[求助]大家推荐一个slackware下用的防火墙吧..

heartlylig

谢谢
大家觉得哪一个比较好/?

LiEn

IP伪装固太防火墙：(见代)

1. 
   
2. #!/bin/bash
   
3. #Our complete stateful firewall script.  This firewall can be customized for
   
4. #a laptop, workstation, router or even a server. :)
   
5. #change this to the name of the interface that provides your "uplink"
   
6. #(connection to the Internet)
   
7. UPLINK="eth1"
   
8. #if you're a router (and thus should forward IP packets between interfaces),
   
9. #you want ROUTER="yes"; otherwise, ROUTER="no"
   
10. ROUTER="yes"
    
11. #change this next line to the static IP of your uplink interface for static SNAT, or
    
12. #"dynamic" if you have a dynamic IP.  If you don't need any NAT, set NAT to "" to
    
13. #disable it.
    
14. NAT="1.2.3.4"
    
15. #change this next line so it lists all your network interfaces, including lo
    
16. INTERFACES="all"
    
17. #change this line so that it lists the assigned numbers or symbolic names (from
    
18. #/etc/services) of all the services that you'd like to provide to the general
    
19. #public.  If you don't want any services enabled, set it to ""
    
20. SERVICES="http ftp smtp ssh rsync"
    
21. if [ "$1" = "start" ]
    
22. then
    
23.         echo "Starting firewall..."
    
24.         iptables -P INPUT DROP
    
25.         iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    
26.         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
27.         #enable public access to certain services
    
28.         for x in ${SERVICES}
    
29.         do
    
30.                 iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    
31.         done
    
32. 
    
33.         iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    
34.         iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
    
35. 
    
36.         #explicitly disable ECN
    
37.         if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    
38.         then
    
39.                 echo 0 > /proc/sys/net/ipv4/tcp_ecn
    
40.         fi
    
41.         #disable spoofing on all interfaces
    
42.         for x in ${INTERFACES}
    
43.         do      
    
44.                 echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    
45.         done
    
46.         if [ "$ROUTER" = "yes" ]
    
47.         then
    
48.                 #we're a router of some kind, enable IP forwarding
    
49.                 echo 1 > /proc/sys/net/ipv4/ip_forward
    
50.                 if [ "$NAT" = "dynamic" ]
    
51.                 then
    
52.                         #dynamic IP address, use masquerading   
    
53.                         echo "Enabling masquerading (dynamic ip)..."
    
54.                         iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
    
55.                 elif [ "$NAT" != "" ]
    
56.                 then
    
57.                         #static IP, use SNAT
    
58.                         echo "Enabling SNAT (static ip)..."
    
59.                         iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${UPIP}192.168.0.1
    
60.                 fi
    
61.         fi
    
62. 
    
63. elif [ "$1" = "stop" ]
    
64. then
    
65.         echo "Stopping firewall..."
    
66.         iptables -F INPUT
    
67.         iptables -P INPUT ACCEPT
    
68.         #turn off NAT/masquerading, if any
    
69.         iptables -t nat -F POSTROUTING
    
70. fi
    

复制代码

时间有限没来的急做代码解释，本人一直在使用它。
(可实现IP转发和伪装)