iptables NAT/forwarding with an external ADSL router; PCs on the network cannot access the Internet


I am setting up a firewall/gateway (Ubuntu Server 8.04.1).

The firewall has three NICs: eth0 192.168.0.2, eth1 192.168.1.2, eth2 192.168.2.2

eth1 is connected directly to the ADSL router (which also does NAT); the ADSL router's IP is 192.168.1.1.

The PCs on 192.168.0.x need to reach the Internet through the router (each PC's gateway is set to 192.168.0.2).

The servers on 192.168.2.x receive traffic from the Internet.

Here is the firewall script I have so far (updated):

#!/bin/bash

# Local - eth0 - 192.168.0.*
# Comms - eth1 - 192.168.1.*
# Servr - eth2 - 192.168.2.*

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


# Loopback

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# SSH

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# DNS

iptables -A OUTPUT -p udp -o eth1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth2 --sport 53 -j ACCEPT


# Firewall outgoing (access 80,443,53 from the firewall itself; don't open up for unrelated incoming connections)

iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT


# NAT

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -A FORWARD -o eth2 -j ACCEPT

echo 1 >/proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -m multiport --dports 80,443 -j ACCEPT

iptables -A FORWARD -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp -m multiport --dports 53 -j ACCEPT

iptables -A FORWARD -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Allow responses

iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT


# Load balance

# PREROUTING only exists in the nat table, so these rules need --table nat
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.2.81
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.2.82
iptables --table nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.2.83


# ICMP

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -N icmp_accept
iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A FORWARD -p icmp -j icmp_accept


# Anti DoS

#iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


# Logging

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "IPTABLES-DROP " --log-level 4
iptables -A LOGGING -j DROP

The firewall's gateway is set to 192.168.1.1.

cat /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255

auto eth1
iface eth1 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

auto eth2
iface eth2 inet static
    address 192.168.2.2
    netmask 255.255.255.0
    network 192.168.2.0
    broadcast 192.168.2.255

ip route list

192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
default via 192.168.1.1 dev eth1  metric 100

The firewall

  • can ping IPs on the Internet
  • cannot reach IPs on the Internet over http

The PCs can ping the firewall, but cannot reach IPs on the Internet over http / ping.

Already ran: sysctl -w net.ipv4.ip_forward=1

This is more or less the recommended configuration I have gathered from various sites. Any suggestions on how to let the PCs reach websites on the Internet through the firewall?

Thanks

Answer 1

I would replace

iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT

with

iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, apart from ICMP (INPUT and OUTPUT), I don't see any rules for the gateway's own traffic.

Answer 2

You are missing the basic FORWARD table rules: your packets are forwarded on their way to the Internet, but the responses are dropped, because you have not defined any rule to accept them and have set the default FORWARD policy to DROP. I would add

# ACCEPT reverse path packets for outbound TCP connections
iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT
# ACCEPT reverse path packets for outbound UDP "connections"
iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT

# create and fill icmp_accept chain with rules for desired ICMP messages
iptables -N icmp_accept
iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT

# allow necessary ICMP
iptables -A FORWARD -p icmp -j icmp_accept

YMMV depending on what kind of security and what level of logging you need, but this should get you started.
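As an added illustration (not code from the question or from either answer), the following first-match simulator of an iptables FORWARD chain checks two things this thread raises: Answer 2's point that with policy DROP a reply packet is discarded unless a RELATED,ESTABLISHED rule accepts it, and the fact that the unconditional `-i eth1 -j ACCEPT` at the top of the question's FORWARD chain makes its later eth1 "Allow responses" rule unreachable. Interface names mirror the question's topology; the packets and rules are constructed here.

```python
# Added example, not the asker's or answerers' code: first-match FORWARD chain simulator.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
@dataclass(frozen=True)
class Packet:
    in_if: str; out_if: str; proto: str; dport: int
    state: str  # NEW, ESTABLISHED or RELATED, as conntrack would classify it

@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None              # None means "any", like omitting -i
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[FrozenSet[int]] = None  # -m multiport --dports
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.states is None or p.state in self.states))

def verdict(chain: List[Rule], policy: str, p: Packet) -> str:
    """The first matching rule decides, as iptables does; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

def shadowed(chain: List[Rule]) -> List[int]:
    """Indexes of rules an earlier rule already covers in every field (conservative check)."""
    fields = ("in_if", "out_if", "proto", "dports", "states")
    return [i for i, r in enumerate(chain)
            if any(all(getattr(e, f) is None or getattr(e, f) == getattr(r, f)
                       for f in fields) for e in chain[:i])]

# Constructed traffic: a PC on eth0 opens HTTPS; the SYN/ACK comes back in on eth1.
OUTBOUND = Packet("eth0", "eth1", "tcp", 443, "NEW")
REPLY = Packet("eth1", "eth0", "tcp", 49152, "ESTABLISHED")
# Answer 2's situation: policy DROP, outbound allowed, nothing accepting the return path.
NO_RETURN = [Rule("ACCEPT", in_if="eth0", proto="tcp", dports=frozenset({80, 443}))]
WITH_RETURN = NO_RETURN + [Rule("ACCEPT", in_if="eth1",
                                states=frozenset({"RELATED", "ESTABLISHED"}))]
# The question's chain opens with blanket eth1 accepts, so its later eth1 state rule is dead.
ASKER = [Rule("ACCEPT", in_if="eth1"), Rule("ACCEPT", out_if="eth1"),
         Rule("ACCEPT", in_if="eth1", states=frozenset({"RELATED", "ESTABLISHED"}))]
if __name__ == "__main__":
    print(verdict(NO_RETURN, "DROP", REPLY), verdict(WITH_RETURN, "DROP", REPLY), shadowed(ASKER))  # DROP ACCEPT [2]
```

The same `shadowed` check applied to the question's full FORWARD chain shows that every rule after the four blanket eth1/eth2 accepts is only reachable for traffic between eth0 and a non-eth1, non-eth2 interface.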
