以下是我自己的一个防火墙例子,对大家最近提出的DNAT(端口映射)的问题很有帮助 | 代码: |
#! /bin/bash /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp /sbin/iptables -F -t filter /sbin/iptables -F -t nat /sbin/iptables -P INPUT DROP /sbin/iptables -P OUTPUT ACCEPT /sbin/iptables -P FORWARD DROP /sbin/iptables -t nat -P PREROUTING ACCEPT /sbin/iptables -t nat -P POSTROUTING ACCEPT /sbin/iptables -t nat -P OUTPUT ACCEPT # ALLOW ALL in PRIVATE NET /sbin/iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -i eth1 -j ACCEPT # NAT /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE # DNAT RADMIN to PRIVATE in platinum.3322.org /sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 4899 -j DNAT --to 192.168.0.2:4899 /sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 5000 -j DNAT --to 192.168.0.3:4899 # SQUID /sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to 192.168.0.1:3128 # FORWARD edit by Platinum /sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT # FTP /sbin/iptables -A FORWARD -p tcp --dport 22 -j ACCEPT # SSH /sbin/iptables -A FORWARD -p udp --dport 53 -j ACCEPT # DNS /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT # HTTP /sbin/iptables -A FORWARD -p tcp --dport 443 -j ACCEPT # HTTPS /sbin/iptables -A FORWARD -p udp --dport 8000 -j ACCEPT # QQ /sbin/iptables -A FORWARD -p tcp --dport 25 -j ACCEPT # SMTP /sbin/iptables -A FORWARD -p tcp --dport 110 -j ACCEPT # POP3 /sbin/iptables -A FORWARD -p tcp --dport 4899 -j ACCEPT # RADMIN /sbin/iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT # MSN (you must allow port 443) /sbin/iptables -A FORWARD -p icmp -j ACCEPT # allow the third handshake /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # exchange the other packets' "SOURCE" and "TARGET", and SEND it !!! /sbin/iptables -A INPUT -j MIRROR |
|