}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}
getaddr() {
# getaddr DEV VAR: store the first IPv4 address configured on DEV in the shell
# variable named VAR (the empty string when DEV has none).
dev=$1
name=$2
# "inet a.b.c.d/nn ..." lines only; "grep -v :" drops the inet6 ones.
L=`$IP -4 addr show dev $dev | grep inet | grep -v :`
test -z "$L" && {
eval "$name=''"
return
}
# Split on blank and "/": $1 is "inet", $2 the bare address.
OIFS=$IFS
IFS=" /"
set $L
# The assignment is built with eval, so VAR must be a trusted identifier
# chosen by this script, never something derived from external input.
eval "$name=$2"
IFS=$OIFS
}
getinterfaces() {
# getinterfaces NAME: print the device name from every "ip link show" header
# line that contains ": NAME". This is a substring match, so "eth0" also picks
# up sub-interfaces such as eth0.1 (each is printed on its own line).
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
# Header line "N: DEV: <...>": splitting on blank and ":" puts DEV in $2.
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
# Absolute tool paths: nothing below depends on a PATH lookup.
# iproute2 is mandatory (interface and address handling below uses it), so
# bail out early with a clear message instead of failing half-way through.
$IP link ls >/dev/null 2>&1 || {
    echo "iproute not found"
    exit 1
}
echo
INTERFACES="eth0 lo "
# Every interface referenced by the policy must exist before addresses and
# rules are applied; a typo here must not produce a half-configured firewall.
for i in $INTERFACES ; do
    if ! $IP link show "$i" > /dev/null 2>&1; then
        log "Interface $i does not exist"
        exit 1
    fi
done
# Drop stale neighbour entries and any secondary address this script added
# on a previous run (label eth0:FWB*), then (re)apply the configured addresses
# and bring the links up.
$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1
add_addr 192.168.1.2 24 eth0
$IP link set eth0 up
add_addr 127.0.0.1 8 lo
$IP link set lo up
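MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
# strip_module_suffix: reads module file names on stdin and prints the bare
# module name for each name ending in a recognised object suffix (.ko, .o,
# .ko.gz, .o.gz, plus the .ko.xz / .ko.zst forms newer distributions ship).
# Names with any other suffix produce no output, as before.
strip_module_suffix() {
    sed -n -e 's/\.ko$//p' -e 's/\.o$//p' -e 's/\.ko\.gz$//p' -e 's/\.o\.gz$//p' \
           -e 's/\.ko\.xz$//p' -e 's/\.ko\.zst$//p'
}
# module_loaded NAME: 0 if NAME is listed in the first column of lsmod.
# The match is exact: the previous unanchored "grep NAME" also matched NAME
# inside another module's "Used by" column, which could skip a modprobe that
# was actually needed.
module_loaded() {
    $LSMOD | awk 'NR > 1 { print $1 }' | grep -qxF -- "$1"
}
# Collect every conntrack helper module shipped for this kernel. A missing
# module directory (e.g. a kernel without loadable modules) yields an empty
# list instead of an "ls" of the current directory.
MODULES=""
if [ -d "$MODULE_DIR" ]; then
    MODULES=`(cd "$MODULE_DIR" && ls *_conntrack_* 2>/dev/null | strip_module_suffix)`
fi
# Load each helper so the ESTABLISHED,RELATED rules below can track
# multi-connection protocols; a helper that fails to load is fatal, as in
# the generated original.
for module in $MODULES; do
    if module_loaded "$module"; then continue; fi
    $MODPROBE "$module" || exit 1
done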
log 'Activating firewall script generated Sun Aug 6 15:44:12 2006 by root'
# Default-deny on every built-in chain *before* the old rules are flushed, so
# there is no moment in which the host is open while the new set is built.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# No IPv6 rules are generated at all: where ip6tables is usable, every IPv6
# packet (loopback ::1 included) is dropped by policy. Note that existing
# ip6tables rules are NOT flushed here, unlike the IPv4 tables below, so
# stale v6 accept rules would survive this script.
ip6tables -L -n > /dev/null 2>&1 && {
ip6tables -P OUTPUT DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
}
# Flush every chain of every loaded IPv4 table except mangle, then delete the
# user-defined chains, by parsing the "Chain <name>" headers of "iptables -L".
cat /proc/net/ip_tables_names | while read table; do
test "X$table" = "Xmangle" && continue
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
# Stateful baseline: packets of an already accepted connection, or related to
# one (e.g. via the conntrack helper modules loaded above), pass; only NEW
# traffic is subject to the rules that follow. Any deny rule appended later
# therefore does not cut connections that already exist.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
# Anti-spoofing: a packet arriving on eth0 whose source is the firewall's own
# address (192.168.1.2) cannot be legitimate; log and drop it on both INPUT
# and FORWARD. Rule 3 below accepts NEW traffic *from* 192.168.1.2, so this
# rule must stay ahead of it.
#
$IPTABLES -N eth0_In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.2 -j eth0_In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.2 -j eth0_In_RULE_0
$IPTABLES -A eth0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A eth0_In_RULE_0 -j DROP
#
# Rule 0 (lo)
#
echo "Rule 0 (lo)"
#
# Loopback is trusted: new connections over lo are accepted in both
# directions (replies are already covered by the ESTABLISHED,RELATED rules).
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
# The generated deny rule for 200.0.0.0/8 is commented out, i.e. disabled:
# chain RULE_0 is never created and the echo above is informational only.
#
# $IPTABLES -N RULE_0
# $IPTABLES -A INPUT -s 200.0.0.0/8 -j RULE_0
# $IPTABLES -A FORWARD -s 200.0.0.0/8 -j RULE_0
# $IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
# $IPTABLES -A RULE_0 -j DROP
#
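echo "Rule pre (global)"
# ---------------------------------------------------------------------------
# Helpers for the operator-maintained deny lists below. Every entry read from
# a list file ends up as an iptables argument, so it is validated first: a
# malformed (or hostile) line is reported and skipped, never passed on.
# ---------------------------------------------------------------------------

# is_ipv4_net ADDR[/PREFIX]
#   Returns 0 when ADDR is a dotted-quad IPv4 address (four octets 0-255,
#   no leading zeros, which would be ambiguous octal) with an optional /0-32
#   prefix length; 1 otherwise.
is_ipv4_net() {
    _net=$1
    _pfx=32
    case $_net in
        */*) _pfx=${_net#*/}; _net=${_net%%/*} ;;
    esac
    case $_net in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    case $_pfx in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_pfx" -le 32 ] || return 1
    _oifs=$IFS
    IFS=.
    set -- $_net
    IFS=$_oifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        case $_oct in 0[0-9]*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
    done
    return 0
}

# ip4_to_int A.B.C.D: print the address as an unsigned integer.
ip4_to_int() {
    _oifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 N: print the integer N as a dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs START COUNT
#   Print, one per line, the minimal list of aligned CIDR blocks that covers
#   exactly COUNT addresses beginning at START. The APNIC delegation file
#   describes ranges as start+count and the counts are not always powers of
#   two, so one prefix is not always enough (the old "halve until 1" loop
#   silently under-covered such ranges and never terminated for a count of 0).
range_to_cidrs() {
    _start=`ip4_to_int "$1"`
    _left=$2
    while [ "$_left" -gt 0 ]; do
        # Largest block aligned at _start: its lowest set bit (2^32 if zero)...
        _size=$(( _start & -_start ))
        [ "$_size" -eq 0 ] && _size=4294967296
        # ...shrunk until it does not exceed what is left to cover.
        while [ "$_size" -gt "$_left" ]; do
            _size=$(( _size / 2 ))
        done
        _pfx=32
        _s=$_size
        while [ "$_s" -gt 1 ]; do
            _s=$(( _s / 2 ))
            _pfx=$(( _pfx - 1 ))
        done
        echo "`int_to_ip4 "$_start"`/$_pfx"
        _start=$(( _start + _size ))
        _left=$(( _left - _size ))
    done
}

# 2006/12/8: bidirectional deny list.
# Every address or CIDR block listed in /etc/rc.d/spam_host (one per line) is
# logged and then dropped in both directions. Blank lines and lines starting
# with '#' are ignored; anything that is not an IPv4 address/network is
# reported on stderr and skipped. Nothing happens when the file is absent or
# empty.
# NOTE(review): these jumps sit *after* the ESTABLISHED,RELATED accepts at the
# top of INPUT/OUTPUT/FORWARD, so a connection that already exists when a
# host is added keeps flowing until it times out; clear its conntrack entry
# (or reload with the connection tracking table flushed) to cut it at once.
SPAM_HOST_FILE=/etc/rc.d/spam_host
$IPTABLES -N SPAMHOST
if [ -s "$SPAM_HOST_FILE" ]; then
    while read -r spamip || [ -n "$spamip" ]; do
        case $spamip in ''|\#*) continue ;; esac
        if ! is_ipv4_net "$spamip"; then
            echo "$SPAM_HOST_FILE: ignoring invalid entry '$spamip'" >&2
            continue
        fi
        $IPTABLES -A INPUT -s "$spamip" -j SPAMHOST
        $IPTABLES -A OUTPUT -d "$spamip" -j SPAMHOST
        $IPTABLES -A FORWARD -s "$spamip" -j SPAMHOST
        $IPTABLES -A FORWARD -d "$spamip" -j SPAMHOST
    done < "$SPAM_HOST_FILE"
fi
$IPTABLES -A SPAMHOST -j LOG --log-level info --log-prefix "SPAMHOST -- DENY "
$IPTABLES -A SPAMHOST -j DROP

# Inbound-only deny list: addresses in /etc/rc.d/deny_host (one per line, same
# format and handling as above) are sent to LOG_DENYHOST and dropped, while
# this host may still connect *to* them. Nothing happens when the file is
# absent or empty.
DENY_HOST_FILE=/etc/rc.d/deny_host
$IPTABLES -N LOG_ALLOWHOST
$IPTABLES -N LOG_DENYHOST
if [ -s "$DENY_HOST_FILE" ]; then
    while read -r badip || [ -n "$badip" ]; do
        case $badip in ''|\#*) continue ;; esac
        if ! is_ipv4_net "$badip"; then
            echo "$DENY_HOST_FILE: ignoring invalid entry '$badip'" >&2
            continue
        fi
        $IPTABLES -A LOG_ALLOWHOST -s "$badip" -j LOG_DENYHOST
    done < "$DENY_HOST_FILE"
fi

# Per-country deny list, built from the APNIC delegation data that the prolog
# fetches with /etc/cron.daily/otherfilter_check.sh (run it once by hand before
# the first use). COUNTRYLIST holds the space-separated country codes to block
# (here CN and KR). The per-country files are expected at $APNIC_DIR/<CC> and
# contain "apnic|<CC>|ipv4|<first address>|<address count>|..." lines.
#   delegation data: http://www.apnic.net/
#   country codes:   http://www.nsrc.org/codes/country-codes.html
# NOTE(review): /tmp is world-writable, so an unprivileged local user could
# pre-create /tmp/<CC> and decide what gets blocked. The checks below refuse
# symlinks and files not owned by the invoking user, but the fetch script
# should write to a root-only directory; point APNIC_DIR there once it does.
COUNTRYLIST='CN KR'
APNIC_DIR=/tmp
for country in $COUNTRYLIST
do
    ccfile="$APNIC_DIR/$country"
    if [ ! -f "$ccfile" ] || [ -L "$ccfile" ] || [ ! -O "$ccfile" ]; then
        echo "$ccfile is missing, a symlink or not owned by us; $country is not filtered" >&2
        continue
    fi
    # Field 4 is the first address, field 5 the number of addresses. Entries
    # with a non-numeric or zero count, or a malformed address, are skipped.
    grep "apnic|$country|ipv4|" "$ccfile" |
    while IFS='|' read -r _reg _cc _ver start count _rest; do
        case $count in
            ''|*[!0-9]*)
                echo "$ccfile: ignoring entry '$start|$count'" >&2
                continue ;;
        esac
        if ! is_ipv4_net "$start" || [ "$count" -eq 0 ]; then
            echo "$ccfile: ignoring entry '$start|$count'" >&2
            continue
        fi
        for net in `range_to_cidrs "$start" "$count"`; do
            $IPTABLES -A LOG_ALLOWHOST -s "$net" -j LOG_DENYHOST
        done
    done
done

# Sources in LOG_DENYHOST are blocked inbound only; everything else that was
# sent to LOG_ALLOWHOST is accepted, and connections from this host to the
# listed addresses remain possible.
$IPTABLES -A LOG_ALLOWHOST -j ACCEPT
# Audit log for every packet that reaches this point in INPUT/FORWARD, i.e.
# all new inbound traffic not handled above, accepted later or not.
# NOTE(review): an unrated LOG target lets a remote sender flood syslog. Set
# LOG_LIMIT to e.g. '-m limit --limit 10/min --limit-burst 20' to rate-limit
# these two rules; leaving it empty keeps the original per-packet logging.
LOG_LIMIT=''
$IPTABLES -A INPUT $LOG_LIMIT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT] : '
$IPTABLES -A FORWARD $LOG_LIMIT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD] : '
$IPTABLES -A LOG_DENYHOST -j DROP
# Only new TCP connections are checked against deny_host and the country
# list; UDP and ICMP from those sources are not filtered here and fall
# through to the rules that follow.
$IPTABLES -A INPUT -p tcp -m state --state NEW -j LOG_ALLOWHOST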
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
# Hosts on the local subnet may open any connection (any protocol/port) to
# this host. The rule is appended after the LOG_ALLOWHOST jump, so a LAN
# address listed in deny_host or the country list is still dropped (for TCP)
# before it gets here.
#
$IPTABLES -A INPUT -s 192.168.1.0/24 -d 192.168.1.2 -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# Services this host offers to anyone. fwbuilder emits the same service list
# twice: Cid44D44557.0 for traffic this host sends to its own address
# (OUTPUT, -d 192.168.1.2) and Cid44D44557.1 for inbound traffic (INPUT).
# Accepted: ICMP time-exceeded (11/0, 11/1), echo-reply (0/0) and destination
# unreachable (3); active-mode FTP data (source port 20 to an unprivileged
# port); TCP http(80), ftp(21/20), imap(143), imaps(993), pop3(110),
# pop3s(995), smtp(25) and smtps(465).
#
# NOTE(review): the "--sport 20 --dport 1024:65535" NEW accept lets any remote
# host reach any unprivileged TCP port here simply by sending from port 20.
# When the ftp conntrack helper loaded above is present, active-FTP data
# connections are already matched as RELATED, and this rule can go.
# NOTE(review): cleartext pop3/imap/ftp are exposed world-wide next to their
# TLS variants; consider limiting them to the LAN.
#
$IPTABLES -N Cid44D44557.0
$IPTABLES -A OUTPUT -d 192.168.1.2 -m state --state NEW -j Cid44D44557.0
$IPTABLES -A Cid44D44557.0 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
$IPTABLES -A Cid44D44557.0 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
$IPTABLES -A Cid44D44557.0 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
$IPTABLES -A Cid44D44557.0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A Cid44D44557.0 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
$IPTABLES -A Cid44D44557.0 -p tcp -m tcp -m multiport --dports 80,21,20,143,993,110,995,25,465 -j ACCEPT
$IPTABLES -N Cid44D44557.1
$IPTABLES -A INPUT -d 192.168.1.2 -m state --state NEW -j Cid44D44557.1
$IPTABLES -A Cid44D44557.1 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
$IPTABLES -A Cid44D44557.1 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
$IPTABLES -A Cid44D44557.1 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
$IPTABLES -A Cid44D44557.1 -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A Cid44D44557.1 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
$IPTABLES -A Cid44D44557.1 -p tcp -m tcp -m multiport --dports 80,21,20,143,993,110,995,25,465 -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# server needs DNS to back-resolve clients IPs.
# Even if it does not log host names during its
# normal operations, statistics scripts such as
# webalizer need it for reporting.
#
# The OUTPUT rule lets this host initiate any outbound connection (not just
# DNS): egress is unrestricted apart from the SPAMHOST list. The INPUT rule
# only matters for paths other than eth0, since packets claiming
# 192.168.1.2 on eth0 are already dropped by the anti-spoofing rule and
# loopback traffic is accepted by Rule 0 (lo).
#
$IPTABLES -A INPUT -s 192.168.1.2 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.2 -m state --state NEW -j ACCEPT
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
# this rejects auth (ident) queries that remote
# mail relays may send to this server when it
# tries to send email out.
#
# REJECT (rather than DROP) answers immediately so the remote MTA does not
# wait for an ident timeout. NOTE(review): without --reject-with the answer
# is an ICMP port-unreachable; "--reject-with tcp-reset" is the form most
# ident clients give up on fastest.
#
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.2 --dport 113 -j REJECT
$IPTABLES -A INPUT -p tcp -m tcp -d 192.168.1.2 --dport 113 -j REJECT
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# Catch-all: anything not accepted above on any built-in chain is logged and
# dropped. This makes the DROP policies set at the top effectively
# unreachable, but they still protect the host if this rule fails to load.
# NOTE(review): the LOG here is unrated, so a scan or flood produces one
# syslog line per packet.
#
$IPTABLES -N RULE_5
$IPTABLES -A OUTPUT -j RULE_5
$IPTABLES -A INPUT -j RULE_5
$IPTABLES -A FORWARD -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
$IPTABLES -A RULE_5 -j DROP
#
#
# Enable IPv4 forwarding. With the FORWARD policy at DROP and nothing but the
# ESTABLISHED,RELATED rule accepting in FORWARD this routes no new traffic,
# but it is a kernel-wide switch; leave it off unless this box really routes.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Save the rule set so it is reloaded at boot (on Red Hat-style systems this
# writes the current tables to the iptables service's save file). The
# ip_forward setting above is not part of that and needs /etc/sysctl.conf to
# persist. NOTE(review): no iptables call above has its exit status checked,
# so a rule that failed to load is silently missing from the saved set.
/etc/rc.d/init.d/iptables save
# Start the service so it is marked running (it re-applies the saved set).
/etc/rc.d/init.d/iptables start
#
# Epilog script
#
# End of epilog script
#