用iptables发布内部服务的问题

ttyrone · 发表于 2005-5-23 11:27:09

弄一个简单点的，还是不行，chowroc帮忙看看 -s $sql_server的位置对吗？
#!/bin/bash
echo "Starting iptables rules..."
echo "1" >/proc/sys/net/ipv4/ip_forward

inet_iface=eth1
inet_ip=218.107.130.52
lan_iface=eth0
lan_ip=192.168.35.2
ip_range=192.168.35.0/24
IPT=/sbin/iptables

http_server=192.168.35.7
http=80

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
for TABLE in filter nat mangle; do
$IPT -t $TABLE -F
$IPT -t $TABLE -X
done

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for DNS in $(grep ^n /etc/resolv.conf |awk '{print $2}'); do
$IPT -A INPUT -p udp -s $DNS --sport domain -j ACCEPT
done

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip

$IPT -t nat -A PREROUTING -p tcp --dport $http -d $inet_ip -i $inet_iface -j DNAT --to $http_server
$IPT -t nat -A POSTROUTING -o $inet_iface -p tcp -s $http_server --sport $http -j SNAT --to-source $inet_ip

$IPT -A FORWARD -p tcp -d $http_server --dport $http -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Done"

ttyrone · 发表于 2005-5-23 15:12:22

顶一下，大侠们帮忙看看吧！～
弄好发布，才能继续学别的啊。

ttyrone · 发表于 2005-5-23 15:22:14

#!/bin/bash
echo "Starting iptables rules..."
echo "1" >/proc/sys/net/ipv4/ip_forward

inet_iface=eth1
inet_ip=218.107.130.52
lan_iface=eth0
lan_ip=192.168.35.2
ip_range=192.168.35.0/24
IPT=/sbin/iptables

http_server=192.168.35.7
http=80

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
for TABLE in filter nat mangle; do
$IPT -t $TABLE -F
$IPT -t $TABLE -X
done

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for DNS in $(grep ^n /etc/resolv.conf |awk '{print $2}'); do
$IPT -A INPUT -p udp -s $DNS --sport domain -j ACCEPT
done

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -A INPUT -p tcp --sport $http -j ACCEPT

$IPT -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip

$IPT -t nat -A PREROUTING -p tcp -d $inet_ip --dport $http -j DNAT --to $http_server

http

echo "Done"

ttyrone · 发表于 2005-5-23 15:32:23

#iptables -L -n

Chain INPUT (policy ACCEPT)
target    prot opt source             destination
ACCEPT    all  --  0.0.0.0/0          0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT    udp  --  210.82.8.1          0.0.0.0/0          udp spt:53
ACCEPT    udp  --  210.82.5.1          0.0.0.0/0          udp spt:53
ACCEPT    tcp  --  0.0.0.0/0          0.0.0.0/0          tcp spt:80

Chain FORWARD (policy ACCEPT)
target    prot opt source             destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination

ttyrone · 发表于 2005-5-23 15:34:52

#iptables -t nat -L -n
看上去，已经把公网地址转移到内部的192.168.35.7了啊
怎么还是不行呢？

Chain PREROUTING (policy ACCEPT)
target    prot opt source             destination
DNAT    tcp  --  0.0.0.0/0          218.107.130.52    tcp dpt:80 to:192.168.35.7:80

Chain POSTROUTING (policy ACCEPT)
target    prot opt source             destination
SNAT    all  --  0.0.0.0/0          0.0.0.0/0          to:218.107.130.52

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination

Chowroc · 发表于 2005-5-23 17:12:59

看一下你 23 楼的脚本，DNS 那几行多余，$IPT -A INPUT -p tcp --sport $http -j ACCEPT 也多余，因为你的默认策略是 ACCEPT。

$IPT -t nat -A PREROUTING -p tcp -d $inet_ip --dport $http -j DNAT --to $http_server

http
我想应该是：
$IPT -t nat -A PREROUTING -p tcp -d $inet_ip (--dport $http) -j DNAT --to-destination $http_server(

http)
$IPT -t nat -A POSTROUTING -p tcp -s $http_server (--sport $http) -j SNAT --to-source $inet_ip(

http)

Chowroc · 发表于 2005-5-23 17:21:10

也就是加后面那一行。

ttyrone · 发表于 2005-5-24 14:53:01

又精简了，加上了出去的规则，还是不行啊
#!/bin/bash
echo "Starting iptables rules..."
echo "1" >/proc/sys/net/ipv4/ip_forward

inet_iface=eth1
inet_ip=218.107.130.52
lan_iface=eth0
lan_ip=192.168.35.2
ip_range=192.168.35.0/24
IPT=/sbin/iptables

http_server=192.168.35.7
http=80

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_LOG
for TABLE in filter nat mangle; do
$IPT -t $TABLE -F
$IPT -t $TABLE -X
done

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -A INPUT -p tcp --sport $http -j ACCEPT

$IPT -t nat -A POSTROUTING -o $inet_iface -j SNAT --to $inet_ip

$IPT -t nat -A PREROUTING -p tcp -d $inet_ip --dport $http -j DNAT --to-destination $http_server

http
$IPT -t nat -A POSTROUTING -p tcp -s $http_server --sport $http -j SNAT --to-source $inet_ip

http

echo "Done"

ttyrone · 发表于 2005-5-24 14:54:19

#iptables -L -n
Chain INPUT (policy ACCEPT)
target    prot opt source             destination
ACCEPT    tcp  --  0.0.0.0/0          0.0.0.0/0          tcp spt:80

Chain FORWARD (policy ACCEPT)
target    prot opt source             destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination

ttyrone · 发表于 2005-5-24 14:55:24

#iptables -t nat -L -n

Chain PREROUTING (policy ACCEPT)
target    prot opt source             destination
DNAT    tcp  --  0.0.0.0/0          218.107.130.52    tcp dpt:80 to:192.168.35.7:80

Chain POSTROUTING (policy ACCEPT)
target    prot opt source             destination
SNAT    all  --  0.0.0.0/0          0.0.0.0/0          to:218.107.130.52
SNAT    tcp  --  192.168.35.7       0.0.0.0/0          tcp spt:80 to:218.107.130.52:80

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination

		自动登录	找回密码
密码			注册