RouterSrv IPTABLES
IPTABLES: add the necessary network address translation rules so that external clients can reach the DNS, mail, web and FTP services on the internal servers;
the INPUT, OUTPUT and FORWARD chains default to DROP for all traffic;
configure source address translation so that internal clients can reach the Internet zone.
SNAT rules:
[root@routserv ~]# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ens33 -j MASQUERADE
[root@routserv ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@routserv ~]# iptables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1 packets, 98 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ens33   192.168.0.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0
[root@routserv ~]#
DNAT rules:
[root@routersrv ~]# iptables -t nat -A PREROUTING -d 81.6.63.254 -p udp --dport 53 -j DNAT --to 192.168.100.100
[root@routersrv ~]# iptables -t nat -A PREROUTING -d 81.6.63.254 -p tcp -m multiport --dport 53,80,443,465,993 -j DNAT --to 192.168.100.100
[root@routersrv ~]# iptables -t nat -A PREROUTING -d 81.6.63.254 -p tcp -m multiport --dport 20,21,137,138,139,444,445,4500:5000 -j DNAT --to 192.168.100.200
[root@routersrv ~]# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            udp  --  *      *       0.0.0.0/0            81.6.63.254          udp dpt:53
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            81.6.63.254          udp dpt:53 to:192.168.100.100
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            81.6.63.254          multiport dports 53,80,443,465,993 to:192.168.100.100
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            81.6.63.254          multiport dports 20,21,137,138,139,444,445,4500:5000 to:192.168.100.200
[root@routersrv ~]#
Default deny and allow the required traffic:
iptables -A INPUT -p tcp -m multiport --dport 1194,2021 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 67,68 -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dport 53,80,443,465,993,20 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport 67,68 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
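An added audit helper, not part of the original lab notes: with FORWARD at policy DROP, every port the PREROUTING DNAT rewrites must also be accepted in FORWARD, and a conntrack rule is needed for reply packets, otherwise the rewritten connections (here the ports forwarded to 192.168.100.200 other than 20) and the internal clients' return traffic are silently dropped. The sample ruleset is the rules above transcribed by hand into iptables-save syntax; run the two checks over the output of `iptables-save` on the router.

```python
import re

# Constructed sample: the lab's rules transcribed by hand into iptables-save
# syntax (iptables-save prints multiport matches as --dports).
SAMPLE_RULES = """
*nat
-A PREROUTING -d 81.6.63.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.100.100
-A PREROUTING -d 81.6.63.254/32 -p tcp -m multiport --dports 53,80,443,465,993 -j DNAT --to-destination 192.168.100.100
-A PREROUTING -d 81.6.63.254/32 -p tcp -m multiport --dports 20,21,137,138,139,444,445,4500:5000 -j DNAT --to-destination 192.168.100.200
-A POSTROUTING -s 192.168.0.0/24 -o ens33 -j MASQUERADE
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 53,80,443,465,993,20 -j ACCEPT
COMMIT
"""

PROTO_RE = re.compile(r"-p (tcp|udp)\b")
PORT_RE = re.compile(r"--dports? (\S+)")


def _ports(rule):
    """Set of (proto, port-or-range) tokens one rule matches on."""
    proto, ports = PROTO_RE.search(rule), PORT_RE.search(rule)
    if not proto or not ports:
        return set()
    return {(proto.group(1), p) for p in ports.group(1).split(",")}


def dnat_ports_not_forwarded(rules):
    """(proto, port) pairs DNAT'd in PREROUTING but never ACCEPTed in FORWARD,
    i.e. connections the router rewrites and then drops."""
    dnat, fwd = set(), set()
    for line in rules.splitlines():
        if line.startswith("-A PREROUTING") and "-j DNAT" in line:
            dnat |= _ports(line)
        elif line.startswith("-A FORWARD") and "-j ACCEPT" in line:
            fwd |= _ports(line)
    return sorted(dnat - fwd)


def forward_allows_replies(rules):
    """True if FORWARD has a conntrack/state rule admitting ESTABLISHED
    traffic; without one, a DROP policy also eats every reply packet."""
    return any(line.startswith("-A FORWARD") and "ESTABLISHED" in line
               and "-j ACCEPT" in line for line in rules.splitlines())
```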