
Linux iptables setup in practice

Source: 中国IT实验室 (China IT Lab)  Author: anonymous  Published: 2013-07-11 10:54
Here is the basic network layout:
  The host has 3 NICs:
  eth0 192.168.0.1/24   internal LAN
  eth1 192.168.20.1/24  external
  eth2 192.168.50.1/24  conference-room network
  ppp0  (dial-up session established over eth1; this is the actual Internet link)
  DHCP settings:
  192.168.0.1/24      { 192.168.0.100----192.168.0.200 }
  192.168.50.1/24   {192.168.50.100---192.168.50.200 }
  VPN settings:
  localip:    192.168.10.1
  remoteip:  192.168.10.100    192.168.10.150
  Here is the actual firewall configuration:
  [root@yujiagw ~]# cat firewall
  #!/bin/sh
  # Forwarding between the interfaces only happens if the kernel allows it.
  # This script does not set it, so net.ipv4.ip_forward=1 is assumed to be
  # enabled elsewhere (e.g. /etc/sysctl.conf).
  #
  # Start from a clean slate: flush the filter and nat tables, then delete the
  # user-defined chains so they can be re-created below. On the first run the
  # -X lines print "No chain/target/match by that name"; that is harmless.
  # "qquser" is deleted here but never created anywhere in this script.
  iptables -F
  iptables -t nat -F
  # NOTE: with the FORWARD policy set to ACCEPT, every "-A FORWARD ... -j ACCEPT"
  # rule below is redundant, and anything that is not explicitly rejected is
  # forwarded between all interfaces.
  iptables -P FORWARD ACCEPT
  iptables -X poweruser
  iptables -X qquser
  iptables -X httpuser
  # NAT: masquerade everything leaving on the dial-up link (ppp0), which is the
  # real WAN interface; eth1 only carries the PPPoE session.
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  #iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
  # ACCEPT in the nat PREROUTING chain only ends nat processing for that packet.
  # It translates nothing and does not bypass the filter table, so these four
  # rules have no practical effect.
  iptables -t nat -A PREROUTING -p tcp --dport 53 -j ACCEPT
  iptables -t nat -A PREROUTING -p udp --dport 53 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 25 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp --dport 110 -j ACCEPT
  # Redirecting port 443 to port 443 would be a no-op; kept disabled.
  #iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 443
  #iptables -t nat -A PREROUTING -p udp --dport 443 -j REDIRECT --to-port 443
  # Port Forwarding (disabled). A DNAT in PREROUTING only works together with a
  # FORWARD rule that accepts the translated packet; the trailing SNAT rewrites
  # the source so that the server's replies return through this gateway (needed
  # when the client could otherwise reach the server directly and bypass the
  # DNAT state).
  #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3389 -j DNAT --to 192.168.0.4:3389
  #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.4:80
  #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to 192.168.50.2:8080
  #iptables -A FORWARD -d 192.168.50.2 -p tcp --dport 8080 -j ACCEPT
  #iptables -t nat -A POSTROUTING -d 192.168.50.2 -p tcp --dport 8080 -j SNAT --to 192.168.0.1
  # Basic Port Open (DNS, SMTP, POP3; redundant while the FORWARD policy is ACCEPT)
  iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
  # VPN: traffic between the VPN client pool and the internal LAN
  iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
  iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
  # Conference Room: traffic between the conference-room network and the internal LAN
  iptables -A FORWARD -s 192.168.50.0/24 -d 192.168.0.0/24 -j ACCEPT
  iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.50.0/24 -j ACCEPT
  # Set Connect WAN (despite the comment, this matches traffic *to* the
  # conference-room subnet from anywhere, not traffic to the WAN)
  iptables -A FORWARD -d 192.168.50.0/24 -j ACCEPT
  # HeQuanXin: per-MAC allow rules (disabled). A source MAC is trivially spoofed
  # by anyone on the same segment, so this is a convenience control, not
  # authentication.
  #iptables -A FORWARD -m mac --mac-source 00:1A:6B:35:A5:66 -j ACCEPT
  #iptables -A FORWARD -m mac --mac-source 44:D8:84:0A:9F:5D -j ACCEPT
  #-----------------------------------PowerUser-------define------------------------
  # User-defined chains. In the script as shown nothing in FORWARD jumps to
  # poweruser or httpuser, so the httpuser rules (including the QQZone reject)
  # never match any traffic.
  iptables -N poweruser
  iptables -A poweruser  -j ACCEPT
  #---------------------------------httpuser define-----------------
  # Set Http User
  iptables -N httpuser
  iptables -A httpuser -p tcp --dport 53 -j ACCEPT
  iptables -A httpuser -p udp --dport 53 -j ACCEPT
  # Reject QQZone. A hostname here is resolved once, when the rule is loaded:
  # only the addresses returned at that moment are rejected, and the rule does
  # not load at all if DNS is unavailable at that time.
  iptables -A httpuser -d user.qzone.qq.com -j REJECT
  iptables -A httpuser -p tcp --dport 80 -j ACCEPT
  iptables -A httpuser -p udp --dport 80 -j ACCEPT
  iptables -A httpuser -p tcp --dport 25 -j ACCEPT
  iptables -A httpuser -p tcp --dport 110 -j ACCEPT
  iptables -A httpuser -p tcp --dport 443 -j ACCEPT
  iptables -A httpuser -p udp --dport 443 -j ACCEPT
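The script above relies on a FORWARD policy of ACCEPT, so its allow rules change nothing and its per-user chains are never consulted. The following is an added example, written for this page and not the original author's script, of the same layout with the weak setting corrected: a default-deny FORWARD policy, a stateful core, the poweruser/httpuser chains actually reached from FORWARD, and the whole ruleset emitted in iptables-restore format so it loads atomically. Interface names and subnets are taken from the page's description; the MAC address is the one from the page's commented-out "HeQuanXin" rule and is an illustration only; the INPUT chain is left at ACCEPT as the page implies (the gateway also serves DHCP and VPN, which is outside the page's scope); the hostname-based QQZone rule is deliberately omitted because it is resolved only once at load time.

```shell
#!/bin/sh
# Added example (not the page's own script): default-deny rewrite of the
# page's FORWARD policy, printed in iptables-restore format.
# Assumptions: interfaces/subnets as described on the page; the MAC below is
# the one from the page's commented-out rule and is purely illustrative.
LAN_IF=eth0;  LAN_NET=192.168.0.0/24
CONF_IF=eth2; CONF_NET=192.168.50.0/24
WAN_IF=ppp0                          # eth1 only carries the PPPoE session
VPN_NET=192.168.10.0/24              # pool handed out to VPN clients
POWERUSER_MACS="00:1A:6B:35:A5:66"   # space-separated list of trusted MACs

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only what leaves on the WAN link; no PREROUTING "ACCEPT" no-ops.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:poweruser - [0:0]
:httpuser - [0:0]
# Stateful core: replies to permitted connections come back; every NEW
# connection has to be allowed explicitly below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN <-> VPN pool and LAN <-> conference room. Source subnet is tied to the
# ingress interface so a client cannot reach another segment by spoofing its
# source address (the VPN pool arrives on dynamic pppN interfaces, so only
# the address is checked there).
-A FORWARD -i $LAN_IF -s $LAN_NET -d $VPN_NET -j ACCEPT
-A FORWARD -s $VPN_NET -d $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -d $CONF_NET -j ACCEPT
-A FORWARD -i $CONF_IF -s $CONF_NET -d $LAN_NET -j ACCEPT
EOF
    # Internet access: listed MACs get the unrestricted chain, everyone else
    # the port-restricted one. A MAC is trivially spoofed on the same segment,
    # so this is a convenience control, not authentication.
    for mac in $POWERUSER_MACS; do
        echo "-A FORWARD -i $LAN_IF -o $WAN_IF -m mac --mac-source $mac -j poweruser"
    done
    cat <<EOF
-A FORWARD -i $LAN_IF -o $WAN_IF -j httpuser
-A FORWARD -i $CONF_IF -o $WAN_IF -j httpuser
-A poweruser -j ACCEPT
-A httpuser -p udp --dport 53 -j ACCEPT
-A httpuser -p tcp -m multiport --dports 53,25,80,110,443 -j ACCEPT
# Explicit terminal reject so the chain's outcome never depends on the policy.
-A httpuser -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Load atomically: iptables-restore swaps the whole table in one step, so there
# is never a half-loaded ruleset. Needs root; forwarding must be enabled in the
# kernel, which the page's script leaves implicit.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments to review the generated ruleset, or with `apply` as root to load it. Because the terminal rule of httpuser is an explicit REJECT and FORWARD defaults to DROP, a typo that drops a rule fails closed rather than silently opening everything, which is the opposite of the page's original policy.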
