eth0 172.19.3.2 (external network)
eth1 192.168.1.1 (internal network)
The problem: an HTTP service is running on the eth0 interface, and no matter what I try, clients on the same subnet as eth0 cannot reach it; if I turn the firewall off, they can. Brothers, please help me out.
My firewall script:
#!/bin/bash
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t filter -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth1 -j ACCEPT
##open web ports
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
##open sshd ports
/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
##proxy and nat
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 172.19.3.2
/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
##allow state pack
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -j DROP
[root@www rc.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Veterans, please advise how to write the rule that opens the WEB port; it should be
/sbin/iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 80 -j ACCEPT
The rule is in the INPUT chain of the filter table; the conditions are: entering through the eth0 interface, any source address, destination port 80; packets matching this rule are let through.
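As an added example (not the poster's script), here is the same ruleset with the transparent-proxy REDIRECT limited to the LAN interface, which is the most likely cause of the symptom: the posted PREROUTING rule has no `-i eth1`, so port-80 requests arriving on eth0 are also rewritten to port 3128, and the INPUT chain only accepts port 80 on eth0, so those packets hit the final DROP. Interface names, addresses and ports are taken from the post; the FORWARD rules, the dry-run wrapper and the helper function names are assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's script. Dry run by default: the
# commands are printed rather than executed. Run with IPT=/sbin/iptables as
# root to apply them for real.
IPT="${IPT:-echo /sbin/iptables}"
WAN_IF=eth0; WAN_IP=172.19.3.2        # values from the post
LAN_IF=eth1; LAN_NET=192.168.1.0/24   # values from the post
PROXY_PORT=3128                       # squid port from the post

firewall_rules() {
    # Start from a clean slate in both tables.
    $IPT -F; $IPT -t nat -F; $IPT -X; $IPT -Z
    # Loopback and the LAN side are fully trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -j ACCEPT
    # Services exposed on the external interface: web and ssh only.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    # Source NAT for the LAN going out through eth0.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # Transparent proxy: redirect only HTTP that ENTERS FROM THE LAN. Without
    # "-i eth1" this rule also diverts external port-80 traffic to 3128 (which
    # INPUT then drops) and exposes the proxy port to the outside.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # Replies to connections this host initiated, then drop everything else.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -j DROP
    # Assumed addition: the post's FORWARD chain was an open ACCEPT policy with
    # no rules. Forward only LAN -> WAN plus the replies.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Check usable in the dry run: succeeds only if the REDIRECT rule is tied to
# the LAN interface, i.e. external port-80 traffic is no longer diverted.
redirect_is_scoped() {
    firewall_rules | grep -qF -- "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT"
}

firewall_rules
```

In the dry run, `firewall_rules` prints the exact commands, so the generated rule list can be reviewed before anything is applied.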