NetFilter/iptables防火墙设置(下)
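# Webmail: public port 444 on the firewall -> the mail server's HTTPS port 443.
# The two commands were wrapped mid-option on the page ("--dport" / "444"); joined
# here with explicit continuations. Variables are quoted so that an empty IF_PUB /
# IP_PUB fails loudly instead of silently yielding a rule with no interface/address match.
iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 \
  -j DNAT --to 192.168.1.254:443
# Accept only the DNATed flow (public side in, mail server :443 out), not every new
# connection to port 443 that happens to leave on the private interface.
iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -d 192.168.1.254 -p tcp --dport 443 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT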
假设 192.168.1.254 上的邮件服务器提供了一个 SSL(HTTPS)网页接口,而防火墙上的 443 端口已经被占用,用来允许对 192.168.1.253 上 Web 服务的 SSL 访问。那么,可以用 iptables 让防火墙公共端的 444 端口把流量转发到邮件服务器的 HTTPS(443)端口。此后就可以通过 https://firewall.public.address:444/ 访问网页邮件了。
完整脚本
下面就是上文所讲的、在 SuSE Linux 上配置防火墙所用的完整 init 脚本。创建 /etc/init.d/firewall,把下面的文本粘贴进去并保存,把该文件设为可执行,然后用 chkconfig firewall on 让它在 init 时启动(此后也可以用 /etc/init.d/firewall start 手动启动)。使用这个脚本时,务必确保已经关掉了其他防火墙脚本。
#! /bin/bash
# Copyright (c) 2005
#
# Author: David Mair
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network syslog
# Required-Stop:
# Should-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: Firewall configuration
### END INIT INFO
##############################################################################
# DEFAULT POLICY
SetDefaultPolicy() {
  # Default-deny on every built-in filter chain; the rules added later open
  # only the specific holes that are wanted.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
  done
}
##############################################################################
# FLUSH TABLES
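FlushTables() {
  # Empty every rule in the three tables, then delete user-defined chains.
  # The original ran a single bare "iptables -X", which only affects the filter
  # table; user chains left in nat/mangle would survive a restart, so -X is now
  # issued per table (after the flush, since -X requires the chains to be empty).
  local table
  for table in nat mangle filter; do
    iptables -F -t "$table"
  done
  for table in nat mangle filter; do
    iptables -X -t "$table"
  done
}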
##############################################################################
# ROUTING
EnableRouting() {
  # Turn on IPv4 forwarding in the kernel (writes "1" to the sysctl file).
  printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward
}
DisableRouting() {
  # Turn off IPv4 forwarding in the kernel (writes "0" to the sysctl file).
  printf '%s\n' 0 > /proc/sys/net/ipv4/ip_forward
}
##############################################################################
# FORWARDING
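SetForwardingRules() {
  # Replies to connections opened from the private side may come back in.
  # (The page had this command wrapped inside "-j"; rejoined here.)
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Private hosts may open anything outbound. Restricting the source to NET_PRV
  # (the same network EnableSourceNAT rewrites) keeps packets with spoofed or
  # foreign source addresses from being forwarded out the public interface.
  iptables -A FORWARD -i "$IF_PRV" -s "$NET_PRV" -o "$IF_PUB" -j ACCEPT
}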
##############################################################################
# LOOPBACK
SetLoopbackRules() {
  # The loopback interface is trusted in both directions.
  local -r lo_if=lo
  iptables -A INPUT -i "$lo_if" -j ACCEPT
  iptables -A OUTPUT -o "$lo_if" -j ACCEPT
}
##############################################################################
# PRIVATE INTERFACES
SetPrivateInterfaceRules() {
  # Traffic between the firewall and NET_PRV hosts on the private interface is
  # accepted both ways without further filtering.
  local -a inbound=(-A INPUT -i "$IF_PRV" -s "$NET_PRV")
  local -a outbound=(-A OUTPUT -o "$IF_PRV" -d "$NET_PRV")
  iptables "${inbound[@]}" -j ACCEPT
  iptables "${outbound[@]}" -j ACCEPT
}
#############################################################################
# PUBLIC INTERFACES
SetPublicInterfaceRules() {
  # Inbound on the public side: only replies to already-tracked connections.
  local -a tracked=(-m state --state ESTABLISHED,RELATED)
  iptables -A INPUT -i "$IF_PUB" "${tracked[@]}" -j ACCEPT
  # Outbound from the firewall itself on the public side: unrestricted.
  iptables -A OUTPUT -o "$IF_PUB" -j ACCEPT
}
##############################################################################
# SOURCE NAT
EnableSourceNAT() {
  # Private hosts leave the public interface with IP_PUB as their source address.
  local -a match=(-s "$NET_PRV" -o "$IF_PUB")
  iptables -t nat -A POSTROUTING "${match[@]}" -j SNAT --to "$IP_PUB"
}
# Various ICMP
SetICMP_Open() {
  # echo-reply (0), destination-unreachable (3) and time-exceeded (11) are
  # accepted without limit; they are needed for working path MTU / traceroute.
  local icmp_type
  for icmp_type in 0 3 11; do
    iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
  done
  # echo-request (8) is accepted but rate-limited to one per second.
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}
# SSH (on a non-standard port)
SetSSH_Open() {
  # SSH is served on non-standard port 2202; accept it only when it arrives on the
  # public interface addressed to IP_PUB.
  local -r ssh_port=2202
  iptables -A INPUT -i "$IF_PUB" -p tcp -d "$IP_PUB" --dport "$ssh_port" -j ACCEPT
}
##############################################################################
# Destination NAT
# smtp
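SetSMTP_DNAT() {
  # Public SMTP -> the internal mail server. (The page had both commands wrapped
  # mid-option; rejoined here.)
  local -r mail_host=192.168.1.254
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport smtp \
    -j DNAT --to "$mail_host"
  # Accept only the DNATed flow: in on the public side, out to the mail server.
  # The original accepted any new SMTP connection arriving on IF_PUB regardless
  # of destination or outgoing interface.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -d "$mail_host" -p tcp --dport smtp \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}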
# pop3
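SetPOP3_DNAT() {
  # Public POP3 -> the internal mail server. (Both commands were wrapped mid-option
  # on the page; rejoined here.)
  # NOTE(review): 192.168.10.254 is kept from the original listing, but it lies
  # outside NET_PRV (192.168.1.0/24), and the article text and the SMTP rule name
  # the mail server as 192.168.1.254 — confirm which address is intended.
  local -r mail_host=192.168.10.254
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport pop3 \
    -j DNAT --to "$mail_host"
  # Accept only the DNATed flow (public side in, mail server out), not any new
  # POP3 connection that merely arrives on IF_PUB.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -d "$mail_host" -p tcp --dport pop3 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}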
# Webmail (444->443)
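SetWebmail_DNAT() {
  # Public port 444 -> the mail server's HTTPS port 443, as the article describes.
  # Target follows the article text and its first listing (192.168.1.254); the
  # full listing had 192.168.10.254, which lies outside NET_PRV (192.168.1.0/24).
  # (Both commands were wrapped mid-option on the page; rejoined here.)
  local -r mail_host=192.168.1.254
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport 444 \
    -j DNAT --to "${mail_host}:443"
  # Match only the DNATed flow (public side in, mail server :443 out). The original
  # accepted every new connection to port 443 leaving on the private interface.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -d "$mail_host" -p tcp --dport 443 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}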
# http
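SetHTTP_DNAT() {
  # Public HTTP -> the internal web server. (Both commands were wrapped mid-option
  # on the page; rejoined here.)
  # NOTE(review): 192.168.10.253 is kept from the original listing, but it lies
  # outside NET_PRV (192.168.1.0/24) and the article text places the web server at
  # 192.168.1.253 — confirm which address is intended.
  local -r web_host=192.168.10.253
  iptables -t nat -A PREROUTING -i "$IF_PUB" -d "$IP_PUB" -p tcp --dport http \
    -j DNAT --to "$web_host"
  # Accept only the DNATed flow (public side in, web server out), not any new
  # HTTP connection that merely arrives on IF_PUB.
  iptables -A FORWARD -i "$IF_PUB" -o "$IF_PRV" -d "$web_host" -p tcp --dport http \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}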
# Blocked protocols
SetBlockedProtocols() {
  # Drop the usual IRC service ports (irc, irc-serv, ircs, names resolved via
  # /etc/services) over both TCP and UDP; the original comment notes botnet use.
  local svc proto
  for svc in irc irc-serv ircs; do
    for proto in tcp udp; do
      iptables -A INPUT -p "$proto" --dport "$svc" -j DROP
    done
  done
}
# Blocked hosts
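SetBlockedHosts() {
  # Individual hosts refused with ICMP host-prohibited, both to the firewall and
  # through it. (The page had "--reject-with icmp-host-prohibited" split across
  # two lines; rejoined here. Address is the article's example.)
  local -r bad_host=10.220.231.236
  iptables -A INPUT -i "$IF_PUB" -s "$bad_host" -j REJECT --reject-with icmp-host-prohibited
  iptables -A FORWARD -i "$IF_PUB" -s "$bad_host" -j REJECT --reject-with icmp-host-prohibited
}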
# Blocked networks
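SetBlockedNetworks() {
  # Whole networks refused with ICMP net-prohibited. (The page had the reject
  # option split across lines; rejoined here. Network is the article's example.)
  local -r bad_net=10.220.232.0/24
  iptables -A INPUT -i "$IF_PUB" -s "$bad_net" -j REJECT --reject-with icmp-net-prohibited
  # No "-d $IP_PUB" on the FORWARD rule (the original had one): packets addressed
  # to the firewall's own IP_PUB are delivered locally via INPUT, and DNATed
  # packets already carry the internal destination by the time they reach
  # FORWARD, so that match could never fire. This now mirrors SetBlockedHosts.
  iptables -A FORWARD -i "$IF_PUB" -s "$bad_net" -j REJECT --reject-with icmp-net-prohibited
}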
# Specify things to drop before logging
SetPrelogDropRules() {
  # DHCP server chatter (source port bootps) arriving on the public side is
  # dropped silently here so it never reaches the logging rules added afterwards.
  local -r dhcp_server_port=bootps
  iptables -A INPUT -i "$IF_PUB" -p udp --sport "$dhcp_server_port" -j DROP
}
# Log those on the public interface
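SetLoggingRules() {
  # Log what falls through to the default DROP policy on the public interface.
  # The original logged without any rate limit, so a packet flood on IF_PUB could
  # fill the log / syslog. The rate and burst below are a constructed starting
  # point — tune them for the site.
  local -a limit=(-m limit --limit 10/minute --limit-burst 20)
  iptables -A INPUT -i "$IF_PUB" "${limit[@]}" -j LOG --log-prefix="INPUT "
  iptables -A OUTPUT -o "$IF_PUB" "${limit[@]}" -j LOG --log-prefix="OUTPUT "
  iptables -A FORWARD "${limit[@]}" -j LOG --log-prefix="FORWARD "
  # NAT-table logging stays disabled, as in the original:
  # iptables -t nat -A PREROUTING -i "$IF_PUB" -j LOG --log-prefix="nPre "
  # iptables -t nat -A POSTROUTING -o "$IF_PUB" -j LOG --log-prefix="nPost "
  # iptables -t nat -A OUTPUT -o "$IF_PUB" -j LOG --log-prefix="NAT OUT "
}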
# Drop them all
SetDropRules() {
  # Answer TCP connection attempts on all remaining ports with a RST, which is
  # the standard behaviour for a closed port. The original author's reasoning:
  # there is no value in "stealthing" ports when some are open on this host
  # anyway, so be a good TCP citizen.
  # Note that the command-line handling at the bottom of this file does not call
  # this function; it is defined but unused there.
  local -a reset_rule=(-A INPUT -p tcp -j REJECT --reject-with tcp-reset)
  iptables "${reset_rule[@]}"
}
##############################################################################
# SCRIPT ENTRY POINT
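# Announce the action being taken ("$1" is start/stop/restart). printf instead of
# "echo -n" + unquoted "$1": echo -n is not portable and an unquoted argument
# would be word-split / glob-expanded.
printf 'Firewall configuration...%s\n' "$1"
##############################################################################
# ENVIRONMENT
# These must be set before any Set*/Enable* function runs, since the rules
# expand them. readonly guards against a later accidental reassignment.
# Private interface
readonly IF_PRV=eth0
readonly IP_PRV=192.168.1.1
readonly NET_PRV=192.168.1.0/24
# Public interface
readonly IF_PUB=eth1
readonly IP_PUB=10.0.0.1
readonly NET_PUB=10.0.0.0/24
# Others
readonly ANYWHERE=0.0.0.0/0
# SuSE init helpers (rc_reset / rc_exit).
. /etc/rc.status
rc_reset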
##############################################################################
# COMMAND LINE
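case "$1" in
  start)
    # Default-deny first, then flush, so there is no moment with an open policy.
    SetDefaultPolicy
    FlushTables
    EnableRouting
    # Block lists are appended before the accept rules so they are evaluated first.
    SetBlockedProtocols
    SetBlockedNetworks
    SetBlockedHosts
    SetForwardingRules
    SetLoopbackRules
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    EnableSourceNAT
    SetICMP_Open
    SetSSH_Open
    SetSMTP_DNAT
    SetPOP3_DNAT
    SetWebmail_DNAT
    SetHTTP_DNAT
    # Silent drops go in before logging so they do not generate log noise.
    SetPrelogDropRules
    SetLoggingRules
    # SetDropRules (tcp-reset for other TCP ports) is defined above but was never
    # invoked; append it here, after logging, if that behaviour is wanted.
    ;;
  stop)
    SetDefaultPolicy
    FlushTables
    # DisableRouting is defined above but the original never called it, leaving
    # ip_forward on after "stop"; turn it off along with the rules.
    DisableRouting
    SetPrivateInterfaceRules
    SetPublicInterfaceRules
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    # The original silently accepted any other argument; report usage instead.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 2
    ;;
esac
rc_exit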