iptables is the firewall built into the Linux kernel. Combined with Linux's strong routing capabilities it delivers excellent performance and meets the needs of most enterprise deployments. Below I illustrate it with a common case: a two-interface gateway (eth0 facing the Internet, eth1 facing the LAN) that shares its connection by NAT and forwards port 80 to an internal web server.
# Generated by iptables-save v1.2.11 on Mon Jan 9 13:31:17 2006
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [8:672]
:OUTPUT ACCEPT [242:17914]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
# Below: open port 22 (ssh) on the firewall itself
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID,NEW -j DROP
COMMIT
# Completed on Mon Jan 9 13:31:17 2006
# Generated by iptables-save v1.2.11 on Mon Jan 9 13:31:17 2006
*nat
:PREROUTING ACCEPT [1060:200436]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:67]
# Below: set up NAT so the LAN shares the Internet connection
-A POSTROUTING -o eth0 -j MASQUERADE
# Below: expose the internal WWW server to the outside
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -p tcp -d 10.0.0.2 --dport 80 -j SNAT --to-source 10.0.0.1
COMMIT
# Completed on Mon Jan 9 13:31:17 2006
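As an added example (not code from the original post), here is a small Python audit script that parses an iptables-save dump like the one above, rejects the Unicode dashes that copying rules from a web page often introduces (iptables-restore fails on them, so the whole table never loads), and lists which ports the ruleset exposes towards the Internet. The embedded ruleset is a constructed copy of the one above, and eth0 is assumed to be the WAN interface.

```python
import re

# Constructed sample: the post's ruleset with ASCII "--" option dashes.
SAMPLE = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [8:672]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -p tcp -d 10.0.0.2 --dport 80 -j SNAT --to-source 10.0.0.1
COMMIT
"""

def parse(dump):
    """Parse iptables-save text into {table: {"policy": {...}, "rules": [(chain, argv)]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        # Unicode dashes (copy/paste damage) make iptables-restore reject the table.
        if re.search(r"[\u2013\u2014]", line):
            raise ValueError(f"non-ASCII dash in rule: {line}")
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            argv = line.split()
            table["rules"].append((argv[1], argv[2:]))
    return tables

def opt(argv, name):
    """Value following option `name` in a rule, or None if the rule lacks it."""
    return argv[argv.index(name) + 1] if name in argv else None

def exposed(tables, wan="eth0"):
    """List (target, proto, port) reachable from the WAN side, and whether the
    FORWARD policy is ACCEPT (then the filter table never narrows DNAT'd traffic)."""
    out = []
    for chain, argv in tables["filter"]["rules"]:
        if chain == "INPUT" and opt(argv, "-i") == wan and opt(argv, "-j") == "ACCEPT" and opt(argv, "--dport"):
            out.append(("firewall", opt(argv, "-p"), opt(argv, "--dport")))
    for chain, argv in tables.get("nat", {"rules": []})["rules"]:
        if chain == "PREROUTING" and opt(argv, "-j") == "DNAT":
            out.append((opt(argv, "--to-destination"), opt(argv, "-p"), opt(argv, "--dport")))
    return out, tables["filter"]["policy"].get("FORWARD") == "ACCEPT"
```

Run `exposed(parse(SAMPLE))` against this ruleset and it reports ssh on the firewall plus the DNAT to 10.0.0.2:80, and flags that FORWARD is ACCEPT, which is the setting to tighten once the forwarded ports are known.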