
NetFilter/iptables防火墙设置(下)

 2007-02-23 12:39:42 来源:WEB开发网   
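# Webmail: public port 444 on the firewall is DNATed to the mail host's
# HTTPS port (443); the FORWARD rule then lets those connections through.
# On the original page each command was split over two lines by wrapping;
# every iptables invocation must be one command line.
iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o "$IF_PRV" -p tcp --dport 443 -j ACCEPT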

假设192.168.1.254上的mail服务器有个SSL网络接口。而你已经在防火墙上使用了443端口,用来允许对192.168.1.253上网络服务的SSL访问。那么,我们可以用iptables来让防火墙的公共端444端口来把传输转到mail服务器的http端口。现在我们就可以访问网络邮件http://firewall.public.address:444/了。

完整脚本

那么这就是上面所讲的、在SuSE Linux上配置防火墙所用的完整init脚本。创建/etc/init.d/firewall,将如下文本粘贴进去并保存。将该文件设为可执行,并用chkconfig firewall on使其在init时生效(此后可以用/etc/init.d/firewall start来启动该脚本)。使用这个脚本时,务必确保已经关掉了其他防火墙脚本。

#! /bin/bash
# Copyright (c) 2005
#
# Author: David Mair
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall configuration
### END INIT INFO
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
  # Fail closed: every built-in chain of the filter table defaults to DROP,
  # so only traffic matched by an explicit ACCEPT rule gets through.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
  done
}
##############################################################################
# FLUSH TABLES
FlushTables() {
  # Empty the three tables this script writes to, then delete user-defined
  # chains (-X without -t acts on the filter table only).
  local table
  for table in nat mangle filter; do
    iptables -F -t "$table"
  done
  iptables -X
}
##############################################################################
# ROUTING
EnableRouting() {
  # Switch on IPv4 forwarding between interfaces (kernel sysctl via /proc).
  local ip_forward=/proc/sys/net/ipv4/ip_forward
  printf '%s\n' 1 > "$ip_forward"
}
DisableRouting() {
  # Switch off IPv4 forwarding (counterpart of EnableRouting). Note that the
  # command-line handling at the bottom of this script never calls it.
  local ip_forward=/proc/sys/net/ipv4/ip_forward
  printf '%s\n' 0 > "$ip_forward"
}
##############################################################################
# FORWARDING
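SetForwardingRules() {
  # Public -> private: only packets that belong to a connection conntrack
  # already knows (replies). Private -> public: anything.
  # The web page wrapped the first command over two lines; each iptables
  # call must be a single command line, and the interface names are quoted
  # so an empty variable fails loudly instead of silently dropping the -i/-o
  # argument.
  # Globals read: IF_PUB, IF_PRV
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$IF_PRV" -o "$IF_PUB" -j ACCEPT
}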
##############################################################################
# LOOPBACK
SetLoopbackRules() {
  # Local processes talk to each other over lo; accept that in both
  # directions, otherwise the DROP policies would break them.
  local lo_dev=lo
  iptables -A INPUT -i "$lo_dev" -j ACCEPT
  iptables -A OUTPUT -o "$lo_dev" -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
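SetPrivateInterfaceRules() {
  # Trust the private side: traffic to/from the firewall host itself is
  # accepted when it arrives on IF_PRV from NET_PRV, or leaves IF_PRV
  # towards NET_PRV. Expansions are quoted so an unset variable cannot
  # silently turn into a rule without the -i/-s restriction.
  # Globals read: IF_PRV, NET_PRV
  iptables -A INPUT -i "$IF_PRV" -s "$NET_PRV" -j ACCEPT
  iptables -A OUTPUT -o "$IF_PRV" -d "$NET_PRV" -j ACCEPT
}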
#############################################################################
# PUBLIC INTERFACES
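SetPublicInterfaceRules() {
  # Inbound on the public side only for connections conntrack already
  # tracks; everything the firewall host itself sends out of IF_PUB is
  # allowed unconditionally (no egress filtering for the host).
  # Globals read: IF_PUB
  iptables -A INPUT -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o "$IF_PUB" -j ACCEPT
}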
##############################################################################
# SOURCE NAT
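EnableSourceNAT() {
  # Rewrite the source of traffic leaving IF_PUB from the private network to
  # the firewall's public address. Static SNAT (not MASQUERADE), so IP_PUB
  # must match the address actually configured on IF_PUB.
  # Globals read: NET_PRV, IF_PUB, IP_PUB
  iptables -t nat -A POSTROUTING -s "$NET_PRV" -o "$IF_PUB" -j SNAT --to "$IP_PUB"
}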
# Various ICMP
SetICMP_Open() {
  # Accept the ICMP types needed for a well-behaved host on any interface:
  # 0 echo-reply, 3 destination-unreachable, 11 time-exceeded. Echo-request
  # (8) is accepted at most once per second; packets over the limit fall
  # through to whatever follows in INPUT.
  local icmp_type
  for icmp_type in 0 3 11; do
    iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
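SetSSH_Open() {
  # Accept new connections from the public side to the SSH port this host
  # uses (2202 per the comment above). Unlike the ICMP echo rule there is no
  # -m limit here, so connection attempts are not rate-limited by the
  # firewall. Variables quoted so an empty IF_PUB/IP_PUB fails instead of
  # widening the rule.
  # Globals read: IF_PUB, IP_PUB
  iptables -A INPUT -i "$IF_PUB" -p tcp -d "$IP_PUB" --dport 2202 -j ACCEPT
}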
##############################################################################
# Destination NAT
# smtp
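SetSMTP_DNAT() {
  # Redirect inbound SMTP on the public address to the internal mail host
  # and let those connections (including NEW) through FORWARD.
  # The web page wrapped both commands; each must be one command line.
  # NOTE(review): the FORWARD rule has no -d restriction, so it relies on
  # PREROUTING DNAT being the only way port-25 traffic from IF_PUB reaches
  # FORWARD — confirm that is the intent.
  # Globals read: IF_PUB, IP_PUB
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport smtp -j DNAT --to 192.168.1.254
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport smtp -j ACCEPT
}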
# pop3
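SetPOP3_DNAT() {
  # Redirect inbound POP3 on the public address to the internal mail host
  # and let those connections (including NEW) through FORWARD.
  # The web page wrapped both commands; each must be one command line.
  # NOTE(review): 192.168.10.254 is outside NET_PRV (192.168.1.0/24) as set
  # in the ENVIRONMENT section, and SetSMTP_DNAT sends mail to
  # 192.168.1.254 — confirm which address the mail host really has.
  # Globals read: IF_PUB, IP_PUB
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport pop3 -j DNAT --to 192.168.10.254
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport pop3 -j ACCEPT
}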
# Webmail (444->443)
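SetWebmail_DNAT() {
  # Public port 444 on the firewall is DNATed to the mail host's HTTPS port
  # (443); the FORWARD rule admits those connections (including NEW).
  # The web page wrapped both commands; each must be one command line.
  # NOTE(review): unlike the SMTP/POP3/HTTP rules this FORWARD rule matches
  # on -o IF_PRV rather than -i IF_PUB, and the target 192.168.10.254 is
  # outside NET_PRV (192.168.1.0/24); the prose above uses 192.168.1.254 —
  # confirm the intended host.
  # Globals read: IF_PUB, IP_PUB, IF_PRV
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 -j DNAT --to 192.168.10.254:443
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o "$IF_PRV" -p tcp --dport 443 -j ACCEPT
}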
# http
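SetHTTP_DNAT() {
  # Redirect inbound HTTP on the public address to the internal web host
  # and let those connections (including NEW) through FORWARD.
  # The web page wrapped both commands; each must be one command line.
  # NOTE(review): 192.168.10.253 is outside NET_PRV (192.168.1.0/24) as set
  # in the ENVIRONMENT section; the prose above names 192.168.1.253 —
  # confirm which is right.
  # Globals read: IF_PUB, IP_PUB
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport http -j DNAT --to 192.168.10.253
  iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i "$IF_PUB" -p tcp --dport http -j ACCEPT
}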
# Blocked protocols
SetBlockedProtocols() {
  # Silently drop the usual IRC ports (a common botnet control channel) on
  # every interface. INPUT only: IRC forwarded for the private network is
  # not touched by these rules.
  local service proto
  for service in irc irc-serv ircs; do
    for proto in tcp udp; do
      iptables -A INPUT -p "$proto" --dport "$service" -j DROP
    done
  done
}
# Blocked hosts
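SetBlockedHosts() {
  # Reject (with an ICMP host-prohibited) anything from one specific source
  # arriving on the public side, both to the firewall and through it.
  # The web page wrapped both commands; each must be one command line.
  # Globals read: IF_PUB
  iptables -A INPUT -i "$IF_PUB" -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
  iptables -A FORWARD -i "$IF_PUB" -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
}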
# Blocked networks
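SetBlockedNetworks() {
  # Reject (with an ICMP net-prohibited) a whole source network arriving on
  # the public side, both to the firewall and through it.
  # The web page wrapped both commands; each must be one command line.
  # NOTE(review): unlike SetBlockedHosts, the FORWARD rule also requires
  # -d IP_PUB. DNAT in PREROUTING rewrites the destination before FORWARD,
  # so this may never match the DNATed mail/web traffic — confirm.
  # Globals read: IF_PUB, IP_PUB
  iptables -A INPUT -i "$IF_PUB" -s 10.220.232.0/24 -j REJECT --reject-with icmp-net-prohibited
  iptables -A FORWARD -i "$IF_PUB" -d "$IP_PUB" -s 10.220.232.0/24 -j REJECT --reject-with icmp-net-prohibited
}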
# Specify things to drop before logging
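SetPrelogDropRules() {
  # Noise to discard before the LOG rules so it does not fill the log:
  # DHCP server replies (source port bootps) arriving on the public side.
  # Globals read: IF_PUB
  iptables -A INPUT -i "$IF_PUB" -p udp --sport bootps -j DROP
}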
# Log those on the public interface
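SetLoggingRules() {
  # Log what reached the end of the chain without being accepted; with the
  # DROP policies these are the packets about to be discarded.
  # NOTE(review): no -m limit here (compare the ICMP echo rule), so a flood
  # of unwanted packets becomes a flood of kernel log lines. Also, in the
  # start order below the OUTPUT rule sits after the blanket
  # "-A OUTPUT -o IF_PUB -j ACCEPT" of SetPublicInterfaceRules and so
  # should never match.
  # Globals read: IF_PUB
  iptables -A INPUT -i "$IF_PUB" -j LOG --log-prefix="INPUT  "
  iptables -A OUTPUT -o "$IF_PUB" -j LOG --log-prefix="OUTPUT "
  iptables -A FORWARD -j LOG --log-prefix="FORWARD "
  # NAT-table tracing, left disabled:
#  iptables -t nat -A PREROUTING -i $IF_PUB -j LOG --log-prefix="nPre  "
#  iptables -t nat -A POSTROUTING -o $IF_PUB -j LOG --log-prefix="nPost  "
#  iptables -t nat -A OUTPUT -o $IF_PUB -j LOG --log-prefix="NAT OUT "
}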
# Drop them all
SetDropRules() {
  # Answer TCP connection attempts on every other port with a RST, which is
  # what a closed port normally does. The author saw no value in "stealth"
  # ports given that some ports on this host are open anyway.
  # Not invoked from the command-line handling at the bottom of this script
  # as written; unmatched TCP is then dropped by the chain policy instead.
  local reject_type=tcp-reset
  iptables -A INPUT -p tcp -j REJECT --reject-with "$reject_type"
}
##############################################################################
# SCRIPT ENTRY POINT
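# Print the action being performed (argument is quoted: no word-splitting
# or globbing of $1 as the old "echo $1" did).
printf 'Firewall configuration...%s\n' "$1"
##############################################################################
# ENVIRONMENT
# Interface names and addresses read by the rule functions above; adjust to
# the host. IP_PRV, NET_PUB and ANYWHERE are not referenced anywhere in this
# script as written.
# Private interface
IF_PRV=eth0
IP_PRV=192.168.1.1
NET_PRV=192.168.1.0/24
# Public interface
IF_PUB=eth1
IP_PUB=10.0.0.1
NET_PUB=10.0.0.0/24
# Others
ANYWHERE=0.0.0.0/0
# SuSE init-script helpers; provides rc_reset and the rc_exit used below.
. /etc/rc.status
rc_reset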
##############################################################################
# COMMAND LINE
case "$1" in
  start)
    SetDefaultPolicy
    FlushTables
    EnableRouting
    SetBlockedProtocols
    SetBlockedNetworks
    SetBlockedHosts
    SetForwardingRules
    SetLoopbackRules
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    EnableSourceNAT
    SetICMP_Open
    SetSSH_Open
    SetSMTP_DNAT
    SetPOP3_DNAT
    SetWebmail_DNAT
    SetHTTP_DNAT
    SetPrelogDropRules
    SetLoggingRules
    ;;
  stop)
    SetDefaultPolicy
    FlushTables
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    ;;
esac
rc_exit


