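# Baseline ruleset, loaded once with iptables-restore. firewall.sh later
# inserts per-host ACCEPT/DROP rules at position 4 of each chain, i.e. after
# the static rules below and before the LOG rule, so keep that ordering.
cat > firewall.txt <<'EOF'
# Generated by iptables-save v1.4.7 on Wed Mar 16 21:11:30 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Mar 16 21:11:30 2011
# Generated by iptables-save v1.4.7 on Wed Mar 16 21:11:30 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Loopback has to be allowed explicitly: with DROP policies on INPUT and
# OUTPUT a NEW connection to 127.0.0.1 would otherwise be logged and dropped.
# This rule takes the slot of the old "-p udp --sport 53 -j ACCEPT", which
# let any remote host reach any local UDP port just by sending from source
# port 53; DNS replies are already ESTABLISHED traffic for the state rule
# above, so nothing is lost by removing it.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -j LOG --log-prefix "firewall-INPUT "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -m state --state NEW -j LOG --log-prefix "firewall-FORWARD "
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j LOG --log-prefix "firewall-OUTPUT "
COMMIT
# Completed on Wed Mar 16 21:11:30 2011
EOF
sudo /usr/sbin/iptables-restore < firewall.txt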
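# Version 1 of the interactive "learning" loop, written to ./firewall.sh.
cat > firewall.sh <<'EOF'
#!/bin/bash
# Interactive firewall learning loop.
#
# Reads syslog lines on stdin (tail -F /var/log/syslog | ./firewall.sh),
# picks those written by the "firewall-<CHAIN>" LOG rules of firewall.txt
# and asks the user, via xmessage, whether to ACCEPT or DROP traffic to that
# destination. The chosen rule is inserted at position INSERT_POS of the
# chain: after the static state rules and before the LOG rule, so the same
# flow is not logged (and asked about) again.
#
# Security notes:
#  * Anything that can write to syslog (e.g. `logger`) can produce a line
#    that looks like a kernel LOG entry, so every field is validated before
#    it reaches host(1), awk or sudo, and nothing is expanded unquoted.
#  * HSRC/HDST are reverse-DNS (PTR) names chosen by whoever controls the
#    remote address; they are display hints only. The *-FQDN rules are
#    resolved again by iptables at insert time and may cover different
#    addresses than the one logged; prefer the *-IP buttons when unsure.
#
# Fixed here: the fused "HDPT=...IPDST=" line, the swapped IP/FQDN rule
# variants, unquoted/globbing expansions of log fields, multi-line service
# names from /etc/services, and a duplicate check that matched 1.2.3.40
# when looking for 1.2.3.4.
IPTABLES='/usr/sbin/iptables'
INSERT_POS=4
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
PORT_RE='^[0-9]{1,5}$'
NAME_RE='^[A-Za-z0-9._-]+$'

# Reverse-DNS name of an already validated IPv4 address, or nothing if there
# is no PTR or it contains characters we do not want on a command line.
ptr_name() {
  local name
  name=$(host "$1" 2>/dev/null | awk '/domain name pointer/ { print $5; exit }')
  [[ $name =~ $NAME_RE ]] && printf '%s' "$name"
}

# Service name for "<port>/<proto>" from /etc/services, or nothing.
service_name() {
  awk -v key="$1/$2" '$2 == key { print $1; exit }' /etc/services
}

# rule_exists CHAIN PROTO SRC DST DPORT: true if CHAIN already holds a rule
# (any target) with that protocol, source, destination and --dport. An empty
# SRC/DST means "do not compare that column"; an empty DPORT means "a rule
# without --dport". Parses `iptables -n -L` because iptables 1.4.7 has no -C.
rule_exists() {
  sudo "$IPTABLES" -n -L "$1" 2>/dev/null |
    awk -v p="$2" -v s="$3" -v d="$4" -v dp="$5" '
      NR > 2 && $2 == p {
        src = $4; sub(/\/.*/, "", src)
        dst = $5; sub(/\/.*/, "", dst)
        if (s != "" && src != s) next
        if (d != "" && dst != d) next
        if (dp != "" && $7 != "dpt:" dp) next
        if (dp == "" && $7 ~ /^dpt:/) next
        found = 1; exit
      }
      END { exit !found }'
}

while IFS= read -r line; do
  [[ $line == *firewall-* ]] || continue
  unset CHAIN PROTO SRC SPT DST DPT
  read -r -a fields <<<"$line"      # unlike `for x in $line`, no globbing
  for item in "${fields[@]}"; do
    case $item in
      firewall-*) CHAIN=${item#firewall-} ;;
      PROTO=*)    PROTO=${item#PROTO=}; PROTO=${PROTO,,} ;;
      SRC=*)      SRC=${item#SRC=} ;;
      SPT=*)      SPT=${item#SPT=} ;;
      DST=*)      DST=${item#DST=} ;;
      DPT=*)      DPT=${item#DPT=} ;;
    esac
  done
  # Only well-formed IPv4 LOG lines for one of our three chains go further.
  case $CHAIN in INPUT|OUTPUT|FORWARD) ;; *) continue ;; esac
  [[ $PROTO =~ ^[a-z0-9]+$ ]] || continue
  [[ $SRC =~ $IPV4_RE && $DST =~ $IPV4_RE ]] || continue
  [[ -z $SPT || $SPT =~ $PORT_RE ]] || continue
  [[ -z $DPT || $DPT =~ $PORT_RE ]] || continue
  # Already decided for this destination: stay quiet.
  rule_exists "$CHAIN" "$PROTO" "" "$DST" "$DPT" && continue

  HSRC=$(ptr_name "$SRC"); HSRC=${HSRC:-$SRC}
  HDST=$(ptr_name "$DST"); HDST=${HDST:-$DST}
  HSPT=$(service_name "$SPT" "$PROTO"); HSPT=${HSPT:-$SPT}
  HDPT=$(service_name "$DPT" "$PROTO"); HDPT=${HDPT:-$DPT}

  # Both rule variants as arrays, so no field is word-split again. "IP" pins
  # the logged address, "FQDN" the PTR name.
  ip_rule=(-d "$DST" -p "$PROTO")
  fqdn_rule=(-d "$HDST" -p "$PROTO")
  if [[ -n $DPT ]]; then
    ip_rule+=(--dport "$DPT")
    fqdn_rule+=(--dport "$DPT")
  fi

  ACTION=$(LANG=C xmessage -buttons "ACCEPT-FQDN,ACCEPT-IP,DROP-FQDN,DROP-IP,SKIP" \
    -default SKIP -timeout 15 \
    -print "$HSRC => $HDST:$HDPT($DST:$DPT/$PROTO)")
  ACTION=${ACTION:-SKIP}              # nothing is printed on timeout/close
  case $ACTION in
    ACCEPT-FQDN) rule=("${fqdn_rule[@]}"); target=ACCEPT ;;
    ACCEPT-IP)   rule=("${ip_rule[@]}");   target=ACCEPT ;;
    DROP-FQDN)   rule=("${fqdn_rule[@]}"); target=DROP ;;
    DROP-IP)     rule=("${ip_rule[@]}");   target=DROP ;;
    *)           continue ;;
  esac
  sudo "$IPTABLES" -I "$CHAIN" "$INSERT_POS" "${rule[@]}" -j "$target" ||
    LANG=C xmessage "Error performing line: $line <${rule[*]}>"
  sleep 3
done
EOF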
Edit sudoers (with visudo) so the user running firewall.sh can invoke /usr/sbin/iptables through sudo without a password prompt — the script calls sudo unattended from inside its dialog loop. Restrict that entry to the iptables binary only.
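chmod a+x firewall.sh
# The script only needs to read the firewall LOG lines, but
# "chgrp users /var/log/syslog; chmod g+r /var/log/syslog" handed the whole
# system log (auth failures, other daemons' messages, ...) to every local
# user, and a log rotation typically resets those permissions anyway.
# Grant the operator the group that already owns the log instead (adm on
# Debian/Ubuntu — check with `ls -l /var/log/syslog`) and re-login.
sudo usermod -a -G adm "$USER"
tail -n 1 -F /var/log/syslog | ./firewall.sh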
Что это было ....
PS
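# Connection-tracking modules so that RELATED traffic (FTP data channels,
# SIP media, ...) is matched by the "--state RELATED,ESTABLISHED" rules.
#
# Security note: every nf_conntrack_<proto> helper parses untrusted payload
# inside the kernel and opens "expected" connections on its own, so loading
# all of them widens the attack surface (the classic abuse is a client
# tricking the FTP/IRC helper into opening an arbitrary port). Trim this
# list to the protocols actually in use. Newer kernels can also disable
# automatic helper assignment (net.netfilter.nf_conntrack_helper=0) and
# attach helpers with explicit CT rules — verify your kernel supports that
# before relying on it.
for module in \
    nf_conntrack \
    nf_conntrack_amanda \
    nf_conntrack_ftp \
    nf_conntrack_h323 \
    nf_conntrack_irc \
    nf_conntrack_netbios_ns \
    nf_conntrack_netlink \
    nf_conntrack_pptp \
    nf_conntrack_proto_dccp \
    nf_conntrack_proto_gre \
    nf_conntrack_proto_sctp \
    nf_conntrack_proto_udplite \
    nf_conntrack_sane \
    nf_conntrack_sip \
    nf_conntrack_tftp; do
  /sbin/modprobe "$module" || echo "modprobe $module failed" >&2
done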
fixed:
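# Version 2 ("fixed"): INPUT rules no longer carry -d, since for INPUT the
# logged DST is our own address; only protocol and port are decided.
cat > firewall.sh <<'EOF'
#!/bin/bash
# Interactive firewall learning loop.
#
# Reads syslog lines on stdin (tail -F /var/log/syslog | ./firewall.sh),
# picks those written by the "firewall-<CHAIN>" LOG rules of firewall.txt
# and asks the user, via xmessage, whether to ACCEPT or DROP that traffic.
# The chosen rule is inserted at position INSERT_POS of the chain: after
# the static state rules and before the LOG rule.
#
# Security notes:
#  * Anything that can write to syslog (e.g. `logger`) can produce a line
#    that looks like a kernel LOG entry, so every field is validated before
#    it reaches host(1), awk or sudo, and nothing is expanded unquoted.
#  * HSRC/HDST are reverse-DNS (PTR) names chosen by whoever controls the
#    remote address; they are display hints only. The *-FQDN rules are
#    resolved again by iptables at insert time and may cover different
#    addresses than the one logged; prefer the *-IP buttons when unsure.
#
# Fixed here: the fused "HDPT=...IPDST=" line, the swapped IP/FQDN rule
# variants, a duplicate check that never matched INPUT rules (they have no
# destination column to compare), unquoted/globbing expansions of log
# fields and multi-line service names from /etc/services.
IPTABLES='/usr/sbin/iptables'
INSERT_POS=4
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
PORT_RE='^[0-9]{1,5}$'
NAME_RE='^[A-Za-z0-9._-]+$'

# Reverse-DNS name of an already validated IPv4 address, or nothing if there
# is no PTR or it contains characters we do not want on a command line.
ptr_name() {
  local name
  name=$(host "$1" 2>/dev/null | awk '/domain name pointer/ { print $5; exit }')
  [[ $name =~ $NAME_RE ]] && printf '%s' "$name"
}

# Service name for "<port>/<proto>" from /etc/services, or nothing.
service_name() {
  awk -v key="$1/$2" '$2 == key { print $1; exit }' /etc/services
}

# rule_exists CHAIN PROTO SRC DST DPORT: true if CHAIN already holds a rule
# (any target) with that protocol, source, destination and --dport. An empty
# SRC/DST means "do not compare that column"; an empty DPORT means "a rule
# without --dport". Parses `iptables -n -L` because iptables 1.4.7 has no -C.
rule_exists() {
  sudo "$IPTABLES" -n -L "$1" 2>/dev/null |
    awk -v p="$2" -v s="$3" -v d="$4" -v dp="$5" '
      NR > 2 && $2 == p {
        src = $4; sub(/\/.*/, "", src)
        dst = $5; sub(/\/.*/, "", dst)
        if (s != "" && src != s) next
        if (d != "" && dst != d) next
        if (dp != "" && $7 != "dpt:" dp) next
        if (dp == "" && $7 ~ /^dpt:/) next
        found = 1; exit
      }
      END { exit !found }'
}

while IFS= read -r line; do
  [[ $line == *firewall-* ]] || continue
  unset CHAIN PROTO SRC SPT DST DPT
  read -r -a fields <<<"$line"      # unlike `for x in $line`, no globbing
  for item in "${fields[@]}"; do
    case $item in
      firewall-*) CHAIN=${item#firewall-} ;;
      PROTO=*)    PROTO=${item#PROTO=}; PROTO=${PROTO,,} ;;
      SRC=*)      SRC=${item#SRC=} ;;
      SPT=*)      SPT=${item#SPT=} ;;
      DST=*)      DST=${item#DST=} ;;
      DPT=*)      DPT=${item#DPT=} ;;
    esac
  done
  # Only well-formed IPv4 LOG lines for one of our three chains go further.
  case $CHAIN in INPUT|OUTPUT|FORWARD) ;; *) continue ;; esac
  [[ $PROTO =~ ^[a-z0-9]+$ ]] || continue
  [[ $SRC =~ $IPV4_RE && $DST =~ $IPV4_RE ]] || continue
  [[ -z $SPT || $SPT =~ $PORT_RE ]] || continue
  [[ -z $DPT || $DPT =~ $PORT_RE ]] || continue
  # Already decided: stay quiet. INPUT rules are port-only (no -d).
  if [[ $CHAIN == INPUT ]]; then
    rule_exists "$CHAIN" "$PROTO" "" "" "$DPT" && continue
  else
    rule_exists "$CHAIN" "$PROTO" "" "$DST" "$DPT" && continue
  fi

  HSRC=$(ptr_name "$SRC"); HSRC=${HSRC:-$SRC}
  HDST=$(ptr_name "$DST"); HDST=${HDST:-$DST}
  HSPT=$(service_name "$SPT" "$PROTO"); HSPT=${HSPT:-$SPT}
  HDPT=$(service_name "$DPT" "$PROTO"); HDPT=${HDPT:-$DPT}

  # Both rule variants as arrays, so no field is word-split again. "IP" pins
  # the logged address, "FQDN" the PTR name; INPUT uses neither.
  if [[ $CHAIN == INPUT ]]; then
    ip_rule=(-p "$PROTO")
    fqdn_rule=(-p "$PROTO")
  else
    ip_rule=(-d "$DST" -p "$PROTO")
    fqdn_rule=(-d "$HDST" -p "$PROTO")
  fi
  if [[ -n $DPT ]]; then
    ip_rule+=(--dport "$DPT")
    fqdn_rule+=(--dport "$DPT")
  fi

  ACTION=$(LANG=C xmessage -buttons "ACCEPT-FQDN,ACCEPT-IP,DROP-FQDN,DROP-IP,SKIP" \
    -default SKIP -timeout 15 \
    -print "$HSRC => $HDST:$HDPT($DST:$DPT/$PROTO)")
  ACTION=${ACTION:-SKIP}              # nothing is printed on timeout/close
  case $ACTION in
    ACCEPT-FQDN) rule=("${fqdn_rule[@]}"); target=ACCEPT ;;
    ACCEPT-IP)   rule=("${ip_rule[@]}");   target=ACCEPT ;;
    DROP-FQDN)   rule=("${fqdn_rule[@]}"); target=DROP ;;
    DROP-IP)     rule=("${ip_rule[@]}");   target=DROP ;;
    *)           continue ;;
  esac
  sudo "$IPTABLES" -I "$CHAIN" "$INSERT_POS" "${rule[@]}" -j "$target" ||
    LANG=C xmessage "Error performing line: $line <${rule[*]}>"
  sleep 3
done
EOF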
fixed2:
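# Version 3 ("fixed2"): IP/FQDN variants in the right order and a duplicate
# check that understands port-only INPUT rules.
cat > firewall.sh <<'EOF'
#!/bin/bash
# Interactive firewall learning loop.
#
# Reads syslog lines on stdin (tail -F /var/log/syslog | ./firewall.sh),
# picks those written by the "firewall-<CHAIN>" LOG rules of firewall.txt
# and asks the user, via xmessage, whether to ACCEPT or DROP that traffic.
# The chosen rule is inserted at position INSERT_POS of the chain: after
# the static state rules and before the LOG rule.
#
# Security notes:
#  * Anything that can write to syslog (e.g. `logger`) can produce a line
#    that looks like a kernel LOG entry, so every field is validated before
#    it reaches host(1), awk or sudo, and nothing is expanded unquoted.
#  * HSRC/HDST are reverse-DNS (PTR) names chosen by whoever controls the
#    remote address; they are display hints only. The *-FQDN rules are
#    resolved again by iptables at insert time and may cover different
#    addresses than the one logged; prefer the *-IP buttons when unsure.
#
# Fixed here: unquoted/globbing expansions of log fields, a duplicate
# check whose "\w*" also matched 1.2.3.40 when looking for 1.2.3.4,
# multi-line service names from /etc/services, and an unvalidated chain
# name taken straight from the log line.
IPTABLES='/usr/sbin/iptables'
INSERT_POS=4
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
PORT_RE='^[0-9]{1,5}$'
NAME_RE='^[A-Za-z0-9._-]+$'

# Reverse-DNS name of an already validated IPv4 address, or nothing if there
# is no PTR or it contains characters we do not want on a command line.
ptr_name() {
  local name
  name=$(host "$1" 2>/dev/null | awk '/domain name pointer/ { print $5; exit }')
  [[ $name =~ $NAME_RE ]] && printf '%s' "$name"
}

# Service name for "<port>/<proto>" from /etc/services, or nothing.
service_name() {
  awk -v key="$1/$2" '$2 == key { print $1; exit }' /etc/services
}

# rule_exists CHAIN PROTO SRC DST DPORT: true if CHAIN already holds a rule
# (any target) with that protocol, source, destination and --dport. An empty
# SRC/DST means "do not compare that column"; an empty DPORT means "a rule
# without --dport". Parses `iptables -n -L` because iptables 1.4.7 has no -C.
rule_exists() {
  sudo "$IPTABLES" -n -L "$1" 2>/dev/null |
    awk -v p="$2" -v s="$3" -v d="$4" -v dp="$5" '
      NR > 2 && $2 == p {
        src = $4; sub(/\/.*/, "", src)
        dst = $5; sub(/\/.*/, "", dst)
        if (s != "" && src != s) next
        if (d != "" && dst != d) next
        if (dp != "" && $7 != "dpt:" dp) next
        if (dp == "" && $7 ~ /^dpt:/) next
        found = 1; exit
      }
      END { exit !found }'
}

while IFS= read -r line; do
  [[ $line == *firewall-* ]] || continue
  unset CHAIN PROTO SRC SPT DST DPT
  read -r -a fields <<<"$line"      # unlike `for x in $line`, no globbing
  for item in "${fields[@]}"; do
    case $item in
      firewall-*) CHAIN=${item#firewall-} ;;
      PROTO=*)    PROTO=${item#PROTO=}; PROTO=${PROTO,,} ;;
      SRC=*)      SRC=${item#SRC=} ;;
      SPT=*)      SPT=${item#SPT=} ;;
      DST=*)      DST=${item#DST=} ;;
      DPT=*)      DPT=${item#DPT=} ;;
    esac
  done
  # Only well-formed IPv4 LOG lines for one of our three chains go further.
  case $CHAIN in INPUT|OUTPUT|FORWARD) ;; *) continue ;; esac
  [[ $PROTO =~ ^[a-z0-9]+$ ]] || continue
  [[ $SRC =~ $IPV4_RE && $DST =~ $IPV4_RE ]] || continue
  [[ -z $SPT || $SPT =~ $PORT_RE ]] || continue
  [[ -z $DPT || $DPT =~ $PORT_RE ]] || continue
  # Already decided: stay quiet. INPUT rules are port-only (no -d).
  if [[ $CHAIN == INPUT ]]; then
    rule_exists "$CHAIN" "$PROTO" "" "" "$DPT" && continue
  else
    rule_exists "$CHAIN" "$PROTO" "" "$DST" "$DPT" && continue
  fi

  HSRC=$(ptr_name "$SRC"); HSRC=${HSRC:-$SRC}
  HDST=$(ptr_name "$DST"); HDST=${HDST:-$DST}
  HSPT=$(service_name "$SPT" "$PROTO"); HSPT=${HSPT:-$SPT}
  HDPT=$(service_name "$DPT" "$PROTO"); HDPT=${HDPT:-$DPT}

  # Both rule variants as arrays, so no field is word-split again. "IP" pins
  # the logged address, "FQDN" the PTR name; INPUT uses neither.
  if [[ $CHAIN == INPUT ]]; then
    ip_rule=(-p "$PROTO")
    fqdn_rule=(-p "$PROTO")
  else
    ip_rule=(-d "$DST" -p "$PROTO")
    fqdn_rule=(-d "$HDST" -p "$PROTO")
  fi
  if [[ -n $DPT ]]; then
    ip_rule+=(--dport "$DPT")
    fqdn_rule+=(--dport "$DPT")
  fi

  ACTION=$(LANG=C xmessage -buttons "ACCEPT-FQDN,ACCEPT-IP,DROP-FQDN,DROP-IP,SKIP" \
    -default SKIP -timeout 15 \
    -print "$HSRC => $HDST:$HDPT($DST:$DPT/$PROTO)")
  ACTION=${ACTION:-SKIP}              # nothing is printed on timeout/close
  case $ACTION in
    ACCEPT-FQDN) rule=("${fqdn_rule[@]}"); target=ACCEPT ;;
    ACCEPT-IP)   rule=("${ip_rule[@]}");   target=ACCEPT ;;
    DROP-FQDN)   rule=("${fqdn_rule[@]}"); target=DROP ;;
    DROP-IP)     rule=("${ip_rule[@]}");   target=DROP ;;
    *)           continue ;;
  esac
  sudo "$IPTABLES" -I "$CHAIN" "$INSERT_POS" "${rule[@]}" -j "$target" ||
    LANG=C xmessage "Error performing line: $line <${rule[*]}>"
  sleep 3
done
EOF
Sorry!!!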
fixed 3
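#!/bin/bash
# Interactive firewall learning loop, version 4 ("fixed 3"): rules are
# built per chain — INPUT by source, OUTPUT by destination, FORWARD by both.
#
# Reads syslog lines on stdin (tail -F /var/log/syslog | ./firewall.sh),
# picks those written by the "firewall-<CHAIN>" LOG rules of firewall.txt
# and asks the user, via xmessage, whether to ACCEPT or DROP that traffic.
# The chosen rule is inserted at position INSERT_POS of the chain: after
# the static state rules and before the LOG rule.
#
# Security notes:
#  * Anything that can write to syslog (e.g. `logger`) can produce a line
#    that looks like a kernel LOG entry, so every field is validated before
#    it reaches host(1), awk or sudo, and nothing is expanded unquoted.
#  * HSRC/HDST are reverse-DNS (PTR) names chosen by whoever controls the
#    remote address. Since INPUT/FORWARD decisions are now made per source,
#    the dialog shows the raw SRC address next to its PTR name so a
#    misleading PTR ("mail.google.com." on a random host) cannot hide it.
#    The *-FQDN rules are resolved again by iptables at insert time and may
#    cover different addresses than the one logged; prefer *-IP.
#
# Fixed here: the two leftover chain-independent duplicate checks (any
# INPUT rule for the port, any rule towards DST) that silently suppressed
# prompts for new sources once one source had been allowed; unquoted /
# globbing expansions of log fields; a duplicate check whose "\w*" also
# matched 1.2.3.40 when looking for 1.2.3.4; and an unvalidated chain name.
IPTABLES='/usr/sbin/iptables'
INSERT_POS=4
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
PORT_RE='^[0-9]{1,5}$'
NAME_RE='^[A-Za-z0-9._-]+$'

# Reverse-DNS name of an already validated IPv4 address, or nothing if there
# is no PTR or it contains characters we do not want on a command line.
ptr_name() {
  local name
  name=$(host "$1" 2>/dev/null | awk '/domain name pointer/ { print $5; exit }')
  [[ $name =~ $NAME_RE ]] && printf '%s' "$name"
}

# Service name for "<port>/<proto>" from /etc/services, or nothing.
service_name() {
  awk -v key="$1/$2" '$2 == key { print $1; exit }' /etc/services
}

# rule_exists CHAIN PROTO SRC DST DPORT: true if CHAIN already holds a rule
# (any target) with that protocol, source, destination and --dport. An empty
# SRC/DST means "do not compare that column"; an empty DPORT means "a rule
# without --dport". Parses `iptables -n -L` because iptables 1.4.7 has no -C.
rule_exists() {
  sudo "$IPTABLES" -n -L "$1" 2>/dev/null |
    awk -v p="$2" -v s="$3" -v d="$4" -v dp="$5" '
      NR > 2 && $2 == p {
        src = $4; sub(/\/.*/, "", src)
        dst = $5; sub(/\/.*/, "", dst)
        if (s != "" && src != s) next
        if (d != "" && dst != d) next
        if (dp != "" && $7 != "dpt:" dp) next
        if (dp == "" && $7 ~ /^dpt:/) next
        found = 1; exit
      }
      END { exit !found }'
}

while IFS= read -r line; do
  [[ $line == *firewall-* ]] || continue
  unset CHAIN PROTO SRC SPT DST DPT
  read -r -a fields <<<"$line"      # unlike `for x in $line`, no globbing
  for item in "${fields[@]}"; do
    case $item in
      firewall-*) CHAIN=${item#firewall-} ;;
      PROTO=*)    PROTO=${item#PROTO=}; PROTO=${PROTO,,} ;;
      SRC=*)      SRC=${item#SRC=} ;;
      SPT=*)      SPT=${item#SPT=} ;;
      DST=*)      DST=${item#DST=} ;;
      DPT=*)      DPT=${item#DPT=} ;;
    esac
  done
  # Only well-formed IPv4 LOG lines for one of our three chains go further.
  case $CHAIN in INPUT|OUTPUT|FORWARD) ;; *) continue ;; esac
  [[ $PROTO =~ ^[a-z0-9]+$ ]] || continue
  [[ $SRC =~ $IPV4_RE && $DST =~ $IPV4_RE ]] || continue
  [[ -z $SPT || $SPT =~ $PORT_RE ]] || continue
  [[ -z $DPT || $DPT =~ $PORT_RE ]] || continue
  # Already decided for exactly this flow: stay quiet.
  case $CHAIN in
    INPUT)   rule_exists "$CHAIN" "$PROTO" "$SRC" ""     "$DPT" && continue ;;
    OUTPUT)  rule_exists "$CHAIN" "$PROTO" ""     "$DST" "$DPT" && continue ;;
    FORWARD) rule_exists "$CHAIN" "$PROTO" "$SRC" "$DST" "$DPT" && continue ;;
  esac

  HSRC=$(ptr_name "$SRC"); HSRC=${HSRC:-$SRC}
  HDST=$(ptr_name "$DST"); HDST=${HDST:-$DST}
  HSPT=$(service_name "$SPT" "$PROTO"); HSPT=${HSPT:-$SPT}
  HDPT=$(service_name "$DPT" "$PROTO"); HDPT=${HDPT:-$DPT}

  # Both rule variants as arrays, so no field is word-split again. "IP" pins
  # the logged addresses, "FQDN" the PTR names.
  case $CHAIN in
    INPUT)
      ip_rule=(-s "$SRC" -p "$PROTO")
      fqdn_rule=(-s "$HSRC" -p "$PROTO") ;;
    OUTPUT)
      ip_rule=(-d "$DST" -p "$PROTO")
      fqdn_rule=(-d "$HDST" -p "$PROTO") ;;
    FORWARD)
      ip_rule=(-s "$SRC" -d "$DST" -p "$PROTO")
      fqdn_rule=(-s "$HSRC" -d "$HDST" -p "$PROTO") ;;
  esac
  if [[ -n $DPT ]]; then
    ip_rule+=(--dport "$DPT")
    fqdn_rule+=(--dport "$DPT")
  fi

  ACTION=$(LANG=C xmessage -buttons "ACCEPT-FQDN,ACCEPT-IP,DROP-FQDN,DROP-IP,SKIP" \
    -default SKIP -timeout 15 \
    -print "$HSRC($SRC) => $HDST:$HDPT($DST:$DPT/$PROTO)")
  ACTION=${ACTION:-SKIP}              # nothing is printed on timeout/close
  case $ACTION in
    ACCEPT-FQDN) rule=("${fqdn_rule[@]}"); target=ACCEPT ;;
    ACCEPT-IP)   rule=("${ip_rule[@]}");   target=ACCEPT ;;
    DROP-FQDN)   rule=("${fqdn_rule[@]}"); target=DROP ;;
    DROP-IP)     rule=("${ip_rule[@]}");   target=DROP ;;
    *)           continue ;;
  esac
  sudo "$IPTABLES" -I "$CHAIN" "$INSERT_POS" "${rule[@]}" -j "$target" ||
    LANG=C xmessage "Error performing line: $line <${rule[*]}>"
done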