由 emerson 在 11-16-2004 13:48 发表:

关于iptables做访问限制的问题?

小弟最近在配置一代理服务器,用iptables+squid已经实现了透明代理,现在要用iptables做访问控制,如内网用户默认禁止所有服务,再逐步开通相关服务.在iptables中的配置如下(/etc/rc.local):

===================================================================

#!/bin/sh

This script will be executed after all the other init scripts.

You can put your own initialization stuff in here if you don't

want to do the full Sys V style init stuff.

OUTER_PORT = eth1

INTER_PORT = eth0

touch /var/lock/subsys/local

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe iptable_filter

/sbin/modprobe iptable_mangle

/sbin/modprobe iptable_nat

/sbin/modprobe ipt_LOG

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_state

/sbin/modprobe ip_conntrack_ftp

/sbin/modprobe ip_nat_ftp

/sbin/iptables -F

/sbin/iptables -t nat -F

/sbin/iptables -X

/sbin/iptables -t nat -X

/sbin/iptables -P INPUT DROP

/sbin/iptables -P OUTPUT DROP

/sbin/iptables -P FORWARD DROP

/sbin/iptables -N bad_tcp_packets

/sbin/iptables -N allowed

/sbin/iptables -N tcp_packetsfirewall

/sbin/iptables -N udp_packets

/sbin/iptables -N icmp_packets

/sbin/iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"

/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

/sbin/iptables -A allowed -p TCP --syn -j ACCEPT

/sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A allowed -p TCP -j DROP

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 23 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 53 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j ACCEPT

/sbin/iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j ACCEPT

/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT

/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT

/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT

/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

/sbin/iptables -A udp_packets -p UDP -s 0/0 --source-port 8000 -j ACCEPT

/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

/sbin/iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -j bad_tcp_packets

/sbin/iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT

/sbin/iptables -A INPUT -p ALL -i lo -s 192.168.100.253 -j ACCEPT

/sbin/iptables -A INPUT -p ALL -i lo -s 10.0.0.15 -j ACCEPT

Rules for incoming packets from anywhere

/sbin/iptables -A INPUT -p ALL -d 10.0.0.15 -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A INPUT -p TCP -j tcp_packets

/sbin/iptables -A INPUT -p UDP -j udp_packets

/sbin/iptables -A INPUT -p ICMP -j icmp_packets

/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "

/sbin/iptables -A FORWARD -p tcp -j bad_tcp_packets

/sbin/iptables -A FORWARD -p tcp --dport 21 -i eth0 -j ACCEPT

/sbin/iptables -A FORWARD -p tcp --dport 80 -i eth0 -j ACCEPT

/sbin/iptables -A FORWARD -p tcp --dport 110 -i eth0 -j ACCEPT

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: "

/sbin/iptables -A OUTPUT -p tcp -j bad_tcp_packets

/sbin/iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT

/sbin/iptables -A OUTPUT -p ALL -s 192.168.100.253 -j ACCEPT

/sbin/iptables -A OUTPUT -p ALL -s 10.0.0.15 -j ACCEPT

/sbin/iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: "

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth1 -j SNAT --to-source 10.0.0.15

==================================================================

然而如果用/etc/rc.d/init.d/iptables restart

/etc/rc.local运行使会提示错误如下:

==================================================================

[root@localhost root]# /etc/rc.local: command not found 10:

modprobe: Can't locate module ip_tables

modprobe: Can't locate module ip_conntrack

modprobe: Can't locate module iptable_filter

modprobe: Can't locate module iptable_mangle

modprobe: Can't locate module iptable_nat

modprobe: Can't locate module ipt_LOG

modprobe: Can't locate module ipt_limit

modprobe: Can't locate module ipt_state

modprobe: Can't locate module ip_conntrack_ftp

modprobe: Can't locate module ip_nat_ftp: command not found 25:

iptables: No chain/target/match by that name

iptables: Table does not exist (do you need to insmod?)

iptables: Table does not exist (do you need to insmod?): command not found 31:

iptables: Bad policy name

iptables: Bad policy name: command not found 36:; command not found 43:

'ptables v1.2.8: unknown reject type `tcp-reset