Linux gateway configuration problem, please advise!
Source: Internet    Published: 2015-08-02
The company has a web server, an FTP server, an email server and an application server. I plan to use a machine with two NICs as the gateway. eth0 is bound to the external IP 1.2.3.4 and eth1 to the internal IP 192.168.0.1. All servers are on the internal network: the web server is 192.168.0.2, the FTP server 192.168.0.3, the email server 192.168.0.4, and the application server 192.168.0.5 on port 8080. I am configuring the Linux gateway with iptables. Below is my configuration for the web server; it seems to have serious problems. I am a newbie, please advise.
iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 1.2.3.4
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.2 -p tcp --sport 80 -j ACCEPT
|
The following commands should be run on the gateway, not on the web server or FTP server...
# indicates a comment; you need not type the text following it when you input the command
iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# forward the http traffic to the 192.168.0.2 web server
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2
# forward the ftp traffic to 192.168.0.3
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 21 -i eth0 -j DNAT --to 192.168.0.3
# forward the e-mail traffic to 192.168.0.4
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -i eth0 -j DNAT --to 192.168.0.4
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 110 -i eth0 -j DNAT --to 192.168.0.4
# forward the traffic to the application server
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 8080 -i eth0 -j DNAT --to 192.168.0.5
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 1.2.3.4
# allow permitted traffic to go through the gateway
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 8080 -j ACCEPT
# allow established or related connections to go through the gateway
# (no -i/-o restriction: the servers' replies travel eth1 -> eth0 and must pass too)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
**********************************************
Sometimes you need IP address masquerading to prevent computers on the external network (1.2.3.0/24) from seeing the IP addresses of the servers in the internal network (192.168.0.0/24); you should type:
# masquerade the internal network's source addresses as they leave eth0
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
Then the computers on the external network cannot communicate with the internal servers directly; I mean ping 192.168.0.3 will not be allowed. They have to communicate with the servers through the Linux gateway.
More information on http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html
I hope it will be helpful to you.
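As an added example (not code from the thread or from any of its posters), here is a complete, stateful version of the gateway ruleset for the topology in the question. It assumes the addresses and interface names given above (eth0 = 1.2.3.4 outside, eth1 = 192.168.0.1 inside, servers .2 to .5) and an assumed management port of 22 reachable only from the LAN side; everything else is generated from a constructed service table. The rules are produced as text first so they can be reviewed and linted (the lint catches misspelled chain names such as "POSTROUITING" before anything is applied), and the FORWARD state rule is written without interface restrictions so that the servers' replies are accepted on the way back out.

```sh
#!/bin/sh
# Added example: stateful DNAT gateway for the question's topology.
# Assumptions (from the question, adjust for your site): eth0 carries the
# public IP 1.2.3.4, eth1 the LAN 192.168.0.0/24; MGMT_PORT is an assumed
# SSH port for reaching the gateway itself from the LAN only.
EXT_IF=eth0
INT_IF=eth1
EXT_IP=1.2.3.4
INT_NET=192.168.0.0/24
MGMT_PORT=22

# Published services, one per line: "external_port internal_ip internal_port"
# (constructed from the question's server list)
SERVICES="80 192.168.0.2 80
21 192.168.0.3 21
25 192.168.0.4 25
110 192.168.0.4 110
8080 192.168.0.5 8080"

# Print the full ruleset, one iptables command per line.
gateway_rules() {
  echo "iptables -F"
  echo "iptables -t nat -F"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  # Traffic to the gateway itself: loopback, replies, and LAN-side management.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i $INT_IF -p tcp --dport $MGMT_PORT -m state --state NEW -j ACCEPT"
  # Forwarded traffic: replies must pass in BOTH directions, so no -i/-o here
  # (a rule limited to -i eth0 -o eth1 would drop the servers' responses).
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m state --state INVALID -j DROP"
  # One DNAT plus one FORWARD accept per published service. The FORWARD rule
  # matches the post-DNAT destination (the internal IP), not 1.2.3.4.
  echo "$SERVICES" | while read -r eport ip iport; do
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $eport -j DNAT --to-destination $ip:$iport"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $ip -p tcp --dport $iport -m state --state NEW -j ACCEPT"
  done
  # LAN hosts reaching the internet: allow new outbound connections and rewrite
  # their source to the fixed public IP (static SNAT instead of MASQUERADE).
  # No per-service SNAT on port 80 is needed: conntrack undoes the DNAT for
  # reply packets automatically.
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP"
}

# Chain name following -A/-I/-P in one iptables command line (empty if none).
chain_of() {
  echo "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "-A" || $i == "-I" || $i == "-P") { print $(i + 1); exit } }'
}

# Succeed only for the built-in chains of the filter and nat tables.
valid_chain() {
  case "$1" in
    INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) return 0 ;;
    *) return 1 ;;
  esac
}

# Reject any generated rule that names an unknown chain; this would have
# caught the "POSTROUITING" typo in the thread before it was applied.
lint_rules() {
  gateway_rules | while read -r line; do
    c=$(chain_of "$line")
    if [ -n "$c" ] && ! valid_chain "$c"; then
      echo "unknown chain in: $line" >&2
      exit 1
    fi
  done
}

# Apply for real (root required): enable forwarding, lint, then run each line.
# The FTP helper modules let RELATED cover FTP data connections through DNAT.
apply_rules() {
  lint_rules || return 1
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  modprobe nf_conntrack_ftp 2>/dev/null || true
  modprobe nf_nat_ftp 2>/dev/null || true
  gateway_rules | sh -e
}

# Usage: ". ./gateway.sh; gateway_rules" to review, "apply_rules" to install.
```

Review the output of gateway_rules before calling apply_rules; the INPUT policy is DROP, so the only way onto the gateway itself afterwards is the LAN-side management port.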
|
Tell us what the problem is.
|
Delete this command:
iptables -t nat -A POSTROUTING -s 192.168.0.2 -p tcp --sport 80 -o eth0 -j SNAT --to 1.2.3.4
It is not useful.
1. To list iptables rules:
iptables -L
2. To list the rules in the nat table:
iptables -L -t nat
3. To delete a rule:
iptables -D chain-name rule-number
For example:
iptables -D INPUT 1
4. To delete a rule in the nat table:
iptables -D chain-name rule-number -t nat
iptables -D PREROUTING 1 -t nat