关于网站的防火墙问题

huzi

我在3322.org上申请了动态域名,现在在我的机器上架起了WWW服务器,但是有关防火墙的问题很麻烦. 如果我用系统RH8.0自带的防火墙设置, 别人就可以访问, 但用我自己设置的防火墙, 访问就被拒绝. 我不知道是什么问题, 现在把脚本贴上来, 请大虾帮我看看, 谢谢!!!(LINUX下打字好慢喔)

我的eth0接内网, eth1接ADSL.   I am waitting online!  Thanks!!

cho "Enable IP Forwarding..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eht1 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --dport 21 -i ppp0 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 -j DNAT --to 192.168.0.1

huzi

eth0 :  192.168.0.1 netmask: 255.255.255.0
eth1 :  192.168.1.1 netmask: 255.255.255.0

my site: http://kanxue.3322.org.  Now you can visit.

huzi

顶一下!我还在网上等待ing....

oyzjin

iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --dport 21 -i ppp0 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 -j DNAT --to 192.168.0.1

有没有试过把上面的PREROUTING改为OUTPUT或INPUT？

huzi

不过,我把上面的几句去掉了, 然后加了以下几句:
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

就可以了. 我还有点疑问, 为什么去掉那几句也可以啊?

huzi

把PREROUTING改为INPUT or OUTPUT 不行. 因为DNAT是针对PREROUTING链来说的.

seacon

把FORWARD链改成下面的试一试：
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

huzi

echo "Enable IP Forwarding..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules..."
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT

iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.1

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE

这样我只开放了三个端口，可以用http,ftp,ssh来访问我的服务器。