- 论坛徽章:
- 0
|
原帖由 jzcqx 于 2006-6-19 09:15 发表
rc.local文件内容如下
modprobe ip_conntrack
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
iptables -F
i ...
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_nat_ftp
#modprobe ip_nat_pptp
#modprobe ip_conntrack_proto_gre
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -o eth1 -p all -j ACCEPT
######################################################################################
#***************set var********************
WAN_IP="10.0.0.4"
LAN_NET="192.168.168.0/24"
#******************************************
#IP_forward
#and you can modify "/etc/sysctl.conf"
echo 1 > /proc/sys/net/ipv4/ip_forward
#LAN->WAN(NAT)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $WAN_IP
#PORT NAT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $WAN_IP --dport 5900 -j DNAT --to 192.168.168.13:5900
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $WAN_IP --dport 5800 -j DNAT --to 192.168.168.13:5800
#**********************************Start Add Routing*********************************
#Route to Taibei
route add -net 172.22.16.0 netmask 255.255.240.0 gw 192.168.8.1
#Route to Taoyuan
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.8.1
#Route to Dongguan
route add -net 172.22.80.0 netmask 255.255.240.0 gw 192.168.8.1
#***********************************End Add Routing**********************************
MAC="
00:16:76:1C:50:B2
00:16:76:35:A7:89"
for i in $MAC
do
iptables -t filter -A FORWARD -p all -m mac --mac-source $i -j ACCEPT
done
以上问题已经解决,只需增加蓝色字部分,现又出现一个问题就是文中红色字部分,DNAT无法实现端口转发,在外网无法通过nat主机访问内部的VNC主机,请各位高手看看,上面的shell哪里需要增加一些相关的语句,谢谢! |
|