我的networking中有一个不幸的并发症 – 有些用户/计算机连接到我们pipe理的一个完全私有和防火墙的办公networking(10.nnx / 24 intranet),而另一些连接到第三方提供的子网。 nnx / 25),因为他们需要通过第三方的代理访问互联网。
我以前设置了一个网关/路由器,以允许10.nnx / 24networking互联网访问:
# Allow established connections, and those !not! coming from the public interface # eth0 = public interface # eth1 = private interface iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow outgoing connections from the private interface iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT # Masquerade (NAT) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Don't forward any other traffic from the public to the private iptables -A FORWARD -i eth0 -o eth1 -j REJECT 但是,我现在需要使我们的129.nnx / 25子网上的用户能够访问10.nnx / 24networking上的一些专用服务器。
我想我可以做这样的事情:
# Allow established connections, and those !not! coming from the public interface # eth0 = public interface # eth1 = private interface #1 (10.nnx/24) # eth2 = private interface #2 (129.nnx/25) iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow outgoing connections from the private interfaces iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT # Allow the two public connections to talk to each other iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT # Masquerade (NAT) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Don't forward any other traffic from the public to the private iptables -A FORWARD -i eth0 -o eth1 -j REJECT iptables -A FORWARD -i eth0 -o eth2 -j REJECT
我担心的是,我知道我们的129.nnx / 25子网上的计算机可以通过提供商运营的大型networking通过VPN访问 – 因此,提供商的超网中的某个人是可能的子网?)能够访问我们的私人10.nnx / 24内联网?
这取决于你的路由器路由表。 如果你有一个从超级networking129.nnx / 25到你的networking10.nnx / 24的地址的路由,他们将有权访问,否则他们不会。 尽pipe如此,将eth1和eth2转发规则更加具体化(即向其添加源和目标范围)可能是明智的。