брандмауэр и подсчет трафика на bash

Linux, безопасность, сети и все что с этим связано

брандмауэр и подсчет трафика на bash

Сообщение blasterjon »

Написал брандмауэр и подсчет трафика на bash

#!/bin/sh
# Gateway firewall plus per-client traffic accounting.
# Invoked as: script [save|restore|restart]
#   save    - dump the live rule set to /etc/sysconfig/iptables
#   restore - reload that dump
#   restart - (re)build the rule set and record per-client byte counters
# As posted, any other argument (or none) just rebuilds the rule set.

# Tool paths. SYSCTL deliberately includes its "-w" flag and therefore has
# to be expanded unquoted wherever it is used.
SYSCTL='/sbin/sysctl -w'
IPT=/sbin/iptables
IPTS=/sbin/iptables-save
IPTR=/sbin/iptables-restore

# Upstream ("Internet") side of the gateway
INET_IFACE=eth0
INET_ADDRESS=192.168.10.100

# LAN side: gateway address, network and directed broadcast address
LOCAL_IFACE=eth1
LOCAL_IP=192.168.30.1
LOCAL_NET=192.168.30.0/24
LOCAL_BCAST=192.168.30.255

# Loopback
LO_IFACE=lo
LO_IP=127.0.0.1

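# "save" and "restore" are one-shot maintenance modes: both exit without
# touching the kernel settings or rebuilding the live rule set.
if [ "$1" = "save" ]; then
  printf '%s' "Saving firewall to /etc/sysconfig/iptables ... "
  $IPTS > /etc/sysconfig/iptables
  echo "done"
  exit 0
elif [ "$1" = "restore" ]; then
  printf '%s' "Restoring firewall from /etc/sysconfig/iptables ... "
  # NOTE(review): this line read "$IPTR </etc> /proc/sys/..." in the posted
  # copy, i.e. the "<" redirection and the text up to the next ">" were
  # swallowed by the forum's HTML rendering. It is restored here as the
  # counterpart of the "save" branch above.
  $IPTR < /etc/sysconfig/iptables
  echo "done"
  exit 0
fi

# Kernel network hardening. The same seven settings exist twice: via sysctl
# and as direct writes to /proc. The posted copy lost the line that chose
# between them; an empty SYSCTL now selects the /proc fallback.
if [ -z "$SYSCTL" ]; then
  echo "1" > /proc/sys/net/ipv4/ip_forward               # act as a router
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies            # SYN-flood resistance
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter        # reverse-path (anti-spoof) check
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
  echo "1" > /proc/sys/net/ipv4/conf/all/log_martians     # log impossible source addresses
else
  $SYSCTL net.ipv4.ip_forward="1"
  $SYSCTL net.ipv4.tcp_syncookies="1"
  $SYSCTL net.ipv4.conf.all.rp_filter="1"
  $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
  $SYSCTL net.ipv4.conf.all.accept_source_route="0"
  $SYSCTL net.ipv4.conf.all.secure_redirects="1"
  $SYSCTL net.ipv4.conf.all.log_martians="1"
fi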

echo "Flushing Tables ..."

# Open every built-in chain we touch before flushing, so an error half-way
# through cannot leave the box locked out with an empty DROP-policy table.
for chain in INPUT FORWARD OUTPUT; do
  $IPT -P $chain ACCEPT
done
for chain in PREROUTING POSTROUTING OUTPUT; do
  $IPT -t nat -P $chain ACCEPT
done
for chain in PREROUTING OUTPUT; do
  $IPT -t mangle -P $chain ACCEPT
done

# Remove every rule, then every user-defined chain, in the same table order.
for table in filter nat mangle; do
  $IPT -t $table -F
done
for table in filter nat mangle; do
  $IPT -t $table -X
done

# Default deny on the filter table; everything that follows is an allow-list.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

echo "Create and populate custom rule chains ..."

# User-defined chains, created up front so the dispatch rules in INPUT and
# FORWARD can jump to them.
for chain in bad_packets bad_tcp_packets icmp_packets \
             udp_inbound udp_outbound tcp_inbound tcp_outbound; do
  $IPT -N $chain
done

# Append a LOG rule and the identical DROP rule to a chain.
# $1 chain, $2 log prefix, remaining arguments the match specification.
log_and_drop() {
  ld_chain=$1
  ld_prefix=$2
  shift 2
  $IPT -A "$ld_chain" "$@" -j LOG --log-prefix "$ld_prefix"
  $IPT -A "$ld_chain" "$@" -j DROP
}

# bad_packets: generic sanity checks shared by INPUT and FORWARD.
# A LAN source address arriving on the Internet side is spoofed.
log_and_drop bad_packets "fp=bad_packets:2 a=DROP " -p ALL -i $INET_IFACE -s $LOCAL_NET
# Packets conntrack cannot tie to any connection.
log_and_drop bad_packets "fp=bad_packets:1 a=DROP " -p ALL -m state --state INVALID
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets: the LAN side is exempt; everything else is checked for
# NEW connections that do not start with SYN and for impossible flag sets.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
log_and_drop bad_tcp_packets "fp=bad_tcp_packets:1 a=DROP " -p tcp ! --syn -m state --state NEW
flag_id=2
for flags in 'ALL NONE' 'ALL ALL' 'ALL FIN,URG,PSH' 'ALL SYN,RST,ACK,FIN,URG' \
             'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'; do
  # $flags is deliberately unquoted: it carries the "mask comp" word pair.
  log_and_drop bad_tcp_packets "fp=bad_tcp_packets:$flag_id a=DROP " -p tcp --tcp-flags $flags
  flag_id=$((flag_id + 1))
done
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets: fragmented ICMP is logged and dropped; echo requests (type 8)
# from the Internet are dropped (the ACCEPT variant is kept commented out),
# time-exceeded (type 11) is accepted, the rest returns to the caller.
log_and_drop icmp_packets "fp=icmp_packets:1 a=DROP " --fragment -p ICMP
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "fp=icmp_packets:2 a=ACCEPT "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

# udp_inbound: NetBIOS name/datagram noise (137/138) is dropped silently,
# ident (113) is rejected rather than dropped.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
# $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound: the LAN may send any UDP.
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound: services the gateway exposes to the whole Internet (-s 0/0).
# ident is rejected, then 80 HTTP, 25 SMTP, 110 POP3, 143 IMAP4, 995 POP3S,
# 993 IMAPS and 22 sshd are accepted.
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j ACCEPT
for port in 80 25 110 143 995 993 22; do
  $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port $port -j ACCEPT
done
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound: the LAN may open any TCP connection.
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
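echo "Process INPUT chain ..."

# Loopback is always trusted.
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Sanity checks: spoofed LAN sources on the Internet side, INVALID state,
# impossible TCP flag combinations.
$IPT -A INPUT -p ALL -j bad_packets

# Multicast example, left disabled.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# The LAN may talk to the gateway itself, including directed broadcasts.
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Replies to connections the gateway opened towards the Internet.
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else from the Internet side goes through the per-protocol chains.
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Broadcast noise is dropped without logging ...
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# ... whatever remains is logged and then hits the DROP policy. The log rule
# is rate-limited so a scan or flood cannot fill the log (5/minute with a
# burst of 10 is a starting value; tune as needed).
$IPT -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fp=INPUT:99 a=DROP "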

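echo "Process FORWARD chain ..."

# Same sanity checks as INPUT (spoofed sources, INVALID state, bad TCP flags).
$IPT -A FORWARD -p ALL -j bad_packets

# LAN-originated TCP/UDP goes through the outbound chains (both currently
# accept everything) ...
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# ... and any other LAN-originated protocol is forwarded as well.
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Replies from the Internet to connections the LAN opened.
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Unsolicited inbound is logged and then dropped by the chain policy. The log
# rule is rate-limited so a scan or flood cannot fill the log (5/minute with
# a burst of 10 is a starting value; tune as needed).
$IPT -A FORWARD -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fp=FORWARD:99 a=DROP "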

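echo "Process OUTPUT chain ..."

# Locally generated ICMP in INVALID state is dropped before anything is
# accepted, to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Loopback
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# Towards the LAN
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# Towards the Internet: the gateway's own outbound traffic is unrestricted.
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Leftovers are logged and dropped by policy. The log rule is rate-limited so
# a burst of local errors cannot fill the log (5/minute with a burst of 10 is
# a starting value; tune as needed).
$IPT -A OUTPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "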

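echo "Load rules for nat table ..."

# Examples, all disabled: exempt one host from the transparent proxy ...
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 80 \
# -j RETURN
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 443 \
# -j RETURN

# ... or redirect all HTTP/HTTPS to a local proxy on port 3128. Per-client
# redirection is instead done in the "restart" section from clients.txt.
#$IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
# -j REDIRECT --to-ports 3128
# $IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
# -j REDIRECT --to-ports 3128


###############################################################################
#
# POSTROUTING chain: rewrite the LAN's source addresses to the gateway's
# upstream address.
#

$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS

# The per-client mangle (accounting) rules are created in the "restart"
# section; nothing is loaded here.
echo "Load rules for mangle table ..."
# The stray "fi" that followed this line in the posted copy had no matching
# "if" and would abort the whole script with a syntax error; it was removed.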

#===========================
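if [ "$1" = "restart" ]; then

  # NOTE(review): as posted, the rule load above (including "$IPT -t mangle -F")
  # has already run by the time this block executes, so the counters read
  # here would already be zero; in the deployed copy the snapshot presumably
  # is taken before that flush — confirm.

  date1=$(date '+%F')
  date2=$(date '+%X')

  # Database credentials are read from a root-only (mode 0600) client options
  # file instead of being passed as --password=... on the command line, which
  # every local user could read via ps. MYSQL_CNF_PLACEHOLDER is a placeholder
  # name: create the file with a [client] section holding user= and password=.
  MYSQL_CNF=/etc/aatraff/MYSQL_CNF_PLACEHOLDER
  MYSQL="mysql --defaults-extra-file=$MYSQL_CNF -D traffic"   # expanded unquoted on purpose

  # Snapshot per-client byte counters from the ACCEPT rules towards the LAN:
  # in "iptables -nxvL" output column 9 is the destination, column 2 the bytes.
  $IPT -t mangle -nxvL POSTROUTING \
    | awk -v dev="$LOCAL_IFACE" '$0 ~ ("ACCEPT.*" dev) {print $9,$2}' > /etc/aatraff/traffic.txt

  # Only well-formed "a.b.c.d <digits>" lines are inserted; anything else is
  # skipped, so no stray text can end up inside the SQL statement.
  while read -r client bytes; do
    case $client in ''|*[!0-9.]*) continue ;; esac
    case $bytes in ''|*[!0-9]*) continue ;; esac
    $MYSQL -e "INSERT INTO kun VALUES('$client','$bytes','$date1','$date2')" \
      || printf 'traffic: insert for %s failed\n' "$client" >&2
  done < /etc/aatraff/traffic.txt

  # Rebuild the accounting (mangle) and NAT rules from scratch.
  $IPT -t mangle -F
  $IPT -t nat -F
  $IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_ADDRESS

  # clients.txt holds one "<ip> <ACCEPT|DROP> <squid|no>" line per client.
  while read -r client target proxy; do
    case $client in ''|'#'*|*[!0-9.]*) continue ;; esac
    # The target becomes a -j argument, so only the two documented values are
    # accepted; anything else is reported and skipped.
    case $target in
      ACCEPT|DROP) ;;
      *) printf 'clients: bad target for %s, line skipped\n' "$client" >&2; continue ;;
    esac

    # NOTE(review): the PREROUTING rule matches LAN-sourced packets arriving on
    # the Internet interface, which bad_packets already drops; the LAN
    # interface was presumably intended — confirm before changing.
    $IPT -t mangle -A PREROUTING -i $INET_IFACE -s $client -d $LOCAL_NET -j $target
    $IPT -t mangle -A POSTROUTING -o $LOCAL_IFACE -d $client -s $LOCAL_NET -j $target

    # Transparent proxying only for allowed clients flagged "squid".
    if [ "$target" = "ACCEPT" ] && [ "$proxy" = "squid" ]; then
      $IPT -t nat -A PREROUTING -p tcp -s $client --destination-port 80 -j REDIRECT --to-ports 3128
    fi
  done < /etc/aatraff/clients.txt

fi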
#===============================


Файл /etc/aatraff/clients.txt выглядит так:
192.168.30.2 ACCEPT squid
192.168.30.3 ACCEPT squid
192.168.30.4 ACCEPT squid
192.168.30.5 DROP squid
192.168.30.6 DROP no
192.168.30.7 DROP no
192.168.30.8 DROP no
192.168.30.9 DROP no
192.168.30.10 DROP no
192.168.30.11 DROP no
192.168.30.12 DROP no
192.168.30.13 DROP no
192.168.30.14 DROP no
192.168.30.15 DROP no
192.168.30.16 DROP no
192.168.30.17 DROP no
192.168.30.18 DROP no
192.168.30.19 DROP no
192.168.30.20 DROP no
192.168.30.21 DROP no
192.168.30.22 DROP no
192.168.30.23 DROP no
192.168.30.24 DROP no
192.168.30.25 DROP no
192.168.30.26 DROP no
192.168.30.27 DROP no
192.168.30.28 DROP no
192.168.30.29 DROP no
192.168.30.30 DROP no
192.168.30.31 DROP no
192.168.30.32 DROP no
192.168.30.33 DROP no
192.168.30.34 DROP no
192.168.30.35 DROP no
192.168.30.36 DROP no
192.168.30.37 DROP no
192.168.30.38 DROP no
192.168.30.39 DROP no
192.168.30.40 DROP no
192.168.30.41 DROP no
192.168.30.42 DROP no
192.168.30.43 DROP no
192.168.30.44 DROP no
192.168.30.45 DROP no
192.168.30.46 DROP no
192.168.30.47 DROP no
192.168.30.48 DROP no
192.168.30.49 DROP no
192.168.30.50 DROP no
192.168.30.51 DROP no
192.168.30.52 DROP no
192.168.30.53 DROP no
192.168.30.54 DROP no
192.168.30.55 DROP no
192.168.30.56 DROP no
192.168.30.57 DROP no
192.168.30.58 DROP no
192.168.30.59 DROP no
192.168.30.60 DROP no
192.168.30.61 DROP no
192.168.30.62 DROP no
192.168.30.63 DROP no
192.168.30.64 DROP no
192.168.30.65 DROP no
192.168.30.66 DROP no
192.168.30.67 DROP no
192.168.30.68 DROP no
192.168.30.69 DROP no
192.168.30.70 DROP no
192.168.30.71 DROP no
192.168.30.72 DROP no
192.168.30.73 DROP no
192.168.30.74 DROP no
192.168.30.75 DROP no
192.168.30.76 DROP no
192.168.30.77 DROP no
192.168.30.78 DROP no
192.168.30.79 DROP no
192.168.30.80 DROP no
192.168.30.81 DROP no
192.168.30.82 DROP no
192.168.30.83 DROP no
192.168.30.84 DROP no
192.168.30.85 DROP no
192.168.30.86 DROP no
192.168.30.87 DROP no
192.168.30.88 DROP no
192.168.30.89 DROP no
192.168.30.90 DROP no
192.168.30.91 DROP no
192.168.30.92 DROP no
192.168.30.93 DROP no
192.168.30.94 DROP no
192.168.30.95 DROP no
192.168.30.96 DROP no
192.168.30.97 DROP no
192.168.30.98 DROP no
192.168.30.99 DROP no
192.168.30.100 DROP no
192.168.30.101 DROP no
192.168.30.102 DROP no
192.168.30.103 DROP no
192.168.30.104 DROP no
192.168.30.105 DROP no
192.168.30.106 DROP no
192.168.30.107 DROP no
192.168.30.108 DROP no
192.168.30.109 DROP no
192.168.30.110 DROP no
192.168.30.111 DROP no
192.168.30.112 DROP no
192.168.30.113 DROP no
192.168.30.114 DROP no
192.168.30.115 DROP no
192.168.30.116 DROP no
192.168.30.117 DROP no
192.168.30.118 DROP no
192.168.30.119 DROP no
192.168.30.120 DROP no
192.168.30.121 DROP no
192.168.30.122 DROP no
192.168.30.123 DROP no
192.168.30.124 DROP no
192.168.30.125 DROP no
192.168.30.126 DROP no
192.168.30.127 DROP no
192.168.30.128 DROP no
192.168.30.129 DROP no
192.168.30.130 DROP no
192.168.30.131 DROP no
192.168.30.132 DROP no
192.168.30.133 DROP no
192.168.30.134 DROP no
192.168.30.135 DROP no
192.168.30.136 DROP no
192.168.30.137 DROP no
192.168.30.138 DROP no
192.168.30.139 DROP no
192.168.30.140 DROP no
192.168.30.141 DROP no
192.168.30.142 DROP no
192.168.30.143 DROP no
192.168.30.144 DROP no
192.168.30.145 DROP no
192.168.30.146 DROP no
192.168.30.147 DROP no
192.168.30.148 DROP no
192.168.30.149 DROP no
192.168.30.150 DROP no
192.168.30.151 DROP no
192.168.30.152 DROP no
192.168.30.153 DROP no
192.168.30.154 DROP no
192.168.30.155 DROP no
192.168.30.156 DROP no
192.168.30.157 DROP no
192.168.30.158 DROP no
192.168.30.159 DROP no
192.168.30.160 DROP no
192.168.30.161 DROP no
192.168.30.162 DROP no
192.168.30.163 DROP no
192.168.30.164 DROP no
192.168.30.165 DROP no
192.168.30.166 DROP no
192.168.30.167 DROP no
192.168.30.168 DROP no
192.168.30.169 DROP no
192.168.30.170 DROP no
192.168.30.171 DROP no
192.168.30.172 DROP no
192.168.30.173 DROP no
192.168.30.174 DROP no
192.168.30.175 DROP no
192.168.30.176 DROP no
192.168.30.177 DROP no
192.168.30.178 DROP no
192.168.30.179 DROP no
192.168.30.180 DROP no
192.168.30.181 DROP no
192.168.30.182 DROP no
192.168.30.183 DROP no
192.168.30.184 DROP no
192.168.30.185 DROP no
192.168.30.186 DROP no
192.168.30.187 DROP no
192.168.30.188 DROP no
192.168.30.189 DROP no
192.168.30.190 DROP no
192.168.30.191 DROP no
192.168.30.192 DROP no
192.168.30.193 DROP no
192.168.30.194 DROP no
192.168.30.195 DROP no
192.168.30.196 DROP no
192.168.30.197 DROP no
192.168.30.198 DROP no
192.168.30.199 DROP no
192.168.30.200 DROP no
192.168.30.201 DROP no
192.168.30.202 DROP no
192.168.30.203 DROP no
192.168.30.204 DROP no
192.168.30.205 DROP no
192.168.30.206 DROP no
192.168.30.207 DROP no
192.168.30.208 DROP no
192.168.30.209 DROP no
192.168.30.210 DROP no
192.168.30.211 DROP no
192.168.30.212 DROP no
192.168.30.213 DROP no
192.168.30.214 DROP no
192.168.30.215 DROP no
192.168.30.216 DROP no
192.168.30.217 DROP no
192.168.30.218 DROP no
192.168.30.219 DROP no
192.168.30.220 DROP no
192.168.30.221 DROP no
192.168.30.222 DROP no
192.168.30.223 DROP no
192.168.30.224 DROP no
192.168.30.225 DROP no
192.168.30.226 DROP no
192.168.30.227 DROP no
192.168.30.228 DROP no
192.168.30.229 DROP no
192.168.30.230 DROP no
192.168.30.231 DROP no
192.168.30.232 DROP no
192.168.30.233 DROP no
192.168.30.234 DROP no
192.168.30.235 DROP no
192.168.30.236 DROP no
192.168.30.237 DROP no
192.168.30.238 DROP no
192.168.30.239 DROP no
192.168.30.240 DROP no
192.168.30.241 DROP no
192.168.30.242 DROP no
192.168.30.243 DROP no
192.168.30.244 DROP no
192.168.30.245 DROP no
192.168.30.246 DROP no
192.168.30.247 DROP no
192.168.30.248 DROP no
192.168.30.249 DROP no
192.168.30.250 DROP no
192.168.30.251 DROP no
192.168.30.252 DROP no
192.168.30.253 DROP no
192.168.30.254 DROP no
192.168.30.255 DROP no

Файл /etc/aatraff/traffic.txt выглядит так:
192.168.30.2 10389
192.168.30.3 345
192.168.30.4 0

Жду ваши замечания и предложения.


Сообщение kif0rt »

Предлагаю перенести в Wiki.


Сообщение Silos »

kif0rt, займитесь, никто не запрещает ;)
