一个iptables做防火墙的例子

执笔： Administrator

2003-10-19

#!/bin/bash # Do iptables based masquerading and firewalling. # ~spot, 09/01/2002 # Set default PATH export PATH=/sbin:/usr/sbin:/bin:/usr/bin # Load NAT modules modprobe iptable_nat modprobe ip_nat_ftp modprobe ip_nat_irc # Load connection-tracking modules modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_conntrack_irc # Disable response to broadcasts. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Don't accept source routed packets. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Disable ICMP redirect acceptance. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Log spoofed packets, source routed packets, redirect packets echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Clean old iptables iptables -F iptables -X iptables -Z # Allow forwarding through the internal interface iptables -A FORWARD -i eth1 -j ACCEPT iptables -A FORWARD -o eth1 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Default forward policy to DROP iptables -P FORWARD DROP # Do masquerading through eth0 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Port Forwarding iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.100.2:22 # Firewall Rules # Loopback - Allow unlimited traffic iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # SYN-Flooding Protection iptables -N syn-flood iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A syn-flood -j DROP # Make sure that new TCP connections are SYN packets iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP # Fragments : Don't trust the little buggers. Send 'em to hell. iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: " iptables -A INPUT -i eth0 -f -j DROP # Refuse spoofed packets claiming to be the loopback iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP # Allow BootP/DHCP UDP requests iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT # DNS # Allow UDP packets in for DNS client from nameservers iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT # SSH # allow all sshd incoming connections (including the port fw) iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT # HTTP # allow all http/https incoming/return connections iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT # FTP # allow all ftpd incoming connections iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT # Enable active ftp transfers iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable passive ftp transfers iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable ident probes (IRC) iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT # Allow ICMP in if it is related to other connections iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow bot traffic through iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT # enable dcc iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT # LOGGING: # UDP, log & drop iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: " iptables -A INPUT -i eth0 -p udp -j DROP # ICMP, log & drop iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: " iptables -A INPUT -i eth0 -p icmp -j DROP # Windows NetBIOS noise, log & drop iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: " iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP # IGMP noise, log & drop iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: " iptables -A INPUT -i eth0 -p 2 -j DROP # TCP, log & drop iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: " iptables -A INPUT -i eth0 -p tcp -j DROP # Anything else not allowed, log & drop iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: " iptables -A INPUT -i eth0 -j DROP 这个例子是做masqurede的，你的情况是做NAT，如果是静态NAT，可以如下： 然后我们将分配给A、B、C主机的公网ip绑定到iptables防火墙的外网接口，执行以下命令： ifconfig eth0 add 202.xxx.xxx.2netmask 255.255.255.0 ifconfig eth0 add 202.xxx.xxx.3 netmask 255.255.255.0 ifconfig eth0 add 202.xxx.xxx.3 netmask 255.255.255.0 首先，对防火墙接收到的目的ip为202.xxx.xxx.1和202.xxx.xxx.2的所有数据包进行目的NAT(DNAT)， 只写两个了： iptables -A PREROUTING -i eth0 -d 202.xxx.xxx.1 -j DNAT --to 10.10.10.1 iptables -A PREROUTING -i eth0 -d 202.xxx.xxx.2 -j DNAT --to 10.10.10.2 　　其次，对iptables防火墙接收到的源ip地址为10.10.10.1和10.10.10.2的数据包进行源NAT(SNAT): iptables -A POSTROUTING -o eth0 -s 10.10.10.1 -j SNAT --to 202.xxx.xxx.1 iptables -A POSTROUTING -o eth0 -s 10.10.10.2 -j SNAT --to 202.xxx.xxx.2 这样就实现了静态一一映射。 如果要基于端口：那么就要这样： #映射端口，以UDP5000为例子 iptables -t nat -A PREROUTING -i eth0 -d 202.xxx.xxx.1 -p udp --dport 5000 -j DNAT --to 10.10.10.1 iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.1 -p udp --sport 5000 -j SNAT --to 202.xxx.xxx.1 #映射协议，以ICMP协议为例子 iptables -t nat -A PREROUTING -i eth0 -d 202.xxx.xxx.1 -p icmp -j DNAT --to 10.10.10.1 iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.1 -p icmp -j SNAT --to 202.xxx.xxx.1 基本的方法就是这样了，要防火墙规则做得好，就去网上参考一些别人的规则样例吧。 祝你顺利！