在下的一个基于netfilter的防火墙脚本,请各位看看,给点意见

发表于 2004-3-17 21:09:53
才开始学Shell、netfilter/iptables,按照自己想法写了个脚本,请赐教
#!/bin/sh
################
#
#三网卡,提供WAN、LAN、DMZ区
#
################

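# Unset variables are an error: the original looped over ${DENYUDPPORTS} and
# ${DMZWEB_IP} while defining DENYUDPPORT and DMZDMZWEB_IP, so every UDP block
# and every DMZ server rule silently expanded to nothing.  -u turns that class
# of typo into an immediate failure instead of a hole in the rule set.
set -u

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
WANLINK="eth2"                # Internet-facing interface.  The original read the
                              # address from ppp0 regardless of this setting; for
                              # PPPoE set WANLINK=ppp0 so MASQUERADE, DNAT and the
                              # address lookup all agree on one interface.
DMZLINK="eth1"                # DMZ segment (published web/FTP servers)
LANLINK="eth0"                # internal LAN
NAT="dynamic"                 # "dynamic": MASQUERADE behind the current WAN address;
                              # a fixed address: SNAT to it; "": no NAT at all
ROUTER="yes"                  # "yes" enables IPv4 forwarding between the segments
SERVICE="22"                  # TCP ports this host itself serves
VISITED="20 21 80"            # TCP ports this host may connect out to
LANVISITED="20 21 80"         # TCP ports LAN clients may open through the router
DMZVISITED="20 21 80"         # TCP ports DMZ hosts may open through the router
DMZWEB_IP="192.168.133.129"   # DMZ web server; WAN port 80 is DNATed here
DMZFTP_IP="192.168.133.109"   # DMZ FTP server; WAN ports 20/21 are DNATed here
DENYTCPPORTS="3389 7626 135 139 445 1 7 9 15"
DENYUDPPORTS="135 139 445 7 9 15"
DENYLANTCPPORTS="3389 7626 135 139 445 1 7 9 15"
DENYLANUDPPORTS="135 139 445 7 9 15"
DENYDMZTCPPORTS="3389 7626 135 139 445 1 7 9 15"
DENYDMZUDPPORTS="135 139 445 7 9 15"

IPTABLES=${IPTABLES:-iptables}                 # override (e.g. a logging stub) for dry runs
IP_FORWARD_CTL=/proc/sys/net/ipv4/ip_forward

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# ipt ARGS... — run iptables.  A failed rule is reported on stderr (with its
# full argument list) rather than vanishing silently as in the original;
# the script carries on so the remaining rules are still installed.
ipt() {
  "$IPTABLES" "$@" && return 0
  printf 'WARNING: %s %s failed (status %s)\n' "$IPTABLES" "$*" "$?" >&2
  return 1
}

# wan_ip — print the IPv4 address bound to $WANLINK, or nothing if none.
# Handles both net-tools output styles ("inet addr:A.B.C.D" and "inet A.B.C.D")
# and stops after the first match, so IPv6 lines never leak into the result.
wan_ip() {
  ifconfig "$WANLINK" 2>/dev/null |
    awk '/inet /{ sub(/^addr:/, "", $2); print $2; exit }'
}

# flush_all — flush every table and delete its user chains and counters.
# The original only ran -X/-Z against the filter table.
flush_all() {
  for fa_table in filter nat mangle; do
    ipt -t "$fa_table" -F
    ipt -t "$fa_table" -X
    ipt -t "$fa_table" -Z
  done
}

# deny_ports CHAIN PROTO SUFFIX PORTS
#   For every port in the space-separated list PORTS append to CHAIN a
#   rate-limited LOG rule followed by a REJECT rule.  PROTO is tcp or udp and
#   selects the reject type; SUFFIX (e.g. " DMZ") is appended to the log
#   prefix.  The prefix is built with ${dp_port} — the original wrote the
#   literal "{x}" — and stays within iptables' 29-character --log-prefix limit
#   for ports of up to four digits.  The limit match keeps a port scan from
#   flooding the log (the original logged every packet).
deny_ports() {
  dp_chain=$1 dp_proto=$2 dp_suffix=$3 dp_ports=$4
  case "$dp_proto" in
    tcp) dp_label=TCP dp_reject=tcp-reset ;;
    udp) dp_label=UDP dp_reject=icmp-port-unreachable ;;
    *)   printf 'deny_ports: unknown protocol %s\n' "$dp_proto" >&2; return 1 ;;
  esac
  # shellcheck disable=SC2086 — PORTS is a space-separated list, split on purpose
  for dp_port in $dp_ports; do
    ipt -A "$dp_chain" -p "$dp_proto" --dport "$dp_port" \
      -m limit --limit 5/min --limit-burst 10 \
      -j LOG --log-prefix "INVAILD PORT${dp_port} ${dp_label} IN${dp_suffix}:"
    ipt -A "$dp_chain" -p "$dp_proto" --dport "$dp_port" -j REJECT --reject-with "$dp_reject"
  done
}

# dnat_rules PUBLIC_ADDR — redirect web (80) and FTP (20/21) connections that
# arrive on $WANLINK for PUBLIC_ADDR to the DMZ servers.
dnat_rules() {
  ipt -t nat -A PREROUTING -i "$WANLINK" -d "$1" -p tcp --dport 80 \
    -j DNAT --to-destination "${DMZWEB_IP}:80"
  for dr_port in 20 21; do
    ipt -t nat -A PREROUTING -i "$WANLINK" -d "$1" -p tcp --dport "$dr_port" \
      -j DNAT --to-destination "${DMZFTP_IP}:${dr_port}"
  done
}

# ---------------------------------------------------------------------------
# Actions
# ---------------------------------------------------------------------------

# fw_start — install the complete rule set.  Policies go to DROP before the
# old rules are flushed, so the host is never open while the set is rebuilt.
fw_start() {
  echo "Start Firewall......"
  echo "Now Flushing the rules......"
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP
  flush_all
  echo "        OK!!!"

  # User-defined chains, one per traffic class.
  for fs_chain in denyports inforsrv inforusr outforsrv outforusr \
                  denylanports lanusr denydmzports dmzsrv dmzusr; do
    ipt -N "$fs_chain"
  done

  # INPUT: loopback, blocked ports, services offered, replies to this host's
  # own sessions; whatever remains is rejected (non-TCP/UDP hits the DROP
  # policy).  "! -i lo" is the current negation syntax; the original's
  # "-i ! lo" form is deprecated and rejected by newer iptables.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -j denyports
  ipt -A INPUT -j inforsrv
  ipt -A INPUT -j inforusr
  ipt -A INPUT -p tcp ! -i lo -j REJECT --reject-with tcp-reset
  ipt -A INPUT -p udp ! -i lo -j REJECT --reject-with icmp-port-unreachable

  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A OUTPUT -j outforsrv
  ipt -A OUTPUT -j outforusr
  ipt -A OUTPUT -p tcp ! -o lo -j REJECT --reject-with tcp-reset
  ipt -A OUTPUT -p udp ! -o lo -j REJECT --reject-with icmp-port-unreachable

  # FORWARD: port blocks first, then DMZ services, DMZ clients, LAN clients.
  ipt -A FORWARD -j denydmzports
  ipt -A FORWARD -j denylanports
  ipt -A FORWARD -j dmzsrv
  ipt -A FORWARD -j dmzusr
  ipt -A FORWARD -j lanusr
  ipt -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
  ipt -A FORWARD -p udp -j REJECT --reject-with icmp-port-unreachable

  # Blocked ports (logged and rejected) for the host, the DMZ and the LAN.
  deny_ports denyports    tcp ""     "$DENYTCPPORTS"
  deny_ports denyports    udp ""     "$DENYUDPPORTS"
  deny_ports denydmzports tcp " DMZ" "$DENYDMZTCPPORTS"
  deny_ports denydmzports udp " DMZ" "$DENYDMZUDPPORTS"
  deny_ports denylanports tcp " LAN" "$DENYLANTCPPORTS"
  deny_ports denylanports udp " LAN" "$DENYLANUDPPORTS"

  # inforsrv / outforsrv: services this host offers.  There is no -i match,
  # so port 22 is reachable from the WAN as well as the LAN; add -i "$LANLINK"
  # to the inforsrv rule if administration should be LAN-only.
  # shellcheck disable=SC2086 — $SERVICE is a space-separated list
  for fs_port in $SERVICE; do
    ipt -A inforsrv  -p tcp --dport "$fs_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A outforsrv -p tcp --sport "$fs_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # inforusr / outforusr: this host acting as a client (ICMP and $VISITED).
  ipt -A inforusr  -p icmp -j ACCEPT
  ipt -A outforusr -p icmp -j ACCEPT
  # shellcheck disable=SC2086
  for fs_port in $VISITED; do
    ipt -A outforusr -p tcp --dport "$fs_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A inforusr  -p tcp --sport "$fs_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # dmzsrv: traffic to and from the published DMZ servers (the DNAT targets).
  ipt -A dmzsrv -o "$DMZLINK" -p tcp -d "$DMZWEB_IP" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ipt -A dmzsrv -i "$DMZLINK" -p tcp -s "$DMZWEB_IP" --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
  for fs_port in 20 21; do
    ipt -A dmzsrv -o "$DMZLINK" -p tcp -d "$DMZFTP_IP" --dport "$fs_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmzsrv -i "$DMZLINK" -p tcp -s "$DMZFTP_IP" --sport "$fs_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # dmzusr: DMZ hosts acting as clients.  The rules carry no -o match, so a
  # DMZ host may also open connections into the LAN on these ports; add
  # -o "$WANLINK" if DMZ-originated traffic should be confined to the Internet.
  ipt -A dmzusr -i "$DMZLINK" -p icmp -j ACCEPT
  ipt -A dmzusr -o "$DMZLINK" -p icmp -j ACCEPT
  # shellcheck disable=SC2086
  for fs_port in $DMZVISITED; do
    ipt -A dmzusr -i "$DMZLINK" -p tcp --dport "$fs_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A dmzusr -o "$DMZLINK" -p tcp --sport "$fs_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # lanusr: LAN hosts acting as clients; replies are accepted from $WANLINK.
  ipt -A lanusr -i "$LANLINK" -p icmp -j ACCEPT
  ipt -A lanusr -o "$LANLINK" -p icmp -j ACCEPT
  # shellcheck disable=SC2086
  for fs_port in $LANVISITED; do
    ipt -A lanusr -i "$LANLINK" -p tcp --dport "$fs_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A lanusr -i "$WANLINK" -p tcp --sport "$fs_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done

  # Routing and NAT (PREROUTING / POSTROUTING).  With an unknown WAN address
  # the original passed an empty -d to iptables and the DNAT rules failed
  # quietly; now MASQUERADE is still installed and the omission is reported.
  if [ "$ROUTER" = "yes" ]; then
    echo 1 > "$IP_FORWARD_CTL"
    if [ "$NAT" = "dynamic" ]; then
      fs_addr=$(wan_ip)
      echo "        Now you IP ADDRESS is : ${fs_addr}"
      ipt -t nat -A POSTROUTING -o "$WANLINK" -j MASQUERADE
      if [ -n "$fs_addr" ]; then
        dnat_rules "$fs_addr"
      else
        printf 'WARNING: no IPv4 address on %s; DMZ DNAT rules not installed\n' "$WANLINK" >&2
      fi
    elif [ -n "$NAT" ]; then
      ipt -t nat -A POSTROUTING -o "$WANLINK" -j SNAT --to-source "$NAT"
      dnat_rules "$NAT"
    fi
  fi

  echo "The firewall has successful Started up!!!"
}

# fw_stop — open the host completely: ACCEPT policies and all tables flushed.
# ip_forward is not reset (same as the original), so with ROUTER=yes the box
# keeps routing between WAN, LAN and DMZ with no filtering at all.
fw_stop() {
  echo "Stopping firewall......"
  echo "Now Flushing the rules......"
  ipt -P INPUT ACCEPT
  ipt -P FORWARD ACCEPT
  ipt -P OUTPUT ACCEPT
  flush_all
  echo "        OK!!!"
  echo "The firewall has successful shuted down!!! Be careful!!!"
}

# usage — print the accepted arguments (the original listed a stray empty
# alternative) and return 2 so the script's exit status reflects the error.
usage() {
  printf 'Usage: %s {start|stop}\n' "$0" >&2
  return 2
}

case "${1:-}" in
  start) fw_start ;;
  stop)  fw_stop ;;
  *)     usage ;;
esac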