免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
1234下一页
最近访问板块 发新帖
查看: 8090 | 回复: 37

[网络管理] 请帮忙看一下这个iptables [复制链接]

论坛徽章:
0
发表于 2007-11-23 10:24 |显示全部楼层
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#/sbin/ifconfig eth0:0 192.168.10.50
#/sbin/ifconfig eth1:1 192.168.100.2
su squid -c "/usr/local/squid/sbin/squid -s"
/usr/local/apache2/bin/apachectl -k start
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

iptables -P FORWARD DROP
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#dns
iptables -A FORWARD -p udp --dport 53 -j ACCEPT


#ftp,telnet
iptables -t nat -A PREROUTING -d 202.96.186.240 -p tcp --dport 21 -j DNAT --to 192.168.100.4
iptables -A FORWARD -o eth0 -d 192.168.100.4 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.100.4 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.100.4 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.168.100.4 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -d 202.96.186.240 -p tcp --dport 23 -j DNAT --to 192.168.100.4
iptables -A FORWARD -o eth0 -d 192.168.100.4 -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.100.4 -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.100.4 -p tcp --dport 23 -j SNAT --to 192.168.100.1
iptables -t nat -A POSTROUTING -d 192.168.100.4 -p tcp --dport 21 -j SNAT --to 192.168.100.1

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -j MASQUERADE

iptables -A PREROUTING -t nat -p tcp -s 192.168.100.0/24 -d 202.96.186.240 --dport 80 -j REDIRECT --to-ports 3128
#FIRE
#iptables -I FORWARD -m string --string "???繞" -j DROP
#iptables -I FORWARD -s 192.168.100.0/24 -m string --string "qq.com" -j DROP
#iptables -I FORWARD -d 192.168.100.0/24 -m string --string "聶穩?繕?簞?繙" -#iptables -I FORWARD -s 192.168.100.0/24 -m string --string "?竄?矇" -j DROP
#iptables -I FORWARD -p tcp --sport 80 -m string --string "繒瓊繡疆" -j DROP
#iptables -I FORWARD -s 192.168.100.0/24 -p tcp --dport 80 -j DROP -m comment --comment "the bad guy can not online"
#iptables -I FORWARD -s 192.168.100.0/24 -m string --string "qq.com" -j DROP -m comment --comment "denny go to qq.com"
#iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j DROP
#iptables -A INPUT -s 192.186.100.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -s 192.186.100.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#MAIL
iptables -A FORWARD -s 192.168.100.0/24 -p udp -m multiport --dport 53,1800,1810,8000,8080 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -m multiport --dport 110,25 -j ACCEPT
#SUPUSER
iptables -I FORWARD -m iprange --src-range 192.168.100.2-192.168.100.50 -j ACCEPT
#MSNUSER
iptables -I FORWARD -p tcp -m iprange --src-range 192.168.100.103-192.168.100.119 -m multiport --dport 443,80,8081,3389 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.60 -m multiport --dport 443,80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.221 -m multiport --dport 443,80 -j ACCEPT
iptables -I FORWARD -p TCP -s 192.168.100.220 -m multiport --dport 443,80 -j ACCEPT
#USER
iptables -I FORWARD -p tcp -m iprange --src-range 192.168.100.61-192.168.100.70 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.67 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.70 --dport 4000 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.65 -j DROP


iptables -I FORWARD -p tcp -s 192.168.100.66 -j DROP
iptables -I FORWARD -p tcp -s 192.168.100.68 -j DROP
iptables -I FORWARD -p tcp -s 192.168.100.151 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.156 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.157 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.159 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.163 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.164 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.170 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.173 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.158 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.181 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.188 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.212 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.214 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.211 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.100.215 --dport 80 -j ACCEPT
#CWUSER
iptables -I FORWARD -p tcp -m iprange --src-range 192.168.100.71-192.168.100.79 -m multiport --dport 80,8080,7002,7001,443,3333 -j ACCEPT



以上,我设在开机启动执行rc.local,像以上这种写法是不是每次开机执行的效果都不一样??这一句iptables -A PREROUTING -t nat -p tcp -s 192.168.100.0/24 -d 202.96.186.240 --dport 80 -j REDIRECT --to-ports 3128,我发现没有转发到squid去处理,然后我去掉-d 202.96.186.240 ,透明代理正常.现在有点糊涂了,请指出应该怎样改.

论坛徽章:
0
发表于 2007-11-23 10:56 |显示全部楼层
不要贴脚本,贴 iptables-save 的结果

论坛徽章:
0
发表于 2007-11-23 10:58 |显示全部楼层
原帖由 platinum 于 2007-11-23 10:56 发表
不要贴脚本,贴 iptables-save 的结果


支持,脚本看得晕。

论坛徽章:
0
发表于 2007-11-23 11:07 |显示全部楼层
iptables -A POSTROUTING -t nat -s 192.168.100.0/24 -j MASQUERADE

既然是MASQUERDE,想必是动态IP了,你那个 -d 202.96.186.240 根本就是多余的

论坛徽章:
0
发表于 2007-11-23 11:16 |显示全部楼层

回复 #4 kevin.tan 的帖子

是静态的,我没用SNAT.

论坛徽章:
0
发表于 2007-11-23 11:18 |显示全部楼层
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.186.100.0/24     anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            source IP range 192.168.100.71-192.168.100.79 multiport dports http,webcache,afs3-prserver,afs3-callback,https,3333
ACCEPT     tcp  --  192.168.100.215      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.211      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.214      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.212      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.188      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.181      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.158      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.173      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.170      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.164      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.163      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.159      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.157      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.156      anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.100.151      anywhere            tcp dpt:http
DROP       tcp  --  192.168.100.68       anywhere
DROP       tcp  --  192.168.100.66       anywhere
DROP       tcp  --  192.168.100.65       anywhere
ACCEPT     tcp  --  192.168.100.70       anywhere            tcp dpt:4000
ACCEPT     tcp  --  192.168.100.67       anywhere
ACCEPT     tcp  --  anywhere             anywhere            source IP range 192.168.100.61-192.168.100.70 tcp dpt:http
ACCEPT     tcp  --  192.168.100.220      anywhere            multiport dports https,http
ACCEPT     tcp  --  192.168.100.221      anywhere            multiport dports https,http
ACCEPT     tcp  --  192.168.100.60       anywhere            multiport dports https,http
ACCEPT     tcp  --  anywhere             anywhere            source IP range 192.168.100.103-192.168.100.119 multiport dports https,http,tproxy,3389
ACCEPT     all  --  anywhere             anywhere            source IP range 192.168.100.2-192.168.100.50
ACCEPT     tcp  --  192.168.100.0/24     anywhere            multiport dports pop3,smtp
ACCEPT     udp  --  192.168.100.0/24     anywhere            multiport dports domain,1800,1810,8000,webcache
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

论坛徽章:
0
发表于 2007-11-23 11:19 |显示全部楼层
我将脚本的A改成了I.是顺序插入。

论坛徽章:
0
发表于 2007-11-23 11:21 |显示全部楼层
原帖由 platinum 于 2007-11-23 10:56 发表
不要贴脚本,贴 iptables-save 的结果


# Generated by iptables-save v1.2.11 on Fri Nov 23 11:20:28 2007
*mangle
REROUTING ACCEPT [38155:17645793]
:INPUT ACCEPT [4674:452380]
:FORWARD ACCEPT [26548:15478267]
:OUTPUT ACCEPT [4861:992438]
OSTROUTING ACCEPT [31381:16468544]
COMMIT
# Completed on Fri Nov 23 11:20:28 2007
# Generated by iptables-save v1.2.11 on Fri Nov 23 11:20:28 2007
*filter
:INPUT ACCEPT [4674:452380]
:FORWARD DROP [28:2161]
:OUTPUT ACCEPT [4862:992594]
-A INPUT -s 192.186.100.0/255.255.255.0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m iprange --src-range 192.168.100.71-192.168.100.79 -m multiport --dports 80,8080,7002,7001,443,3333 -j ACCEPT
-A FORWARD -s 192.168.100.215 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.211 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.214 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.212 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.188 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.181 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.158 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.173 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.170 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.164 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.163 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.159 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.157 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.156 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.151 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.68 -p tcp -j DROP
-A FORWARD -s 192.168.100.66 -p tcp -j DROP
-A FORWARD -s 192.168.100.65 -p tcp -j DROP
-A FORWARD -s 192.168.100.70 -p tcp -m tcp --dport 4000 -j ACCEPT
-A FORWARD -s 192.168.100.67 -p tcp -j ACCEPT
-A FORWARD -p tcp -m iprange --src-range 192.168.100.61-192.168.100.70 -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.220 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A FORWARD -s 192.168.100.221 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A FORWARD -s 192.168.100.60 -p tcp -m multiport --dports 443,80 -j ACCEPT
-A FORWARD -p tcp -m iprange --src-range 192.168.100.103-192.168.100.119 -m multiport --dports 443,80,8081,3389 -j ACCEPT
-A FORWARD -m iprange --src-range 192.168.100.2-192.168.100.50 -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -p tcp -m multiport --dports 110,25 -j ACCEPT
-A FORWARD -s 192.168.100.0/255.255.255.0 -p udp -m multiport --dports 53,1800,1810,8000,8080 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Fri Nov 23 11:20:28 2007
# Generated by iptables-save v1.2.11 on Fri Nov 23 11:20:28 2007
*nat
REROUTING ACCEPT [8594:1826625]
OSTROUTING ACCEPT [14:892]
:OUTPUT ACCEPT [23:1648]
-A PREROUTING -s 192.168.100.0/255.255.255.0 -d 202.96.186.240 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.100.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 23 11:20:28 2007

论坛徽章:
0
发表于 2007-11-23 11:31 |显示全部楼层
”然后我去掉-d 202.96.186.240 ,透明代理正常“
加的目的是什么?
你又是如何测试的?

论坛徽章:
0
发表于 2007-11-23 11:39 |显示全部楼层

回复 #9 platinum 的帖子

之前也有的,透明代理正常,-d 202.96.186.240 是我的对外公网ip。这两天发现squid的透明代理没有起作用(在浏览器设定代理时,正常),于时早上将-d 202.96.186.240 去掉,透明代理起作用。可是iptables还是有问题,表现为iptables -I FORWARD -p tcp -s 192.168.100.65 -j DROP这个,居然可以登陆qq.我在想会不会是顺序问题?
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP