Making MASQUERADE work with IPTABLES

I have a problem with IPTABLES. There are two types of IPTABLES save files: one is from the dedi server I want to use, and the other is just from my recent CentOS install.

The recent one works well with MASQUERADE; the dedi one does not.

I am just a newbie when it comes to firewalls, so I am posting both files and asking you guys for a favor: correct the dedi iptables so that MASQUERADE works properly on it too.

Thanks!

IPTABLES from dedi server

    # Generated by iptables-save v1.4.7 on Tue Jun 19 02:09:31 2012
    *mangle
    :PREROUTING ACCEPT [76062:19805877]
    :INPUT ACCEPT [74250:19703779]
    :FORWARD ACCEPT [1811:101749]
    :OUTPUT ACCEPT [74061:18596265]
    :POSTROUTING ACCEPT [74061:18596265]
    COMMIT
    # Completed on Tue Jun 19 02:09:31 2012
    # Generated by iptables-save v1.4.7 on Tue Jun 19 02:09:31 2012
    *nat
    :PREROUTING ACCEPT [450:24602]
    :POSTROUTING ACCEPT [46:2576]
    :OUTPUT ACCEPT [154:9003]
    -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Tue Jun 19 02:09:31 2012
    # Generated by iptables-save v1.4.7 on Tue Jun 19 02:09:31 2012
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :ASL-ACTIVE-RESPONSE - [0:0]
    :ASL-BLACKLIST - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 12443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 11443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 11444 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 106 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3306 -j DROP
    -A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
    -A INPUT -p udp -m udp --dport 137 -j ACCEPT
    -A INPUT -p udp -m udp --dport 138 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 9522 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9522 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 4487 -j ACCEPT
    -A INPUT -p udp -j ACCEPT
    -A INPUT -p tcp -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
    -A INPUT -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -i lo -o lo -j ACCEPT
    -A FORWARD -j DROP
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
    -A OUTPUT -m state --state INVALID -j DROP
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A ASL-ACTIVE-RESPONSE -j DROP
    -A ASL-BLACKLIST -j DROP
    COMMIT
    # Completed on Tue Jun 19 02:09:31 2012

IPTABLES from recent install

    # Generated by iptables-save v1.4.7 on Tue Jun 19 11:27:53 2012
    *mangle
    :PREROUTING ACCEPT [132014870:94154517348]
    :INPUT ACCEPT [32724511:17221418389]
    :FORWARD ACCEPT [99177664:76852711851]
    :OUTPUT ACCEPT [20020311:7695154264]
    :POSTROUTING ACCEPT [119214834:84553729574]
    COMMIT
    # Completed on Tue Jun 19 11:27:53 2012
    # Generated by iptables-save v1.4.7 on Tue Jun 19 11:27:53 2012
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [20020284:7695152280]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 4487 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 9522 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 9522 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
    -A FORWARD -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A FORWARD -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A FORWARD -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 4487 -j ACCEPT
    -A FORWARD -p tcp -m state --state NEW -m tcp --dport 9522 -j ACCEPT
    -A FORWARD -p udp -m state --state NEW -m udp --dport 9522 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p icmp -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -i eth0 -j ACCEPT
    -A FORWARD -o eth0 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Jun 19 11:27:53 2012
    # Generated by iptables-save v1.4.7 on Tue Jun 19 11:27:53 2012
    *nat
    :PREROUTING ACCEPT [1974169:150131862]
    :POSTROUTING ACCEPT [163057:11741154]
    :OUTPUT ACCEPT [1599021:106159155]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Tue Jun 19 11:27:53 2012
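An added diagnostic for the two dumps above (example code written for this page; it is not part of the question or the answer, and neither poster provided it). A forwarded packet traverses the filter table's FORWARD chain before it reaches nat POSTROUTING, so a MASQUERADE rule can only act on connections that FORWARD has already accepted. The script parses iptables-save output and checks both pieces. Read that way, the dedi dump has FORWARD policy DROP, accepts only RELATED,ESTABLISHED and lo-to-lo traffic, and ends in an unconditional `-A FORWARD -j DROP`, so a new connection from 192.168.0.0/24 is discarded before NAT; the recent install accepts new traffic on eth1 and eth0 ahead of its final REJECT. The embedded dumps are constructed excerpts modelled on the two files in the question, not captures from real hosts, and the script cannot see net.ipv4.ip_forward, which remains a separate sysctl check.

```python
"""Audit an iptables-save dump for what a MASQUERADE gateway needs:
a MASQUERADE rule in nat POSTROUTING, and a filter FORWARD chain that
lets a NEW connection through before any terminal DROP/REJECT."""
import re
from typing import List

# Constructed excerpts modelled on the question's dumps (not real captures).
DEDI_EXCERPT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

RECENT_EXCERPT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_dump(text: str) -> dict:
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}."""
    tables: dict = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comments / blank lines
        if line.startswith("*"):                       # table header, e.g. *nat
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line.startswith(":"):                     # chain declaration: policy + counters
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                   # rule appended to a chain
            chain = line.split()[1]
            tables[table]["rules"].setdefault(chain, []).append(line)
        elif line == "COMMIT":
            table = None
    return tables


def _target(rule: str):
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None


def _cannot_match_new_lan_packet(rule: str) -> bool:
    """Rules that can never match a valid NEW packet from a non-loopback
    interface: conntrack-state rules, the non-SYN TCP reject (a NEW TCP
    packet is a bare SYN), and loopback-only rules. Simplified on purpose:
    interface, state and unconditional rules are all this walker models."""
    return ("--state RELATED,ESTABLISHED" in rule or "--state INVALID" in rule
            or "! --tcp-flags" in rule or "-i lo" in rule or "-o lo" in rule)


def forward_accepts_new(forward_rules: List[str], policy: str) -> bool:
    """Walk FORWARD top to bottom as the kernel does: the first terminal rule
    that could match a NEW LAN packet decides, otherwise the chain policy."""
    for rule in forward_rules:
        if _cannot_match_new_lan_packet(rule):
            continue
        target = _target(rule)
        if target == "ACCEPT":
            return True
        if target in ("DROP", "REJECT"):
            return False
    return policy == "ACCEPT"


def audit_forwarding(text: str) -> dict:
    """Summarise whether NAT can work: MASQUERADE present and FORWARD open."""
    tables = parse_dump(text)
    nat_post = tables.get("nat", {}).get("rules", {}).get("POSTROUTING", [])
    filt = tables.get("filter", {"policy": {}, "rules": {}})
    fwd_rules = filt["rules"].get("FORWARD", [])
    policy = filt["policy"].get("FORWARD", "ACCEPT")
    has_masq = any(_target(r) == "MASQUERADE" for r in nat_post)
    fwd_ok = forward_accepts_new(fwd_rules, policy)
    problems = []
    if not has_masq:
        problems.append("no MASQUERADE rule in nat POSTROUTING")
    if not fwd_ok:
        problems.append("filter FORWARD never ACCEPTs new traffic (policy %s)" % policy)
    return {"masquerade": has_masq, "forward_accepts_new": fwd_ok, "problems": problems}


if __name__ == "__main__":
    for name, dump in (("dedi", DEDI_EXCERPT), ("recent", RECENT_EXCERPT)):
        print(name, audit_forwarding(dump))
```

Feed it a real file with `audit_forwarding(open("/etc/sysconfig/iptables").read())` or the output of `iptables-save`; an empty `problems` list means the nat and filter tables are at least consistent with masquerading, and the ip_forward sysctl still has to be verified separately.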

If cat /proc/sys/net/ipv4/ip_forward gives no output, then the rule in sysctl.conf is not being applied, which may be a difference in how the distribution handles it. To make sure IP forwarding is enabled, add this to your /etc/rc.local file:

 sysctl -w net.ipv4.ip_forward=1 

Or add (to the same file):

 echo 1 > /proc/sys/net/ipv4/ip_forward 

Or, if you set up iptables through a bash script, you can pop one of those lines into it (that may be better).