iptables NAT/forwarding with an external ADSL router; PCs on the network cannot reach the internet

I am setting up a firewall/gateway (Ubuntu Server 8.04.1).

The firewall has three NICs: eth0 192.168.0.2, eth1 192.168.1.2, eth2 192.168.2.2

eth1 is connected directly to the ADSL router (which also does NAT). The ADSL router's IP is 192.168.1.1.

The PCs at 192.168.0.x need to reach the internet through the router (the gateway on each of them is set to 192.168.0.2).

The servers on 192.168.2.x receive traffic from the internet.

So far, here is the firewall script (updated):

    #!/bin/bash
    # Local - eth0 - 192.168.0.*
    # Comms - eth1 - 192.168.1.*
    # Servr - eth2 - 192.168.2.*
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # SSH
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    # DNS
    iptables -A OUTPUT -p udp -o eth1 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
    iptables -A INPUT -p udp -i eth2 --sport 53 -j ACCEPT
    # Firewall outgoing (access 80,443,53 from the firewall itself; don't open up for unrelated incoming connections)
    iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    # NAT
    iptables -A FORWARD -i eth1 -j ACCEPT
    iptables -A FORWARD -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth2 -j ACCEPT
    iptables -A FORWARD -o eth2 -j ACCEPT
    echo 1 >/proc/sys/net/ipv4/ip_forward
    iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -A FORWARD -i eth2 -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -A FORWARD -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
    iptables -A FORWARD -i eth2 -p udp -m multiport --dports 53 -j ACCEPT
    iptables -A FORWARD -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Allow responses
    iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT
    # Load balance (PREROUTING/DNAT live in the nat table; "nth" is a patch-o-matic match, not part of stock iptables)
    iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.2.81
    iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.2.82
    iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.2.83
    # ICMP
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -N icmp_accept
    iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A FORWARD -p icmp -j icmp_accept
    # Anti DoS
    #iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    # Logging
    iptables -N LOGGING
    iptables -A INPUT -j LOGGING
    iptables -A LOGGING -j LOG --log-prefix "IPTABLES-DROP " --log-level 4
    iptables -A LOGGING -j DROP

The firewall's gateway is set to 192.168.1.1.

cat /etc/network/interfaces:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255

    auto eth1
    iface eth1 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        dns-nameservers 192.168.1.1

    auto eth2
    iface eth2 inet static
        address 192.168.2.2
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255

ip route list:

    192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
    192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
    default via 192.168.1.1 dev eth1  metric 100

Firewall:

  • can ping IPs on the internet
  • cannot http to IPs on the internet

PCs:

  • can ping the firewall
  • cannot http/ping IP addresses on the internet

Already ran: sysctl -w net.ipv4.ip_forward=1

This is more or less the recommended configuration as I gathered it from various sites. Any suggestions on how to let the PCs reach internet sites through the firewall?

Thanks

I would replace

    iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT

with

    iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Apart from ICMP (INPUT and OUTPUT), I also don't see any rules for the gateway's own traffic.

You are missing the basic FORWARD table rules: your packets get forwarded on their way out to the internet, but since you have not defined any rules that accept them, and have set the default FORWARD policy to DROP, the responses are dropped. I would add

    # ACCEPT reverse path packets for outbound TCP connections
    iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT
    # ACCEPT reverse path packets for outbound UDP "connections"
    iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT
    # create and fill icmp_accept chain with rules for desired ICMP messages
    iptables -N icmp_accept
    iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT
    # allow necessary ICMP
    iptables -A FORWARD -p icmp -j icmp_accept

YMMV depending on what kind of security and what level of logging you need, but this should get you started.
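To show the two answers put together, here is an added example (not the poster's script, not from either answer) that rebuilds the three-NIC gateway from this thread around one stateful FORWARD rule, with a DRY_RUN mode that prints the rules instead of applying them. The interface names, the 192.168.2.81 web server and the port list are taken from the question; the limit value for the LOG rule is an assumption.

```bash
#!/bin/bash
# Hypothetical rebuild of the gateway rule set discussed above: stateful reply
# rule first, then per-subnet policy. DRY_RUN=1 prints the rules instead of
# applying them, which is also how the checks at the bottom inspect the result.
LAN=eth0; WAN=eth1; DMZ=eth2
IPT=${IPT:-iptables}

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}

gateway_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F
    # Replies to any forwarded connection, whatever the protocol, match here.
    # This is the rule the second answer says the poster's FORWARD chain lacked.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN PCs and DMZ servers may open HTTP/HTTPS/DNS towards the ADSL router only.
    for ifc in "$LAN" "$DMZ"; do
        ipt -A FORWARD -i "$ifc" -o "$WAN" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
        ipt -A FORWARD -i "$ifc" -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    done
    # Inbound HTTP from the router is DNATed to the DMZ web server, then forwarded.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination 192.168.2.81
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d 192.168.2.81 --dport 80 -m state --state NEW -j ACCEPT
    # Everything leaving towards the ADSL router is masqueraded behind eth1.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Whatever reaches the end of FORWARD is logged (rate limited, assumed value) and dropped by policy.
    ipt -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP " --log-level 4
}

# Number of generated FORWARD rules that accept traffic (for checking the set).
count_forward_accepts() {
    DRY_RUN=1 gateway_rules | grep -c -- '-A FORWARD .* -j ACCEPT'
}

# Exit 0 only if the stateful reply rule comes before every NEW rule in FORWARD.
reply_rule_first() {
    DRY_RUN=1 gateway_rules | grep -- '-A FORWARD' | head -n 1 | grep -q 'ESTABLISHED,RELATED'
}

if [ "$1" = "apply" ]; then
    echo 1 >/proc/sys/net/ipv4/ip_forward
    gateway_rules
fi
```

Run with `DRY_RUN=1 bash gateway.sh apply` to review the rule set before applying it as root.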