一个NAT+SQUID+DNAT+FORWARD+反弹式FIREWALL的例子
一个NAT+SQUID+DNAT+FORWARD+反弹式FIREWALL的例子,一个NAT+SQUID+DNAT+FORWARD+反弹式FIREWALL的例子
环境:
ADSL(eth0)网卡启动时不激活
内网(eth1)192.168.0.1/24
代码:
#! /bin/bash
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# ALLOW ALL in PRIVATE NET
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
# NAT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
# DNAT RADMIN to PRIVATE in platinum.3322.org
/sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 4899 -j DNAT --to 192.168.0.2:4899
/sbin/iptables -A PREROUTING -t nat -p tcp -s ! 192.168.0.0/24 --dport 5000 -j DNAT --to 192.168.0.3:4899
# SQUID
/sbin/iptables -A PREROUTING -t nat -p tcp -s 192.168.0.0/24 --dport 80 -j DNAT --to 192.168.0.1:3128
# FORWARD edit by Platinum
/sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT # FTP
/sbin/iptables -A FORWARD -p tcp --dport 22 -j ACCEPT # SSH
/sbin/iptables -A FORWARD -p udp --dport 53 -j ACCEPT # DNS
/sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT # HTTP
/sbin/iptables -A FORWARD -p tcp --dport 443 -j ACCEPT # HTTPS
/sbin/iptables -A FORWARD -p udp --dport 8000 -j ACCEPT # QQ
/sbin/iptables -A FORWARD -p tcp --dport 25 -j ACCEPT # SMTP
/sbin/iptables -A FORWARD -p tcp --dport 110 -j ACCEPT # POP3
/sbin/iptables -A FORWARD -p tcp --dport 4899 -j ACCEPT # RADMIN
/sbin/iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT # MSN (you must allow port 443)
/sbin/iptables -A FORWARD -p icmp -j ACCEPT
# allow the third handshake
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# exchange the other packets' "SOURCE" and "TARGET", and SEND it !!!
/sbin/iptables -A INPUT -j MIRROR
此防火墙适用于静态IP及动态IP地址
原文请参考 http://bbs.chinaunix.net/forum/4/20040622/353019.html