
Linux iptables + TC做网关脚本 - linux/unix技术专区 - 操...

 古代先生 2011-05-20

Linux iptables + TC做网关脚本

[root@www /]# cat /etc/init.d/fw.sh
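#!/bin/bash
# /etc/init.d/fw.sh — iptables firewall plus tc/HTB shaping for a small
# 192.168.0.0/24 LAN behind a ppp0 uplink. Must run as root; it flushes and
# rebuilds every rule, so re-running it is safe.
#
# The interpreter line has to be the first line of the file. In the original
# it came after the echo, so the kernel never saw "#!/bin/bash" and the file
# ran under whatever shell happened to invoke it (e.g. /bin/sh from init).
echo "iptables is start!"

# Kernel modules the rules below depend on: the nat/filter tables, connection
# tracking (with the FTP helpers so FTP data connections pass through NAT) and
# the state match. These are the legacy ip_conntrack-era names; newer kernels
# may need the nf_* equivalents — verify with modinfo before relying on them.
# Load order is the same as the original script.
for mod in iptable_nat iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp ipt_state; do
  /sbin/modprobe "$mod"
done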

# LAN hosts allowed to use the Internet without restriction (consumed by the
# FORWARD accept loop further down). Kept as one whitespace-separated string
# because the consumer word-splits an unquoted $haiwang; the backslash
# continuations mean the value itself contains no newlines.
haiwang="\
192.168.0.35 192.168.0.37 192.168.0.41 192.168.0.50 192.168.0.51 \
192.168.0.52 192.168.0.54 192.168.0.55 192.168.0.56 192.168.0.57 \
192.168.0.58 192.168.0.61 192.168.0.62 192.168.0.65 192.168.0.67 \
192.168.0.74 192.168.0.75 192.168.0.80 192.168.0.81 192.168.0.82 \
192.168.0.88 192.168.0.89 192.168.0.90 192.168.0.95 192.168.0.104 \
192.168.0.105 192.168.0.106 192.168.0.112 192.168.0.114 192.168.0.116 \
192.168.0.118 192.168.0.121 192.168.0.123 192.168.0.124 192.168.0.125 \
192.168.0.126 192.168.0.129 192.168.0.130 192.168.0.134 192.168.0.183 \
192.168.0.193 192.168.0.207 192.168.0.208 192.168.0.211 192.168.0.213"

# Gateway kernel knobs: SYN cookies (SYN-flood resistance), IPv4 forwarding
# (without it the FORWARD chain never sees LAN traffic) and ignoring bogus
# ICMP error responses. Same three settings, same order, as the original.
for knob in tcp_syncookies ip_forward icmp_ignore_bogus_error_responses; do
  echo "1" > "/proc/sys/net/ipv4/$knob"
done

# Start from a clean slate: flush rules, delete user-defined chains and zero
# the counters in each table (iptables without -t is the filter table, so
# "-t filter" below is the same as the original bare calls).
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
  iptables -t "$table" -Z
done

# Default-deny for traffic to (INPUT) and through (FORWARD) the gateway; the
# gateway's own outbound traffic and the nat chains default to ACCEPT.
# From here until the accept rules are appended, INPUT/FORWARD drop everything.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

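# Traffic to the gateway itself: loopback and ICMP are always accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# Replies to known flows pass; packets conntrack cannot classify are dropped.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The state is spelled INVALID. The original "INVALI" is not a state name, so
# iptables rejects the rule and — because the script does not check exit
# codes — the two DROP rules were silently never installed.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# Services the gateway exposes to the LAN/uplink (the port list is the
# original's; 23/telnet and 10000 are worth reviewing since INPUT has no
# source restriction). Anything not listed hits the INPUT DROP policy.
iptables -A INPUT -p tcp -m multiport --dport 20,21,22,23,25,53,80,110,137,139,3128,443,445,10000 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 53,161,177,514,2049 -j ACCEPT

# Cap concurrent forwarded connections per source address at 40.
iptables -A FORWARD -m connlimit --connlimit-above 40 -j DROP
# Deny stock-trading software (well-known client ports), both TCP and UDP.
iptables -A FORWARD -p tcp -m multiport --dport 5188,7002,7008,7009,7711,8001,6677,8601,9000,9999,22221,22222,22223,22224 -j DROP
iptables -A FORWARD -p udp -m multiport --dport 5188,7002,7008,7009,7711,8001,6677,8601,9000,9999,22221,22222,22223,22224 -j DROP
# Deny the front-desk ("QianTai") machine Internet access. Matched by MAC so a
# changed IP does not bypass it (a changed MAC still would).
iptables -A FORWARD -m mac --mac-source 00:0d:56:56:4b:df -j DROP

# Application-layer blocks. "-m layer7" needs the out-of-tree l7-filter
# kernel/iptables patch; on a kernel without it every one of these rules fails
# to load and none of these protocols is blocked. Check the script's output
# (or `iptables -L FORWARD`) after running it.
iptables -A FORWARD -m layer7 --l7proto rtsp -j DROP
iptables -A FORWARD -m layer7 --l7proto bittorrent -j DROP
iptables -A FORWARD -m layer7 --l7proto edonkey -j DROP
iptables -A FORWARD -m layer7 --l7proto kugoo -j DROP
iptables -A FORWARD -m layer7 --l7proto xunlei -j DROP
iptables -A FORWARD -m layer7 --l7proto pplive -j DROP
iptables -A FORWARD -m layer7 --l7proto tonghuashun -j DROP
iptables -A FORWARD -m layer7 --l7proto xboxlive -j DROP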

# Whitelisted hosts (from $haiwang, split on whitespace): forward traffic in
# both directions, source rule before destination rule for each address, in
# list order — exactly the rule order the original loop produced.
for allowip in $haiwang; do
  iptables -A FORWARD -s "$allowip" -j ACCEPT
  iptables -A FORWARD -d "$allowip" -j ACCEPT
done
# Per-user exceptions for hosts that are not on the whitelist. Each one gets
# a matching pair of FORWARD rules (-s then -d) restricted to the given
# protocol/port match, so the rule order is identical to writing them out.
#
# Arguments: $1 - host address; remaining args - extra iptables match options
fwd_allow_pair() {
  local host=$1
  shift
  iptables -A FORWARD -s "$host" "$@" -j ACCEPT
  iptables -A FORWARD -d "$host" "$@" -j ACCEPT
}

# sudan: QQ (udp/8000)
fwd_allow_pair 192.168.0.98 -p udp --dport 8000
# zhouhang
fwd_allow_pair 192.168.0.204 -p tcp -m multiport --dport 88,8600
# kongling: QQ port plus https
fwd_allow_pair 192.168.0.199 -p udp --dport 8000
fwd_allow_pair 192.168.0.199 -p tcp --dport 443
# qiaoyishi: QQ
fwd_allow_pair 192.168.0.202 -p udp --dport 8000
# zhangli
fwd_allow_pair 192.168.0.203 -p udp --dport 8000

# dingdehong
fwd_allow_pair 192.168.0.184 -p udp --dport 8000

# NAT the LAN behind the dynamic ppp0 address. Only traffic the FORWARD chain
# accepted above ever reaches POSTROUTING, so the DROP policy still applies.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

# Transparent proxy: LAN web traffic is redirected to local port 3128 (also
# opened on INPUT above; presumably a squid instance — confirm on the host).
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

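#start TC Qos

# Total upload bandwidth: HTB root 1: on ppp0 egress, all hosts share 1Mbit.
# The "del" lines remove any qdisc left by a previous run; their errors
# (nothing to delete) are silenced on purpose.
tc qdisc del dev ppp0 root >/dev/null 2>&1
tc qdisc del dev ppp0 ingress >/dev/null 2>&1
tc qdisc add dev ppp0 root handle 1: htb
tc class add dev ppp0 parent 1: classid 1:1 htb rate 1Mbit
# Total download bandwidth: HTB root 2: on eth0 egress (towards the LAN), 4Mbit.
tc qdisc del dev eth0 root >/dev/null 2>&1
tc qdisc add dev eth0 root handle 2: htb
tc class add dev eth0 parent 2: classid 2:1 htb rate 4Mbit

# One leaf class per LAN host 192.168.0.30 .. 192.168.0.239. The decimal host
# octet $i is embedded verbatim in tc classids/handles, which tc reads as hex;
# that only has to be unique per host, and it is. Neither HTB root declares a
# default class, so hosts outside this range, and any unmarked upload, are not
# shaped at all — NOTE(review): confirm that is intended.
for ((i = 30; i < 240; i++)); do
  # Upload: 256kbit guaranteed, 512kbit ceiling per host
  # (the original comment describes this as "max 56K/s per person").
  tc class add dev ppp0 parent 1:1 classid "1:1$i" htb rate 256kbit ceil 512kbit burst 15k
  tc qdisc add dev ppp0 parent "1:1$i" handle "1$i" sfq
  # The fw filter keys on the nfmark set in mangle below. iptables parses
  # "0x$i" as hex, while iproute2 reads the fw handle with a base-0 parse
  # (decimal unless 0x-prefixed — verify against the installed tc), so the
  # original `handle $i` did not equal the mark `0x$i`: uploads landed in
  # another host's class, or in no class for hosts whose hex value exceeded
  # 239. Using the identical literal on both sides keeps them equal whatever
  # base either tool defaults to.
  tc filter add dev ppp0 parent 1:0 protocol ip prio "$i" handle "0x$i" fw classid "1:1$i"
  iptables -t mangle -A PREROUTING -s "192.168.0.$i" -j MARK --set-mark "0x$i"

  # Download: 512kbit guaranteed, 1024kbit ceiling per host
  # (original comment: "max 128K/s per person"), classified by destination IP.
  tc class add dev eth0 parent 2:1 classid "2:2$i" htb rate 512kbit ceil 1024kbit burst 15k
  tc qdisc add dev eth0 parent "2:2$i" handle "2$i:" sfq
  tc filter add dev eth0 parent 2:0 protocol ip prio 4 u32 match ip dst "192.168.0.$i" flowid "2:2$i"
done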
