bigmichael
2003-03-14, 05:01 PM
我的環境和鳥哥的列子有些不同
我的主機只有一張網卡有實體ip並且我不做nat所以做了以下的修改,如下綠色的部份
我將鳥哥的iptables.rule的某部份的內容
#!/bin/bash
#
# ³oÓ script ¬O¥Î¨Ó«Ø¥ß iptables ¨¾¤õÀ𪺰ò¥»³W«h¡I
# °ò¥»³W«h©w¸q¬°¡y©Úµ´©Ò¦³¡A¶}©ñ‾S©w¡zªº¼Ò¦¡¡I
# §A¥i¥H±N³oÓÀɮשñ¸m¦b /usr/local/virus/iptables ©³¤U¡AÀɦW¥i©w¸q¬° iptables.rule ¡I
# °ò¥»¤W¡A§A¥i¥H°Ñ¦Ò³oÓºô‾¸¸ê®Æ¡G http://linux.vbird.org
#
# HISTORY:
# 2002/08/20 First release by VBird
#
# 0.0 Please key in your parameters
EXTIF="eth1" # the interface that connect Internet
INIF="" # the inside interface. if you don't have this one
# and you must let this be black ex> INIF=""
INNET="" # This is for NAT's network
# 1.0 Testing your Kernel version and remove the ipchains module
kver=`uname -r | cut -c 1-3`
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then
echo "Your Linux Kernel Version may not be suported by this script!"
echo "This scripts will not be runing"
exit
fi
ipchains=`lsmod | grep ipchains`
if [ "$ipchains" != "" ]; then
echo "unload ipchains in your system"
rmmod ipchains 2> /dev/null
fi
# 2.0 Loading some modules
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
modprobe ip_tables > /dev/null 2>&1
modprobe iptable_nat > /dev/null 2>&1
modprobe ip_nat_ftp > /dev/null 2>&1
modprobe ip_nat_irc > /dev/null 2>&1
modprobe ip_conntrack > /dev/null 2>&1
modprobe ip_conntrack_ftp > /dev/null 2>&1
modprobe ip_conntrack_irc > /dev/null 2>&1
# 3.0 Clear the iptables's rules
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# 4.0 Allow the lo and inside interface to access the server and internet
# /sbin/iptables -A INPUT -i lo -j ACCEPT
# if [ "$INIF" != "" ]; then
# /sbin/iptables -A INPUT -i $INIF -j ACCEPT
# echo "1" > /proc/sys/net/ipv4/ip_forward
# /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
# fi
# 5.0 Deny and Allow IP or host or network from files
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
/usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
/usr/local/virus/iptables/iptables.allow
fi
# 6.0 Allow ICMP come in
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
/sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 7.0 Allow services
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT # FTP
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT # SSH
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 25 -j ACCEPT # SMTP
/sbin/iptables -A INPUT -p UDP -i $EXTIF --dport 53 -j ACCEPT # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 53 -j ACCEPT # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT # WWW
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT # POP3
# 8.0 Allow RELATED and ESTABLISHED
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 9.0 deny all
/sbin/iptables -A INPUT -m state --state NEW,INVALID -j DROP
其它的和鳥哥的設定一樣
則得到如下的結果
[root@linux root]# /usr/local/virus/iptables/iptables.rule
bash: /usr/local/virus/iptables/iptables.rule: bad interpreter: No such file or directory
[root@linux root]# lsmod
Module Size Used by
binfmt_misc 6416 1
iscsi 21984 0 (unused)
scsi_mod 95696 1 [iscsi]
autofs 11520 0 (autoclean) (unused)
via-rhine 11424 1
eepro100 17664 1
appletalk 20912 0 (autoclean)
ipx 16448 0 (autoclean)
usb-uhci 21536 0 (unused)
usbcore 51712 1 [usb-uhci]
[root@linux root]#
不能用也,是哪裡出問題呢?
贊助商連結
我的主機只有一張網卡有實體ip並且我不做nat所以做了以下的修改,如下綠色的部份
我將鳥哥的iptables.rule的某部份的內容
#!/bin/bash
#
# ³oÓ script ¬O¥Î¨Ó«Ø¥ß iptables ¨¾¤õÀ𪺰ò¥»³W«h¡I
# °ò¥»³W«h©w¸q¬°¡y©Úµ´©Ò¦³¡A¶}©ñ‾S©w¡zªº¼Ò¦¡¡I
# §A¥i¥H±N³oÓÀɮשñ¸m¦b /usr/local/virus/iptables ©³¤U¡AÀɦW¥i©w¸q¬° iptables.rule ¡I
# °ò¥»¤W¡A§A¥i¥H°Ñ¦Ò³oÓºô‾¸¸ê®Æ¡G http://linux.vbird.org
#
# HISTORY:
# 2002/08/20 First release by VBird
#
# 0.0 Please key in your parameters
EXTIF="eth1" # the interface that connect Internet
INIF="" # the inside interface. if you don't have this one
# and you must let this be black ex> INIF=""
INNET="" # This is for NAT's network
# 1.0 Testing your Kernel version and remove the ipchains module
kver=`uname -r | cut -c 1-3`
if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then
echo "Your Linux Kernel Version may not be suported by this script!"
echo "This scripts will not be runing"
exit
fi
ipchains=`lsmod | grep ipchains`
if [ "$ipchains" != "" ]; then
echo "unload ipchains in your system"
rmmod ipchains 2> /dev/null
fi
# 2.0 Loading some modules
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH EXTIF INIF INNET
modprobe ip_tables > /dev/null 2>&1
modprobe iptable_nat > /dev/null 2>&1
modprobe ip_nat_ftp > /dev/null 2>&1
modprobe ip_nat_irc > /dev/null 2>&1
modprobe ip_conntrack > /dev/null 2>&1
modprobe ip_conntrack_ftp > /dev/null 2>&1
modprobe ip_conntrack_irc > /dev/null 2>&1
# 3.0 Clear the iptables's rules
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# 4.0 Allow the lo and inside interface to access the server and internet
# /sbin/iptables -A INPUT -i lo -j ACCEPT
# if [ "$INIF" != "" ]; then
# /sbin/iptables -A INPUT -i $INIF -j ACCEPT
# echo "1" > /proc/sys/net/ipv4/ip_forward
# /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
# fi
# 5.0 Deny and Allow IP or host or network from files
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
/usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
/usr/local/virus/iptables/iptables.allow
fi
# 6.0 Allow ICMP come in
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
/sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 7.0 Allow services
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT # FTP
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT # SSH
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 25 -j ACCEPT # SMTP
/sbin/iptables -A INPUT -p UDP -i $EXTIF --dport 53 -j ACCEPT # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 53 -j ACCEPT # DNS
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT # WWW
/sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT # POP3
# 8.0 Allow RELATED and ESTABLISHED
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 9.0 deny all
/sbin/iptables -A INPUT -m state --state NEW,INVALID -j DROP
其它的和鳥哥的設定一樣
則得到如下的結果
[root@linux root]# /usr/local/virus/iptables/iptables.rule
bash: /usr/local/virus/iptables/iptables.rule: bad interpreter: No such file or directory
[root@linux root]# lsmod
Module Size Used by
binfmt_misc 6416 1
iscsi 21984 0 (unused)
scsi_mod 95696 1 [iscsi]
autofs 11520 0 (autoclean) (unused)
via-rhine 11424 1
eepro100 17664 1
appletalk 20912 0 (autoclean)
ipx 16448 0 (autoclean)
usb-uhci 21536 0 (unused)
usbcore 51712 1 [usb-uhci]
[root@linux root]#
不能用也,是哪裡出問題呢?
贊助商連結