iptables script, could some expert help explain it!

Posted 2005-8-9 22:53:30
# Keep state.
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP

# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# We don't like the NetBIOS and Samba leaking..
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 137:139 -j DROP

# We would like to ask for names from our floppyfw box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT  -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT

# Finally, list what we have
#iptables -L

# If broken DNS:
iptables -L -n

# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Policy for chains DROP everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Good old masquerading.
iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE

# DNS Forward to ISP Dns Server
iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.9:53
#iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.4:53
#iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.4.15:53

# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.
Posted 2005-8-10 11:54:39
Is the poster above in Xi'an?

Posted 2005-8-10 13:44:29
I'd also like to know what it means; can someone explain?

Posted 2005-8-10 14:40:10
It's not complete, only part of it.

Posted 2005-8-10 16:08:41
Quoting flyingzf:
# Keep state.
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
Only forwards packets arriving from the internal interface; drops new and invalid packets coming in for forwarding from the external interface.

# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Detects the PPP packet frame size.

# We don't like the NetBIOS and Samba leaking..
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 137:139 -j DROP
Drops SMB packets received from the internal network.

# We would like to ask for names from our floppyfw box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
The host itself only accepts packets belonging to established and related connections;
the host itself is allowed to send packets.

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT  -p icmp -j ACCEPT
The host allows ICMP packets (that is, ping).

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT
The host allows communication (receiving and sending) on the internal interface.

# Finally, list what we have
#iptables -L

# If broken DNS:
iptables -L -n
Lists the iptables rules.

# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr
Allows the IP address to change dynamically (for dial-up lines). It should be echo 1; probably a typo.

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward
Enables packet forwarding.

# Policy for chains DROP everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
The default policy for all chains is DROP.

# Good old masquerading.
iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE
All packets forwarded out of the external interface get address translation.

# DNS Forward to ISP Dns Server
iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.9:53
#iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.4:53
#iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.4.15:53
All DNS traffic gets destination address translation; in other words, all DNS queries are answered by 61.134.1.9. Only the first line is in effect.


Overall it is a very messy rule list that contradicts itself, and I'm certain the NAT fails: there is no rule at all allowing the returning packets to be forwarded.

Original poster | Posted 2005-8-10 20:53:20
I am from Xi'an, so what!

Original poster | Posted 2005-8-10 21:03:09
Thanks everyone for the explanations. The friend memory above said: "it is a very messy rule list that contradicts itself, and the NAT is certain to fail: there is no rule at all allowing the returning packets to be forwarded". Could you help fix it? Thanks:

Overall it is a proxy (gateway) script; the full text is:

#!/bin/sh
echo "0" > /proc/sys/net/ipv4/ip_forward
# Configure your network devices here
OUTSIDE_DEVICE=eth0
INSIDE_DEVICE=eth1
# Configure your IP addresses here
OUTSIDE_IP=222.90.69.26
SERVER_IP=192.168.1.250
SERVER_IP1=192.168.1.253
#SERVER_IP2=192.168.1.6
#OUTSIDE_IP_GW=
#SERVER_IP_GW=

# If you have more than 255 PCs, use three class C address ranges
#ifconfig eth1:1 10.10.0.1 netmask 255.255.255.0 broadcast 10.10.0.255
#ifconfig eth1:2 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
#ifconfig eth1:3 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
# If you have other IP addresses
#ifconfig eth0:1 xxx.xxx.xxx.xxx netmask 255.255.255.x broadcast xxx.xxx.xxx.xxx

#route del -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route del -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1
#route add -net default gw ${OUTSIDE_IP_GW} netmask 255.255.255.252 dev eth0
#route add -net default gw ${SERVER_IP_GW} netmask 255.255.255.0 dev eth1

#
# We want to use the FTP server (load the FTP conntrack/NAT helpers)
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z   # zero all counters

# Policy for chains DROP everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Good old masquerading.
iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE

# DNS Forward to ISP Dns Server
iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.9:53
#iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 61.134.1.4:53
#iptables -t nat -A PREROUTING -p udp -d 0.0.0.0/0 --dport 53 -j DNAT --to 202.100.4.15:53
# SSH
iptables -A INPUT -p tcp -i ${OUTSIDE_DEVICE} --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp -i ${OUTSIDE_DEVICE} --dport 9999 -j ACCEPT

#squid
#iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw command.

#WINDOWS 2000 SERVER TSC
#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 3389 -j DNAT --to ${SERVER_IP}:3389
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 3389 -o ${INSIDE_DEVICE} -j ACCEPT

# Web:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP1}:80
#iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP1} --dport 80 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}

#mir
#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 7000 -j DNAT --to ${SERVER_IP1}:7000
#iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 7000 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP1} --dport 7000 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}

#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 7100 -j DNAT --to ${SERVER_IP1}:7100
#iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 7100 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP1} --dport 7100 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}

#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 7200 -j DNAT --to ${SERVER_IP1}:7200
#iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 7200 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP1} --dport 7200 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}

#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 63000 -j DNAT --to ${SERVER_IP}:63000
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 63000 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 63000 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}

# FTP:
iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 21 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}
# 5800
#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 5800 -j DNAT --to ${SERVER_IP}:5800
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 5800 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 5800 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}

# CS
#iptables -A PREROUTING -t nat -p tcp  -d ${OUTSIDE_IP} --dport 27017 -j DNAT --to ${SERVER_IP2}:27017
#iptables -A FORWARD -p tcp -d ${SERVER_IP2} --dport 27017 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP2} --dport 27017 -s 192.168.0.0/255.255.255.0 -j SNAT --to ${OUTSIDE_IP}


# MAIL:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${SERVER_IP}:25
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 143 -j DNAT --to ${SERVER_IP}:110
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 110 -o ${INSIDE_DEVICE} -j ACCEPT

# Keep state.
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP

# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# We don't like the NetBIOS and Samba leaking..
iptables -t nat -A PREROUTING -p TCP -i ${INSIDE_DEVICE} --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i ${INSIDE_DEVICE} --dport 137:139 -j DROP

# We would like to ask for names from our floppyfw box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT  -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT

# Finally, list what we have
#iptables -L

# If broken DNS:
iptables -L -n

# This enables dynamic IP address following
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward

Posted 2005-8-10 22:27:00
The NAT above should actually work; I misread it, sorry.

The general intent of the script above is:
to do address translation (NAT) on a machine with two network cards so the whole LAN can get online. The script closes all ports (the default policy for INPUT, OUTPUT and FORWARD is DROP) and opens only the ports that are needed, such as FTP, mail and so on.

If you want to do address translation, you can start from the simplest rules; there is no need to make it this complicated.

# Load the required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# Default policy: accept
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Set up NAT
iptables -t nat -A POSTROUTING -o ${OUTSIDE_DEVICE} -j MASQUERADE

# Enable forwarding
# Rules set, we can enable forwarding in the kernel.
echo "Enabling IP forwarding."
echo "1" > /proc/sys/net/ipv4/ip_forward

If you need to block certain applications, just block their ports. Ha, that is exactly the opposite policy from the script you posted.

You should really find a Chinese iptables document; it honestly is not that hard.
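Added example (mine, not code from anyone in this thread): a small Python model of the FORWARD chain that memory walks through in the explanation above, and of the ACCEPT-everything policy in the last reply. It mimics iptables first-match evaluation plus a minimal connection-tracking table, so you can see offline why the ESTABLISHED,RELATED rule is what lets return traffic through a DROP policy, and what the all-ACCEPT policy trades away. Interface names follow the script (eth0 outside, eth1 inside); the packets and addresses are constructed sample values.

```python
# Added example, not code from this thread: toy model of the FORWARD chain in
# the script above, with iptables first-match semantics and a minimal
# connection-tracking table. Interface names follow the script; packets are
# constructed sample values.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

INSIDE_DEVICE = "eth1"   # as in the script (INSIDE_DEVICE=eth1)
OUTSIDE_DEVICE = "eth0"  # as in the script (OUTSIDE_DEVICE=eth0)

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport), TCP assumed


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on (-i)
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for a TCP connection opener


@dataclass
class Conntrack:
    """Connection table keyed by 4-tuple; a flow matches in either direction."""
    flows: Set[Flow] = field(default_factory=set)

    def state(self, p: Packet) -> str:
        fwd: Flow = (p.src, p.sport, p.dst, p.dport)
        rev: Flow = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        # A non-SYN packet that belongs to no known flow has no valid state.
        return "NEW" if p.syn else "INVALID"

    def confirm(self, p: Packet) -> None:
        # netfilter only confirms a new entry once the packet is accepted.
        self.flows.add((p.src, p.sport, p.dst, p.dport))


@dataclass(frozen=True)
class Rule:
    states: Optional[frozenset]  # -m state --state A,B (None: no state match)
    in_if: Optional[str]         # -i DEVICE (None: any interface)
    target: str                  # ACCEPT or DROP


def run_chain(rules, policy: str, p: Packet, ct: Conntrack) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    st = ct.state(p)
    for r in rules:
        if r.states is not None and st not in r.states:
            continue
        if r.in_if is not None and r.in_if != p.in_if:
            continue
        verdict = r.target
        break
    else:
        verdict = policy
    if verdict == "ACCEPT":
        ct.confirm(p)
    return verdict


# The three "Keep state" rules from the script, in the order they are appended.
KEEP_STATE = [
    Rule(frozenset({"NEW"}), INSIDE_DEVICE, "ACCEPT"),
    Rule(frozenset({"ESTABLISHED", "RELATED"}), None, "ACCEPT"),
    Rule(frozenset({"NEW", "INVALID"}), OUTSIDE_DEVICE, "DROP"),
]


def simulate(rules, policy: str = "DROP") -> dict:
    """Run constructed sample traffic through a FORWARD chain; return verdicts.

    The filter table sees de-NATed addresses, so the reply is addressed to the
    LAN host even though MASQUERADE rewrote the outgoing source address.
    """
    ct = Conntrack()
    lan_syn = Packet(INSIDE_DEVICE, "192.168.1.10", "203.0.113.5", 40000, 80, syn=True)
    reply = Packet(OUTSIDE_DEVICE, "203.0.113.5", "192.168.1.10", 80, 40000)
    unsolicited = Packet(OUTSIDE_DEVICE, "198.51.100.7", "192.168.1.10", 5555, 445, syn=True)
    stray_ack = Packet(OUTSIDE_DEVICE, "198.51.100.7", "192.168.1.10", 5555, 445)
    return {
        "lan_syn": run_chain(rules, policy, lan_syn, ct),
        "reply": run_chain(rules, policy, reply, ct),
        "unsolicited": run_chain(rules, policy, unsolicited, ct),
        "stray_ack": run_chain(rules, policy, stray_ack, ct),
    }


if __name__ == "__main__":
    print("script's chain:         ", simulate(KEEP_STATE))
    print("no ESTABLISHED rule:    ", simulate([KEEP_STATE[0], KEEP_STATE[2]]))
    print("policy ACCEPT, no rules:", simulate([], policy="ACCEPT"))
```

Run it with python3. The three printed lines show the script's chain (LAN-initiated connection and its reply accepted, unsolicited SYN and stray ACK from outside dropped), the same chain without the ESTABLISHED,RELATED rule (the reply then falls through to the DROP policy, which is exactly the failure memory was worried about), and the last reply's ACCEPT policy with no rules (everything passes, including the unsolicited SYN to TCP/445 from outside). The model covers the filter table only; in the real script the NetBIOS DROP lines sit in the nat table, which is consulted only for the first packet of a connection, so filtering rules belong in the filter table.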